Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
04851772 MF |
2 | menu "EFI (Extensible Firmware Interface) Support" |
3 | depends on EFI | |
4 | ||
3846c158 PJ |
5 | config EFI_ESRT |
6 | bool | |
7 | depends on EFI && !IA64 | |
8 | default y | |
9 | ||
04851772 MF |
10 | config EFI_VARS_PSTORE |
11 | tristate "Register efivars backend for pstore" | |
232f4eb6 | 12 | depends on PSTORE |
85974825 | 13 | select UCS2_STRING |
04851772 MF |
14 | default y |
15 | help | |
16 | Say Y here to enable use efivars as a backend to pstore. This | |
17 | will allow writing console messages, crash dumps, or anything | |
18 | else supported by pstore to EFI variables. | |
19 | ||
20 | config EFI_VARS_PSTORE_DEFAULT_DISABLE | |
21 | bool "Disable using efivars as a pstore backend by default" | |
22 | depends on EFI_VARS_PSTORE | |
23 | default n | |
24 | help | |
25 | Saying Y here will disable the use of efivars as a storage | |
26 | backend for pstore by default. This setting can be overridden | |
27 | using the efivars module's pstore_disable parameter. | |
28 | ||
926172d4 DY |
29 | config EFI_RUNTIME_MAP |
30 | bool "Export efi runtime maps to sysfs" | |
2965faa5 | 31 | depends on X86 && EFI && KEXEC_CORE |
926172d4 DY |
32 | default y |
33 | help | |
34 | Export efi runtime memory maps to /sys/firmware/efi/runtime-map. | |
35 | That memory map is used for example by kexec to set up efi virtual | |
36 | mapping the 2nd kernel, but can also be used for debugging purposes. | |
37 | ||
38 | See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map. | |
39 | ||
0f96a99d TI |
40 | config EFI_FAKE_MEMMAP |
41 | bool "Enable EFI fake memory map" | |
42 | depends on EFI && X86 | |
43 | default n | |
44 | help | |
45 | Saying Y here will enable "efi_fake_mem" boot option. | |
46 | By specifying this parameter, you can add arbitrary attribute | |
47 | to specific memory range by updating original (firmware provided) | |
48 | EFI memmap. | |
49 | This is useful for debugging of EFI memmap related feature. | |
50 | e.g. Address Range Mirroring feature. | |
51 | ||
52 | config EFI_MAX_FAKE_MEM | |
53 | int "maximum allowable number of ranges in efi_fake_mem boot option" | |
54 | depends on EFI_FAKE_MEMMAP | |
55 | range 1 128 | |
56 | default 8 | |
57 | help | |
58 | Maximum allowable number of ranges in efi_fake_mem boot option. | |
59 | Ranges can be set up to this value using comma-separated list. | |
60 | The default value is 8. | |
61 | ||
b617c526 DW |
62 | config EFI_SOFT_RESERVE |
63 | bool "Reserve EFI Specific Purpose Memory" | |
64 | depends on EFI && EFI_STUB && ACPI_HMAT | |
65 | default ACPI_HMAT | |
66 | help | |
67 | On systems that have mixed performance classes of memory EFI | |
68 | may indicate specific purpose memory with an attribute (See | |
69 | EFI_MEMORY_SP in UEFI 2.8). A memory range tagged with this | |
70 | attribute may have unique performance characteristics compared | |
71 | to the system's general purpose "System RAM" pool. On the | |
72 | expectation that such memory has application specific usage, | |
73 | and its base EFI memory type is "conventional" answer Y to | |
74 | arrange for the kernel to reserve it as a "Soft Reserved" | |
75 | resource, and set aside for direct-access (device-dax) by | |
76 | default. The memory range can later be optionally assigned to | |
77 | the page allocator by system administrator policy via the | |
78 | device-dax kmem facility. Say N to have the kernel treat this | |
79 | memory as "System RAM" by default. | |
80 | ||
81 | If unsure, say Y. | |
82 | ||
82e0d6d7 BE |
83 | config EFI_DXE_MEM_ATTRIBUTES |
84 | bool "Adjust memory attributes in EFISTUB" | |
85 | depends on EFI && EFI_STUB && X86 | |
86 | default y | |
87 | help | |
88 | UEFI specification does not guarantee all memory to be | |
89 | accessible for both write and execute as the kernel expects | |
90 | it to be. | |
91 | Use DXE services to check and alter memory protection | |
92 | attributes during boot via EFISTUB to ensure that memory | |
93 | ranges used by the kernel are writable and executable. | |
