1menu "UEFI Support"
2
3config EFI_LOADER
4	bool "Support running UEFI applications"
5	depends on ( \
6		ARM && (SYS_CPU = arm1136 || \
7			SYS_CPU = arm1176 || \
8			SYS_CPU = armv7   || \
9			SYS_CPU = armv8)  || \
10		X86 || RISCV || SANDBOX)
11	# We have not fully removed the requirement for some block device
12	depends on BLK
13	# We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
14	depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
15	# We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
16	depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
17	depends on !EFI_APP
18	default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
19	select EFI
20	select CHARSET
21	# We need to send DM events, dynamically, in the EFI block driver
22	select DM_EVENT
23	select EVENT_DYNAMIC
24	select LIB_UUID
25	select LMB
26	select OF_LIBFDT
27	imply PARTITION_UUIDS
28	select REGEX
29	imply FAT
30	imply FAT_WRITE
31	imply FAT_RENAME
32	imply USB_KEYBOARD_FN_KEYS
33	imply VIDEO_ANSI
34	help
35	  Select this option if you want to run UEFI applications (like GNU
36	  GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
37	  will expose the UEFI API to a loaded application, enabling it to
38	  reuse U-Boot's device drivers.
39
40if EFI_LOADER
41
42config EFI_BINARY_EXEC
43	bool "Execute UEFI binary"
44	default y
45	help
46	  Select this option if you want to execute the UEFI binary after
47	  loading it with U-Boot load commands or other methods.
48	  You may enable CMD_BOOTEFI_BINARY so that you can use bootefi
49	  command to do that.
50
51config EFI_SECURE_BOOT
52	bool "Enable EFI secure boot support"
53	depends on EFI_LOADER && FIT_SIGNATURE
54	select HASH
55	select SHA256
56	select RSA
57	select RSA_VERIFY_WITH_PKEY
58	select IMAGE_SIGN_INFO
59	select ASYMMETRIC_KEY_TYPE
60	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
61	select X509_CERTIFICATE_PARSER
62	select PKCS7_MESSAGE_PARSER
63	select PKCS7_VERIFY
64	select MSCODE_PARSER
65	select EFI_SIGNATURE_SUPPORT
66	help
67	  Select this option to enable EFI secure boot support.
68	  Once SecureBoot mode is enforced, an EFI binary can run only if
69	  it is signed with a trusted key. To do that, you need to install
70	  at least PK, KEK and db.
71
72config EFI_SIGNATURE_SUPPORT
73	bool
74
75config EFI_DEBUG_SUPPORT
76	bool "EFI Debug Support"
77	default y if !HAS_BOARD_SIZE_LIMIT
78	help
79	  Select this option if you want to setup the EFI Debug Support
80	  Table and the EFI_SYSTEM_TABLE_POINTER which is used by the debug
81	  agent or an external debugger to determine loaded image information
82	  in a quiescent manner.
83
84menu "UEFI services"
85
86config EFI_GET_TIME
87	bool "GetTime() runtime service"
88	depends on DM_RTC
89	default y
90	help
91	  Provide the GetTime() runtime service at boottime. This service
92	  can be used by an EFI application to read the real time clock.
93
94config EFI_SET_TIME
95	bool "SetTime() runtime service"
96	depends on EFI_GET_TIME
97	default y if ARCH_QEMU || SANDBOX
98	help
99	  Provide the SetTime() runtime service at boottime. This service
100	  can be used by an EFI application to adjust the real time clock.
101
102config EFI_HAVE_RUNTIME_RESET
103	# bool "Reset runtime service is available"
104	bool
105	default y
106	depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
107		   SANDBOX || SYSRESET_SBI || SYSRESET_X86
108
109endmenu
110
111menu "UEFI Variables"
112
113choice
114	prompt "Store for non-volatile UEFI variables"
115	default EFI_VARIABLE_FILE_STORE
116	help
117	  Select where non-volatile UEFI variables shall be stored.
118
119config EFI_VARIABLE_FILE_STORE
120	bool "Store non-volatile UEFI variables as file"
121	depends on FAT_WRITE
122	help
123	  Select this option if you want non-volatile UEFI variables to be
124	  stored as file /ubootefi.var on the EFI system partition.
125
126config EFI_RT_VOLATILE_STORE
127	bool "Allow variable runtime services in volatile storage (e.g RAM)"
128	depends on EFI_VARIABLE_FILE_STORE
129	help
130	  When EFI variables are stored in a file we don't allow SetVariableRT,
131	  since the OS doesn't know how to write that file. At the same time
132	  we copy runtime variables to DRAM and support GetVariableRT.
