2 bool "Support running UEFI applications"
3 depends on OF_LIBFDT && ( \
4 ARM && (SYS_CPU = arm1136 || \
8 X86 || RISCV || SANDBOX)
9 # We need EFI_STUB_64BIT to be set on x86_64 with EFI_STUB
10 depends on !EFI_STUB || !X86_64 || EFI_STUB_64BIT
11 # We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB
12 depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT
15 default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8
17 # We need to send DM events, dynamically, in the EFI block driver
25 imply USB_KEYBOARD_FN_KEYS
28 Select this option if you want to run UEFI applications (like GNU
29 GRUB or iPXE) on top of U-Boot. If this option is enabled, U-Boot
30 will expose the UEFI API to a loaded application, enabling it to
31 reuse U-Boot's device drivers.
35 config CMD_BOOTEFI_BOOTMGR
36 bool "UEFI Boot Manager"
38 select BOOTMETH_GLOBAL if BOOTSTD
40 Select this option if you want to select the UEFI binary to be booted
41 via UEFI variables Boot####, BootOrder, and BootNext. This enables the
42 'bootefi bootmgr' command.
45 prompt "Store for non-volatile UEFI variables"
46 default EFI_VARIABLE_FILE_STORE
48 Select where non-volatile UEFI variables shall be stored.
50 config EFI_VARIABLE_FILE_STORE
51 bool "Store non-volatile UEFI variables as file"
54 Select this option if you want non-volatile UEFI variables to be
55 stored as file /ubootefi.var on the EFI system partition.
57 config EFI_MM_COMM_TEE
58 bool "UEFI variables storage service via OP-TEE"
61 If OP-TEE is present and running StandAloneMM, dispatch all UEFI
62 variable related operations to that. The application will verify,
63 authenticate and store the variables on an RPMB.
65 config EFI_VARIABLE_NO_STORE
66 bool "Don't persist non-volatile UEFI variables"
68 If you choose this option, non-volatile variables cannot be persisted.
69 You could still provide non-volatile variables via
70 EFI_VARIABLES_PRESEED.
74 config EFI_VARIABLES_PRESEED
75 bool "Initial values for UEFI variables"
76 depends on !EFI_MM_COMM_TEE
78 Include a file with the initial values for non-volatile UEFI variables
79 into the U-Boot binary. If this configuration option is set, changes
80 to authentication related variables (PK, KEK, db, dbx) are not
83 if EFI_VARIABLES_PRESEED
85 config EFI_VAR_SEED_FILE
86 string "File with initial values of non-volatile UEFI variables"
89 File with initial values of non-volatile UEFI variables. The file must
90 be in the same format as the storage in the EFI system partition. The
91 easiest way to create it is by setting the non-volatile variables in
92 U-Boot. If a relative file path is used, it is relative to the source
97 config EFI_VAR_BUF_SIZE
98 int "Memory size of the UEFI variable store"
100 range 4096 2147483647
102 This defines the size in bytes of the memory area reserved for keeping
105 When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) this value should
106 match the value of PcdFlashNvStorageVariableSize used to compile the
109 Minimum 4096, default 16384.
112 bool "GetTime() runtime service"
116 Provide the GetTime() runtime service at boottime. This service
117 can be used by an EFI application to read the real time clock.
120 bool "SetTime() runtime service"
121 depends on EFI_GET_TIME
122 default y if ARCH_QEMU || SANDBOX
124 Provide the SetTime() runtime service at boottime. This service
125 can be used by an EFI application to adjust the real time clock.
127 config EFI_HAVE_CAPSULE_SUPPORT
130 config EFI_RUNTIME_UPDATE_CAPSULE
131 bool "UpdateCapsule() runtime service"
132 select EFI_HAVE_CAPSULE_SUPPORT
134 Select this option if you want to use UpdateCapsule and
135 QueryCapsuleCapabilities API's.
137 config EFI_CAPSULE_ON_DISK
138 bool "Enable capsule-on-disk support"
140 select EFI_HAVE_CAPSULE_SUPPORT
142 Select this option if you want to use capsule-on-disk feature,
143 that is, capsules can be fetched and executed from files
144 under a specific directory on UEFI system partition instead of
145 via UpdateCapsule API.
