efi_loader: SPL build fails with EFI_SECURE_BOOT=y

Hello Takahiro,
I tried to run with EFI_SECURE_BOOT enabled on pine64-lts_defconfig.
U-Boot does not succeed in moving from SPL to main U-Boot. The reason is that the SPL binary grows in size. This is due to EFI_SECURE_BOOT selecting additional code in SPL, which of course is unexpected.
This is related to the following settings getting enabled:
lib/Makefile:130: obj-$(CONFIG_OID_REGISTRY) += oid_registry.o
Symbol: OID_REGISTRY [=y]
Type : bool
Defined at lib/Kconfig:589
Selected by [y]:
- RSA_PUBLIC_KEY_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
- X509_CERTIFICATE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
- PKCS7_MESSAGE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] && X509_CERTIFICATE_PARSER [=y]
The OID registry is only used in lib/crypto which is never built for SPL.
lib/date.c:13: #if defined(CONFIG_LIB_DATE) || defined(CONFIG_TIMESTAMP)
lib/date.c:102: #ifdef CONFIG_LIB_DATE
Symbol: LIB_DATE [=y]
Type : bool
Defined at lib/Kconfig:602
Selected by [y]:
- X509_CERTIFICATE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
Selected by [n]:
- CMD_DATE [=n]
- DM_RTC [=n] && DM [=y]
There is a symbol CONFIG_SPL_RSA. If this symbol is enabled we probably want to enable LIB_DATE and OID_REGISTRY in SPL but not otherwise.
Furthermore common/image-sig.c is built in SPL unnecessarily:
Symbol: IMAGE_SIGN_INFO [=y]
Type : bool
Defined at common/Kconfig:1050
Selects: SHA1 [=y] && SHA256 [=y]
Selected by [y]:
- EFI_SECURE_BOOT [=y] && EFI_LOADER [=y]
Selected by [n]:
- FIT_SIGNATURE [=n] && FIT [=y] && DM [=y]
- UT_LIB_RSA [=n] && UT_LIB [=n] && RSA [=y] && RSA_VERIFY_WITH_PKEY [=y]
I am currently testing a patch series to avoid this: https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tree/rsa
Best regards
Heinrich
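A quick way to audit the kind of SPL bloat described in the mail, as an added example that is not part of the original message or of the U-Boot tree: it walks Makefile rules and reports every object selected by a plain obj-$(CONFIG_FOO) line (no $(SPL_) prefix) whose symbol is =y, since such rules are assumed here to be built for SPL as well, as the mail observes for lib/Makefile:130. The Makefile and .config contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not Heinrich's mail or U-Boot code. Assumption: an
# unconditional obj-$(CONFIG_FOO) rule is compiled into SPL too, whereas
# obj-$(CONFIG_$(SPL_)FOO) is gated on CONFIG_SPL_FOO for the SPL build.

# Constructed stand-ins for lib/Makefile and .config.
SAMPLE_MAKEFILE='obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
obj-$(CONFIG_OID_REGISTRY) += oid_registry.o
obj-$(CONFIG_LIB_DATE) += date.o
obj-$(CONFIG_$(SPL_)RSA) += rsa/'
SAMPLE_CONFIG='CONFIG_SPL=y
CONFIG_OID_REGISTRY=y
CONFIG_LIB_DATE=y
CONFIG_SHA256=y
CONFIG_SPL_SHA256=y
# CONFIG_SPL_RSA is not set'

# spl_unconditional_objs MAKEFILE_TEXT CONFIG_TEXT
# Prints "SYMBOL object" for each plain obj-$(CONFIG_SYMBOL) rule whose
# symbol is =y in the config, i.e. objects that land in SPL without any
# SPL_-specific opt-in.
spl_unconditional_objs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            'obj-$(CONFIG_$(SPL_)'*) continue ;;   # SPL-aware rule, skip
            'obj-$(CONFIG_'*) ;;                   # plain rule, inspect
            *) continue ;;
        esac
        sym=${line#'obj-$(CONFIG_'}   # strip the rule prefix
        sym=${sym%%)*}                 # keep the symbol name only
        obj=${line##*+= }              # the object or directory added
        if printf '%s\n' "$2" | grep -q "^CONFIG_${sym}=y$"; then
            printf '%s %s\n' "$sym" "$obj"
        fi
    done
}

spl_unconditional_objs "$SAMPLE_MAKEFILE" "$SAMPLE_CONFIG"
```

On a real tree, feed it the Makefile and .config of the board in question; the SHA256 and RSA rules above are skipped because they are already SPL-gated.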