133
134	  Enable this option to allow SetVariableRT on the RAM backend of
135	  the EFI variable storage. The OS will be responsible for syncing
136	  the RAM contents to the file, otherwise any changes made during
137	  runtime won't persist across reboots.
138	  Authenticated variables are not supported. Note that this will
139	  violate the EFI spec since writing authenticated variables will
140	  return EFI_INVALID_PARAMETER.
141
142config EFI_MM_COMM_TEE
143	bool "UEFI variables storage service via the trusted world"
144	depends on OPTEE
145	help
146	  Allow access to the MM SP services (SPs such as StandAloneMM, smm-gateway).
147	  When using the U-Boot OP-TEE driver, StandAloneMM is supported.
148	  When using the U-Boot FF-A driver, any MM SP is supported.
149
150	  If OP-TEE is present and running StandAloneMM, dispatch all UEFI
151	  variable related operations to that. The application will verify,
152	  authenticate and store the variables on an RPMB.
153
154	  When ARM_FFA_TRANSPORT is used, dispatch all UEFI variable related
155	  operations to the MM SP running in the secure world.
156	  A door bell mechanism is used to notify the SP when there is data in the shared
157	  MM buffer. The data is copied by u-boot to the shared buffer before issuing
158	  the door bell event.
159
160config FFA_SHARED_MM_BUF_SIZE
161	int "Memory size of the shared MM communication buffer"
162	depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
163	help
164	  This defines the size in bytes of the memory area reserved for the shared
165	  buffer used for communication between the MM feature in U-Boot and
166	  the MM SP in secure world.
167	  The size of the memory region must be a multiple of the maximum
168	  translation granule size that is specified in the ID_AA64MMFR0_EL1 System register.
169	  It is assumed that the MM SP knows the size of the shared MM communication buffer.
170
171config FFA_SHARED_MM_BUF_OFFSET
172	int "Data offset in the shared MM communication buffer"
173	depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
174	help
175	  This defines the offset in bytes of the data read or written to in the shared
176	  buffer by the MM SP.
177
178config FFA_SHARED_MM_BUF_ADDR
179	hex "Define the address of the shared MM communication buffer"
180	depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
181	help
182	  This defines the address of the shared MM communication buffer
183	  used for communication between the MM feature in U-Boot and
184	  the MM SP in secure world.
185	  It is assumed that the MM SP knows the address of the shared MM communication buffer.
186
187config EFI_VARIABLE_NO_STORE
188	bool "Don't persist non-volatile UEFI variables"
189	help
190	  If you choose this option, non-volatile variables cannot be persisted.
191	  You could still provide non-volatile variables via
192	  EFI_VARIABLES_PRESEED.
193
194endchoice
195
196config EFI_VARIABLES_PRESEED
197	bool "Initial values for UEFI variables"
198	depends on !EFI_MM_COMM_TEE
199	help
200	  Include a file with the initial values for non-volatile UEFI variables
201	  into the U-Boot binary. If this configuration option is set, changes
202	  to authentication related variables (PK, KEK, db, dbx) are not
203	  allowed.
204
205if EFI_VARIABLES_PRESEED
206
207config EFI_VAR_SEED_FILE
208	string "File with initial values of non-volatile UEFI variables"
209	default "ubootefi.var"
210	help
211	  File with initial values of non-volatile UEFI variables. The file must
212	  be in the same format as the storage in the EFI system partition. The
213	  easiest way to create it is by setting the non-volatile variables in
214	  U-Boot. If a relative file path is used, it is relative to the source
215	  directory.
216
217endif
218
219config EFI_VAR_BUF_SIZE
220	int "Memory size of the UEFI variable store"
221	default 131072
222	range 4096 2147483647
223	help
224	  This defines the size in bytes of the memory area reserved for keeping
225	  UEFI variables.
226
227	  When StandAloneMM is used (CONFIG_EFI_MM_COMM_TEE=y), the
228	  available size for storing variables is defined in
229	  PcdFlashNvStorageVariableSize.
230	  That value is probed at runtime from U-Boot. In that case,
231	  EFI_VAR_BUF_SIZE represents the memory U-Boot reserves to present
232	  runtime variables to the OS.