147 config EFI_IGNORE_OSINDICATIONS
148 bool "Ignore OsIndications for CapsuleUpdate on-disk"
149 depends on EFI_CAPSULE_ON_DISK
151 There are boards where U-Boot does not support SetVariable at runtime.
152 Select this option if you want to use the capsule-on-disk feature
153 without setting the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
154 flag in variable OsIndications.
156 config EFI_CAPSULE_ON_DISK_EARLY
157 bool "Initiate capsule-on-disk at U-Boot boottime"
158 depends on EFI_CAPSULE_ON_DISK
160 Normally, without this option enabled, capsules will be
161 executed only at the first time of invoking one of efi command.
162 If this option is enabled, capsules will be enforced to be
163 executed as part of U-Boot initialisation so that they will
164 surely take place whatever is set to distro_bootcmd.
166 config EFI_CAPSULE_FIRMWARE
169 config EFI_CAPSULE_FIRMWARE_MANAGEMENT
170 bool "Capsule: Firmware Management Protocol"
171 depends on EFI_HAVE_CAPSULE_SUPPORT
174 Select this option if you want to enable capsule-based
175 firmware update using Firmware Management Protocol.
177 config EFI_CAPSULE_FIRMWARE_FIT
178 bool "FMP driver for FIT images"
180 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
183 select SET_DFU_ALT_INFO
184 select EFI_CAPSULE_FIRMWARE
186 Select this option if you want to enable firmware management protocol
189 config EFI_CAPSULE_FIRMWARE_RAW
190 bool "FMP driver for raw images"
191 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
192 depends on SANDBOX || (!SANDBOX && !EFI_CAPSULE_FIRMWARE_FIT)
195 select SET_DFU_ALT_INFO
196 select EFI_CAPSULE_FIRMWARE
198 Select this option if you want to enable firmware management protocol
201 config EFI_CAPSULE_AUTHENTICATE
202 bool "Update Capsule authentication"
203 depends on EFI_CAPSULE_FIRMWARE
204 depends on EFI_CAPSULE_ON_DISK
205 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
210 select RSA_VERIFY_WITH_PKEY
211 select X509_CERTIFICATE_PARSER
212 select PKCS7_MESSAGE_PARSER
214 select IMAGE_SIGN_INFO
215 select EFI_SIGNATURE_SUPPORT
217 Select this option if you want to enable capsule
220 config EFI_DEVICE_PATH_TO_TEXT
221 bool "Device path to text protocol"
224 The device path to text protocol converts device nodes and paths to
225 human readable strings.
227 config EFI_DEVICE_PATH_UTIL
228 bool "Device path utilities protocol"
231 The device path utilities protocol creates and manipulates device
232 paths and device nodes. It is required to run the EFI Shell.
235 bool "Device tree fixup protocol"
236 depends on !GENERATE_ACPI_TABLE
239 The EFI device-tree fix-up protocol provides a function to let the
240 firmware apply fix-ups. This may be used by boot loaders.
242 config EFI_LOADER_HII
246 The Human Interface Infrastructure is a complicated framework that
247 allows UEFI applications to draw fancy menus and hook strings using
248 a translation framework.
250 U-Boot implements enough of its features to be able to run the UEFI
251 Shell, but not more than that.
253 config EFI_UNICODE_COLLATION_PROTOCOL2
254 bool "Unicode collation protocol"
257 The Unicode collation protocol is used for lexical comparisons. It is
258 required to run the UEFI shell.
260 if EFI_UNICODE_COLLATION_PROTOCOL2
262 config EFI_UNICODE_CAPITALIZATION
263 bool "Support Unicode capitalization"
266 Select this option to enable correct handling of the capitalization of
267 Unicode codepoints in the range 0x0000-0xffff. If this option is not
268 set, only the the correct handling of the letters of the codepage
269 used by the FAT file system is ensured.
