linux/drivers/tee/optee/Kconfig

# SPDX-License-Identifier: GPL-2.0-only
# OP-TEE Trusted Execution Environment Configuration
config OPTEE
	tristate "OP-TEE"
	depends on HAVE_ARM_SMCCC
	depends on MMU
	depends on RPMB || !RPMB
	help
	  This implements the OP-TEE Trusted Execution Environment (TEE)
	  driver.

config OPTEE_INSECURE_LOAD_IMAGE
	bool "Load OP-TEE image as firmware"
	default n
	depends on OPTEE && ARM64
	help
	  Load the BL32 image for OP-TEE as firmware when the driver is probed.
	  The probe returns -EPROBE_DEFER until the firmware can be loaded from
	  the filesystem, which is detected by checking system_state until it
	  reaches SYSTEM_RUNNING. The corresponding option must also be enabled
	  in Trusted Firmware for Arm.

	  With this option the secure-world image is supplied by the kernel
	  from the filesystem, so its integrity depends on the kernel and
	  everything booted before it being trustworthy at load time. The
	  Trusted Firmware for Arm documentation explains the security threat
	  associated with enabling this, as well as mitigations at the firmware
	  and platform level:
	  https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

	  Additional documentation on the kernel security risks is at
	  Documentation/tee/op-tee.rst. Review both documents before enabling
	  this option. If unsure, say N.