authorAKASHI Takahiro <takahiro.akashi@linaro.org>2020-04-14 11:51:38 +0900
committerHeinrich Schuchardt <xypron.glpk@gmx.de>2020-04-16 08:12:46 +0200
commit9bf09b5120da6d21d9e7774d958b98116828f907 (patch)
treee3a88e5bac7020942f9a2fac0a06ba9daac64f19 /lib/efi_loader
parent17e11740857163d2b4574e5da995732350885812 (diff)
efi_loader: add CONFIG_EFI_SECURE_BOOT config option
Under this configuration, UEFI secure boot support will be added in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'lib/efi_loader')
-rw-r--r--lib/efi_loader/Kconfig18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c89ce85c4a..1cfa24ffcf 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -146,4 +146,22 @@ config EFI_INITRD_FILESPEC
help
Full path of the initramfs file, e.g. mmc 0:2 initramfs.cpio.gz.
+config EFI_SECURE_BOOT
+ bool "Enable EFI secure boot support"
+ depends on EFI_LOADER
+ select SHA256
+ select RSA
+ select RSA_VERIFY_WITH_PKEY
+ select IMAGE_SIGN_INFO
+ select ASYMMETRIC_KEY_TYPE
+ select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER
+ default n
+ help
+ Select this option to enable EFI secure boot support.
+ Once SecureBoot mode is enforced, any EFI binary can run only if
+ it is signed with a trusted key. To do that, you need to install,
+ at least, PK, KEK and db.
+
endif
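Review bot: The help text for EFI_SECURE_BOOT does not say what happens between enabling the option and enrolling keys, and "To do that" has no clear referent. As written it implies that signature checks are enforced only after PK, KEK and db are installed, so a build with this option set and no keys enrolled would presumably still run unsigned EFI binaries. If the later implementation behaves that way, the help should say so explicitly, for example `Enabling this option does not by itself enforce verification; unsigned binaries are rejected only after PK, KEK and db have been installed.` The commit message says the actual support arrives in later patches, so at this commit the symbol appears only to select the hash, RSA, X.509 and PKCS#7 code, which is also worth a sentence in the help. Separately, `default n` is redundant for a bool symbol and can be dropped.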