[v5,01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option
diff mbox series

Message ID 20200128082532.15943-2-takahiro.akashi@linaro.org
State Superseded
Delegated to: Heinrich Schuchardt
Headers show
Series
  • efi_loader: add secure boot support
Related show

Commit Message

AKASHI Takahiro Jan. 28, 2020, 8:25 a.m. UTC
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 lib/efi_loader/Kconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Comments

Heinrich Schuchardt Feb. 23, 2020, 10:56 a.m. UTC | #1
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> Under this configuration, UEFI secure boot support will be added
> in later patches.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

This patch should be after all the patches that are necessary for secure
boot, i.e. after patch 09/16. I can take care of that.

Best regards

Heinrich

> ---
>   lib/efi_loader/Kconfig | 18 ++++++++++++++++++
>   1 file changed, 18 insertions(+)
>
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index a7afa3f29e88..4b09a07f1b0a 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
>   	  "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
>   	   device on the platform"
>
> +config EFI_SECURE_BOOT
> +	bool "Enable EFI secure boot support"
> +	depends on EFI_LOADER
> +	select SHA256
> +	select RSA
> +	select RSA_VERIFY_WITH_PKEY
> +	select IMAGE_SIGN_INFO
> +	select ASYMMETRIC_KEY_TYPE
> +	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +	select X509_CERTIFICATE_PARSER
> +	select PKCS7_MESSAGE_PARSER
> +	default n
> +	help
> +	  Select this option to enable EFI secure boot support.
> +	  Once SecureBoot mode is enforced, any EFI binary can run only if
> +	  it is signed with a trusted key. To do that, you need to install,
> +	  at least, PK, KEK and db.
> +
>   endif
>
AKASHI Takahiro Feb. 25, 2020, 5:02 a.m. UTC | #2
On Sun, Feb 23, 2020 at 11:56:09AM +0100, Heinrich Schuchardt wrote:
> On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> > Under this configuration, UEFI secure boot support will be added
> > in later patches.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> 
> This patch should be after all the patches that are necessary for secure
> boot, i.e. after patch 09/16. I can take care of that.

I disagree.
Doing so will constrain bisect ability to some extent because
any code under EFI_SECURE_BOOT will never have a chance to be
compiled until this patch is applied.
Then bisect result could be inaccurate.

Thanks,
-Takahiro Akashi


> Best regards
> 
> Heinrich
> 
> > ---
> >   lib/efi_loader/Kconfig | 18 ++++++++++++++++++
> >   1 file changed, 18 insertions(+)
> > 
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index a7afa3f29e88..4b09a07f1b0a 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
> >   	  "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
> >   	   device on the platform"
> > 
> > +config EFI_SECURE_BOOT
> > +	bool "Enable EFI secure boot support"
> > +	depends on EFI_LOADER
> > +	select SHA256
> > +	select RSA
> > +	select RSA_VERIFY_WITH_PKEY
> > +	select IMAGE_SIGN_INFO
> > +	select ASYMMETRIC_KEY_TYPE
> > +	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > +	select X509_CERTIFICATE_PARSER
> > +	select PKCS7_MESSAGE_PARSER
> > +	default n
> > +	help
> > +	  Select this option to enable EFI secure boot support.
> > +	  Once SecureBoot mode is enforced, any EFI binary can run only if
> > +	  it is signed with a trusted key. To do that, you need to install,
> > +	  at least, PK, KEK and db.
> > +
> >   endif
> > 
>

Patch
diff mbox series

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a7afa3f29e88..4b09a07f1b0a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -130,4 +130,22 @@  config EFI_RNG_PROTOCOL
 	  "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
 	   device on the platform"
 
+config EFI_SECURE_BOOT
+	bool "Enable EFI secure boot support"
+	depends on EFI_LOADER
+	select SHA256
+	select RSA
+	select RSA_VERIFY_WITH_PKEY
+	select IMAGE_SIGN_INFO
+	select ASYMMETRIC_KEY_TYPE
+	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+	select X509_CERTIFICATE_PARSER
+	select PKCS7_MESSAGE_PARSER
+	default n
+	help
+	  Select this option to enable EFI secure boot support.
+	  Once SecureBoot mode is enforced, any EFI binary can run only if
+	  it is signed with a trusted key. To do that, you need to install,
+	  at least, PK, KEK and db.
+
 endif