273 config EFI_LOADER_BOUNCE_BUFFER
274 bool "EFI Applications use bounce buffers for DMA operations"
277 Some hardware does not support DMA to full 64bit addresses. For this
278 hardware we can create a bounce buffer so that payloads don't have to
279 worry about platform details.
281 config EFI_PLATFORM_LANG_CODES
282 string "Language codes supported by firmware"
285 This value is used to initialize the PlatformLangCodes variable. Its
286 value is a semicolon (;) separated list of language codes in native
287 RFC 4646 format, e.g. "en-US;de-DE". The first language code is used
288 to initialize the PlatformLang variable.
290 config EFI_HAVE_RUNTIME_RESET
291 # bool "Reset runtime service is available"
294 depends on ARCH_BCM283X || FSL_LAYERSCAPE || PSCI_RESET || \
295 SANDBOX || SYSRESET_X86
297 config EFI_GRUB_ARM32_WORKAROUND
298 bool "Workaround for GRUB on 32bit ARM"
299 default n if ARCH_BCM283X || ARCH_SUNXI || ARCH_QEMU
301 depends on ARM && !ARM64
303 GRUB prior to version 2.04 requires U-Boot to disable caches. This
304 workaround currently is also needed on systems with caches that
305 cannot be managed via CP15.
307 config EFI_RNG_PROTOCOL
308 bool "EFI_RNG_PROTOCOL support"
312 Provide a EFI_RNG_PROTOCOL implementation using the hardware random
313 number generator of the platform.
315 config EFI_TCG2_PROTOCOL
316 bool "EFI_TCG2_PROTOCOL support"
319 # Sandbox TPM currently fails on GetCapabilities needed for TCG2
328 Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
331 config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
332 int "EFI_TCG2_PROTOCOL EventLog size"
333 depends on EFI_TCG2_PROTOCOL
336 Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that
337 this is going to be allocated twice. One for the eventlog it self
338 and one for the configuration table that is required from the spec
340 config EFI_LOAD_FILE2_INITRD
341 bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
344 Linux v5.7 and later can make use of this option. If the boot option
345 selected by the UEFI boot manager specifies an existing file to be used
346 as initial RAM disk, a Linux specific Load File2 protocol will be
347 installed and Linux 5.7+ will ignore any initrd=<ramdisk> command line
350 config EFI_SECURE_BOOT
351 bool "Enable EFI secure boot support"
352 depends on EFI_LOADER && FIT_SIGNATURE
356 select RSA_VERIFY_WITH_PKEY
357 select IMAGE_SIGN_INFO
358 select ASYMMETRIC_KEY_TYPE
359 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
360 select X509_CERTIFICATE_PARSER
361 select PKCS7_MESSAGE_PARSER
364 select EFI_SIGNATURE_SUPPORT
366 Select this option to enable EFI secure boot support.
367 Once SecureBoot mode is enforced, any EFI binary can run only if
368 it is signed with a trusted key. To do that, you need to install,
369 at least, PK, KEK and db.
371 config EFI_SIGNATURE_SUPPORT
375 bool "Enable the UEFI ESRT generation"
376 depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
379 Enabling this option creates the ESRT UEFI system table.
382 bool "Enable the UEFI ECPT generation"
385 Enabling this option created the ECPT UEFI table.
387 config EFI_EBBR_2_1_CONFORMANCE
388 bool "Add the EBBRv2.1 conformance entry to the ECPT table"
390 depends on EFI_LOADER_HII
391 depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV
392 depends on EFI_RNG_PROTOCOL || !DM_RNG
393 depends on EFI_UNICODE_COLLATION_PROTOCOL2
396 Enabling this option adds the EBBRv2.1 conformance entry to the ECPT UEFI table.
398 config EFI_RISCV_BOOT_PROTOCOL
399 bool "RISCV_EFI_BOOT_PROTOCOL support"
403 The EFI_RISCV_BOOT_PROTOCOL is used to transfer the boot hart ID
404 to the next boot stage. It should be enabled as it is meant to
405 replace the transfer via the device-tree. The latter is not
406 possible on systems using ACPI.