2 bool "Support running UEFI applications"
3 depends on OF_LIBFDT && ( \
4 ARM && (SYS_CPU = arm1136 || \
8 X86 || RISCV || SANDBOX)
9 # We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
10 depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
11 # We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
12 depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
14 depends on DM_ETH || !NET
16 default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
26 imply USB_KEYBOARD_FN_KEYS
29 Select this option if you want to run UEFI applications (like GNU
30 GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
31 will expose the UEFI API to a loaded application, enabling it to
32 reuse U-Boot's device drivers.
36 config CMD_BOOTEFI_BOOTMGR
37 bool "UEFI Boot Manager"
39 select BOOTMETH_GLOBAL if BOOTSTD
41 Select this option if you want to select the UEFI binary to be booted
42 via UEFI variables Boot####, BootOrder, and BootNext. This enables the
43 'bootefi bootmgr' command.
45 config EFI_SETUP_EARLY
50 prompt "Store for non-volatile UEFI variables"
51 default EFI_VARIABLE_FILE_STORE
53 Select where non-volatile UEFI variables shall be stored.
55 config EFI_VARIABLE_FILE_STORE
56 bool "Store non-volatile UEFI variables as file"
59 Select this option if you want non-volatile UEFI variables to be
60 stored as file /ubootefi.var on the EFI system partition.
62 config EFI_MM_COMM_TEE
63 bool "UEFI variables storage service via OP-TEE"
66 If OP-TEE is present and running StandAloneMM, dispatch all UEFI
67 variable related operations to that. The application will verify,
68 authenticate and store the variables on an RPMB.
70 config EFI_VARIABLE_NO_STORE
71 bool "Don't persist non-volatile UEFI variables"
73 If you choose this option, non-volatile variables cannot be persisted.
74 You could still provide non-volatile variables via
75 EFI_VARIABLES_PRESEED.
79 config EFI_VARIABLES_PRESEED
80 bool "Initial values for UEFI variables"
81 depends on !EFI_MM_COMM_TEE
83 Include a file with the initial values for non-volatile UEFI variables
84 into the U-Boot binary. If this configuration option is set, changes
85 to authentication related variables (PK, KEK, db, dbx) are not
88 if EFI_VARIABLES_PRESEED
90 config EFI_VAR_SEED_FILE
91 string "File with initial values of non-volatile UEFI variables"
94 File with initial values of non-volatile UEFI variables. The file must
95 be in the same format as the storage in the EFI system partition. The
96 easiest way to create it is by setting the non-volatile variables in
97 U-Boot. If a relative file path is used, it is relative to the source
102 config EFI_VAR_BUF_SIZE
103 int "Memory size of the UEFI variable store"
105 range 4096 2147483647
107 This defines the size in bytes of the memory area reserved for keeping
110 When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) this value should
111 match the value of PcdFlashNvStorageVariableSize used to compile the
114 Minimum 4096, default 16384.
117 bool "GetTime() runtime service"
121 Provide the GetTime() runtime service at boottime. This service
122 can be used by an EFI application to read the real time clock.
125 bool "SetTime() runtime service"
126 depends on EFI_GET_TIME
127 default y if ARCH_QEMU || SANDBOX
129 Provide the SetTime() runtime service at boottime. This service
130 can be used by an EFI application to adjust the real time clock.
132 config EFI_HAVE_CAPSULE_SUPPORT
135 config EFI_RUNTIME_UPDATE_CAPSULE
136 bool "UpdateCapsule() runtime service"
137 select EFI_HAVE_CAPSULE_SUPPORT
139 Select this option if you want to use UpdateCapsule and
140 QueryCapsuleCapabilities API's.
142 config EFI_CAPSULE_ON_DISK
143 bool "Enable capsule-on-disk support"
145 select EFI_HAVE_CAPSULE_SUPPORT
147 Select this option if you want to use capsule-on-disk feature,
148 that is, capsules can be fetched and executed from files
149 under a specific directory on UEFI system partition instead of
150 via UpdateCapsule API.
152 config EFI_IGNORE_OSINDICATIONS
153 bool "Ignore OsIndications for CapsuleUpdate on-disk"
154 depends on EFI_CAPSULE_ON_DISK
156 There are boards where U-Boot does not support SetVariable at runtime.
157 Select this option if you want to use the capsule-on-disk feature
158 without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
159 flag in variable OsIndications.
161 config EFI_CAPSULE_ON_DISK_EARLY
162 bool "Initiate capsule-on-disk at U-Boot boottime"
163 depends on EFI_CAPSULE_ON_DISK
164 select EFI_SETUP_EARLY
166 Normally, without this option enabled, capsules will be
167 executed only at the first time of invoking one of efi command.
168 If this option is enabled, capsules will be enforced to be
169 executed as part of U-Boot initialisation so that they will
170 surely take place whatever is set to distro_bootcmd.
172 config EFI_CAPSULE_FIRMWARE
175 config EFI_CAPSULE_FIRMWARE_MANAGEMENT
176 bool "Capsule: Firmware Management Protocol"
177 depends on EFI_HAVE_CAPSULE_SUPPORT
180 Select this option if you want to enable capsule-based
181 firmware update using Firmware Management Protocol.
