[PATCH v5 01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option
takahiro.akashi at linaro.org
Tue Feb 25 06:02:21 CET 2020
On Sun, Feb 23, 2020 at 11:56:09AM +0100, Heinrich Schuchardt wrote:
> On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> > Under this configuration, UEFI secure boot support will be added
> > in later patches.
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> This patch should be after all the patches that are necessary for secure
> boot, i.e. after patch 09/16. I can take care of that.
Doing so will constrain bisect ability to some extent because
any code under EFI_SECURE_BOOT will never have a chance to be
compiled until this patch is applied.
Then the bisect result could be inaccurate.
> Best regards
> > ---
> > lib/efi_loader/Kconfig | 18 ++++++++++++++++++
> > 1 file changed, 18 insertions(+)
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index a7afa3f29e88..4b09a07f1b0a 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
> > "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
> > device on the platform"
> > +config EFI_SECURE_BOOT
> > + bool "Enable EFI secure boot support"
> > + depends on EFI_LOADER
> > + select SHA256
> > + select RSA
> > + select RSA_VERIFY_WITH_PKEY
> > + select IMAGE_SIGN_INFO
> > + select ASYMMETRIC_KEY_TYPE
> > + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > + select X509_CERTIFICATE_PARSER
> > + select PKCS7_MESSAGE_PARSER
> > + default n
> > + help
> > + Select this option to enable EFI secure boot support.
> > + Once SecureBoot mode is enforced, any EFI binary can run only if
> > + it is signed with a trusted key. To do that, you need to install,
> > + at least, PK, KEK and db.
> > +
> > endif
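Review bot: `default n` in the new `config EFI_SECURE_BOOT` block is redundant, since a Kconfig bool with no default already defaults to n; dropping it keeps the entry in the style of the neighbouring `config EFI_RNG_PROTOCOL`. The help text could also spell out what PK, KEK and db are (Platform Key, Key Exchange Key and the authorized signature database), use "secure boot" consistently with the option title instead of "SecureBoot mode", and state that enabling the option only builds the support, with enforcement depending on the later patches in this series, which is the ordering concern raised in the thread above.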