payloads/edk2: Add Kconfig to enable UEFI Secure Boot support
Now that MrChromebox's default edk2 branch supports Secure Boot, add a
Kconfig to enable it, and do so by default when MrChromebox's branch
is used and SMMSTORE_V2 is enabled (which is a prerequisite).
TEST=build/boot google boards link, panther, lulu,reef, ampton, akemi,
and banshee, verify Secure Boot options available in payload, Secure
Boot status reported properly by Linux/Windows.
Change-Id: I4be58c3315cabe08729d717c59203fdc6a3e2958
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/74869
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-by: Paul Menzel <paulepanter@mailbox.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/payloads/external/Makefile.inc b/payloads/external/Makefile.inc
index effab43..5f29063 100644
--- a/payloads/external/Makefile.inc
+++ b/payloads/external/Makefile.inc
@@ -188,6 +188,7 @@
CONFIG_ECAM_MMCONF_LENGTH=$(CONFIG_ECAM_MMCONF_LENGTH) \
CONFIG_CPU_XTAL_HZ=$(CONFIG_CPU_XTAL_HZ) \
CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2) \
+ CONFIG_EDK2_SECURE_BOOT_SUPPORT=$(CONFIG_EDK2_SECURE_BOOT_SUPPORT) \
GCC_CC_x86_32=$(GCC_CC_x86_32) \
GCC_CC_x86_64=$(GCC_CC_x86_64) \
GCC_CC_arm=$(GCC_CC_arm) \
diff --git a/payloads/external/edk2/Kconfig b/payloads/external/edk2/Kconfig
index 2c8152f..c166975 100644
--- a/payloads/external/edk2/Kconfig
+++ b/payloads/external/edk2/Kconfig
@@ -242,6 +242,14 @@
Enable serial port output in edk2. Serial output limits the performance of edk2's
FrontPage.
+config EDK2_SECURE_BOOT_SUPPORT
+ bool "Enable UEFI Secure Boot support"
+ depends on EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+ default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+ help
+ Select this option to enable UEFI SecureBoot support in edk2.
+ UEFI SecureBoot will be disabled by default and can be enabled from the menu option.
+
config EDK2_CUSTOM_BUILD_PARAMS
string "edk2 additional custom build parameters"
default "-D VARIABLE_SUPPORT=SMMSTORE" if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile
index b241cf9..2181242 100644
--- a/payloads/external/edk2/Makefile
+++ b/payloads/external/edk2/Makefile
@@ -111,6 +111,10 @@
ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),)
BUILD_STR += -D SD_MMC_TIMEOUT=$(shell echo $$(( $(CONFIG_EDK2_SD_MMC_TIMEOUT) * 1000)) )
endif
+# EDK2_SECURE_BOOT_SUPPORT = FALSE
+ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y)
+BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE
+endif
#
# EDKII has the below PCDs that are relevant to coreboot: