3 files changed, 13 insertions, 0 deletions

diff --git a/payloads/external/Makefile.mk b/payloads/external/Makefile.mk
index c227402ee5..d497cf871c 100644
--- a/payloads/external/Makefile.mk
+++ b/payloads/external/Makefile.mk
@@ -381,6 +381,7 @@ payloads/external/iPXE/ipxe/ipxe.rom ipxe: $(DOTCONFIG) $(IPXE_CONFIG_SCRIPT)
 	CONFIG_HAS_SCRIPT=$(CONFIG_IPXE_ADD_SCRIPT) \
 	CONFIG_IPXE_NO_PROMPT=$(CONFIG_IPXE_NO_PROMPT) \
 	CONFIG_IPXE_HAS_HTTPS=$(CONFIG_IPXE_HAS_HTTPS) \
+	CONFIG_PXE_TRUST_CMD=$(CONFIG_PXE_TRUST_CMD) \
 	MFLAGS= MAKEFLAGS=
 
 # LinuxBoot
diff --git a/payloads/external/iPXE/Kconfig b/payloads/external/iPXE/Kconfig
index 2ad39a1a6b..02dce27848 100644
--- a/payloads/external/iPXE/Kconfig
+++ b/payloads/external/iPXE/Kconfig
@@ -108,7 +108,16 @@ config IPXE_HAS_HTTPS
 	  Enable HTTPS protocol, which allows you to encrypt all communication
 	  with a web server and to verify the server's identity
 
+config PXE_TRUST_CMD
+	bool "Enable TRUST commands"
+	default y
+	help
+	  Enable imgverify and imgtrust commands, which allow you to verify
+	  digital signature of file prior loading it, and restrict to loading
+	  trusted files only.
+
 endif # BUILD_IPXE
+
 endmenu
 
 endif # PXE
diff --git a/payloads/external/iPXE/Makefile b/payloads/external/iPXE/Makefile
index 6f5525bcd6..91074fea99 100644
--- a/payloads/external/iPXE/Makefile
+++ b/payloads/external/iPXE/Makefile
@@ -52,6 +52,9 @@ endif
 ifeq ($(CONFIG_IPXE_HAS_HTTPS),y)
 	sed -i'' 's|.*DOWNLOAD_PROTO_HTTPS|#define DOWNLOAD_PROTO_HTTPS|g' "$(project_dir)/src/config/general.h"
 endif
+ifeq ($(CONFIG_PXE_TRUST_CMD),y)
+	sed -i'' 's|.*IMAGE_TRUST_CMD|#define IMAGE_TRUST_CMD|g' "$(project_dir)/src/config/general.h"
+endif
 
 build: config $(CONFIG_SCRIPT)
 ifeq ($(CONFIG_HAS_SCRIPT),y)