From patchwork Wed Nov 9 03:29:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 622916 Delivered-To: patch@linaro.org Received: by 2002:a17:522:c983:b0:460:3032:e3c4 with SMTP id kr3csp16784pvb; Tue, 8 Nov 2022 19:28:21 -0800 (PST) X-Google-Smtp-Source: AMsMyM4akl4JW3tL0ZWS4UOp7zGInCTT/Ryqli4JrOu9ZGisjdwvud2hfuM7p2X1Pd1Mrq5Q+Kdx X-Received: by 2002:a17:906:edb9:b0:7ad:a423:dc75 with SMTP id sa25-20020a170906edb900b007ada423dc75mr53796813ejb.213.1667964501208; Tue, 08 Nov 2022 19:28:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667964501; cv=none; d=google.com; s=arc-20160816; b=kVnDFhnSLygzYfiC5aXisE0AqUrPGirU4pv/iD9i9rIpyRQ2rRfRXd/btRPuPGCOvM igyQ/P37laAziLgE3M8bFEtKU/pubC5FyJh9RBja9o5cNVNODEdJzRGKeyIV0iFBVMYe ryE21p9sqHeEYl3mn2qd0s7eWeoga1IF6zYoFJZ01M16Cd8LwB2TqRJImbrjeAUKs1hO fcMIoS+YAayx/R8lNu+5f1J6/81KcxzKORy+mblt0UDsOqUei2/kUxh/O3Xaj88lxejE BA4V8QUIgJivNV8KhrGU8uImKbc1vylPyJhwti4EfwFXJwbr2VeGsyLc6Qd6uaTQvaow 8s2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=lkjs1yXUE4YkmRcZWfAreBRsbj3Ag+aHo6DENxXkEP8=; b=l5XB0KLek9ZjjsNUE90UirGm2VaDSRq66ek6pVZ7pGtXiE4XTdAe3HLa2IPp/U/sfu 50f1Wx9g/aYvGcRE8A9m4Gp098hYHqddKUSLYQ8PjJWOzKlKiQQn/+3QcXs+FikHb1sj 76MIjx88a9Y3xeeyhEDD69ysTJ+7uKSHhPaUJAB/7QZC24XmTfFrGDE7R6RBvikpteyq ljhuOmyAwKWNuaU1NekEQrQHb/iRQ8gHVsE+PDKT8zTw/aF+rIoDXq0M8Ovc4ZGHQzFd AUE9Twr/1LJDWfESRuxRS5rj+XvUI2MCIG7Z/KDDWZJe1CBu+j2kPNBOK8wFDahIhBf4 TSSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="tQJBcw/F"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id hw19-20020a170907a0d300b007adb868f102si10982706ejc.476.2022.11.08.19.28.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Nov 2022 19:28:21 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="tQJBcw/F"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BBEFC8502B; Wed, 9 Nov 2022 04:27:49 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="tQJBcw/F"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id F20C285004; Wed, 9 Nov 2022 04:27:47 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B0F7384FFA for ; Wed, 9 Nov 2022 04:27:41 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x533.google.com with SMTP id r18so15087321pgr.12 for ; Tue, 08 Nov 2022 19:27:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=lkjs1yXUE4YkmRcZWfAreBRsbj3Ag+aHo6DENxXkEP8=; b=tQJBcw/F1zm4Q+XjzWUBTI+s9Y+ar/i3hYwD1oqYcHvwoJLnKcmwMLlLpT/yEO7YUN cieX2LsiG0R/JPqPfg1xZAPT/f3hX6yL4S+92QZLchdXaTmTKWHV753WBlxy3nxT3/VM 1No9phMlKpTgLPFljKTQNv7i0lk5a0Im7RUFAvAw8Nf2vLERRNX7arIFn0OA3nJc1MUx TYhGHjlKD3WYe4/ep3sHuAaDkyfjvfhpiZ05sHSJt7WCPWCpRigLhw/+QNknOYKabpiU f5s+eZf5/vMdhbgRoCaOmTwS8bANAkzo05Uji+/i+pZhO5NDlzeh1dwmWa7nwtfxhYA2 8xeA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lkjs1yXUE4YkmRcZWfAreBRsbj3Ag+aHo6DENxXkEP8=; b=2wyfRjlaTqtaUGVVkkijfKcj8Nc4BUMUgGxv9Q2X/y34yFbYmREDqciNrDrB2StKSl wT6ENBBl05CbA/tOXhCFTYYnLz9IDFfMQTccgUzwu/padvyDkK4iuGSgRYz/PJG2TNG9 uEjqihK8Ek37uz5PKBZOIMbCyVl4L8HjDNbSXVZ+8EENb7hFAJjwqmtrLjW15u/y9nEf MmLO2gdBxp0Ws46x1I5ZA+BiXejmJ9JavQR67JmFb/Koz2AarF28COFRk6BHy08eT9YI rr3W7u8xRogaFAAaE9oKZiedx/r3ZsK1xbeFnh9nQliVu0L70eBhBNp6P8ac3wcGKOwl iTvw== X-Gm-Message-State: ACrzQf3lG+vt+68psF5dx5FSb5rY3wuT1u2ygp2w9dcNdCwe29IIGo4W tjwAdGUujAar2r7kU5GS3mgpwqF97sGMNA== X-Received: by 2002:a63:2cd2:0:b0:41c:5901:67d8 with SMTP id s201-20020a632cd2000000b0041c590167d8mr50346303pgs.365.1667964459470; Tue, 08 Nov 2022 19:27:39 -0800 (PST) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id l10-20020a170903120a00b00177faf558b5sm7742103plh.250.2022.11.08.19.27.