[v3,02/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option

Message ID 20191209060056.32426-3-takahiro.akashi@linaro.org
State Superseded
Delegated to: Heinrich Schuchardt
Series
  • efi_loader: add secure boot support

Commit Message

AKASHI Takahiro Dec. 9, 2019, 6 a.m. UTC
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 lib/efi_loader/Kconfig | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Patch

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c7027a967653..fc4199838c98 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -115,4 +115,20 @@  config EFI_GRUB_ARM32_WORKAROUND
 	  GRUB prior to version 2.04 requires U-Boot to disable caches. This
 	  workaround currently is also needed on systems with caches that
 	  cannot be managed via CP15.
+
+config EFI_SECURE_BOOT
+	bool "Enable EFI secure boot support"
+	depends on EFI_LOADER
+	imply SHA256
+        depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+        imply RSA_VERIFY_WITH_PKEY
+        imply X509_CERTIFICATE_PARSER
+        imply PCKS7_MESSAGE_PARSER
+	default n
+	help
+	  Select this option to enable EFI secure boot support.
+	  Once SecureBoot mode is enforced, any EFI binary can run only if
+	  it is signed with a trusted key. To do that, you need to install,
+	  at least, PK, KEK and db.
+
 endif
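Review bot: `imply PCKS7_MESSAGE_PARSER` in the new EFI_SECURE_BOOT entry looks like a transposition of PKCS7; Kconfig accepts an `imply` on an undefined symbol without any diagnostic, so the PKCS#7 parser would silently stay disabled in configurations that rely on this entry to pull it in. The line should read `imply PKCS7_MESSAGE_PARSER`. Separately, because SHA256, RSA_VERIFY_WITH_PKEY, the X.509 parser and the PKCS#7 parser are only implied, a configuration can switch them off while EFI_SECURE_BOOT stays enabled; if the verification code added by the later patches cannot work without them, `select` is the safer relation for a feature whose purpose is to enforce signature checks. The four lines after `imply SHA256` are indented with spaces instead of the tab used by the rest of the entry, and `default n` is redundant for a bool. The `if` block closed by the trailing `endif` starts outside this hunk.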