94 | ||
0302f71c MS |
95 | config EFI_PARAMS_FROM_FDT |
96 | bool | |
97 | help | |
98 | Select this config option from the architecture Kconfig if | |
99 | the EFI runtime support gets system table address, memory | |
100 | map address, and other parameters from the device tree. | |
101 | ||
022ee6c5 AB |
102 | config EFI_RUNTIME_WRAPPERS |
103 | bool | |
104 | ||
2e0eb483 | 105 | config EFI_GENERIC_STUB |
f4f75ad5 AB |
106 | bool |
107 | ||
a0509109 AB |
108 | config EFI_ZBOOT |
109 | bool "Enable the generic EFI decompressor" | |
110 | depends on EFI_GENERIC_STUB && !ARM | |
111 | select HAVE_KERNEL_GZIP | |
112 | select HAVE_KERNEL_LZ4 | |
113 | select HAVE_KERNEL_LZMA | |
114 | select HAVE_KERNEL_LZO | |
115 | select HAVE_KERNEL_XZ | |
116 | select HAVE_KERNEL_ZSTD | |
117 | help | |
118 | Create the bootable image as an EFI application that carries the | |
119 | actual kernel image in compressed form, and decompresses it into | |
120 | memory before executing it via LoadImage/StartImage EFI boot service | |
121 | calls. For compatibility with non-EFI loaders, the payload can be | |
122 | decompressed and executed by the loader as well, provided that the | |
123 | loader implements the decompression algorithm and that non-EFI boot | |
124 | is supported by the encapsulated image. (The compression algorithm | |
125 | used is described in the zboot image header) | |
126 | ||
127 | config EFI_ZBOOT_SIGNED | |
128 | def_bool y | |
129 | depends on EFI_ZBOOT_SIGNING_CERT != "" | |
130 | depends on EFI_ZBOOT_SIGNING_KEY != "" | |
131 | ||
132 | config EFI_ZBOOT_SIGNING | |
133 | bool "Sign the EFI decompressor for UEFI secure boot" | |
134 | depends on EFI_ZBOOT | |
135 | help | |
136 | Use the 'sbsign' command line tool (which must exist on the host | |
137 | path) to sign both the EFI decompressor PE/COFF image, as well as the | |
138 | encapsulated PE/COFF image, which is subsequently compressed and | |
139 | wrapped by the former image. | |
140 | ||
141 | config EFI_ZBOOT_SIGNING_CERT | |
142 | string "Certificate to use for signing the compressed EFI boot image" | |
143 | depends on EFI_ZBOOT_SIGNING | |
144 | ||
145 | config EFI_ZBOOT_SIGNING_KEY | |
146 | string "Private key to use for signing the compressed EFI boot image" | |
147 | depends on EFI_ZBOOT_SIGNING | |
148 | ||
3d7ee348 AB |
149 | config EFI_ARMSTUB_DTB_LOADER |
150 | bool "Enable the DTB loader" | |
ead384d9 | 151 | depends on EFI_GENERIC_STUB && !RISCV && !LOONGARCH |
d3109593 | 152 | default y |
3d7ee348 AB |
153 | help |
154 | Select this config option to add support for the dtb= command | |
155 | line parameter, allowing a device tree blob to be loaded into | |
156 | memory from the EFI System Partition by the stub. | |
157 | ||
d3109593 SB |
158 | If the device tree is provided by the platform or by |
159 | the bootloader this option may not be needed. | |
160 | But, for various development reasons and to maintain existing | |
161 | functionality for bootloaders that do not have such support | |
162 | this option is necessary. | |
3d7ee348 | 163 | |
cf6b8366 | 164 | config EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER |
4da0b2b7 AB |
165 | bool "Enable the command line initrd loader" if !X86 |
166 | depends on EFI_STUB && (EFI_GENERIC_STUB || X86) | |
6edcf9dc | 167 | default y if X86 |
ead384d9 | 168 | depends on !RISCV && !LOONGARCH |
cf6b8366 AB |
169 | help |
170 | Select this config option to add support for the initrd= command | |
171 | line parameter, allowing an initrd that resides on the same volume | |
172 | as the kernel image to be loaded into memory. | |
173 | ||
174 | This method is deprecated. | |
175 | ||
06f7d4a1 CJ |
176 | config EFI_BOOTLOADER_CONTROL |
177 | tristate "EFI Bootloader Control" | |
416581e4 | 178 | select UCS2_STRING |
06f7d4a1 | 179 | default n |
a7f7f624 | 180 | help |
06f7d4a1 CJ |
181 | This module installs a reboot hook, such that if reboot() is |
182 | invoked with a string argument NNN, "NNN" is copied to the | |
183 | "LoaderEntryOneShot" EFI variable, to be read by the | |