233
234	  Minimum 4096, default 131072
235
236config EFI_PLATFORM_LANG_CODES
237	string "Language codes supported by firmware"
238	default "en-US"
239	help
240	  This value is used to initialize the PlatformLangCodes variable. Its
241	  value is a semicolon (;) separated list of language codes in native
242	  RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
243	  to initialize the PlatformLang variable.
244
245endmenu
246
247menu "Capsule support"
248
249config EFI_HAVE_CAPSULE_SUPPORT
250	bool
251
252config EFI_RUNTIME_UPDATE_CAPSULE
253	bool "UpdateCapsule() runtime service"
254	select EFI_HAVE_CAPSULE_SUPPORT
255	help
256	  Select this option if you want to use the UpdateCapsule and
257	  QueryCapsuleCapabilities APIs.
258
259config EFI_CAPSULE_ON_DISK
260	bool "Enable capsule-on-disk support"
261	depends on SYSRESET
262	select EFI_HAVE_CAPSULE_SUPPORT
263	help
264	  Select this option if you want to use capsule-on-disk feature,
265	  that is, capsules can be fetched and executed from files
266	  under a specific directory on UEFI system partition instead of
267	  via UpdateCapsule API.
268
269config EFI_IGNORE_OSINDICATIONS
270	bool "Ignore OsIndications for CapsuleUpdate on-disk"
271	depends on EFI_CAPSULE_ON_DISK
272	default y if !EFI_RT_VOLATILE_STORE
273	help
274	  There are boards where U-Boot does not support SetVariable at runtime.
275	  Select this option if you want to use the capsule-on-disk feature
276	  without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
277	  flag in variable OsIndications.
278
279config EFI_CAPSULE_ON_DISK_EARLY
280	bool "Initiate capsule-on-disk at U-Boot boottime"
281	depends on EFI_CAPSULE_ON_DISK
282	help
283	  Normally, without this option enabled, capsules will be
284	  executed only the first time one of the efi commands is invoked.
285	  If this option is enabled, capsules are always executed as part
286	  of U-Boot initialisation, so that they are processed
287	  regardless of what distro_bootcmd is set to.
288
289config EFI_CAPSULE_NAMESPACE_GUID
290	string "Namespace for dynamic capsule GUIDs"
291	# v4 UUID as a default for upstream U-Boot boards
292	default "8c9f137e-91dc-427b-b2d6-b420faebaf2a"
293	depends on EFI_HAVE_CAPSULE_SUPPORT
294	help
295	  Define the namespace or "salt" GUID used to generate the per-image
296	  GUIDs. This should be a GUID in the standard 8-4-4-4-12 format.
297
298	  Device vendors are expected to generate their own namespace GUID
299	  to avoid conflicts with upstream/community images.
300
301config EFI_CAPSULE_FIRMWARE
302	bool
303
304config EFI_CAPSULE_FIRMWARE_MANAGEMENT
305	bool "Capsule: Firmware Management Protocol"
306	depends on EFI_HAVE_CAPSULE_SUPPORT
307	default y
308	help
309	  Select this option if you want to enable capsule-based
310	  firmware update using Firmware Management Protocol.
311
312config EFI_CAPSULE_FIRMWARE_FIT
313	bool "FMP driver for FIT images"
314	depends on FIT
315	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
316	select UPDATE_FIT
317	select DFU
318	select EFI_CAPSULE_FIRMWARE
319	help
320	  Select this option if you want to enable firmware management protocol
321	  driver for FIT image
322
323config EFI_CAPSULE_FIRMWARE_RAW
324	bool "FMP driver for raw images"
325	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
326	depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
327	select DFU_WRITE_ALT
328	select DFU
329	select EFI_CAPSULE_FIRMWARE
330	help
331	  Select this option if you want to enable firmware management protocol
332	  driver for raw image
333
334config EFI_CAPSULE_AUTHENTICATE
335	bool "Update Capsule authentication"
336	depends on EFI_CAPSULE_FIRMWARE
337	depends on EFI_CAPSULE_ON_DISK
338	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
339	select HASH
340	select SHA256
341	select RSA
342	select RSA_VERIFY
343	select RSA_VERIFY_WITH_PKEY
344	select X509_CERTIFICATE_PARSER
345	select PKCS7_MESSAGE_PARSER
346	select PKCS7_VERIFY
347	select IMAGE_SIGN_INFO
348	select EFI_SIGNATURE_SUPPORT
349	help
350	  Select this option if you want to enable capsule authentication.
351	  Without it, capsules are not authenticated before they are applied.
352
353config EFI_CAPSULE_MAX
354	int "Max value for capsule index"
355	default 15
356	range 0 65535
357	help
358	  Select the max capsule index value used for capsule report
359	  variables. This value is used to create CapsuleMax variable.
