payloads/edk2: Add Kconfig to enable UEFI Secure Boot support

Now that MrChromebox's default edk2 branch supports Secure Boot, add a
Kconfig to enable it, and do so by default when MrChromebox's branch
is used and SMMSTORE_V2 is enabled (which is a prerequisite).

TEST=build/boot google boards link, panther, lulu, reef, ampton, akemi,
and banshee, verify Secure Boot options available in payload, Secure
Boot status reported properly by Linux/Windows.

Change-Id: I4be58c3315cabe08729d717c59203fdc6a3e2958
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/74869
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-by: Paul Menzel <paulepanter@mailbox.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/payloads/external/Makefile.inc b/payloads/external/Makefile.inc
index effab43..5f29063 100644
--- a/payloads/external/Makefile.inc
+++ b/payloads/external/Makefile.inc
@@ -188,6 +188,7 @@
 		CONFIG_ECAM_MMCONF_LENGTH=$(CONFIG_ECAM_MMCONF_LENGTH) \
 		CONFIG_CPU_XTAL_HZ=$(CONFIG_CPU_XTAL_HZ) \
 		CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2) \
+		CONFIG_EDK2_SECURE_BOOT_SUPPORT=$(CONFIG_EDK2_SECURE_BOOT_SUPPORT) \
 		GCC_CC_x86_32=$(GCC_CC_x86_32) \
 		GCC_CC_x86_64=$(GCC_CC_x86_64) \
 		GCC_CC_arm=$(GCC_CC_arm) \
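Review bot: The new `CONFIG_EDK2_SECURE_BOOT_SUPPORT` pass-through sits directly below `CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2)`, whose right-hand side spells the variable with a lowercase `v`. Make variable names are case-sensitive, so unless a lowercase symbol is defined elsewhere, that line probably hands an empty value to the edk2 sub-make. The Kconfig entry in this commit makes Secure Boot depend on SMMSTORE_V2, so the two values should reach the payload build consistently; I would correct the neighbouring line to `CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_V2) \` in the same change. The recipe these lines belong to starts and ends outside the hunk.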
diff --git a/payloads/external/edk2/Kconfig b/payloads/external/edk2/Kconfig
index 2c8152f..c166975 100644
--- a/payloads/external/edk2/Kconfig
+++ b/payloads/external/edk2/Kconfig
@@ -242,6 +242,14 @@
 	  Enable serial port output in edk2. Serial output limits the performance of edk2's
 	  FrontPage.
 
+config EDK2_SECURE_BOOT_SUPPORT
+	bool "Enable UEFI Secure Boot support"
+	depends on EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+	default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+	help
+	  Select this option to enable UEFI SecureBoot support in edk2.
+	  UEFI SecureBoot will be disabled by default and can be enabled from the menu option.
+
 config EDK2_CUSTOM_BUILD_PARAMS
 	string "edk2 additional custom build parameters"
 	default "-D VARIABLE_SUPPORT=SMMSTORE" if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
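Review bot: The condition on `default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2` repeats the `depends on` line above it word for word, so a plain `default y` is equivalent and stops the two expressions from drifting apart later. The help text should also state plainly that building with this option does not enforce anything by itself, for example `Secure Boot stays disabled until it is turned on in the edk2 setup menu.`, and say in one clause why SMMSTORE_V2 is required. The prompt writes "Secure Boot" while the help writes "SecureBoot"; pick one spelling.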
diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile
index b241cf9..2181242 100644
--- a/payloads/external/edk2/Makefile
+++ b/payloads/external/edk2/Makefile
@@ -111,6 +111,10 @@
 ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),)
 BUILD_STR += -D SD_MMC_TIMEOUT=$(shell echo $$(( $(CONFIG_EDK2_SD_MMC_TIMEOUT) * 1000)) )
 endif
+# EDK2_SECURE_BOOT_SUPPORT      = FALSE
+ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y)
+BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE
+endif
 
 #
 # EDKII has the below PCDs that are relevant to coreboot:
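Review bot: The added comment `# EDK2_SECURE_BOOT_SUPPORT      = FALSE` matches neither the Kconfig symbol tested on the next line (`CONFIG_EDK2_SECURE_BOOT_SUPPORT`) nor the define actually passed to the build (`SECURE_BOOT_ENABLE`), so it cannot be grepped from either side. If FALSE is meant as the value when the option is off, `# SECURE_BOOT_ENABLE = FALSE` would say what this block overrides. The define is added only on an exact `y`, so an empty or misspelled value arriving from the parent makefile silently produces a payload without Secure Boot support. It would help to document, next to this block, that the final `BUILD_STR` should be checked for `SECURE_BOOT_ENABLE=TRUE` when the option is selected.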