1*4882a593Smuzhiyun# 2*4882a593Smuzhiyun 3*4882a593Smuzhiyuncomment "Security feature depends on linux kernel" 4*4882a593Smuzhiyun depends on RK_KERNEL_CFG = "" 5*4882a593Smuzhiyun 6*4882a593Smuzhiyuncomment "Security feature would use it's own initrd" 7*4882a593Smuzhiyun depends on RK_ROOTFS_INITRD 8*4882a593Smuzhiyun 9*4882a593Smuzhiyunif RK_KERNEL_CFG != "" && !RK_ROOTFS_INITRD 10*4882a593Smuzhiyun 11*4882a593Smuzhiyunmenu "Security" 12*4882a593Smuzhiyun 13*4882a593Smuzhiyunconfig RK_SECURITY 14*4882a593Smuzhiyun bool "security feature" 15*4882a593Smuzhiyun select RK_USE_FIT_IMG # Security feature depends on FIT image 16*4882a593Smuzhiyun select RK_UBOOT_SPL # Security feature depends on U-Boot SPL loader 17*4882a593Smuzhiyun 18*4882a593Smuzhiyunif RK_SECURITY 19*4882a593Smuzhiyun 20*4882a593Smuzhiyunconfig RK_SECURITY_INITRD_BASE_CFG 21*4882a593Smuzhiyun string "buildroot security ramdisk base cfg (rockchip_<cfg>_ramboot_defconfig)" 22*4882a593Smuzhiyun default RK_CHIP_FAMILY 23*4882a593Smuzhiyun help 24*4882a593Smuzhiyun Base name of buildroot defconfig for security ramdisk. 25*4882a593Smuzhiyun 26*4882a593Smuzhiyunconfig RK_SECURITY_INITRD_CFG 27*4882a593Smuzhiyun string 28*4882a593Smuzhiyun default "rockchip_${RK_SECURITY_INITRD_BASE_CFG}_ramboot" 29*4882a593Smuzhiyun 30*4882a593Smuzhiyunconfig RK_SECURITY_INITRD_TYPE 31*4882a593Smuzhiyun string "security ramdisk filesystem type (cpio/cpio.gz/romfs)" 32*4882a593Smuzhiyun default "cpio.gz" 33*4882a593Smuzhiyun 34*4882a593Smuzhiyunconfig RK_SECURITY_FIT_ITS 35*4882a593Smuzhiyun string "its script for FIT security ramboot image" 36*4882a593Smuzhiyun default RK_RECOVERY_FIT_ITS if RK_RECOVERY_FIT_ITS != "" 37*4882a593Smuzhiyun default "boot4recovery.its" 38*4882a593Smuzhiyun 39*4882a593Smuzhiyuncomment "Security check method (DM-V) needs squashfs rootfs type" 40*4882a593Smuzhiyun depends on RK_ROOTFS_TYPE != "squashfs" 41*4882a593Smuzhiyun 42*4882a593Smuzhiyunconfig RK_SECURITY_CHECK_METHOD 43*4882a593Smuzhiyun string 44*4882a593Smuzhiyun default "DM-E" if RK_SECURITY_CHECK_DM_E 45*4882a593Smuzhiyun default "DM-V" if RK_SECURITY_CHECK_DM_V 46*4882a593Smuzhiyun 47*4882a593Smuzhiyunchoice 48*4882a593Smuzhiyun prompt "security check method (DM-E|DM-V)" 49*4882a593Smuzhiyun default RK_SECURITY_CHECK_DM_E if RK_CHIP_FAMILY = "rk3566_rk3568" 50*4882a593Smuzhiyun 51*4882a593Smuzhiyunconfig RK_SECURITY_CHECK_DM_E 52*4882a593Smuzhiyun bool "DM-E" 53*4882a593Smuzhiyun 54*4882a593Smuzhiyunconfig RK_SECURITY_CHECK_DM_V 55*4882a593Smuzhiyun bool "DM-V" 56*4882a593Smuzhiyun depends on RK_ROOTFS_TYPE = "squashfs" 57*4882a593Smuzhiyun 58*4882a593Smuzhiyunendchoice 59*4882a593Smuzhiyun 60*4882a593Smuzhiyuncomment "Burn security key is dangerous and cannot be reverted!" 61*4882a593Smuzhiyun depends on RK_SECURITY_BURN_KEY 62*4882a593Smuzhiyun 63*4882a593Smuzhiyunconfig RK_SECURITY_BURN_KEY 64*4882a593Smuzhiyun bool "burn security key" 65*4882a593Smuzhiyun help 66*4882a593Smuzhiyun Burn security key's hash to non volatile memory. 67*4882a593Smuzhiyun 68*4882a593Smuzhiyunendif 69*4882a593Smuzhiyun 70*4882a593Smuzhiyunendmenu # Security 71*4882a593Smuzhiyun 72*4882a593Smuzhiyunendif 73