# SPDX-License-Identifier: GPL-2.0-only
#
# Security configuration
#

menu "Security options"

config INSECURE
	bool "enable convenient defaults that are unsuitable for secure-booting systems"
	default y
	select HAS_INSECURE_DEFAULTS
	help
	  Say n here when barebox is part of a secure boot chain and you
	  want to disable defaults that may compromise the boot chain.

	  This option is a moving target. Currently it:

	    - changes the default of global.env.autoprobe to 1

config PASSWORD
	bool
	prompt "Password Framework"
	select DIGEST
	help
	  Enables a framework for password protection.

config PASSWORD_DEFAULT
	string
	prompt "Password default file"
	depends on PASSWORD
	help
	  Set this to a file which is used as the default password file. This file
	  has to contain the password encoded with the selected password digest,
	  e.g. for the MD5 digest:
	  echo -ne "MyPassword" | md5sum | while read a b; do echo $a > passwdfile; done


if PASSWORD

choice
	prompt "passwd checksum"
	default PASSWD_CRYPTO_PBKDF2

config PASSWD_SUM_MD5
	bool "MD5"
	select DIGEST_MD5_GENERIC
	select HAS_INSECURE_DEFAULTS
	help
	  MD5 was widely used historically as a cryptographic hash function,
	  but has been found to suffer from extensive vulnerabilities.
	  Use of MD5 to hash passwords is strongly discouraged.

config PASSWD_SUM_SHA1
	bool "SHA1"
	select DIGEST_SHA1_GENERIC
	select HAS_INSECURE_DEFAULTS
	help
	  SHA-1 was widely used historically as a cryptographic hash function,
	  but has since been cryptographically broken.
	  SHA-1 was also designed for speed, so its use as a password hash is
	  strongly discouraged: it makes brute forcing easier for an attacker.

config PASSWD_SUM_SHA256
	bool "SHA256"
	select DIGEST_SHA256_GENERIC

config PASSWD_SUM_SHA512
	bool "SHA512"
	select DIGEST_SHA512_GENERIC

config PASSWD_CRYPTO_PBKDF2
	bool "PBKDF2"
	select CRYPTO_PBKDF2

endchoice

endif

config CRYPTO_BUILTIN_DEVELOPMENT_KEYS
	select HAS_INSECURE_DEFAULTS
	depends on CRYPTO_BUILTIN_KEYS
	bool "Include development keys in build"
	help
	  Say y here to include well-known development keys in the build. These can
	  be used to authenticate FIT images during development. The private keys can
	  be found at [1], so anyone can sign images that such a build will accept.
	  This option should never be enabled in a production build.

	  [1] https://git.pengutronix.de/cgit/ptx-code-signing-dev/

config CRYPTO_KEYSTORE
	bool "Keystore"
	help
	  This is a simple keystore, which can be used to pass keys
	  between several components via a simple interface.

config BLOBGEN
	select BASE64
	bool "include blob encode/decode support"

config JWT
	bool "JSON Web Token support" if COMPILE_TEST
	select JSMN
	select BASE64
	select CRYPTO_RSA
	select TEST_KEY_RSA2048 if FUZZ

menu "OP-TEE loading"

config HAVE_OPTEE
	bool
	help
	  This symbol is selected by configurations in which barebox either
	  starts OP-TEE or runs while OP-TEE is running. Actual
	  bidirectional communication with OP-TEE is enabled via
	  CONFIG_OPTEE.

config OPTEE_SIZE
	hex
	default 0x02000000
	prompt "OP-TEE Memory Size"
	depends on HAVE_OPTEE
	help
	  Size to reserve in main memory for OP-TEE, including its shared memory.
	  It can be larger than the actual size used by OP-TEE; the reservation
	  prevents barebox from using or speculating into this area.
	  On i.MX, this should be at least OP-TEE CFG_TZDRAM + CFG_SHMEM_SIZE.
	  The name of the CFG_ options may differ on other platforms.

config OPTEE_SHM_SIZE
	hex
	default 0x400000
	prompt "OP-TEE Shared Memory Size"
	depends on HAVE_OPTEE
	help
	  Size to reserve in main memory for static OP-TEE shared memory
	  communication. The OP-TEE shared memory starts directly after
	  the OPTEE TZDRAM region. It should be chosen to be equivalent
	  to CFG_SHMEM_SIZE in OP-TEE.

	  This value can be used for fixing up the OP-TEE OF node.

	  A shared memory size of 0 means that only dynamic shared memory
	  will be supported for communication with OP-TEE. This is the only
	  mode supported by barebox anyway, but support needs to be enabled
	  in OP-TEE at compile-time.

config BOOTM_OPTEE
	bool
	prompt "support booting OP-TEE"
	depends on BOOTM && ARM32
	select HAVE_OPTEE
	select HAS_INSECURE_DEFAULTS
	help
	  OP-TEE is a trusted execution environment (TEE). With this option
	  enabled barebox supports starting optee_os as part of the bootm command.
	  Instead of the kernel, bootm starts the optee_os binary, which then starts
	  the kernel in nonsecure mode. Pass the optee_os binary with the -t option
	  or in the global.bootm.tee variable.

	  This mode of late loading OP-TEE just before the kernel is deprecated
	  in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
	  Early-loading greatly reduces the attack surface and is the only mode
	  supported outside of ARMv7.

config PBL_OPTEE
	bool "Enable OP-TEE early start"
	depends on ARM
	select HAVE_OPTEE
	help
	  Allows starting OP-TEE during lowlevel initialization of the PBL.
	  Requires explicit support in the board's lowlevel file (for ARM32)
	  or the generic SoC support (for ARM64).

	  OP-TEE versions older than 3.11.0 do not support jumping back from OP-TEE
	  to barebox in THUMB2 mode. Make sure you do not compile barebox in THUMB2
	  mode for OP-TEE versions older than this.

endmenu

source "lib/Kconfig.hardening"

config HAS_INSECURE_DEFAULTS
	bool
	help
	  This is selected by options that have potentially insecure defaults.
	  Extra care needs to be taken when these options are not disabled
	  in secure-booted systems.

	  Any option selecting this should include in its help text
	  an explanation of the security considerations.

if HAS_INSECURE_DEFAULTS
comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULTS=y indicating"
comment "that some of the configured options have potentially insecure defaults."
comment "Extra care needs to be taken in secure booted systems."
endif


endmenu
