On 12/15/25 7:20 PM, Randy Dunlap wrote:
On 12/15/25 3:33 PM, Ross Philipson wrote:
Add a Kconfig option for compiling in/out the Secure Launch feature.
Secure Launch is controlled by a singel boolean on/off.
Signed-off-by: Ross Philipson <[email protected]>
---
arch/x86/Kconfig | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fa3b616af03a..9404d207c420 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1975,6 +1975,20 @@ config EFI_RUNTIME_MAP
See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
+config SECURE_LAUNCH
+ bool "Secure Launch DRTM support"
+ depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB
+ select CRYPTO_LIB_SHA1
+ select CRYPTO_LIB_SHA256
+ help
+ The Secure Launch feature allows a kernel to be launched directly
+ through a vendor neutral DTRM (Dynamic Root of Trust for Measurement)
DRTM
Thank you, will fix.
Ross
+ solution, with Intel TXT being one example. The DRTM establishes an
+ environment where the CPU measures the kernel image, employing the
TPM,
+ before starting it. Secure Launch then continues the measurement chain
+ over kernel configuration information and other launch artifacts (e.g.
+ any initramfs image).
+
source "kernel/Kconfig.hz"
config ARCH_SUPPORTS_KEXEC
