[U-Boot] [RFC 12/15] efi_loader: add CONFIG_EFI_SECURE_BOOT
AKASHI Takahiro
takahiro.akashi at linaro.org
Wed Sep 18 01:26:40 UTC 2019
Now we can enable UEFI secure boot with this option.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
lib/efi_loader/Kconfig | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c7027a967653..fb66766d2b7a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -115,4 +115,17 @@ config EFI_GRUB_ARM32_WORKAROUND
GRUB prior to version 2.04 requires U-Boot to disable caches. This
workaround currently is also needed on systems with caches that
cannot be managed via CP15.
+
+config EFI_SECURE_BOOT
+ bool "Enable EFI secure boot support"
+ depends on EFI_LOADER
+ depends on SECURE_BOOT
+ imply RSA_VERIFY_WITH_PKEY
+ default n
+ help
+ Select this option to enable EFI secure boot support.
+ Once SecureBoot mode is enforced, any EFI binary can run only if
+ it is signed with a trusted key. To do that, you need to install,
+ at least, PK, KEK and db.
+
endif
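Review bot: "imply RSA_VERIFY_WITH_PKEY" in the new EFI_SECURE_BOOT entry is only a weak dependency, so RSA_VERIFY_WITH_PKEY can still be turned off while EFI_SECURE_BOOT=y. If image signatures cannot be checked without it, make it "select RSA_VERIFY_WITH_PKEY" (or a "depends on") so that a build which advertises secure boot but cannot verify anything is not a valid configuration. "default n" is redundant for a bool and can be dropped. The help text says binaries are restricted "Once SecureBoot mode is enforced" but not how that mode is entered or whether unsigned binaries still run while PK, KEK and db are not yet installed; one sentence stating that behaviour would keep users from assuming the option alone enforces verification.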
--
2.21.0