On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
Under this configuration, UEFI secure boot support will be added
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
This patch should be after all the patches that are necessary for secure
boot, i.e. after patch 09/16. I can take care of that.
Best regards
Heinrich
---
lib/efi_loader/Kconfig | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a7afa3f29e88..4b09a07f1b0a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
"Support for EFI_RNG_PROTOCOL implementation. Uses the rng
device on the platform"
+config EFI_SECURE_BOOT
+ bool "Enable EFI secure boot support"
+ depends on EFI_LOADER
+ select SHA256
+ select RSA
+ select RSA_VERIFY_WITH_PKEY
+ select IMAGE_SIGN_INFO
+ select ASYMMETRIC_KEY_TYPE
+ select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER
+ default n
+ help
+ Select this option to enable EFI secure boot support.
+ Once SecureBoot mode is enforced, any EFI binary can run only if
+ it is signed with a trusted key. To do that, you need to install,
+ at least, PK, KEK and db.
+
endif
