Message ID | 20200128082532.15943-2-takahiro.akashi@linaro.org |
---|---|
State | Superseded |
Delegated to: | Heinrich Schuchardt |
Series | efi_loader: add secure boot support |
On 1/28/20 9:25 AM, AKASHI Takahiro wrote: > Under this configuration, UEFI secure boot support will be added > in later patches. > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> This patch should be after all the patches that are necessary for secure boot, i.e. after patch 09/16. I can take care of that. Best regards Heinrich > --- > lib/efi_loader/Kconfig | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index a7afa3f29e88..4b09a07f1b0a 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL > "Support for EFI_RNG_PROTOCOL implementation. Uses the rng > device on the platform" > > +config EFI_SECURE_BOOT > + bool "Enable EFI secure boot support" > + depends on EFI_LOADER > + select SHA256 > + select RSA > + select RSA_VERIFY_WITH_PKEY > + select IMAGE_SIGN_INFO > + select ASYMMETRIC_KEY_TYPE > + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select X509_CERTIFICATE_PARSER > + select PKCS7_MESSAGE_PARSER > + default n > + help > + Select this option to enable EFI secure boot support. > + Once SecureBoot mode is enforced, any EFI binary can run only if > + it is signed with a trusted key. To do that, you need to install, > + at least, PK, KEK and db. > + > endif >
On Sun, Feb 23, 2020 at 11:56:09AM +0100, Heinrich Schuchardt wrote: > On 1/28/20 9:25 AM, AKASHI Takahiro wrote: > > Under this configuration, UEFI secure boot support will be added > > in later patches. > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > This patch should be after all the patches that are necessary for secure > boot, i.e. after patch 09/16. I can take care of that. I disagree. Doing so will constrain bisect ability to some extent because any code under EFI_SECURE_BOOT will never have a chance to be compiled until this patch is applied. Then bisect result could be inaccurate. Thanks, -Takahiro Akashi > Best regards > > Heinrich > > > --- > > lib/efi_loader/Kconfig | 18 ++++++++++++++++++ > > 1 file changed, 18 insertions(+) > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > index a7afa3f29e88..4b09a07f1b0a 100644 > > --- a/lib/efi_loader/Kconfig > > +++ b/lib/efi_loader/Kconfig > > @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL > > "Support for EFI_RNG_PROTOCOL implementation. Uses the rng > > device on the platform" > > > > +config EFI_SECURE_BOOT > > + bool "Enable EFI secure boot support" > > + depends on EFI_LOADER > > + select SHA256 > > + select RSA > > + select RSA_VERIFY_WITH_PKEY > > + select IMAGE_SIGN_INFO > > + select ASYMMETRIC_KEY_TYPE > > + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE > > + select X509_CERTIFICATE_PARSER > > + select PKCS7_MESSAGE_PARSER > > + default n > > + help > > + Select this option to enable EFI secure boot support. > > + Once SecureBoot mode is enforced, any EFI binary can run only if > > + it is signed with a trusted key. To do that, you need to install, > > + at least, PK, KEK and db. > > + > > endif > > >
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index a7afa3f29e88..4b09a07f1b0a 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL "Support for EFI_RNG_PROTOCOL implementation. Uses the rng device on the platform" +config EFI_SECURE_BOOT + bool "Enable EFI secure boot support" + depends on EFI_LOADER + select SHA256 + select RSA + select RSA_VERIFY_WITH_PKEY + select IMAGE_SIGN_INFO + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + default n + help + Select this option to enable EFI secure boot support. + Once SecureBoot mode is enforced, any EFI binary can run only if + it is signed with a trusted key. To do that, you need to install, + at least, PK, KEK and db. + endif
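Review bot: `+ default n` is redundant and can be dropped, since a Kconfig bool with no `default` line already defaults to n. In the help text, `SecureBoot mode` is inconsistent with the prompt string `"Enable EFI secure boot support"` and the option name; write `secure boot mode`. The last two help sentences would also read more clearly as one, e.g. `To enforce it, you need to install at least PK, KEK and db.` Finally, the long `select` list (SHA256, RSA, RSA_VERIFY_WITH_PKEY, IMAGE_SIGN_INFO, the ASYMMETRIC_* and parser symbols) should be build-checked on a defconfig that does not already enable them, since `select` does not satisfy the selected symbols' own dependencies and any unmet one produces a Kconfig warning.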
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 lib/efi_loader/Kconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)