[U-Boot] [RFC 12/15] efi_loader: add CONFIG_EFI_SECURE_BOOT

AKASHI Takahiro takahiro.akashi at linaro.org
Wed Sep 18 01:26:40 UTC 2019


Now we can enable UEFI secure boot with this option.

Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
 lib/efi_loader/Kconfig | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c7027a967653..fb66766d2b7a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -115,4 +115,17 @@ config EFI_GRUB_ARM32_WORKAROUND
 	  GRUB prior to version 2.04 requires U-Boot to disable caches. This
 	  workaround currently is also needed on systems with caches that
 	  cannot be managed via CP15.
+
+config EFI_SECURE_BOOT
+	bool "Enable EFI secure boot support"
+	depends on EFI_LOADER
+	depends on SECURE_BOOT
+	imply RSA_VERIFY_WITH_PKEY
+	default n
+	help
+	  Select this option to enable EFI secure boot support.
+	  Once SecureBoot mode is enforced, any EFI binary can run only if
+	  it is signed with a trusted key. To do that, you need to install,
+	  at least, PK, KEK and db.
+
 endif
-- 
2.21.0



More information about the U-Boot mailing list