efi_loader: add CONFIG_EFI_SECURE_BOOT config option
authorAKASHI Takahiro <takahiro.akashi@linaro.org>
Tue, 14 Apr 2020 02:51:38 +0000 (11:51 +0900)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Thu, 16 Apr 2020 06:12:46 +0000 (08:12 +0200)
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
lib/efi_loader/Kconfig

index c89ce85c4a840e0f5c935c050d2850bc78d950c9..1cfa24ffcf727eed1e7aa9bb9794f916423541cf 100644 (file)
@@ -146,4 +146,22 @@ config EFI_INITRD_FILESPEC
        help
          Full path of the initramfs file, e.g. mmc 0:2 initramfs.cpio.gz.
 
+config EFI_SECURE_BOOT
+       bool "Enable EFI secure boot support"
+       depends on EFI_LOADER
+       select SHA256
+       select RSA
+       select RSA_VERIFY_WITH_PKEY
+       select IMAGE_SIGN_INFO
+       select ASYMMETRIC_KEY_TYPE
+       select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+       select X509_CERTIFICATE_PARSER
+       select PKCS7_MESSAGE_PARSER
+       default n
+       help
+         Select this option to enable EFI secure boot support.
+         Once SecureBoot mode is enforced, any EFI binary can run only if
+         it is signed with a trusted key. To do that, you need to install,
+         at least, PK, KEK and db.
+
 endif
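Review bot: The help text for EFI_SECURE_BOOT does not say what happens when the option is built in but PK, KEK and db are not yet installed. The wording "Once SecureBoot mode is enforced" suggests verification stays off until then, so an integrator may assume the build flag alone blocks unsigned binaries. If that reading is right, I would add a sentence such as `Enabling this option alone does not enforce verification; until PK is installed, unsigned EFI binaries can still run.` Separately, `default n` is redundant for a bool symbol and can be dropped. Because `select` forces symbols on without checking their own `depends on`, it is worth confirming that each selected crypto symbol's dependencies are met wherever EFI_LOADER can be enabled; those definitions are outside this hunk.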