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Nov 2022 19:27:39 -0800 (PST) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Simon Glass , Takahiro Akashi , Etienne Carriere , Masahisa Kojima , Roger Knecht , Ashok Reddy Soma , Ovidiu Panait Subject: [PATCH v6 4/5] eficonfig: add UEFI Secure Boot Key enrollment interface Date: Wed, 9 Nov 2022 12:29:03 +0900 Message-Id: <20221109032904.5361-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221109032904.5361-1-masahisa.kojima@linaro.org> References: <20221109032904.5361-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commit adds the menu-driven UEFI Secure Boot Key enrollment interface. User can enroll the PK, KEK, db and dbx by selecting EFI Signature Lists file. After the PK is enrolled, UEFI Secure Boot is enabled and EFI Signature Lists file must be signed by KEK or PK. Signed-off-by: Masahisa Kojima --- Changes in v6: - use efi_secure_boot_enabled() - replace with WIN_CERT_REVISION_2_0 from pe.h - call efi_build_signature_store() to check the valid EFI Signature List - update comment Changes in v4: - add CONFIG_EFI_MM_COMM_TEE dependency - fix error handling Changes in v3: - fix error handling Changes in v2: - allow to enroll .esl file - fix typos - add function comments cmd/Makefile | 5 + cmd/eficonfig.c | 3 + cmd/eficonfig_sbkey.c | 333 ++++++++++++++++++++++++++++++++++++++++++ include/efi_config.h | 5 + 4 files changed, 346 insertions(+) create mode 100644 cmd/eficonfig_sbkey.c diff --git a/cmd/Makefile b/cmd/Makefile index c95e09d058..e43ef22e98 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -66,6 +66,11 @@ obj-$(CONFIG_CMD_EEPROM) += eeprom.o obj-$(CONFIG_EFI) += efi.o obj-$(CONFIG_CMD_EFIDEBUG) += efidebug.o obj-$(CONFIG_CMD_EFICONFIG) += eficonfig.o +ifdef CONFIG_CMD_EFICONFIG +ifdef CONFIG_EFI_MM_COMM_TEE +obj-$(CONFIG_EFI_SECURE_BOOT) += eficonfig_sbkey.o +endif +endif obj-$(CONFIG_CMD_ELF) += elf.o obj-$(CONFIG_CMD_EROFS) += erofs.o obj-$(CONFIG_HUSH_PARSER) += exit.o diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c index c765b795d0..0b643a046c 100644 --- a/cmd/eficonfig.c +++ b/cmd/eficonfig.c @@ -2447,6 +2447,9 @@ static const struct eficonfig_item maintenance_menu_items[] = { {"Edit Boot Option", eficonfig_process_edit_boot_option}, {"Change Boot Order", eficonfig_process_change_boot_order}, {"Delete Boot Option", eficonfig_process_delete_boot_option}, +#if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT) && CONFIG_IS_ENABLED(EFI_MM_COMM_TEE)) + {"Secure Boot Configuration", eficonfig_process_secure_boot_config}, +#endif {"Quit", eficonfig_process_quit}, }; diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c new file mode 100644 index 0000000000..e4a3573f1b --- /dev/null +++ b/cmd/eficonfig_sbkey.c @@ -0,0 +1,333 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Menu-driven UEFI Secure Boot Key Maintenance + * + * Copyright (c) 2022 Masahisa Kojima, Linaro Limited + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +enum efi_sbkey_signature_type { + SIG_TYPE_X509 = 0, + SIG_TYPE_HASH, + SIG_TYPE_CRL, + SIG_TYPE_RSA2048, +}; + +struct eficonfig_sigtype_to_str { + efi_guid_t sig_type; + char *str; + enum efi_sbkey_signature_type type; +}; + +static const struct eficonfig_sigtype_to_str sigtype_to_str[] = { + {EFI_CERT_X509_GUID, "X509", SIG_TYPE_X509}, + {EFI_CERT_SHA256_GUID, "SHA256", SIG_TYPE_HASH}, + {EFI_CERT_X509_SHA256_GUID, "X509_SHA256 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA384_GUID, "X509_SHA384 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA512_GUID, "X509_SHA512 CRL", SIG_TYPE_CRL}, + /* U-Boot does not support the following signature types */ +/* {EFI_CERT_RSA2048_GUID, "RSA2048", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_RSA2048_SHA256_GUID, "RSA2048_SHA256", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_SHA1_GUID, "SHA1", SIG_TYPE_HASH}, */ +/* {EFI_CERT_RSA2048_SHA_GUID, "RSA2048_SHA", SIG_TYPE_RSA2048 }, */ +/* {EFI_CERT_SHA224_GUID, "SHA224", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA384_GUID, "SHA384", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA512_GUID, "SHA512", SIG_TYPE_HASH}, */ +}; + +/** + * create_time_based_payload() - create payload for time based authenticate variable + * + * @db: pointer to the original signature database + * @new_db: pointer to the authenticated variable payload + * @size: pointer to payload size + * Return: status code + */ +static efi_status_t create_time_based_payload(void *db, void **new_db, efi_uintn_t *size) +{ + efi_status_t ret; + struct efi_time time; + efi_uintn_t total_size; + struct efi_variable_authentication_2 *auth; + + *new_db = NULL; + + /* + * SetVariable() call with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS + * attribute requires EFI_VARIABLE_AUTHENTICATED_2 descriptor, prepare it + * without certificate data in it. + */ + total_size = sizeof(struct efi_variable_authentication_2) + *size; + + auth = calloc(1, total_size); + if (!auth) + return EFI_OUT_OF_RESOURCES; + + ret = EFI_CALL((*efi_runtime_services.get_time)(&time, NULL)); + if (ret != EFI_SUCCESS) { + free(auth); + return EFI_OUT_OF_RESOURCES; + } + time.pad1 = 0; + time.nanosecond = 0; + time.timezone = 0; + time.daylight = 0; + time.pad2 = 0; + memcpy(&auth->time_stamp, &time, sizeof(time)); + auth->auth_info.hdr.dwLength = sizeof(struct win_certificate_uefi_guid); + auth->auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + auth->auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + guidcpy(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7); + if (db) + memcpy((u8 *)auth + sizeof(struct efi_variable_authentication_2), db, *size); + + *new_db = auth; + *size = total_size; + + return EFI_SUCCESS; +} + +/** + * file_have_auth_header() - check file has EFI_VARIABLE_AUTHENTICATION_2 header + * @buf: pointer to file + * @size: file size + * Return: true if file has auth header, false otherwise + */ +static bool file_have_auth_header(void *buf, efi_uintn_t size) +{ + struct efi_variable_authentication_2 *auth = buf; + + if (auth->auth_info.hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) + return false; + + if (guidcmp(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7)) + return false; + + return true; +} + +/** + * eficonfig_process_enroll_key() - enroll key into signature database + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_enroll_key(void *data) +{ + u32 attr; + char *buf = NULL; + efi_uintn_t size; + efi_status_t ret; + void *new_db = NULL; + struct efi_file_handle *f; + struct efi_file_handle *root; + struct eficonfig_select_file_info file_info; + + file_info.current_path = calloc(1, EFICONFIG_FILE_PATH_BUF_SIZE); + if (!file_info.current_path) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + + ret = eficonfig_select_file_handler(&file_info); + if (ret != EFI_SUCCESS) + goto out; + + ret = efi_open_volume_int(file_info.current_volume, &root); + if (ret != EFI_SUCCESS) + goto out; + + ret = efi_file_open_int(root, &f, file_info.current_path, EFI_FILE_MODE_READ, 0); + if (ret != EFI_SUCCESS) + goto out; + + size = 0; + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, NULL)); + if (ret != EFI_BUFFER_TOO_SMALL) + goto out; + + buf = calloc(1, size); + if (!buf) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, buf)); + if (ret != EFI_SUCCESS) + goto out; + + size = ((struct efi_file_info *)buf)->file_size; + free(buf); + + buf = calloc(1, size); + if (!buf) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + + ret = efi_file_read_int(f, &size, buf); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to read file."); + goto out; + } + if (size == 0) { + eficonfig_print_msg("ERROR! File is empty."); + goto out; + } + + if (!file_have_auth_header(buf, size)) { + struct efi_signature_store *sigstore; + char *tmp_buf; + + /* Check if the file is valid EFI Signature List(s) */ + tmp_buf = calloc(1, size); + if (!tmp_buf) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + memcpy(tmp_buf, buf, size); + /* tmp_buf