184 | bootloader. If the string matches one of the boot labels | |
185 | defined in its configuration, the bootloader will boot once | |
186 | to that label. The "LoaderEntryRebootReason" EFI variable is | |
187 | set with the reboot reason: "reboot" or "shutdown". The | |
188 | bootloader reads this reboot reason and takes particular | |
189 | action according to its policy. | |
190 | ||
65117f1a KHL |
191 | config EFI_CAPSULE_LOADER |
192 | tristate "EFI capsule loader" | |
e0a6aa30 | 193 | depends on EFI && !IA64 |
65117f1a KHL |
194 | help |
195 | This option exposes a loader interface "/dev/efi_capsule_loader" for | |
196 | users to load EFI capsules. This driver requires working runtime | |
197 | capsule support in the firmware, which many OEMs do not provide. | |
198 | ||
199 | Most users should say N. | |
200 | ||
2959c95d | 201 | config EFI_CAPSULE_QUIRK_QUARK_CSH |
1ae83c5c | 202 | bool "Add support for Quark capsules with non-standard headers" |
2959c95d JK |
203 | depends on X86 && !64BIT |
204 | select EFI_CAPSULE_LOADER | |
205 | default y | |
206 | help | |
207 | Add support for processing Quark X1000 EFI capsules, whose header | |
208 | layout deviates from the layout mandated by the UEFI specification. | |
209 | ||
ff6301da IH |
210 | config EFI_TEST |
211 | tristate "EFI Runtime Service Tests Support" | |
212 | depends on EFI | |
213 | default n | |
214 | help | |
215 | This driver uses the efi.<service> function pointers directly instead | |
216 | of going through the efivar API, because it is not trying to test the | |
217 | kernel subsystem, just for testing the UEFI runtime service | |
218 | interfaces which are provided by the firmware. This driver is used | |
219 | by the Firmware Test Suite (FWTS) for testing the UEFI runtime | |
220 | interfaces readiness of the firmware. | |
221 | Details for FWTS are available from: | |
222 | <https://wiki.ubuntu.com/FirmwareTestSuite> | |
223 | ||
224 | Say Y here to enable the runtime services support via /dev/efi_test. | |
225 | If unsure, say N. | |
226 | ||
75ed63d9 AB |
227 | config EFI_DEV_PATH_PARSER |
228 | bool | |
229 | ||
58c5475a LW |
230 | config APPLE_PROPERTIES |
231 | bool "Apple Device Properties" | |
232 | depends on EFI_STUB && X86 | |
233 | select EFI_DEV_PATH_PARSER | |
234 | select UCS2_STRING | |
235 | help | |
236 | Retrieve properties from EFI on Apple Macs and assign them to | |
237 | devices, allowing for improved support of Apple hardware. | |
238 | Properties that would otherwise be missing include the | |
239 | Thunderbolt Device ROM and GPU configuration data. | |
240 | ||
241 | If unsure, say Y if you have a Mac. Otherwise N. | |
242 | ||
ccc829ba MG |
243 | config RESET_ATTACK_MITIGATION |
244 | bool "Reset memory attack mitigation" | |
245 | depends on EFI_STUB | |
246 | help | |
247 | Request that the firmware clear the contents of RAM after a reboot | |
248 | using the TCG Platform Reset Attack Mitigation specification. This | |
249 | protects against an attacker forcibly rebooting the system while it | |
250 | still contains secrets in RAM, booting another OS and extracting the | |
a5c03c31 MG |
251 | secrets. This should only be enabled when userland is configured to |
252 | clear the MemoryOverwriteRequest flag on clean shutdown after secrets | |
253 | have been evicted, since otherwise it will trigger even on clean | |
254 | reboots. | |
ccc829ba | 255 | |
1c5fecb6 N |
256 | config EFI_RCI2_TABLE |
257 | bool "EFI Runtime Configuration Interface Table Version 2 Support" | |
0b6b30c6 | 258 | depends on X86 || COMPILE_TEST |
1c5fecb6 N |
259 | help |
260 | Displays the content of the Runtime Configuration Interface | |
261 | Table version 2 on Dell EMC PowerEdge systems as a binary | |
262 | attribute 'rci2' under /sys/firmware/efi/tables directory. | |
263 | ||
264 | RCI2 table contains BIOS HII in XML format and is used to populate | |
265 | BIOS setup page in Dell EMC OpenManage Server Administrator tool. | |
266 | The BIOS setup page contains BIOS tokens which can be configured. | |
267 | ||