360
361config EFI_CAPSULE_CRT_FILE
362	string "Path to the EFI capsule public key certificate"
363	depends on EFI_CAPSULE_AUTHENTICATE
364	help
365	  Provides the path to the EFI capsule public key certificate that
366	  corresponds to the capsule signing key. This certificate will be used
367	  to generate the EFI capsule ESL (signature list file) that gets
368	  embedded in the platform's device tree and used for capsule
369	  authentication at the time of capsule update.
370
371endmenu
372
373menu "UEFI protocol support"
374
375config EFI_DEVICE_PATH_TO_TEXT
376	bool "Device path to text protocol"
377	default y
378	help
379	  The device path to text protocol converts device nodes and paths to
380	  human readable strings.
381
382config EFI_DEVICE_PATH_UTIL
383	bool "Device path utilities protocol"
384	default y
385	help
386	  The device path utilities protocol creates and manipulates device
387	  paths and device nodes. It is required to run the EFI Shell.
388
389config EFI_DT_FIXUP
390	bool "Device tree fixup protocol"
391	depends on !GENERATE_ACPI_TABLE
392	default y
393	help
394	  The EFI device-tree fix-up protocol provides a function to let the
395	  firmware apply fix-ups. This may be used by boot loaders.
396
397config EFI_LOADER_HII
398	bool "HII protocols"
399	default y if !HAS_BOARD_SIZE_LIMIT
400	help
401	  The Human Interface Infrastructure is a complicated framework that
402	  allows UEFI applications to draw fancy menus and hook strings using
403	  a translation framework.
404
405	  U-Boot implements enough of its features to be able to run the UEFI
406	  Shell, but not more than that.
407
408config EFI_UNICODE_COLLATION_PROTOCOL2
409	bool "Unicode collation protocol"
410	default y
411	help
412	  The Unicode collation protocol is used for lexical comparisons. It is
413	  required to run the UEFI shell.
414
415if EFI_UNICODE_COLLATION_PROTOCOL2
416
417config EFI_UNICODE_CAPITALIZATION
418	bool "Support Unicode capitalization"
419	default y if !HAS_BOARD_SIZE_LIMIT
420	help
421	  Select this option to enable correct handling of the capitalization of
422	  Unicode codepoints in the range 0x0000-0xffff. If this option is not
423	  set, only the correct handling of the letters of the codepage
424	  used by the FAT file system is ensured.
425
426endif
427
428config EFI_RNG_PROTOCOL
429	bool "EFI_RNG_PROTOCOL support"
430	depends on DM_RNG
431	default y
432	help
433	  Provide a EFI_RNG_PROTOCOL implementation using the hardware random
434	  number generator of the platform.
435
436config EFI_TCG2_PROTOCOL
437	bool "EFI_TCG2_PROTOCOL support"
438	default y
439	depends on TPM_V2
440	select SHA1
441	select SHA256
442	select SHA384
443	select SHA512
444	select HASH
445	select SMBIOS_PARSER
446	help
447	  Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
448	  of the platform.
449
450config EFI_TCG2_PROTOCOL_MEASURE_DTB
451	bool "Measure DTB with EFI_TCG2_PROTOCOL"
452	depends on EFI_TCG2_PROTOCOL
453	help
454	  When enabled, the DTB image passed to the booted EFI image is
455	  measured using the EFI TCG2 protocol. Do not enable this feature if
456	  the passed DTB contains data that changes across platform reboots
457	  and cannot be used for a predictable measurement. Otherwise, this
458	  feature allows for better measurement of the system boot sequence.
459
460config EFI_LOAD_FILE2_INITRD
461	bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
462	default y
463	help
464	  Linux v5.7 and later can make use of this option. If the boot option
465	  selected by the UEFI boot manager specifies an existing file to be used
466	  as initial RAM disk, a Linux specific Load File2 protocol will be
467	  installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
468	  argument.
469
470config EFI_RISCV_BOOT_PROTOCOL
471	bool "RISCV_EFI_BOOT_PROTOCOL support"
472	default y
473	depends on RISCV
474	help
475	  The EFI_RISCV_BOOT_PROTOCOL is used to transfer the boot hart ID
476	  to the next boot stage. It should be enabled as it is meant to
477	  replace the transfer via the device-tree. The latter is not
478	  possible on systems using ACPI.
