On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>

This patch should be after all the patches that are necessary for secure
boot, i.e. after patch 09/16. I can take care of that.

Best regards

Heinrich

---
  lib/efi_loader/Kconfig | 18 ++++++++++++++++++
  1 file changed, 18 insertions(+)

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a7afa3f29e88..4b09a07f1b0a 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL
          "Support for EFI_RNG_PROTOCOL implementation. Uses the rng
           device on the platform"

+config EFI_SECURE_BOOT
+       bool "Enable EFI secure boot support"
+       depends on EFI_LOADER
+       select SHA256
+       select RSA
+       select RSA_VERIFY_WITH_PKEY
+       select IMAGE_SIGN_INFO
+       select ASYMMETRIC_KEY_TYPE
+       select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+       select X509_CERTIFICATE_PARSER
+       select PKCS7_MESSAGE_PARSER
+       default n
+       help
+         Select this option to enable EFI secure boot support.
+         Once SecureBoot mode is enforced, any EFI binary can run only if
+         it is signed with a trusted key. To do that, you need to install,
+         at least, PK, KEK and db.
+
  endif
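Review bot: The help text for EFI_SECURE_BOOT does not say that building with this option leaves signature checking unenforced until keys are enrolled, so a reader could take "enabled" to mean "protected". Under the UEFI specification a platform with no PK is in setup mode, so, assuming the later patches in the series follow that, a board built with this option but without a PK would still run unsigned binaries. I would add a sentence such as `Enabling this option alone does not enforce verification; images are checked only after PK has been enrolled.` and mention dbx next to db, since the revocation list is part of the trust decision. Separately, `default n` is redundant for a bool symbol and can be dropped.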

