mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-12-25 20:43:32 +00:00
1eccbb16a2
At present EFI_SECURE BOOT selects RSA but does not necessarily enable FIT_SIGNATURE. Mostly this is fine, but a few boards do not enable it, so U-Boot tries to do RSA verification when loading FIT images, but it is not enabled. This worked because the condition for checking the RSA signature is wrong in the fit_image_verify_with_data() function. In order to fix it we need to fix this dependency. Make sure that FIT_SIGNATURE is enabled so that RSA can be used. It might be better to avoid using 'select' in this situation. Signed-off-by: Simon Glass <sjg@chromium.org>
367 lines
11 KiB
Text
367 lines
11 KiB
Text
config EFI_LOADER
|
|
bool "Support running UEFI applications"
|
|
depends on OF_LIBFDT && ( \
|
|
ARM && (SYS_CPU = arm1136 || \
|
|
SYS_CPU = arm1176 || \
|
|
SYS_CPU = armv7 || \
|
|
SYS_CPU = armv8) || \
|
|
X86 || RISCV || SANDBOX)
|
|
# We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
|
|
depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
|
|
# We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
|
|
depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
|
|
depends on BLK
|
|
default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
|
|
select LIB_UUID
|
|
select PARTITION_UUIDS
|
|
select HAVE_BLOCK_DEVICE
|
|
select REGEX
|
|
imply CFB_CONSOLE_ANSI
|
|
imply FAT
|
|
imply FAT_WRITE
|
|
imply USB_KEYBOARD_FN_KEYS
|
|
imply VIDEO_ANSI
|
|
help
|
|
Select this option if you want to run UEFI applications (like GNU
|
|
GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
|
|
will expose the UEFI API to a loaded application, enabling it to
|
|
reuse U-Boot's device drivers.
|
|
|
|
if EFI_LOADER
|
|
|
|
config CMD_BOOTEFI_BOOTMGR
|
|
bool "UEFI Boot Manager"
|
|
default y
|
|
help
|
|
Select this option if you want to select the UEFI binary to be booted
|
|
via UEFI variables Boot####, BootOrder, and BootNext. This enables the
|
|
'bootefi bootmgr' command.
|
|
|
|
config EFI_SETUP_EARLY
|
|
bool
|
|
|
|
choice
|
|
prompt "Store for non-volatile UEFI variables"
|
|
default EFI_VARIABLE_FILE_STORE
|
|
help
|
|
Select where non-volatile UEFI variables shall be stored.
|
|
|
|
config EFI_VARIABLE_FILE_STORE
|
|
bool "Store non-volatile UEFI variables as file"
|
|
depends on FAT_WRITE
|
|
help
|
|
Select this option if you want non-volatile UEFI variables to be
|
|
stored as file /ubootefi.var on the EFI system partition.
|
|
|
|
config EFI_MM_COMM_TEE
|
|
bool "UEFI variables storage service via OP-TEE"
|
|
depends on OPTEE
|
|
help
|
|
If OP-TEE is present and running StandAloneMM, dispatch all UEFI
|
|
variable related operations to that. The application will verify,
|
|
authenticate and store the variables on an RPMB.
|
|
|
|
endchoice
|
|
|
|
config EFI_VARIABLES_PRESEED
|
|
bool "Initial values for UEFI variables"
|
|
depends on EFI_VARIABLE_FILE_STORE
|
|
help
|
|
Include a file with the initial values for non-volatile UEFI variables
|
|
into the U-Boot binary. If this configuration option is set, changes
|
|
to authentication related variables (PK, KEK, db, dbx) are not
|
|
allowed.
|
|
|
|
if EFI_VARIABLES_PRESEED
|
|
|
|
config EFI_VAR_SEED_FILE
|
|
string "File with initial values of non-volatile UEFI variables"
|
|
default ubootefi.var
|
|
help
|
|
File with initial values of non-volatile UEFI variables. The file must
|
|
be in the same format as the storage in the EFI system partition. The
|
|
easiest way to create it is by setting the non-volatile variables in
|
|
U-Boot. If a relative file path is used, it is relative to the source
|
|
directory.
|
|
|
|
endif
|
|
|
|
config EFI_VAR_BUF_SIZE
|
|
int "Memory size of the UEFI variable store"
|
|
default 16384
|
|
range 4096 2147483647
|
|
help
|
|
This defines the size in bytes of the memory area reserved for keeping
|
|
UEFI variables.
|
|
|
|
When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) this value should
|
|
match the value of PcdFlashNvStorageVariableSize used to compile the
|
|
StandAloneMM module.
|
|
|
|
Minimum 4096, default 16384.
|
|
|
|
config EFI_GET_TIME
|
|
bool "GetTime() runtime service"
|
|
depends on DM_RTC
|
|
default y
|
|
help
|
|
Provide the GetTime() runtime service at boottime. This service
|
|
can be used by an EFI application to read the real time clock.