is freed in efi_build_signature_store() */ + sigstore = efi_build_signature_store(tmp_buf, size); + if (!sigstore) { + eficonfig_print_msg("ERROR! Invalid file format."); + ret = EFI_INVALID_PARAMETER; + goto out; + } + efi_sigstore_free(sigstore); + + ret = create_time_based_payload(buf, &new_db, &size); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to create payload with timestamp."); + goto out; + } + + free(buf); + buf = new_db; + } + + attr = EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + /* PK can enroll only one certificate */ + if (u16_strcmp(data, u"PK")) { + efi_uintn_t db_size = 0; + + /* check the variable exists. If exists, add APPEND_WRITE attribute */ + ret = efi_get_variable_int(data, efi_auth_var_get_guid(data), NULL, + &db_size, NULL, NULL); + if (ret == EFI_BUFFER_TOO_SMALL) + attr |= EFI_VARIABLE_APPEND_WRITE; + } + + ret = efi_set_variable_int((u16 *)data, efi_auth_var_get_guid((u16 *)data), + attr, size, buf, false); + if (ret != EFI_SUCCESS) + eficonfig_print_msg("ERROR! Failed to update signature database"); + +out: + free(file_info.current_path); + free(buf); + + /* return to the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + +static struct eficonfig_item key_config_menu_items[] = { + {"Enroll New Key", eficonfig_process_enroll_key}, + {"Quit", eficonfig_process_quit}, +}; + +/** + * eficonfig_process_set_secure_boot_key() - display the key configuration menu + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_set_secure_boot_key(void *data) +{ + u32 i; + efi_status_t ret; + char header_str[32]; + struct efimenu *efi_menu; + + for (i = 0; i < ARRAY_SIZE(key_config_menu_items); i++) + key_config_menu_items[i].data = data; + + snprintf(header_str, sizeof(header_str), " ** Configure %ls **", (u16 *)data); + + while (1) { + efi_menu = eficonfig_create_fixed_menu(key_config_menu_items, + ARRAY_SIZE(key_config_menu_items)); + + ret = eficonfig_process_common(efi_menu, header_str); + eficonfig_destroy(efi_menu); + + if (ret == EFI_ABORTED) + break; + } + + /* return to the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + +static const struct eficonfig_item secure_boot_menu_items[] = { + {"PK", eficonfig_process_set_secure_boot_key, u"PK"}, + {"KEK", eficonfig_process_set_secure_boot_key, u"KEK"}, + {"db", eficonfig_process_set_secure_boot_key, u"db"}, + {"dbx", eficonfig_process_set_secure_boot_key, u"dbx"}, + {"Quit", eficonfig_process_quit}, +}; + +/** + * eficonfig_process_secure_boot_config() - display the key list menu + * + * @data: pointer to the data for each entry + * Return: status code + */ +efi_status_t eficonfig_process_secure_boot_config(void *data) +{ + efi_status_t ret; + struct efimenu *efi_menu; + + while (1) { + char header_str[64]; + + snprintf(header_str, sizeof(header_str), + " ** UEFI Secure Boot Key Configuration (SecureBoot : %s) **", + (efi_secure_boot_enabled() ? "ON" : "OFF")); + + efi_menu = eficonfig_create_fixed_menu(secure_boot_menu_items, + ARRAY_SIZE(secure_boot_menu_items)); + if (!efi_menu) { + ret = EFI_OUT_OF_RESOURCES; + break; + } + + ret = eficonfig_process_common(efi_menu, header_str); + eficonfig_destroy(efi_menu); + + if (ret == EFI_ABORTED) + break; + } + + /* return to the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} diff --git a/include/efi_config.h b/include/efi_config.h index 86bc801211..6db8e123f0 100644 --- a/include/efi_config.h +++ b/include/efi_config.h @@ -99,5 +99,10 @@ efi_status_t eficonfig_append_menu_entry(struct efimenu *efi_menu, char *title, eficonfig_entry_func func, void *data); efi_status_t eficonfig_append_quit_entry(struct efimenu *efi_menu); +void *eficonfig_create_fixed_menu(const struct eficonfig_item *items, int count); + +#ifdef CONFIG_EFI_SECURE_BOOT +efi_status_t eficonfig_process_secure_boot_config(void *data); +#endif #endif