leandrof/u-boot
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

doc: eficonfig: add description for UEFI Secure Boot Configuration

Browse Source 
This commits adds the description for the UEFI Secure Boot
Configuration through the eficonfig menu.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

Redacted the complete document.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Masahisa Kojima 2022-12-02 13:59:37 +09:00 committed by Heinrich Schuchardt
parent 140a8959d4
commit 30124c2bb9
1 changed files with 61 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
doc/usage/cmd/eficonfig.rst
View File

@ -13,49 +13,43 @@ Synopsis
Description Description
----------- -----------
The "eficonfig" command uses U-Boot menu interface and provides The "eficonfig" command uses the U-Boot menu interface to provide a
a menu-driven UEFI variable maintenance feature. menu-driven UEFI variable maintenance feature. These are the top level menu
The "eficonfig" has the following menu entries. entries:
Add Boot Option Add Boot Option
Add new UEFI Boot Option. Add a new UEFI Boot Option.
User can edit description, file path, and optional_data. The user can edit description, file path, and optional_data.
The new boot opiton is appended to the boot order in the *BootOrder*
variable. The user may want to update the boot order using the
*Change Boot Order* menu entry.
Edit Boot Option Edit Boot Option
Edit the existing UEFI Boot Option Edit an existing UEFI Boot Option.
User can edit description, file path, and optional_data. The User can edit description, file path, and optional_data.
Change Boot Order Change Boot Order
Change the order of UEFI BootOrder variable. Change the boot order updating the UEFI BootOrder variable.
Delete Boot Option Delete Boot Option
Delete the UEFI Boot Option Delete a UEFI Boot Option
Configuration Secure Boot Configuration
------------- Edit the UEFI Secure Boot Configuration
The "eficonfig" command is enabled by:: How to boot the system with a newly added UEFI Boot Option
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
CONFIG_CMD_EFICONFIG=y The "eficonfig" command is used to set the UEFI boot options which are stored
in the UEFI variable Boot#### where #### is a hexadecimal number.
If CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled, user can not enter The command *bootefi bootmgr* can be used to boot by trying in sequence all
U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: boot options selected by the variable *BootOrder*.
CONFIG_USE_PREBOOT=y
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
How to boot the system with newly added UEFI Boot Option
''''''''''''''''''''''''''''''''''''''''''''''''''''''''
"eficonfig" command is responsible for configuring the UEFI variables,
not directly handle the system boot.
The new Boot Option added by "eficonfig" is appended at the last entry
of UEFI BootOrder variable, user may want to change the boot order
through "Change Boot Order".
If the bootmenu is enabled, CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled, If the bootmenu is enabled, CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled,
and "eficonfig" is configured as preboot command, the newly added Boot Options and "eficonfig" is configured as preboot command, the newly added Boot Options
are enumerated in the bootmenu when user exits from the eficonfig menu. are enumerated in the bootmenu when the user exits from the eficonfig menu.
User may select the entry in the bootmenu to boot the system, or follow The user may select the entry in the bootmenu to boot the system, or follow
the U-Boot configuration the system already has. the U-Boot configuration the system already has.
Auto boot with the UEFI Boot Option Auto boot with the UEFI Boot Option
@ -66,6 +60,44 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry::
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
UEFI Secure Boot Configuration
''''''''''''''''''''''''''''''
The user can enroll the variables PK, KEK, db and dbx by selecting a file.
The "eficonfig" command only accepts signed EFI Signature List(s) with an
authenticated header, typically a ".auth" file.
To clear the PK, KEK, db and dbx, the user needs to enroll a null value
signed by PK or KEK.
Configuration
-------------
The "eficonfig" command is enabled by::
CONFIG_CMD_EFICONFIG=y
If CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled, the user can not enter
U-Boot console. In this case, the bootmenu can be used to invoke "eficonfig"::
CONFIG_USE_PREBOOT=y
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
The only way U-Boot can currently store EFI variables on a tamper
resistant medium is via OP-TEE. The Kconfig option that enables that is::
CONFIG_EFI_MM_COMM_TEE=y.
It enables storing EFI variables on the RPMB partition of an eMMC device.
The UEFI Secure Boot Configuration menu entry is only available if the following
options are enabled::
CONFIG_EFI_SECURE_BOOT=y
CONFIG_EFI_MM_COMM_TEE=y
See also See also
-------- --------
* :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items
* :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with
different boot items