30124c2bb9
This commits adds the description for the UEFI Secure Boot Configuration through the eficonfig menu. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Redacted the complete document. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
104 lines
3.2 KiB
ReStructuredText
104 lines
3.2 KiB
ReStructuredText
.. SPDX-License-Identifier: GPL-2.0+
|
|
.. (C) Copyright 2022, Masahisa Kojima <masahisa.kojima@linaro.org>
|
|
|
|
eficonfig command
|
|
=================
|
|
|
|
Synopsis
|
|
--------
|
|
::
|
|
|
|
eficonfig
|
|
|
|
Description
|
|
-----------
|
|
|
|
The "eficonfig" command uses the U-Boot menu interface to provide a
|
|
menu-driven UEFI variable maintenance feature. These are the top level menu
|
|
entries:
|
|
|
|
Add Boot Option
|
|
Add a new UEFI Boot Option.
|
|
The user can edit description, file path, and optional_data.
|
|
The new boot opiton is appended to the boot order in the *BootOrder*
|
|
variable. The user may want to update the boot order using the
|
|
*Change Boot Order* menu entry.
|
|
|
|
Edit Boot Option
|
|
Edit an existing UEFI Boot Option.
|
|
The User can edit description, file path, and optional_data.
|
|
|
|
Change Boot Order
|
|
Change the boot order updating the UEFI BootOrder variable.
|
|
|
|
Delete Boot Option
|
|
Delete a UEFI Boot Option
|
|
|
|
Secure Boot Configuration
|
|
Edit the UEFI Secure Boot Configuration
|
|
|
|
How to boot the system with a newly added UEFI Boot Option
|
|
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
|
|
|
|
The "eficonfig" command is used to set the UEFI boot options which are stored
|
|
in the UEFI variable Boot#### where #### is a hexadecimal number.
|
|
|
|
The command *bootefi bootmgr* can be used to boot by trying in sequence all
|
|
boot options selected by the variable *BootOrder*.
|
|
|
|
If the bootmenu is enabled, CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled,
|
|
and "eficonfig" is configured as preboot command, the newly added Boot Options
|
|
are enumerated in the bootmenu when the user exits from the eficonfig menu.
|
|
The user may select the entry in the bootmenu to boot the system, or follow
|
|
the U-Boot configuration the system already has.
|
|
|
|
Auto boot with the UEFI Boot Option
|
|
'''''''''''''''''''''''''''''''''''
|
|
|
|
To do auto boot according to the UEFI BootOrder variable,
|
|
add "bootefi bootmgr" entry as a default or first bootmenu entry::
|
|
|
|
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
|
|
|
|
UEFI Secure Boot Configuration
|
|
''''''''''''''''''''''''''''''
|
|
|
|
The user can enroll the variables PK, KEK, db and dbx by selecting a file.
|
|
The "eficonfig" command only accepts signed EFI Signature List(s) with an
|
|
authenticated header, typically a ".auth" file.
|
|
|
|
To clear the PK, KEK, db and dbx, the user needs to enroll a null value
|
|
signed by PK or KEK.
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
The "eficonfig" command is enabled by::
|
|
|
|
CONFIG_CMD_EFICONFIG=y
|
|
|
|
If CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled, the user can not enter
|
|
U-Boot console. In this case, the bootmenu can be used to invoke "eficonfig"::
|
|
|
|
CONFIG_USE_PREBOOT=y
|
|
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
|
|
|
|
The only way U-Boot can currently store EFI variables on a tamper
|
|
resistant medium is via OP-TEE. The Kconfig option that enables that is::
|
|
|
|
CONFIG_EFI_MM_COMM_TEE=y.
|
|
|
|
It enables storing EFI variables on the RPMB partition of an eMMC device.
|
|
|
|
The UEFI Secure Boot Configuration menu entry is only available if the following
|
|
options are enabled::
|
|
|
|
CONFIG_EFI_SECURE_BOOT=y
|
|
CONFIG_EFI_MM_COMM_TEE=y
|
|
|
|
See also
|
|
--------
|
|
|
|
* :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with
|
|
different boot items
|