| # SPDX-License-Identifier: GPL-2.0-only |
| # OP-TEE Trusted Execution Environment Configuration |
| config OPTEE |
| tristate "OP-TEE" |
| depends on HAVE_ARM_SMCCC |
| depends on MMU |
| depends on RPMB || !RPMB |
| help |
| This implements the OP-TEE Trusted Execution Environment (TEE) |
| driver. |
| |
| config OPTEE_INSECURE_LOAD_IMAGE |
| bool "Load OP-TEE image as firmware" |
| default n |
| depends on OPTEE && ARM64 |
| help |
| This loads the BL32 image for OP-TEE as firmware when the driver is |
| probed. This returns -EPROBE_DEFER until the firmware is loadable from |
| the filesystem which is determined by checking the system_state until |
| it is in SYSTEM_RUNNING. This also requires enabling the corresponding |
| option in Trusted Firmware for Arm. The documentation there explains |
| the security threat associated with enabling this as well as |
| mitigations at the firmware and platform level. |
| https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html |
| |
| Additional documentation on kernel security risks are at |
| Documentation/tee/op-tee.rst. |