[PATCH v5 01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option
Heinrich Schuchardt
xypron.glpk at gmx.de
Sun Feb 23 11:56:09 CET 2020
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> Under this configuration, UEFI secure boot support will be added
> in later patches.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
This patch should be after all the patches that are necessary for secure
boot, i.e. after patch 09/16. I can take care of that.
Best regards
Heinrich
> ---
> lib/efi_loader/Kconfig | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index a7afa3f29e88..4b09a07f1b0a 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
> "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
> device on the platform"
>
> +config EFI_SECURE_BOOT
> + bool "Enable EFI secure boot support"
> + depends on EFI_LOADER
> + select SHA256
> + select RSA
> + select RSA_VERIFY_WITH_PKEY
> + select IMAGE_SIGN_INFO
> + select ASYMMETRIC_KEY_TYPE
> + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> + select X509_CERTIFICATE_PARSER
> + select PKCS7_MESSAGE_PARSER
> + default n
> + help
> + Select this option to enable EFI secure boot support.
> + Once SecureBoot mode is enforced, any EFI binary can run only if
> + it is signed with a trusted key. To do that, you need to install,
> + at least, PK, KEK and db.
> +
> endif
>
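Review bot: The help text of the new `config EFI_SECURE_BOOT` entry says a binary must be signed "once SecureBoot mode is enforced", but it does not state what happens when the option is enabled and PK, KEK and db have not been installed yet. Please add a sentence saying whether images are verified in that state, so that nobody assumes that setting the option alone enforces signature checking. Two smaller points in the same entry: `default n` is redundant for a `bool` and can be dropped, and because `select` does not honour the dependencies of the selected symbols, it is worth confirming that each of the eight selected options (`SHA256` through `PKCS7_MESSAGE_PARSER`) has its own dependencies satisfied whenever `EFI_LOADER` is set.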