Re: [PATCH v15 13/28] x86: Secure Launch Kconfig

Mon, 15 Dec 2025 19:20:29 -0800 


On 12/15/25 3:33 PM, Ross Philipson wrote:
> Add a Kconfig option for compiling in/out the Secure Launch feature.
> Secure Launch is controlled by a singel boolean on/off.
> 
> Signed-off-by: Ross Philipson <[email protected]>
> ---
>  arch/x86/Kconfig | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index fa3b616af03a..9404d207c420 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1975,6 +1975,20 @@ config EFI_RUNTIME_MAP
>  
>         See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
>  
> +config SECURE_LAUNCH
> +     bool "Secure Launch DRTM support"
> +     depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB
> +     select CRYPTO_LIB_SHA1
> +     select CRYPTO_LIB_SHA256
> +     help
> +       The Secure Launch feature allows a kernel to be launched directly
> +       through a vendor neutral DTRM (Dynamic Root of Trust for Measurement)

                                   DRTM

> +       solution, with Intel TXT being one example.  The DRTM establishes an
> +       environment where the CPU measures the kernel image, employing the 
> TPM,
> +       before starting it. Secure Launch then continues the measurement chain
> +       over kernel configuration information and other launch artifacts (e.g.
> +       any initramfs image).
> +
>  source "kernel/Kconfig.hz"
>  
>  config ARCH_SUPPORTS_KEXEC

-- 
~Randy

























					Reply via email to