From 0306cc2bbd40375972e1bda32b640a51c14e4ab0 Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Thu, 21 Dec 2023 21:38:03 +0100 Subject: payloads/iPXE: Hook up TRUST_CMD switch Change-Id: Ia4f5d4140eeb8625c5ee41e38f048658db28a199 Signed-off-by: Maciej Pijanowski Reviewed-on: https://review.coreboot.org/c/coreboot/+/79684 Reviewed-by: Felix Singer Tested-by: build bot (Jenkins) --- payloads/external/Makefile.mk | 1 + payloads/external/iPXE/Kconfig | 9 +++++++++ payloads/external/iPXE/Makefile | 3 +++ 3 files changed, 13 insertions(+) diff --git a/payloads/external/Makefile.mk b/payloads/external/Makefile.mk index c227402ee5..d497cf871c 100644 --- a/payloads/external/Makefile.mk +++ b/payloads/external/Makefile.mk @@ -381,6 +381,7 @@ payloads/external/iPXE/ipxe/ipxe.rom ipxe: $(DOTCONFIG) $(IPXE_CONFIG_SCRIPT) CONFIG_HAS_SCRIPT=$(CONFIG_IPXE_ADD_SCRIPT) \ CONFIG_IPXE_NO_PROMPT=$(CONFIG_IPXE_NO_PROMPT) \ CONFIG_IPXE_HAS_HTTPS=$(CONFIG_IPXE_HAS_HTTPS) \ + CONFIG_PXE_TRUST_CMD=$(CONFIG_PXE_TRUST_CMD) \ MFLAGS= MAKEFLAGS= # LinuxBoot diff --git a/payloads/external/iPXE/Kconfig b/payloads/external/iPXE/Kconfig index 2ad39a1a6b..02dce27848 100644 --- a/payloads/external/iPXE/Kconfig +++ b/payloads/external/iPXE/Kconfig @@ -108,7 +108,16 @@ config IPXE_HAS_HTTPS Enable HTTPS protocol, which allows you to encrypt all communication with a web server and to verify the server's identity +config PXE_TRUST_CMD + bool "Enable TRUST commands" + default y + help + Enable imgverify and imgtrust commands, which allow you to verify + digital signature of file prior loading it, and restrict to loading + trusted files only. + endif # BUILD_IPXE + endmenu endif # PXE diff --git a/payloads/external/iPXE/Makefile b/payloads/external/iPXE/Makefile index 6f5525bcd6..91074fea99 100644 --- a/payloads/external/iPXE/Makefile +++ b/payloads/external/iPXE/Makefile @@ -52,6 +52,9 @@ endif ifeq ($(CONFIG_IPXE_HAS_HTTPS),y) sed -i'' 's|.*DOWNLOAD_PROTO_HTTPS|#define DOWNLOAD_PROTO_HTTPS|g' "$(project_dir)/src/config/general.h" endif +ifeq ($(CONFIG_PXE_TRUST_CMD),y) + sed -i'' 's|.*IMAGE_TRUST_CMD|#define IMAGE_TRUST_CMD|g' "$(project_dir)/src/config/general.h" +endif build: config $(CONFIG_SCRIPT) ifeq ($(CONFIG_HAS_SCRIPT),y) -- cgit v1.2.3