268 | Say Y here for Dell EMC PowerEdge systems. | |
269 | ||
4444f854 MG |
270 | config EFI_DISABLE_PCI_DMA |
271 | bool "Clear Busmaster bit on PCI bridges during ExitBootServices()" | |
272 | help | |
273 | Disable the busmaster bit in the control register on all PCI bridges | |
274 | while calling ExitBootServices() and passing control to the runtime | |
275 | kernel. System firmware may configure the IOMMU to prevent malicious | |
276 | PCI devices from being able to attack the OS via DMA. However, since | |
277 | firmware can't guarantee that the OS is IOMMU-aware, it will tear | |
278 | down IOMMU configuration when ExitBootServices() is called. This | |
279 | leaves a window between where a hostile device could still cause | |
280 | damage before Linux configures the IOMMU again. | |
281 | ||
282 | If you say Y here, the EFI stub will clear the busmaster bit on all | |
283 | PCI bridges before ExitBootServices() is called. This will prevent | |
284 | any malicious PCI devices from being able to perform DMA until the | |
285 | kernel reenables busmastering after configuring the IOMMU. | |
286 | ||
287 | This option will cause failures with some poorly behaved hardware | |
288 | and should not be enabled without testing. The kernel commandline | |
289 | options "efi=disable_early_pci_dma" or "efi=no_disable_early_pci_dma" | |
290 | may be used to override this option. | |
291 | ||
69c1f396 AB |
292 | config EFI_EARLYCON |
293 | def_bool y | |
75ed63d9 | 294 | depends on SERIAL_EARLYCON && !ARM && !IA64 |
69c1f396 AB |
295 | select FONT_SUPPORT |
296 | select ARCH_USE_MEMREMAP_PROT | |
435d1a47 PJ |
297 | |
298 | config EFI_CUSTOM_SSDT_OVERLAYS | |
299 | bool "Load custom ACPI SSDT overlay from an EFI variable" | |
75ed63d9 | 300 | depends on ACPI |
435d1a47 PJ |
301 | default ACPI_TABLE_UPGRADE |
302 | help | |
303 | Allow loading of an ACPI SSDT overlay from an EFI variable specified | |
304 | by a kernel command line option. | |
305 | ||
306 | See Documentation/admin-guide/acpi/ssdt-overlays.rst for more | |
307 | information. | |
a031651f JMC |
308 | |
309 | config EFI_DISABLE_RUNTIME | |
310 | bool "Disable EFI runtime services support by default" | |
311 | default y if PREEMPT_RT | |
312 | help | |
313 | Allow to disable the EFI runtime services support by default. This can | |
314 | already be achieved by using the efi=noruntime option, but it could be | |
315 | useful to have this default without any kernel command line parameter. | |
316 | ||
317 | The EFI runtime services are disabled by default when PREEMPT_RT is | |
318 | enabled, because measurements have shown that some EFI functions calls | |
319 | might take too much time to complete, causing large latencies which is | |
320 | an issue for Real-Time kernels. | |
321 | ||
322 | This default can be overridden by using the efi=runtime option. | |
12274189 DM |
323 | |
324 | config EFI_COCO_SECRET | |
325 | bool "EFI Confidential Computing Secret Area Support" | |
12274189 DM |
326 | help |
327 | Confidential Computing platforms (such as AMD SEV) allow the | |
328 | Guest Owner to securely inject secrets during guest VM launch. | |
329 | The secrets are placed in a designated EFI reserved memory area. | |
330 | ||
331 | In order to use the secrets in the kernel, the location of the secret | |
332 | area (as published in the EFI config table) must be kept. | |
333 | ||
334 | If you say Y here, the address of the EFI secret area will be kept | |
335 | for usage inside the kernel. This will allow the | |
336 | virt/coco/efi_secret module to access the secrets, which in turn | |
337 | allows userspace programs to access the injected secrets. | |
75ed63d9 AB |
338 | |
339 | config EFI_EMBEDDED_FIRMWARE | |
340 | bool | |
341 | select CRYPTO_LIB_SHA256 | |
342 | ||
343 | endmenu | |
344 | ||
345 | config UEFI_CPER | |
346 | bool | |
347 | ||
348 | config UEFI_CPER_ARM | |
349 | bool | |
350 | depends on UEFI_CPER && ( ARM || ARM64 ) | |
351 | default y | |
352 | ||
353 | config UEFI_CPER_X86 | |
354 | bool | |
355 | depends on UEFI_CPER && X86 | |
356 | default y |