[PATCH v6 01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option
AKASHI Takahiro
takahiro.akashi at linaro.org
Wed Feb 26 05:54:33 CET 2020
Under this configuration, UEFI secure boot support will be added
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
lib/efi_loader/Kconfig | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a7afa3f29e88..4b09a07f1b0a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
"Support for EFI_RNG_PROTOCOL implementation. Uses the rng
device on the platform"
+config EFI_SECURE_BOOT
+ bool "Enable EFI secure boot support"
+ depends on EFI_LOADER
+ select SHA256
+ select RSA
+ select RSA_VERIFY_WITH_PKEY
+ select IMAGE_SIGN_INFO
+ select ASYMMETRIC_KEY_TYPE
+ select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER
+ default n
+ help
+ Select this option to enable EFI secure boot support.
+ Once SecureBoot mode is enforced, any EFI binary can run only if
+ it is signed with a trusted key. To do that, you need to install,
+ at least, PK, KEK and db.
+
endif
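Review bot: The help text for EFI_SECURE_BOOT says "Once SecureBoot mode is enforced" but does not say what puts the loader into that mode, nor how binaries are treated before PK, KEK and db are installed. A reader could assume that enabling the option is enough to get signature enforcement. Please spell out both points in the help text. Since the commit message says the actual support arrives in later patches, it may also be worth noting that this option only pulls in the crypto dependencies at this point in the series. Two style points: `default n` is redundant for a bool symbol and can be dropped, and the blank line added before `endif` is not needed.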
--
2.24.0