|
|
|
|
config EFI_SET_TIME
|
|
bool "SetTime() runtime service"
|
|
depends on EFI_GET_TIME
|
|
default y if ARCH_QEMU || SANDBOX
|
|
help
|
|
Provide the SetTime() runtime service at boottime. This service
|
|
can be used by an EFI application to adjust the real time clock.
|
|
|
|
config EFI_HAVE_CAPSULE_SUPPORT
|
|
bool
|
|
|
|
config EFI_RUNTIME_UPDATE_CAPSULE
|
|
bool "UpdateCapsule() runtime service"
|
|
select EFI_HAVE_CAPSULE_SUPPORT
|
|
help
|
|
Select this option if you want to use UpdateCapsule and
|
|
QueryCapsuleCapabilities API's.
|
|
|
|
config EFI_CAPSULE_ON_DISK
|
|
bool "Enable capsule-on-disk support"
|
|
select EFI_HAVE_CAPSULE_SUPPORT
|
|
help
|
|
Select this option if you want to use capsule-on-disk feature,
|
|
that is, capsules can be fetched and executed from files
|
|
under a specific directory on UEFI system partition instead of
|
|
via UpdateCapsule API.
|
|
|
|
config EFI_IGNORE_OSINDICATIONS
|
|
bool "Ignore OsIndications for CapsuleUpdate on-disk"
|
|
depends on EFI_CAPSULE_ON_DISK
|
|
help
|
|
There are boards where U-Boot does not support SetVariable at runtime.
|
|
Select this option if you want to use the capsule-on-disk feature
|
|
without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
|
|
flag in variable OsIndications.
|
|
|
|
config EFI_CAPSULE_ON_DISK_EARLY
|
|
bool "Initiate capsule-on-disk at U-Boot boottime"
|
|
depends on EFI_CAPSULE_ON_DISK
|
|
select EFI_SETUP_EARLY
|
|
help
|
|
Normally, without this option enabled, capsules will be
|
|
executed only at the first time of invoking one of efi command.
|
|
If this option is enabled, capsules will be enforced to be
|
|
executed as part of U-Boot initialisation so that they will
|
|
surely take place whatever is set to distro_bootcmd.
|
|
|
|
config EFI_CAPSULE_FIRMWARE
|
|
bool
|
|
|
|
config EFI_CAPSULE_FIRMWARE_MANAGEMENT
|
|
bool "Capsule: Firmware Management Protocol"
|
|
depends on EFI_HAVE_CAPSULE_SUPPORT
|
|
default y
|
|
help
|
|
Select this option if you want to enable capsule-based
|
|
firmware update using Firmware Management Protocol.
|
|
|
|
config EFI_CAPSULE_FIRMWARE_FIT
|
|
bool "FMP driver for FIT images"
|
|
depends on FIT
|
|
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
|
|
select UPDATE_FIT
|
|
select DFU
|
|
select EFI_CAPSULE_FIRMWARE
|
|
help
|
|
Select this option if you want to enable firmware management protocol
|
|
driver for FIT image
|
|
|
|
config EFI_CAPSULE_FIRMWARE_RAW
|
|
bool "FMP driver for raw images"
|
|
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
|
|
depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
|
|
select DFU_WRITE_ALT
|
|
select DFU
|
|
select EFI_CAPSULE_FIRMWARE
|
|
help
|
|
Select this option if you want to enable firmware management protocol
|
|
driver for raw image
|
|
|
|
config EFI_CAPSULE_AUTHENTICATE
|
|
bool "Update Capsule authentication"
|
|
depends on EFI_CAPSULE_FIRMWARE
|
|
depends on EFI_CAPSULE_ON_DISK
|
|
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
|
|
select HASH
|
|
select SHA256
|
|
select RSA
|
|
select RSA_VERIFY
|
|
select RSA_VERIFY_WITH_PKEY
|
|
select X509_CERTIFICATE_PARSER
|
|
select PKCS7_MESSAGE_PARSER
|
|
select PKCS7_VERIFY
|
|
select IMAGE_SIGN_INFO
|
|
select EFI_SIGNATURE_SUPPORT
|
|
help
|
|
Select this option if you want to enable capsule
|
|
authentication
|
|
|
|
config EFI_DEVICE_PATH_TO_TEXT
|
|
bool "Device path to text protocol"
|
|
default y
|
|
help
|
|
The device path to text protocol converts device nodes and paths to
|
|
human readable strings.
|
|
|
|
config EFI_DEVICE_PATH_UTIL
|
|
bool "Device path utilities protocol"
|
|
default y
|
|
help
|
|
The device path utilities protocol creates and manipulates device
|
|
paths and device nodes. It is required to run the EFI Shell.
|
|
|
|
config EFI_DT_FIXUP
|
|
bool "Device tree fixup protocol"
|
|
depends on !GENERATE_ACPI_TABLE
|
|
default y
|
|
help
|
|
The EFI device-tree fix-up protocol provides a function to let the
|
|
firmware apply fix-ups. This may be used by boot loaders.
