
On Sun, Feb 23, 2020 at 11:56:09AM +0100, Heinrich Schuchardt wrote:
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
Under this configuration, UEFI secure boot support will be added in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This patch should be after all the patches that are necessary for secure boot, i.e. after patch 09/16. I can take care of that.
I disagree. Doing so will constrain bisect ability to some extent because any code under EFI_SECURE_BOOT will never have a chance to be compiled until this patch is applied. Then the bisect result could be inaccurate.
Thanks, -Takahiro Akashi
Best regards
Heinrich
lib/efi_loader/Kconfig | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index a7afa3f29e88..4b09a07f1b0a 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -130,4 +130,22 @@ config EFI_RNG_PROTOCOL "Support for EFI_RNG_PROTOCOL implementation. Uses the rng device on the platform"
+config EFI_SECURE_BOOT
- bool "Enable EFI secure boot support"
- depends on EFI_LOADER
- select SHA256
- select RSA
- select RSA_VERIFY_WITH_PKEY
- select IMAGE_SIGN_INFO
- select ASYMMETRIC_KEY_TYPE
- select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
- select X509_CERTIFICATE_PARSER
- select PKCS7_MESSAGE_PARSER
- default n
- help
Select this option to enable EFI secure boot support.
Once SecureBoot mode is enforced, any EFI binary can run only if
it is signed with a trusted key. To do that, you need to install,
at least, PK, KEK and db.
- endif
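Review bot: `default n` is already the implicit default for a bool symbol in Kconfig and can be dropped from the new `config EFI_SECURE_BOOT` entry; likewise, if this entry sits inside the `if EFI_LOADER` ... `endif` guard that the trailing `endif` context line suggests, the `depends on EFI_LOADER` line is redundant and can go as well. The help text would also benefit from one sentence saying what enabling the option does before PK, KEK and db are installed (i.e. whether image verification is enforced at all in that state), since "Once SecureBoot mode is enforced" leaves a reader to guess whether selecting the option alone makes boot refuse unsigned binaries; and "SecureBoot" should match the "secure boot" spelling used in the prompt string.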