
[v7,01/17] efi_loader: add CONFIG_EFI_SECURE_BOOT config option

Message ID 20200414025154.27283-2-takahiro.akashi@linaro.org
State Accepted
Commit 9bf09b5120da6d21d9e7774d958b98116828f907
Series efi_loader: add secure boot support | expand

Commit Message

AKASHI Takahiro April 14, 2020, 2:51 a.m. UTC
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
 lib/efi_loader/Kconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Patch

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9890144d4161..71a0d003c914 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -145,4 +145,22 @@  config EFI_INITRD_FILESPEC
 	help
 	  Full path of the initramfs file, e.g. mmc 0:2 initramfs.cpio.gz.
 
+config EFI_SECURE_BOOT
+	bool "Enable EFI secure boot support"
+	depends on EFI_LOADER
+	select SHA256
+	select RSA
+	select RSA_VERIFY_WITH_PKEY
+	select IMAGE_SIGN_INFO
+	select ASYMMETRIC_KEY_TYPE
+	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+	select X509_CERTIFICATE_PARSER
+	select PKCS7_MESSAGE_PARSER
+	default n
+	help
+	  Select this option to enable EFI secure boot support.
+	  Once SecureBoot mode is enforced, any EFI binary can run only if
+	  it is signed with a trusted key. To do that, you need to install,
+	  at least, PK, KEK and db.
+
 endif
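Review bot: The help text for `EFI_SECURE_BOOT` does not say what happens when the option is built in but PK, KEK and db have not been installed, and "Once SecureBoot mode is enforced" can be read as if enabling the option were enough. Under the UEFI model a platform with no PK is in setup mode and signature checking is presumably not enforced, but the verification code is not part of this patch, so this needs confirming against the later patches in the series. I would add a sentence to the help along the lines of `Enabling this option alone does not enforce verification; until PK is installed, unsigned EFI binaries can still run.` so that nobody ships a build believing it is locked down. Separately, `default n` is redundant for a bool symbol and can be dropped.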