[S] Change in coreboot[master]: payloads/edk2: Add Kconfig to enable UEFI SecureBoot support
Attention is currently required from: Martin L Roth, Stefan Reinauer. Matt DeVillier has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/74869 ) Change subject: payloads/edk2: Add Kconfig to enable UEFI SecureBoot support ...................................................................... payloads/edk2: Add Kconfig to enable UEFI SecureBoot support Now that MrChromebox's default edk2 branch supports SecureBoot, add a Kconfig to enable it, and do so by default when MrChromebox's branch is used and SMMSTORE_V2 is enabled. TEST=build/boot various boards, verify SecureBoot options available in payload, SecureBoot status reported properly by Linux/Windows. Change-Id: I4be58c3315cabe08729d717c59203fdc6a3e2958 Signed-off-by: Matt DeVillier <matt.devillier@gmail.com> --- M payloads/external/Makefile.inc M payloads/external/edk2/Kconfig M payloads/external/edk2/Makefile 3 files changed, 27 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/69/74869/1
diff --git a/payloads/external/Makefile.inc b/payloads/external/Makefile.inc
index effab43..5f29063 100644
--- a/payloads/external/Makefile.inc
+++ b/payloads/external/Makefile.inc
@@ -188,6 +188,7 @@
 CONFIG_ECAM_MMCONF_LENGTH=$(CONFIG_ECAM_MMCONF_LENGTH) \
 CONFIG_CPU_XTAL_HZ=$(CONFIG_CPU_XTAL_HZ) \
 CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2) \
+ CONFIG_EDK2_SECURE_BOOT_SUPPORT=$(CONFIG_EDK2_SECURE_BOOT_SUPPORT) \
 GCC_CC_x86_32=$(GCC_CC_x86_32) \
 GCC_CC_x86_64=$(GCC_CC_x86_64) \
 GCC_CC_arm=$(GCC_CC_arm) \
diff --git a/payloads/external/edk2/Kconfig b/payloads/external/edk2/Kconfig
index 2c8152f..1c00be0 100644
--- a/payloads/external/edk2/Kconfig
+++ b/payloads/external/edk2/Kconfig
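Review bot: In payloads/external/Makefile.inc, the context line directly above the added pass-through reads `CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2)`, with a lowercase `v` on the right-hand side, while the Kconfig symbol this change depends on is spelled `SMMSTORE_V2`. Make variable names are case-sensitive, so that argument most likely reaches the edk2 Makefile empty. Since the new Secure Boot option is gated on SMMSTORE_V2, it is worth fixing in the same series: `CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_V2) \`. How the edk2 Makefile consumes that variable is outside this hunk, so the practical effect should be confirmed there; the recipe itself starts and ends outside the hunk.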
@@ -242,6 +242,11 @@ Enable serial port output in edk2. Serial output limits the performance of edk2's FrontPage. +config EDK2_SECURE_BOOT_SUPPORT + bool "Enable UEFI Secure Boot feature" + depends on EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2 + default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2 + config EDK2_CUSTOM_BUILD_PARAMS string "edk2 additional custom build parameters" default "-D VARIABLE_SUPPORT=SMMSTORE" if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2 diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile index b241cf9..2181242 100644 --- a/payloads/external/edk2/Makefile +++ b/payloads/external/edk2/Makefile @@ -111,6 +111,10 @@ ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),) BUILD_STR += -D SD_MMC_TIMEOUT=$(shell echo $$(( $(CONFIG_EDK2_SD_MMC_TIMEOUT) * 1000)) ) endif +# EDK2_SECURE_BOOT_SUPPORT = FALSE +ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y) +BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE +endif # # EDKII has the below PCDs that are relevant to coreboot: -- To view, visit https://review.coreboot.org/c/coreboot/+/74869 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I4be58c3315cabe08729d717c59203fdc6a3e2958 Gerrit-Change-Number: 74869 Gerrit-PatchSet: 1 Gerrit-Owner: Matt DeVillier <matt.devillier@gmail.com> Gerrit-Reviewer: Martin L Roth <gaumless@gmail.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer@coreboot.org> Gerrit-Attention: Martin L Roth <gaumless@gmail.com> Gerrit-Attention: Stefan Reinauer <stefan.reinauer@coreboot.org> Gerrit-MessageType: newchange
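Review bot: The new `EDK2_SECURE_BOOT_SUPPORT` entry in payloads/external/edk2/Kconfig has no `help` text, which a security-relevant option needs so that users know what it does and does not provide. I would add a `help` block saying that the option builds edk2 with `-D SECURE_BOOT_ENABLE=TRUE`, that it requires MrChromebox's edk2 branch with SMMSTORE v2 as the variable store, and whether firmware built this way boots with Secure Boot already enforced or only makes the Secure Boot options available in the payload, as the TEST line of the commit message suggests. The condition on the default also repeats the `depends on` line, so `default y` alone is equivalent.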
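Review bot: The added comment `# EDK2_SECURE_BOOT_SUPPORT = FALSE` in payloads/external/edk2/Makefile names the coreboot Kconfig symbol, but the define the block actually passes is `SECURE_BOOT_ENABLE`; if the comment is meant to record the edk2 build define and its default, it should read `# SECURE_BOOT_ENABLE = FALSE`. The conditional also has a space after the comma, unlike the `ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),)` just above; GNU make ignores leading whitespace in the second argument, so `ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT),y)` is for consistency only. Nothing is passed when the option is off, so the build relies on the edk2 branch defaulting Secure Boot to off, and that default is not visible in this hunk.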