# SPDX-License-Identifier: GPL-2.0
#
# Hardware assisted os compartmentalization(Haoc) configuration
#
menu "Hardware Assisted OS Compartmentalization(HAOC)"

config IEE
	bool "Isolated Execution Environment Framework(IEE)"
	depends on ARM64_4K_PAGES
	depends on ARM64_VA_BITS_48
	help
		Support for Isolated Execution Environment Framework. Foundation of HAOC.
		Could isolate kernel critical data and enforce all write access made and
		verified in IEE APIs.
		Needs hardware support FEAT_HPDS.

config IEE_PTRP
	bool "Pointer Protection for IEE(IEE_PTRP)"
	depends on IEE
	help
		Provide IEE matadata for each process called task_token to allow
		verifing pointers inside task_struct, like struct cred* that determines
		the capabilities of a process.
		Could be a enhancement of other sub-module of HAOC.

config IEE_SIP
	bool "Sensitive Instruction Protection for IEE(IEE_SIP)"
	depends on IEE
	help
		Protects critical instructions that may break the isolation of IEE,
		such as writing system control registers. These instructions would
		be executated inside IEE.

config CREDP
	bool "Struct cred protection(CREDP)"
	depends on IEE
	help
		Protects kernel struct cred. All modifications of cred must be made and
		verified by IEE APIs, and critical dereferences of cred would be monitored
		by IEE either.
		If unsure, say N.

config PTP
	bool "Page Table Protection(PTP)"
	help
		Protects page tables by IEE, requring each page table modification call
		IEE Gate for secure mapping.
	depends on IEE

config PTP_RESERVE_ORDER
	depends on PTP
	int "maximum allowable 2^PTP_RESERVE_ORDER pages for one level page table"
	range 9 15
	default 12


endmenu # HAOC