183 config EFI_CAPSULE_FIRMWARE_FIT
184 bool "FMP driver for FIT images"
186 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
189 select SET_DFU_ALT_INFO
190 select EFI_CAPSULE_FIRMWARE
192 Select this option if you want to enable firmware management protocol
195 config EFI_CAPSULE_FIRMWARE_RAW
196 bool "FMP driver for raw images"
197 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
198 depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
201 select SET_DFU_ALT_INFO
202 select EFI_CAPSULE_FIRMWARE
204 Select this option if you want to enable firmware management protocol
207 config EFI_CAPSULE_AUTHENTICATE
208 bool "Update Capsule authentication"
209 depends on EFI_CAPSULE_FIRMWARE
210 depends on EFI_CAPSULE_ON_DISK
211 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
216 select RSA_VERIFY_WITH_PKEY
217 select X509_CERTIFICATE_PARSER
218 select PKCS7_MESSAGE_PARSER
220 select IMAGE_SIGN_INFO
221 select EFI_SIGNATURE_SUPPORT
223 Select this option if you want to enable capsule
226 config EFI_DEVICE_PATH_TO_TEXT
227 bool "Device path to text protocol"
230 The device path to text protocol converts device nodes and paths to
231 human readable strings.
233 config EFI_DEVICE_PATH_UTIL
234 bool "Device path utilities protocol"
237 The device path utilities protocol creates and manipulates device
238 paths and device nodes. It is required to run the EFI Shell.
241 bool "Device tree fixup protocol"
242 depends on !GENERATE_ACPI_TABLE
245 The EFI device-tree fix-up protocol provides a function to let the
246 firmware apply fix-ups. This may be used by boot loaders.
248 config EFI_LOADER_HII
252 The Human Interface Infrastructure is a complicated framework that
253 allows UEFI applications to draw fancy menus and hook strings using
254 a translation framework.
256 U-Boot implements enough of its features to be able to run the UEFI
257 Shell, but not more than that.
259 config EFI_UNICODE_COLLATION_PROTOCOL2
260 bool "Unicode collation protocol"
263 The Unicode collation protocol is used for lexical comparisons. It is
264 required to run the UEFI shell.
266 if EFI_UNICODE_COLLATION_PROTOCOL2
268 config EFI_UNICODE_CAPITALIZATION
269 bool "Support Unicode capitalization"
272 Select this option to enable correct handling of the capitalization of
273 Unicode codepoints in the range 0x0000-0xffff. If this option is not
274 set, only the the correct handling of the letters of the codepage
275 used by the FAT file system is ensured.
279 config EFI_LOADER_BOUNCE_BUFFER
280 bool "EFI Applications use bounce buffers for DMA operations"
283 Some hardware does not support DMA to full 64bit addresses. For this
284 hardware we can create a bounce buffer so that payloads don't have to
285 worry about platform details.
287 config EFI_PLATFORM_LANG_CODES
288 string "Language codes supported by firmware"
291 This value is used to initialize the PlatformLangCodes variable. Its
292 value is a semicolon (;) separated list of language codes in native
293 RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
294 to initialize the PlatformLang variable.
296 config EFI_HAVE_RUNTIME_RESET
297 # bool "Reset runtime service is available"
300 depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
301 SANDBOX || SYSRESET_X86
303 config EFI_GRUB_ARM32_WORKAROUND
304 bool "Workaround for GRUB on 32bit ARM"
305 default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
307 depends on ARM && !ARM64
309 GRUB prior to version 2.04 requires U-Boot to disable caches. This
310 workaround currently is also needed on systems with caches that
311 cannot be managed via CP15.
313 config EFI_RNG_PROTOCOL
314 bool "EFI_RNG_PROTOCOL support"
318 Provide a EFI_RNG_PROTOCOL implementation using the hardware random
319 number generator of the platform.
321 config EFI_TCG2_PROTOCOL
322 bool "EFI_TCG2_PROTOCOL support"
325 # Sandbox TPM currently fails on GetCapabilities needed for TCG2
334 Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
337 config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
338 int "EFI_TCG2_PROTOCOL EventLog size"
339 depends on EFI_TCG2_PROTOCOL
342 Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that
343 this is going to be allocated twice. One for the eventlog it self
344 and one for the configuration table that is required from the spec
346 config EFI_LOAD_FILE2_INITRD
347 bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
350 Linux v5.7 and later can make use of this option. If the boot option
351 selected by the UEFI boot manager specifies an existing file to be used
352 as initial RAM disk, a Linux specific Load File2 protocol will be
353 installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
356 config EFI_SECURE_BOOT
357 bool "Enable EFI secure boot support"
358 depends on EFI_LOADER && FIT_SIGNATURE
362 select RSA_VERIFY_WITH_PKEY
363 select IMAGE_SIGN_INFO
364 select ASYMMETRIC_KEY_TYPE
365 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
366 select X509_CERTIFICATE_PARSER
367 select PKCS7_MESSAGE_PARSER
370 select EFI_SIGNATURE_SUPPORT
372 Select this option to enable EFI secure boot support.
373 Once SecureBoot mode is enforced, any EFI binary can run only if
374 it is signed with a trusted key. To do that, you need to install,
375 at least, PK, KEK and db.
377 config EFI_SIGNATURE_SUPPORT
381 bool "Enable the UEFI ESRT generation"
382 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
385 Enabling this option creates the ESRT UEFI system table.
388 bool "Enable the UEFI ECPT generation"
391 Enabling this option created the ECPT UEFI table.
393 config EFI_EBBR_2_0_CONFORMANCE
394 bool "Add the EBBRv2.0 conformance entry to the ECPT table"
396 depends on EFI_LOADER_HII
397 depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV
398 depends on EFI_RNG_PROTOCOL || !DM_RNG
399 depends on EFI_UNICODE_COLLATION_PROTOCOL2
402 Enabling this option adds the EBBRv2.0 conformance entry to the ECPT UEFI table.
404 config EFI_RISCV_BOOT_PROTOCOL
405 bool "RISCV_EFI_BOOT_PROTOCOL support"
409 The EFI_RISCV_BOOT_PROTOCOL is used to transfer the boot hart ID
410 to the next boot stage. It should be enabled as it is meant to
411 replace the transfer via the device-tree. The latter is not
412 possible on systems using ACPI.