|
|
|
|
config EFI_LOADER_HII
|
|
bool "HII protocols"
|
|
default y
|
|
help
|
|
The Human Interface Infrastructure is a complicated framework that
|
|
allows UEFI applications to draw fancy menus and hook strings using
|
|
a translation framework.
|
|
|
|
U-Boot implements enough of its features to be able to run the UEFI
|
|
Shell, but not more than that.
|
|
|
|
config EFI_UNICODE_COLLATION_PROTOCOL2
|
|
bool "Unicode collation protocol"
|
|
default y
|
|
help
|
|
The Unicode collation protocol is used for lexical comparisons. It is
|
|
required to run the UEFI shell.
|
|
|
|
if EFI_UNICODE_COLLATION_PROTOCOL2
|
|
|
|
config EFI_UNICODE_CAPITALIZATION
|
|
bool "Support Unicode capitalization"
|
|
default y
|
|
help
|
|
Select this option to enable correct handling of the capitalization of
|
|
Unicode codepoints in the range 0x0000-0xffff. If this option is not
|
|
set, only the the correct handling of the letters of the codepage
|
|
used by the FAT file system is ensured.
|
|
|
|
endif
|
|
|
|
config EFI_LOADER_BOUNCE_BUFFER
|
|
bool "EFI Applications use bounce buffers for DMA operations"
|
|
depends on ARM64
|
|
help
|
|
Some hardware does not support DMA to full 64bit addresses. For this
|
|
hardware we can create a bounce buffer so that payloads don't have to
|
|
worry about platform details.
|
|
|
|
config EFI_PLATFORM_LANG_CODES
|
|
string "Language codes supported by firmware"
|
|
default "en-US"
|
|
help
|
|
This value is used to initialize the PlatformLangCodes variable. Its
|
|
value is a semicolon (;) separated list of language codes in native
|
|
RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
|
|
to initialize the PlatformLang variable.
|
|
|
|
config EFI_HAVE_RUNTIME_RESET
|
|
# bool "Reset runtime service is available"
|
|
bool
|
|
default y
|
|
depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
|
|
SANDBOX || SYSRESET_X86
|
|
|
|
config EFI_GRUB_ARM32_WORKAROUND
|
|
bool "Workaround for GRUB on 32bit ARM"
|
|
default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
|
|
default y
|
|
depends on ARM && !ARM64
|
|
help
|
|
GRUB prior to version 2.04 requires U-Boot to disable caches. This
|
|
workaround currently is also needed on systems with caches that
|
|
cannot be managed via CP15.
|
|
|
|
config EFI_RNG_PROTOCOL
|
|
bool "EFI_RNG_PROTOCOL support"
|
|
depends on DM_RNG
|
|
default y
|
|
help
|
|
Provide a EFI_RNG_PROTOCOL implementation using the hardware random
|
|
number generator of the platform.
|
|
|
|
config EFI_TCG2_PROTOCOL
|
|
bool "EFI_TCG2_PROTOCOL support"
|
|
default y
|
|
depends on TPM_V2
|
|
select SHA1
|
|
select SHA256
|
|
select SHA384
|
|
select SHA512
|
|
select HASH
|
|
help
|
|
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
|
|
of the platform.
|
|
|
|
config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
|
|
int "EFI_TCG2_PROTOCOL EventLog size"
|
|
depends on EFI_TCG2_PROTOCOL
|
|
default 65536
|
|
help
|
|
Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that
|
|
this is going to be allocated twice. One for the eventlog it self
|
|
and one for the configuration table that is required from the spec
|
|
|
|
config EFI_LOAD_FILE2_INITRD
|
|
bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
|
|
default y
|
|
help
|
|
Linux v5.7 and later can make use of this option. If the boot option
|
|
selected by the UEFI boot manager specifies an existing file to be used
|
|
as initial RAM disk, a Linux specific Load File2 protocol will be
|
|
installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
|
|
argument.
|
|
|
|
config EFI_SECURE_BOOT
|
|
bool "Enable EFI secure boot support"
|
|
depends on EFI_LOADER && FIT_SIGNATURE
|
|
select HASH
|
|
select SHA256
|
|
select RSA
|
|
select RSA_VERIFY_WITH_PKEY
|
|
select IMAGE_SIGN_INFO
|
|
select ASYMMETRIC_KEY_TYPE
|
|
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
select X509_CERTIFICATE_PARSER
|
|
select PKCS7_MESSAGE_PARSER
|
|
select PKCS7_VERIFY
|
|
select EFI_SIGNATURE_SUPPORT
|
|
help
|
|
Select this option to enable EFI secure boot support.
|
|
Once SecureBoot mode is enforced, any EFI binary can run only if
|
|
it is signed with a trusted key. To do that, you need to install,
|
|
at least, PK, KEK and db.
|
|
|
|
config EFI_SIGNATURE_SUPPORT
|
|
bool
|
|
|
|
config EFI_ESRT
|
|
bool "Enable the UEFI ESRT generation"
|
|
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
|
|
default y
|
|
help
|
|
Enabling this option creates the ESRT UEFI system table.
|
|
|
|
endif
|