479
480config EFI_IP4_CONFIG2_PROTOCOL
481	bool "EFI_IP4_CONFIG2_PROTOCOL support"
482	default y if ARCH_QEMU || SANDBOX
483	depends on NET || NET_LWIP
484	help
485	  Provides an implementation of the EFI_IP4_CONFIG2_PROTOCOL, this
486	  protocol can be used to set and get the current ip address and
487	  other network information.
488
489config EFI_HTTP_PROTOCOL
490	bool "EFI_HTTP_PROTOCOL support"
491	default y if ARCH_QEMU || SANDBOX
492	depends on WGET
493	help
494	  Provides an EFI HTTP driver implementing the EFI_HTTP_PROTOCOL and
495	  EFI_HTTP_SERVICE_BINDING_PROTOCOL.
496
497endmenu
498
499menu "Misc options"
500config EFI_LOADER_BOUNCE_BUFFER
501	bool "EFI Applications use bounce buffers for DMA operations"
502	help
503	  Some hardware does not support DMA to full 64bit addresses. For this
504	  hardware we can create a bounce buffer so that payloads don't have to
505	  worry about platform details.
506
507config EFI_GRUB_ARM32_WORKAROUND
508	bool "Workaround for GRUB on 32bit ARM"
509	default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
510	default y
511	depends on ARM && !ARM64
512	help
513	  GRUB prior to version 2.04 requires U-Boot to disable caches. This
514	  workaround currently is also needed on systems with caches that
515	  cannot be managed via CP15.
516
517config EFI_ESRT
518	bool "Enable the UEFI ESRT generation"
519	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
520	default y
521	help
522	  Enabling this option creates the ESRT UEFI system table.
523
524config EFI_ECPT
525	bool "Enable the UEFI ECPT generation"
526	default y
527	help
528	  Enabling this option creates the ECPT UEFI table.
529
530config EFI_EBBR_2_1_CONFORMANCE
531	bool "Add the EBBRv2.1 conformance entry to the ECPT table"
532	depends on BOOTMETH_EFI_BOOTMGR
533	depends on EFI_ECPT
534	depends on EFI_LOADER_HII
535	depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV
536	depends on EFI_RNG_PROTOCOL || !DM_RNG
537	depends on EFI_UNICODE_COLLATION_PROTOCOL2
538	default y
539	help
540	  Enabling this option adds the EBBRv2.1 conformance entry to the ECPT UEFI table.
541
542config EFI_SCROLL_ON_CLEAR_SCREEN
543	bool "Avoid overwriting previous output on clear screen"
544	help
545	  Instead of erasing the screen content when the console screen should
546	  be cleared, emit blank new lines so that previous output is scrolled
547	  out of sight rather than overwritten. On serial consoles this allows
548	  capturing complete boot logs (except for interactive menus etc.)
549	  and can ease debugging related issues.
550
551endmenu
552
553menu "EFI bootmanager"
554
555config EFI_BOOTMGR
556	bool "UEFI Boot Manager"
557	default y
558	help
559	  Select this option if you want to select the UEFI binary to be booted
560	  via UEFI variables Boot####, BootOrder, and BootNext. You should also
561	  normally enable CMD_BOOTEFI_BOOTMGR so that the command is available.
562
563config EFI_HTTP_BOOT
564	bool "EFI HTTP Boot support"
565	depends on NET || NET_LWIP
566	select CMD_NET
567	select CMD_DNS
568	select CMD_WGET
569	select BLKMAP
570	help
571	  Enabling this option adds EFI HTTP Boot support. It allows
572	  booting directly from the network.
573endmenu
574
575config BOOTEFI_HELLO_COMPILE
576	bool "Compile a standard EFI hello world binary for testing"
577	default y
578	help
579	  This compiles a standard EFI hello world application with U-Boot so
580	  that it can be used with the test/py testing framework. This is useful
581	  for testing that EFI is working at a basic level, and for bringing
582	  up EFI support on a new architecture.
583
584	  No additional space will be required in the resulting U-Boot binary
585	  when this option is enabled.
586
587config BOOTEFI_TESTAPP_COMPILE
588	bool "Compile an EFI test app for testing"
589	default y
590	help
591	  This compiles an app designed for testing. It is packed into an image
592	  by the test.py testing frame in the setup_efi_image() function.
593
594	  No additional space will be required in the resulting U-Boot binary
595	  when this option is enabled.
596
597endif
598
599source "lib/efi_client/Kconfig"
600
601source "lib/efi/Kconfig"
602
603endmenu
604