summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt DeVillier <matt.devillier@gmail.com>2023-04-30 15:10:57 -0500
committerMatt DeVillier <matt.devillier@amd.corp-partner.google.com>2023-05-02 13:46:59 +0000
commita38e2484ac74c04684a2bd4339d4f43c721294c8 (patch)
tree76b3bfb8a757f7fabbec97f7ff79640bdcaa1c21
parentb8fd41b4416dc955e44b6e7c455d8d64e94a4fd8 (diff)
payloads/edk2: Add Kconfig to enable UEFI Secure Boot support
Now that MrChromebox's default edk2 branch supports Secure Boot, add a Kconfig to enable it, and do so by default when MrChromebox's branch is used and SMMSTORE_V2 is enabled (which is a prerequisite). TEST=build/boot google boards link, panther, lulu,reef, ampton, akemi, and banshee, verify Secure Boot options available in payload, Secure Boot status reported properly by Linux/Windows. Change-Id: I4be58c3315cabe08729d717c59203fdc6a3e2958 Signed-off-by: Matt DeVillier <matt.devillier@gmail.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/74869 Reviewed-by: Sean Rhodes <sean@starlabs.systems> Reviewed-by: Paul Menzel <paulepanter@mailbox.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
-rw-r--r--payloads/external/Makefile.inc1
-rw-r--r--payloads/external/edk2/Kconfig8
-rw-r--r--payloads/external/edk2/Makefile4
3 files changed, 13 insertions, 0 deletions
diff --git a/payloads/external/Makefile.inc b/payloads/external/Makefile.inc
index effab43818..5f29063bfe 100644
--- a/payloads/external/Makefile.inc
+++ b/payloads/external/Makefile.inc
@@ -188,6 +188,7 @@ $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG)
CONFIG_ECAM_MMCONF_LENGTH=$(CONFIG_ECAM_MMCONF_LENGTH) \
CONFIG_CPU_XTAL_HZ=$(CONFIG_CPU_XTAL_HZ) \
CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2) \
+ CONFIG_EDK2_SECURE_BOOT_SUPPORT=$(CONFIG_EDK2_SECURE_BOOT_SUPPORT) \
GCC_CC_x86_32=$(GCC_CC_x86_32) \
GCC_CC_x86_64=$(GCC_CC_x86_64) \
GCC_CC_arm=$(GCC_CC_arm) \
diff --git a/payloads/external/edk2/Kconfig b/payloads/external/edk2/Kconfig
index 2c8152f27d..c166975f81 100644
--- a/payloads/external/edk2/Kconfig
+++ b/payloads/external/edk2/Kconfig
@@ -242,6 +242,14 @@ config EDK2_SERIAL_SUPPORT
Enable serial port output in edk2. Serial output limits the performance of edk2's
FrontPage.
+config EDK2_SECURE_BOOT_SUPPORT
+ bool "Enable UEFI Secure Boot support"
+ depends on EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+ default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+ help
+ Select this option to enable UEFI SecureBoot support in edk2.
+ UEFI SecureBoot will be disabled by default and can be enabled from the menu option.
+
config EDK2_CUSTOM_BUILD_PARAMS
string "edk2 additional custom build parameters"
default "-D VARIABLE_SUPPORT=SMMSTORE" if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile
index b241cf9688..21812422fb 100644
--- a/payloads/external/edk2/Makefile
+++ b/payloads/external/edk2/Makefile
@@ -111,6 +111,10 @@ endif
ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),)
BUILD_STR += -D SD_MMC_TIMEOUT=$(shell echo $$(( $(CONFIG_EDK2_SD_MMC_TIMEOUT) * 1000)) )
endif
+# EDK2_SECURE_BOOT_SUPPORT = FALSE
+ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y)
+BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE
+endif
#
# EDKII has the below PCDs that are relevant to coreboot: