[u-boot.git] / lib / efi_loader / Kconfig

menu "UEFI Support"

config EFI_LOADER
        bool "Support running UEFI applications"
        depends on OF_LIBFDT && ( \
                ARM && (SYS_CPU = arm1136 || \
                        SYS_CPU = arm1176 || \
                        SYS_CPU = armv7   || \
                        SYS_CPU = armv8)  || \
                X86 || RISCV || SANDBOX)
        # We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
        depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
        # We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
        depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
        depends on !EFI_APP
        default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
        select BLK
        select CHARSET
        # We need to send DM events, dynamically, in the EFI block driver
        select DM_EVENT
        select EVENT_DYNAMIC
        select LIB_UUID
        imply PARTITION_UUIDS
        select REGEX
        imply FAT
        imply FAT_WRITE
        imply USB_KEYBOARD_FN_KEYS
        imply VIDEO_ANSI
        help
          Select this option if you want to run UEFI applications (like GNU
          GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
          will expose the UEFI API to a loaded application, enabling it to
          reuse U-Boot's device drivers.

if EFI_LOADER

config EFI_BINARY_EXEC
        bool "Execute UEFI binary"
        default y
        help
          Select this option if you want to execute the UEFI binary after
          loading it with U-Boot load commands or other methods.
          You may enable CMD_BOOTEFI_BINARY so that you can use bootefi
          command to do that.

config EFI_SECURE_BOOT
        bool "Enable EFI secure boot support"
        depends on EFI_LOADER && FIT_SIGNATURE
        select HASH
        select SHA256
        select RSA
        select RSA_VERIFY_WITH_PKEY
        select IMAGE_SIGN_INFO
        select ASYMMETRIC_KEY_TYPE
        select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
        select X509_CERTIFICATE_PARSER
        select PKCS7_MESSAGE_PARSER
        select PKCS7_VERIFY
        select MSCODE_PARSER
        select EFI_SIGNATURE_SUPPORT
        help
          Select this option to enable EFI secure boot support.
          Once SecureBoot mode is enforced, any EFI binary can run only if
          it is signed with a trusted key. To do that, you need to install,
          at least, PK, KEK and db.

config EFI_SIGNATURE_SUPPORT
        bool

menu "UEFI services"

config EFI_GET_TIME
        bool "GetTime() runtime service"
        depends on DM_RTC
        default y
        help
          Provide the GetTime() runtime service at boottime. This service
          can be used by an EFI application to read the real time clock.

config EFI_SET_TIME
        bool "SetTime() runtime service"
        depends on EFI_GET_TIME
        default y if ARCH_QEMU || SANDBOX
        help
          Provide the SetTime() runtime service at boottime. This service
          can be used by an EFI application to adjust the real time clock.

config EFI_HAVE_RUNTIME_RESET
        # bool "Reset runtime service is available"
        bool
        default y
        depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
                   SANDBOX || SYSRESET_SBI || SYSRESET_X86

endmenu

menu "UEFI Variables"

choice
        prompt "Store for non-volatile UEFI variables"
        default EFI_VARIABLE_FILE_STORE
        help
          Select where non-volatile UEFI variables shall be stored.

config EFI_VARIABLE_FILE_STORE
        bool "Store non-volatile UEFI variables as file"
        depends on FAT_WRITE
        help
          Select this option if you want non-volatile UEFI variables to be
          stored as file /ubootefi.var on the EFI system partition.

config EFI_RT_VOLATILE_STORE
        bool "Allow variable runtime services in volatile storage (e.g RAM)"
        depends on EFI_VARIABLE_FILE_STORE
        help
          When EFI variables are stored on file we don't allow SetVariableRT,
          since the OS doesn't know how to write that file. At the same time
          we copy runtime variables in DRAM and support GetVariableRT

          Enable this option to allow SetVariableRT on the RAM backend of
          the EFI variable storage. The OS will be responsible for syncing
          the RAM contents to the file, otherwise any changes made during
          runtime won't persist reboots.
          Authenticated variables are not supported. Note that this will
          violate the EFI spec since writing auth variables will return
          EFI_INVALID_PARAMETER

config EFI_MM_COMM_TEE
        bool "UEFI variables storage service via the trusted world"
        depends on OPTEE
        help
          Allowing access to the MM SP services (SPs such as  StandAlonneMM, smm-gateway).
          When using the u-boot OP-TEE driver, StandAlonneMM is supported.
          When using the u-boot FF-A  driver any MM SP is supported.

          If OP-TEE is present and running StandAloneMM, dispatch all UEFI
          variable related operations to that. The application will verify,
          authenticate and store the variables on an RPMB.

          When ARM_FFA_TRANSPORT is used, dispatch all UEFI variable related
          operations to the MM SP running in the secure world.
          A door bell mechanism is used to notify the SP when there is data in the shared
          MM buffer. The data is copied by u-boot to the shared buffer before issuing
          the door bell event.

config FFA_SHARED_MM_BUF_SIZE
        int "Memory size of the shared MM communication buffer"
        depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
        help
          This defines the size in bytes of the memory area reserved for the shared
          buffer used for communication between the MM feature in U-Boot and
          the MM SP in secure world.
          The size of the memory region must be a multiple of the size of the maximum
          translation granule size that is specified in the ID_AA64MMFR0_EL1 System register.
          It is assumed that the MM SP knows the size of the shared MM communication buffer.

config FFA_SHARED_MM_BUF_OFFSET
        int "Data offset in the shared MM communication buffer"
        depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
        help
          This defines the offset in bytes of the data read or written to in the shared
          buffer by the MM SP.

config FFA_SHARED_MM_BUF_ADDR
        hex "Define the address of the shared MM communication buffer"
        depends on EFI_MM_COMM_TEE && ARM_FFA_TRANSPORT
        help
          This defines the address of the shared MM communication buffer
          used for communication between the MM feature in U-Boot and
          the MM SP in secure world.
          It is assumed that the MM SP knows the address of the shared MM communication buffer.

config EFI_VARIABLE_NO_STORE
        bool "Don't persist non-volatile UEFI variables"
        help
          If you choose this option, non-volatile variables cannot be persisted.
          You could still provide non-volatile variables via
          EFI_VARIABLES_PRESEED.

endchoice

config EFI_VARIABLES_PRESEED
        bool "Initial values for UEFI variables"
        depends on !EFI_MM_COMM_TEE
        help
          Include a file with the initial values for non-volatile UEFI variables
          into the U-Boot binary. If this configuration option is set, changes
          to authentication related variables (PK, KEK, db, dbx) are not
          allowed.

if EFI_VARIABLES_PRESEED

config EFI_VAR_SEED_FILE
        string "File with initial values of non-volatile UEFI variables"
        default "ubootefi.var"
        help
          File with initial values of non-volatile UEFI variables. The file must
          be in the same format as the storage in the EFI system partition. The
          easiest way to create it is by setting the non-volatile variables in
          U-Boot. If a relative file path is used, it is relative to the source
          directory.

endif

config EFI_VAR_BUF_SIZE
        int "Memory size of the UEFI variable store"
        default 131072
        range 4096 2147483647
        help
          This defines the size in bytes of the memory area reserved for keeping
          UEFI variables.

          When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) is used the
          available size for storing variables is defined in
          PcdFlashNvStorageVariableSize.
          That value is probed at runtime from U-Boot. In that case,
          EFI_VAR_BUF_SIZE represents the memory U-Boot reserves to present
          runtime variables to the OS.

          Minimum 4096, default 131072

config EFI_PLATFORM_LANG_CODES
        string "Language codes supported by firmware"
        default "en-US"
        help
          This value is used to initialize the PlatformLangCodes variable. Its
          value is a semicolon (;) separated list of language codes in native
          RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
          to initialize the PlatformLang variable.

endmenu

menu "Capsule support"

config EFI_HAVE_CAPSULE_SUPPORT
        bool

config EFI_RUNTIME_UPDATE_CAPSULE
        bool "UpdateCapsule() runtime service"
        select EFI_HAVE_CAPSULE_SUPPORT
        help
          Select this option if you want to use UpdateCapsule and
          QueryCapsuleCapabilities API's.

config EFI_CAPSULE_ON_DISK
        bool "Enable capsule-on-disk support"
        depends on SYSRESET
        select EFI_HAVE_CAPSULE_SUPPORT
        help
          Select this option if you want to use capsule-on-disk feature,
          that is, capsules can be fetched and executed from files
          under a specific directory on UEFI system partition instead of
          via UpdateCapsule API.

config EFI_IGNORE_OSINDICATIONS
        bool "Ignore OsIndications for CapsuleUpdate on-disk"
        depends on EFI_CAPSULE_ON_DISK
        default y if !EFI_RT_VOLATILE_STORE
        help
          There are boards where U-Boot does not support SetVariable at runtime.
          Select this option if you want to use the capsule-on-disk feature
          without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
          flag in variable OsIndications.

config EFI_CAPSULE_ON_DISK_EARLY
        bool "Initiate capsule-on-disk at U-Boot boottime"
        depends on EFI_CAPSULE_ON_DISK
        help
          Normally, without this option enabled, capsules will be
          executed only at the first time of invoking one of efi command.
          If this option is enabled, capsules will be enforced to be
          executed as part of U-Boot initialisation so that they will
          surely take place whatever is set to distro_bootcmd.

config EFI_CAPSULE_NAMESPACE_GUID
        string "Namespace for dynamic capsule GUIDs"
        # v4 UUID as a default for upstream U-Boot boards
        default "8c9f137e-91dc-427b-b2d6-b420faebaf2a"
        depends on EFI_HAVE_CAPSULE_SUPPORT
        help
          Define the namespace or "salt" GUID used to generate the per-image
          GUIDs. This should be a GUID in the standard 8-4-4-4-12 format.

          Device vendors are expected to generate their own namespace GUID
          to avoid conflicts with upstream/community images.

config EFI_CAPSULE_FIRMWARE
        bool

config EFI_CAPSULE_FIRMWARE_MANAGEMENT
        bool "Capsule: Firmware Management Protocol"
        depends on EFI_HAVE_CAPSULE_SUPPORT
        default y
        help
          Select this option if you want to enable capsule-based
          firmware update using Firmware Management Protocol.

config EFI_CAPSULE_FIRMWARE_FIT
        bool "FMP driver for FIT images"
        depends on FIT
        depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
        select UPDATE_FIT
        select DFU
        select SET_DFU_ALT_INFO
        select EFI_CAPSULE_FIRMWARE
        help
          Select this option if you want to enable firmware management protocol
          driver for FIT image

config EFI_CAPSULE_FIRMWARE_RAW
        bool "FMP driver for raw images"
        depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
        depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
        select DFU_WRITE_ALT
        select DFU
        select SET_DFU_ALT_INFO
        select EFI_CAPSULE_FIRMWARE
        help
          Select this option if you want to enable firmware management protocol
          driver for raw image

config EFI_CAPSULE_AUTHENTICATE
        bool "Update Capsule authentication"
        depends on EFI_CAPSULE_FIRMWARE
        depends on EFI_CAPSULE_ON_DISK
        depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
        select HASH
        select SHA256
        select RSA
        select RSA_VERIFY
        select RSA_VERIFY_WITH_PKEY
        select X509_CERTIFICATE_PARSER
        select PKCS7_MESSAGE_PARSER
        select PKCS7_VERIFY
        select IMAGE_SIGN_INFO
        select EFI_SIGNATURE_SUPPORT
        help
          Select this option if you want to enable capsule
          authentication

config EFI_CAPSULE_MAX
        int "Max value for capsule index"
        default 15
        range 0 65535
        help
          Select the max capsule index value used for capsule report
          variables. This value is used to create CapsuleMax variable.

config EFI_CAPSULE_CRT_FILE
        string "Path to the EFI capsule public key certificate"
        depends on EFI_CAPSULE_AUTHENTICATE
        help
          Provides the path to the EFI capsule public key certificate that
          corresponds to the capsule signing key. This certificate will be used
          to generate the EFI capsule ESL (signature list file) that gets
          embedded in the platform's device tree and used for capsule
          authentication at the time of capsule update.

endmenu

menu "UEFI protocol support"

config EFI_DEVICE_PATH_TO_TEXT
        bool "Device path to text protocol"
        default y
        help
          The device path to text protocol converts device nodes and paths to
          human readable strings.

config EFI_DEVICE_PATH_UTIL
        bool "Device path utilities protocol"
        default y
        help
          The device path utilities protocol creates and manipulates device
          paths and device nodes. It is required to run the EFI Shell.

config EFI_DT_FIXUP
        bool "Device tree fixup protocol"
        depends on !GENERATE_ACPI_TABLE
        default y
        help
          The EFI device-tree fix-up protocol provides a function to let the
          firmware apply fix-ups. This may be used by boot loaders.

config EFI_LOADER_HII
        bool "HII protocols"
        default y
        help
          The Human Interface Infrastructure is a complicated framework that
          allows UEFI applications to draw fancy menus and hook strings using
          a translation framework.

