config EFI_LOADER
	bool "Support running UEFI applications"
	depends on OF_LIBFDT && ( \
		ARM && (SYS_CPU = arm1136 || \
			SYS_CPU = arm1176 || \
			SYS_CPU = armv7 || \
			SYS_CPU = armv8) || \
		X86 || RISCV || SANDBOX)
	# We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
	depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
	# We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
	depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
	depends on BLK
	depends on !EFI_APP
	default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
	select CHARSET
	# We need to send DM events, dynamically, in the EFI block driver
	select DM_EVENT
	select EVENT_DYNAMIC
	select LIB_UUID
	imply PARTITION_UUIDS
	select REGEX
	imply FAT
	imply FAT_WRITE
	imply USB_KEYBOARD_FN_KEYS
	imply VIDEO_ANSI
	help
	  Select this option if you want to run UEFI applications (like GNU
	  GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
	  will expose the UEFI API to a loaded application, enabling it to
	  reuse U-Boot's device drivers.

if EFI_LOADER

config CMD_BOOTEFI_BOOTMGR
	bool "UEFI Boot Manager"
	default y
	select BOOTMETH_GLOBAL if BOOTSTD
	help
	  Select this option if you want to select the UEFI binary to be booted
	  via UEFI variables Boot####, BootOrder, and BootNext. This enables the
	  'bootefi bootmgr' command.

choice
	prompt "Store for non-volatile UEFI variables"
	default EFI_VARIABLE_FILE_STORE
	help
	  Select where non-volatile UEFI variables shall be stored.

config EFI_VARIABLE_FILE_STORE
	bool "Store non-volatile UEFI variables as file"
	depends on FAT_WRITE
	help
	  Select this option if you want non-volatile UEFI variables to be
	  stored as file /ubootefi.var on the EFI system partition.

config EFI_MM_COMM_TEE
	bool "UEFI variables storage service via OP-TEE"
	depends on OPTEE
	help
	  If OP-TEE is present and running StandAloneMM, dispatch all UEFI
	  variable related operations to that. The application will verify,
	  authenticate and store the variables on an RPMB.

config EFI_VARIABLE_NO_STORE
	bool "Don't persist non-volatile UEFI variables"
	help
	  If you choose this option, non-volatile variables cannot be persisted.
	  You could still provide non-volatile variables via
	  EFI_VARIABLES_PRESEED.

endchoice

config EFI_VARIABLES_PRESEED
	bool "Initial values for UEFI variables"
	depends on !EFI_MM_COMM_TEE
	help
	  Include a file with the initial values for non-volatile UEFI variables
	  into the U-Boot binary. If this configuration option is set, changes
	  to authentication related variables (PK, KEK, db, dbx) are not
	  allowed.

if EFI_VARIABLES_PRESEED

config EFI_VAR_SEED_FILE
	string "File with initial values of non-volatile UEFI variables"
	default ubootefi.var
	help
	  File with initial values of non-volatile UEFI variables. The file must
	  be in the same format as the storage in the EFI system partition. The
	  easiest way to create it is by setting the non-volatile variables in
	  U-Boot. If a relative file path is used, it is relative to the source
	  directory.

endif

config EFI_VAR_BUF_SIZE
	int "Memory size of the UEFI variable store"
	default 16384
	range 4096 2147483647
	help
	  This defines the size in bytes of the memory area reserved for keeping
	  UEFI variables.

	  When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) this value should
	  match the value of PcdFlashNvStorageVariableSize used to compile the
	  StandAloneMM module.

	  Minimum 4096, default 16384.

config EFI_GET_TIME
	bool "GetTime() runtime service"
	depends on DM_RTC
	default y
	help
	  Provide the GetTime() runtime service at boottime. This service
	  can be used by an EFI application to read the real time clock.

config EFI_SET_TIME
	bool "SetTime() runtime service"
	depends on EFI_GET_TIME
	default y if ARCH_QEMU || SANDBOX
	help
	  Provide the SetTime() runtime service at boottime. This service
	  can be used by an EFI application to adjust the real time clock.

config EFI_SCROLL_ON_CLEAR_SCREEN
	bool "Avoid overwriting previous output on clear screen"
	help
	  Instead of erasing the screen content when the console screen should
	  be cleared, emit blank new lines so that previous output is scrolled
	  out of sight rather than overwritten. On serial consoles this allows
	  capturing complete boot logs (except for interactive menus etc.)
	  and can ease debugging related issues.

config EFI_HAVE_CAPSULE_SUPPORT
	bool

config EFI_RUNTIME_UPDATE_CAPSULE
	bool "UpdateCapsule() runtime service"
	select EFI_HAVE_CAPSULE_SUPPORT
	help
	  Select this option if you want to use the UpdateCapsule and
	  QueryCapsuleCapabilities APIs.

config EFI_CAPSULE_ON_DISK
	bool "Enable capsule-on-disk support"
	depends on SYSRESET
	select EFI_HAVE_CAPSULE_SUPPORT
	help
	  Select this option if you want to use the capsule-on-disk feature,
	  that is, capsules can be fetched and executed from files
	  under a specific directory on the UEFI system partition instead of
	  via the UpdateCapsule API.

config EFI_IGNORE_OSINDICATIONS
	bool "Ignore OsIndications for CapsuleUpdate on-disk"
	depends on EFI_CAPSULE_ON_DISK
	help
	  There are boards where U-Boot does not support SetVariable at runtime.
	  Select this option if you want to use the capsule-on-disk feature
	  without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
	  flag in variable OsIndications.

config EFI_CAPSULE_ON_DISK_EARLY
	bool "Initiate capsule-on-disk at U-Boot boottime"
	depends on EFI_CAPSULE_ON_DISK
	help
	  Normally, without this option enabled, capsules are executed
	  only the first time one of the efi commands is invoked.
	  If this option is enabled, capsules are executed as part of
	  U-Boot initialisation, so that they are processed regardless
	  of what distro_bootcmd is set to.

config EFI_CAPSULE_FIRMWARE
	bool

config EFI_CAPSULE_FIRMWARE_MANAGEMENT
	bool "Capsule: Firmware Management Protocol"
	depends on EFI_HAVE_CAPSULE_SUPPORT
	default y
	help
	  Select this option if you want to enable capsule-based
	  firmware update using Firmware Management Protocol.

config EFI_CAPSULE_FIRMWARE_FIT
	bool "FMP driver for FIT images"
	depends on FIT
	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
	select UPDATE_FIT
	select DFU
	select SET_DFU_ALT_INFO
	select EFI_CAPSULE_FIRMWARE
	help
	  Select this option if you want to enable the firmware management
	  protocol driver for FIT images.

config EFI_CAPSULE_FIRMWARE_RAW
	bool "FMP driver for raw images"
	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
	depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
	select DFU_WRITE_ALT
	select DFU
	select SET_DFU_ALT_INFO
	select EFI_CAPSULE_FIRMWARE
	help
	  Select this option if you want to enable the firmware management
	  protocol driver for raw images.

config EFI_CAPSULE_AUTHENTICATE
	bool "Update Capsule authentication"
	depends on EFI_CAPSULE_FIRMWARE
	depends on EFI_CAPSULE_ON_DISK
	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
	select HASH
	select SHA256
	select RSA
	select RSA_VERIFY
	select RSA_VERIFY_WITH_PKEY
	select X509_CERTIFICATE_PARSER
	select PKCS7_MESSAGE_PARSER
	select PKCS7_VERIFY
	select IMAGE_SIGN_INFO
	select EFI_SIGNATURE_SUPPORT
	help
	  Select this option if you want to enable capsule
	  authentication.

config EFI_CAPSULE_MAX
	int "Max value for capsule index"
	default 15
	range 0 65535
	help
	  Select the max capsule index value used for capsule report
	  variables. This value is used to create the CapsuleMax variable.

config EFI_DEVICE_PATH_TO_TEXT
	bool "Device path to text protocol"
	default y
	help
	  The device path to text protocol converts device nodes and paths to
	  human readable strings.

config EFI_DEVICE_PATH_UTIL
	bool "Device path utilities protocol"
	default y
	help
	  The device path utilities protocol creates and manipulates device
	  paths and device nodes. It is required to run the EFI Shell.

config EFI_DT_FIXUP
	bool "Device tree fixup protocol"
	depends on !GENERATE_ACPI_TABLE
	default y
	help
	  The EFI device-tree fix-up protocol provides a function to let the
	  firmware apply fix-ups. This may be used by boot loaders.

config EFI_LOADER_HII
	bool "HII protocols"
	default y
	help
	  The Human Interface Infrastructure is a complicated framework that
	  allows UEFI applications to draw fancy menus and hook strings using
	  a translation framework.

	  U-Boot implements enough of its features to be able to run the UEFI
	  Shell, but not more than that.

config EFI_UNICODE_COLLATION_PROTOCOL2
	bool "Unicode collation protocol"
	default y
	help
	  The Unicode collation protocol is used for lexical comparisons. It is
	  required to run the UEFI shell.

if EFI_UNICODE_COLLATION_PROTOCOL2

config EFI_UNICODE_CAPITALIZATION
	bool "Support Unicode capitalization"
	default y
	help
	  Select this option to enable correct handling of the capitalization of
	  Unicode codepoints in the range 0x0000-0xffff. If this option is not
	  set, only the correct handling of the letters of the codepage
	  used by the FAT file system is ensured.

