xref: /openbmc/linux/drivers/tee/optee/Kconfig (revision 8a649e33f48e08be20c51541d9184645892ec370)
# SPDX-License-Identifier: GPL-2.0-only
# OP-TEE Trusted Execution Environment Configuration
# Core OP-TEE driver. It can be built in or as a module (tristate) and
# needs both the Arm SMC Calling Convention support (HAVE_ARM_SMCCC) and
# an MMU; the two requirements are ANDed.
config OPTEE
	tristate "OP-TEE"
	depends on HAVE_ARM_SMCCC && MMU
	help
	  This implements the OP-TEE Trusted Execution Environment (TEE)
	  driver.

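# Security-sensitive, opt-in option (note the INSECURE in its name).
# When enabled, the kernel driver hands the OP-TEE (BL32) image to the
# firmware at probe time, reading it from the filesystem rather than
# relying on an image that was already in place before the kernel ran.
# NOTE(review): the trust placed in that image then presumably depends on
# whatever protects the kernel and the filesystem it is read from; check
# the TF-A threat model and Documentation/staging/tee.rst referenced in
# the help text before enabling this on a production build.
# "default n" is kept explicit so the option stays off unless requested.
config OPTEE_INSECURE_LOAD_IMAGE
	bool "Load OP-TEE image as firmware"
	default n
	depends on OPTEE && ARM64
	help
	  This loads the BL32 image for OP-TEE as firmware when the driver is
	  probed. This returns -EPROBE_DEFER until the firmware is loadable from
	  the filesystem which is determined by checking the system_state until
	  it is in SYSTEM_RUNNING. This also requires enabling the corresponding
	  option in Trusted Firmware for Arm. The documentation there explains
	  the security threat associated with enabling this as well as
	  mitigations at the firmware and platform level.
	  https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

	  Additional documentation on kernel security risks is at
	  Documentation/staging/tee.rst.

	  If unsure, say N.
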