          U-Boot implements enough of its features to be able to run the UEFI
          Shell, but not more than that.

config EFI_UNICODE_COLLATION_PROTOCOL2
        bool "Unicode collation protocol"
        default y
        help
          The Unicode collation protocol is used for lexical comparisons. It is
          required to run the UEFI shell.

if EFI_UNICODE_COLLATION_PROTOCOL2

config EFI_UNICODE_CAPITALIZATION
        bool "Support Unicode capitalization"
        default y
        help
          Select this option to enable correct handling of the capitalization of
          Unicode codepoints in the range 0x0000-0xffff. If this option is not
          set, only the the correct handling of the letters of the codepage
          used by the FAT file system is ensured.

endif

config EFI_RNG_PROTOCOL
        bool "EFI_RNG_PROTOCOL support"
        depends on DM_RNG
        default y
        help
          Provide a EFI_RNG_PROTOCOL implementation using the hardware random
          number generator of the platform.

config EFI_TCG2_PROTOCOL
        bool "EFI_TCG2_PROTOCOL support"
        default y
        depends on TPM_V2
        select SHA1
        select SHA256
        select SHA384
        select SHA512
        select HASH
        select SMBIOS_PARSER
        help
          Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
          of the platform.

config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
        int "EFI_TCG2_PROTOCOL EventLog size"
        depends on EFI_TCG2_PROTOCOL
        default 65536
        help
                Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that
                this is going to be allocated twice. One for the eventlog it self
                and one for the configuration table that is required from the spec

config EFI_TCG2_PROTOCOL_MEASURE_DTB
        bool "Measure DTB with EFI_TCG2_PROTOCOL"
        depends on EFI_TCG2_PROTOCOL
        help
          When enabled, the DTB image passed to the booted EFI image is
          measured using the EFI TCG2 protocol. Do not enable this feature if
          the passed DTB contains data that change across platform reboots
          and cannot be used has a predictable measurement. Otherwise
          this feature allows better measurement of the system boot
          sequence.

config EFI_LOAD_FILE2_INITRD
        bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
        default y
        help
          Linux v5.7 and later can make use of this option. If the boot option
          selected by the UEFI boot manager specifies an existing file to be used
          as initial RAM disk, a Linux specific Load File2 protocol will be
          installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
          argument.

config EFI_RISCV_BOOT_PROTOCOL
        bool "RISCV_EFI_BOOT_PROTOCOL support"
        default y
        depends on RISCV
        help
          The EFI_RISCV_BOOT_PROTOCOL is used to transfer the boot hart ID
          to the next boot stage. It should be enabled as it is meant to
          replace the transfer via the device-tree. The latter is not
          possible on systems using ACPI.

endmenu

menu "Misc options"
config EFI_LOADER_BOUNCE_BUFFER
        bool "EFI Applications use bounce buffers for DMA operations"
        depends on ARM64
        help
          Some hardware does not support DMA to full 64bit addresses. For this
          hardware we can create a bounce buffer so that payloads don't have to
          worry about platform details.

config EFI_GRUB_ARM32_WORKAROUND
        bool "Workaround for GRUB on 32bit ARM"
        default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
        default y
        depends on ARM && !ARM64
        help
          GRUB prior to version 2.04 requires U-Boot to disable caches. This
          workaround currently is also needed on systems with caches that
          cannot be managed via CP15.

config EFI_ESRT
        bool "Enable the UEFI ESRT generation"
        depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
        default y
        help
          Enabling this option creates the ESRT UEFI system table.

config EFI_ECPT
        bool "Enable the UEFI ECPT generation"
        default y
        help
          Enabling this option created the ECPT UEFI table.

config EFI_EBBR_2_1_CONFORMANCE
        bool "Add the EBBRv2.1 conformance entry to the ECPT table"
        depends on BOOTMETH_EFI_BOOTMGR
        depends on EFI_ECPT
        depends on EFI_LOADER_HII
        depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV
        depends on EFI_RNG_PROTOCOL || !DM_RNG
        depends on EFI_UNICODE_COLLATION_PROTOCOL2
        default y
        help
          Enabling this option adds the EBBRv2.1 conformance entry to the ECPT UEFI table.

config EFI_SCROLL_ON_CLEAR_SCREEN
        bool "Avoid overwriting previous output on clear screen"
        help
          Instead of erasing the screen content when the console screen should
          be cleared, emit blank new lines so that previous output is scrolled
          out of sight rather than overwritten. On serial consoles this allows
          to capture complete boot logs (except for interactive menus etc.)
          and can ease debugging related issues.

endmenu

menu "EFI bootmanager"

config EFI_BOOTMGR
        bool "UEFI Boot Manager"
        default y
        help
          Select this option if you want to select the UEFI binary to be booted
          via UEFI variables Boot####, BootOrder, and BootNext. You should also
          normally enable CMD_BOOTEFI_BOOTMGR so that the command is available.

config EFI_HTTP_BOOT
        bool "EFI HTTP Boot support"
        select CMD_DNS
        select CMD_WGET
        select BLKMAP
        help
          Enabling this option adds EFI HTTP Boot support. It allows to
          directly boot from network.
endmenu

endif

source "lib/efi/Kconfig"

endmenu