endif

config EFI_LOADER_BOUNCE_BUFFER
	bool "EFI Applications use bounce buffers for DMA operations"
	depends on ARM64
	help
	  Some hardware does not support DMA to full 64bit addresses. For this
	  hardware we can create a bounce buffer so that payloads don't have to
	  worry about platform details.

config EFI_PLATFORM_LANG_CODES
	string "Language codes supported by firmware"
	default "en-US"
	help
	  This value is used to initialize the PlatformLangCodes variable. Its
	  value is a semicolon (;) separated list of language codes in native
	  RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
	  to initialize the PlatformLang variable.

config EFI_HAVE_RUNTIME_RESET
	# bool "Reset runtime service is available"
	bool
	default y
	depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
		   SANDBOX || SYSRESET_X86

config EFI_GRUB_ARM32_WORKAROUND
	bool "Workaround for GRUB on 32bit ARM"
	default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
	default y
	depends on ARM && !ARM64
	help
	  GRUB prior to version 2.04 requires U-Boot to disable caches. This
	  workaround currently is also needed on systems with caches that
	  cannot be managed via CP15.

config EFI_RNG_PROTOCOL
	bool "EFI_RNG_PROTOCOL support"
	depends on DM_RNG
	default y
	help
	  Provide an EFI_RNG_PROTOCOL implementation using the hardware random
	  number generator of the platform.

config EFI_TCG2_PROTOCOL
	bool "EFI_TCG2_PROTOCOL support"
	default y
	depends on TPM_V2
	# Sandbox TPM currently fails on GetCapabilities needed for TCG2
	depends on !SANDBOX
	select SHA1
	select SHA256
	select SHA384
	select SHA512
	select HASH
	select SMBIOS_PARSER
	help
	  Provide an EFI_TCG2_PROTOCOL implementation using the TPM hardware
	  of the platform.

config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
	int "EFI_TCG2_PROTOCOL EventLog size"
	depends on EFI_TCG2_PROTOCOL
	default 65536
	help
	  Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that
	  this is going to be allocated twice: once for the event log itself
	  and once for the configuration table that is required by the spec.

config EFI_TCG2_PROTOCOL_MEASURE_DTB
	bool "Measure DTB with EFI_TCG2_PROTOCOL"
	depends on EFI_TCG2_PROTOCOL
	help
	  When enabled, the DTB image passed to the booted EFI image is
	  measured using the EFI TCG2 protocol. Do not enable this feature if
	  the passed DTB contains data that change across platform reboots
	  and cannot be used as a predictable measurement. Otherwise
	  this feature allows better measurement of the system boot
	  sequence.

config EFI_LOAD_FILE2_INITRD
	bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
	default y
	help
	  Linux v5.7 and later can make use of this option. If the boot option
	  selected by the UEFI boot manager specifies an existing file to be used
	  as initial RAM disk, a Linux specific Load File2 protocol will be
	  installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
	  argument.

config EFI_SECURE_BOOT
	bool "Enable EFI secure boot support"
	depends on EFI_LOADER && FIT_SIGNATURE
	select HASH
	select SHA256
	select RSA
	select RSA_VERIFY_WITH_PKEY
	select IMAGE_SIGN_INFO
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select X509_CERTIFICATE_PARSER
	select PKCS7_MESSAGE_PARSER
	select PKCS7_VERIFY
	select MSCODE_PARSER
	select EFI_SIGNATURE_SUPPORT
	help
	  Select this option to enable EFI secure boot support.
	  Once SecureBoot mode is enforced, any EFI binary can run only if
	  it is signed with a trusted key. To do that, you need to install,
	  at least, PK, KEK and db.

config EFI_SIGNATURE_SUPPORT
	bool

config EFI_ESRT
	bool "Enable the UEFI ESRT generation"
	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
	default y
	help
	  Enabling this option creates the ESRT UEFI system table.

config EFI_ECPT
	bool "Enable the UEFI ECPT generation"
	default y
	help
	  Enabling this option creates the ECPT UEFI table.

config EFI_EBBR_2_1_CONFORMANCE
	bool "Add the EBBRv2.1 conformance entry to the ECPT table"
	depends on EFI_ECPT
	depends on EFI_LOADER_HII
	depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV
	depends on EFI_RNG_PROTOCOL || !DM_RNG
	depends on EFI_UNICODE_COLLATION_PROTOCOL2
	default y
	help
	  Enabling this option adds the EBBRv2.1 conformance entry to the ECPT
	  UEFI table.

config EFI_RISCV_BOOT_PROTOCOL
	bool "RISCV_EFI_BOOT_PROTOCOL support"
	default y
	depends on RISCV
	help
	  The EFI_RISCV_BOOT_PROTOCOL is used to transfer the boot hart ID
	  to the next boot stage. It should be enabled as it is meant to
	  replace the transfer via the device-tree. The latter is not
	  possible on systems using ACPI.

endif