From patchwork Wed Feb 26 04:54:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 236815 List-Id: U-Boot discussion From: takahiro.akashi at linaro.org (AKASHI Takahiro) Date: Wed, 26 Feb 2020 13:54:33 +0900 Subject: [PATCH v6 01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option In-Reply-To: <20200226045448.2453-1-takahiro.akashi@linaro.org> References: <20200226045448.2453-1-takahiro.akashi@linaro.org> Message-ID: <20200226045448.2453-2-takahiro.akashi@linaro.org> Under this configuration, UEFI secure boot support will be added in later patches. Signed-off-by: AKASHI Takahiro --- lib/efi_loader/Kconfig | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index a7afa3f29e88..4b09a07f1b0a 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL "Support for EFI_RNG_PROTOCOL implementation. Uses the rng device on the platform" +config EFI_SECURE_BOOT + bool "Enable EFI secure boot support" + depends on EFI_LOADER + select SHA256 + select RSA + select RSA_VERIFY_WITH_PKEY + select IMAGE_SIGN_INFO + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + default n + help + Select this option to enable EFI secure boot support. + Once SecureBoot mode is enforced, any EFI binary can run only if + it is signed with a trusted key. To do that, you need to install, + at least, PK, KEK and db. + endif
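Review bot: `default n` in the new `config EFI_SECURE_BOOT` entry is redundant, since a Kconfig bool already defaults to n, and `depends on EFI_LOADER` looks redundant too: the trailing `endif` context line suggests this block sits inside an existing `if EFI_LOADER` section of lib/efi_loader/Kconfig, so the dependency is already implied. Dropping both lines would keep the entry consistent with the neighbouring `config EFI_RNG_PROTOCOL` style. In the help text, "SecureBoot mode" should match the option's own spelling ("secure boot"), and the last sentence would be clearer if it said that PK, KEK and db are the UEFI authenticated variables that must be installed, so a reader knows what "install" refers to. No logic concern with the `select` list itself: SHA256, RSA, X509_CERTIFICATE_PARSER and PKCS7_MESSAGE_PARSER are the pieces a signed-image check needs, and selecting them here rather than in each later patch keeps the dependency in one place.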