[linux-block.git] / drivers / firmware / efi / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
menu "EFI (Extensible Firmware Interface) Support"
	depends on EFI

config EFI_ESRT
	bool
	depends on EFI && !IA64
	default y

config EFI_VARS_PSTORE
	tristate "Register efivars backend for pstore"
	depends on PSTORE
	select UCS2_STRING
	default y
	help
	  Say Y here to enable use efivars as a backend to pstore. This
	  will allow writing console messages, crash dumps, or anything
	  else supported by pstore to EFI variables.

config EFI_VARS_PSTORE_DEFAULT_DISABLE
	bool "Disable using efivars as a pstore backend by default"
	depends on EFI_VARS_PSTORE
	default n
	help
	  Saying Y here will disable the use of efivars as a storage
	  backend for pstore by default. This setting can be overridden
	  using the efivars module's pstore_disable parameter.

config EFI_RUNTIME_MAP
	bool "Export efi runtime maps to sysfs"
	depends on X86 && EFI && KEXEC_CORE
	default y
	help
	  Export efi runtime memory maps to /sys/firmware/efi/runtime-map.
	  That memory map is used for example by kexec to set up efi virtual
	  mapping the 2nd kernel, but can also be used for debugging purposes.

	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.

config EFI_FAKE_MEMMAP
	bool "Enable EFI fake memory map"
	depends on EFI && X86
	default n
	help
	  Saying Y here will enable "efi_fake_mem" boot option.
	  By specifying this parameter, you can add arbitrary attribute
	  to specific memory range by updating original (firmware provided)
	  EFI memmap.
	  This is useful for debugging of EFI memmap related feature.
	  e.g. Address Range Mirroring feature.

config EFI_MAX_FAKE_MEM
	int "maximum allowable number of ranges in efi_fake_mem boot option"
	depends on EFI_FAKE_MEMMAP
	range 1 128
	default 8
	help
	  Maximum allowable number of ranges in efi_fake_mem boot option.
	  Ranges can be set up to this value using comma-separated list.
	  The default value is 8.

config EFI_SOFT_RESERVE
	bool "Reserve EFI Specific Purpose Memory"
	depends on EFI && EFI_STUB && ACPI_HMAT
	default ACPI_HMAT
	help
	  On systems that have mixed performance classes of memory EFI
	  may indicate specific purpose memory with an attribute (See
	  EFI_MEMORY_SP in UEFI 2.8). A memory range tagged with this
	  attribute may have unique performance characteristics compared
	  to the system's general purpose "System RAM" pool. On the
	  expectation that such memory has application specific usage,
	  and its base EFI memory type is "conventional" answer Y to
	  arrange for the kernel to reserve it as a "Soft Reserved"
	  resource, and set aside for direct-access (device-dax) by
	  default. The memory range can later be optionally assigned to
	  the page allocator by system administrator policy via the
	  device-dax kmem facility. Say N to have the kernel treat this
	  memory as "System RAM" by default.

	  If unsure, say Y.

config EFI_DXE_MEM_ATTRIBUTES
	bool "Adjust memory attributes in EFISTUB"
	depends on EFI && EFI_STUB && X86
	default y
	help
	  UEFI specification does not guarantee all memory to be
	  accessible for both write and execute as the kernel expects
	  it to be.
	  Use DXE services to check and alter memory protection
	  attributes during boot via EFISTUB to ensure that memory
	  ranges used by the kernel are writable and executable.

config EFI_PARAMS_FROM_FDT
	bool
	help
	  Select this config option from the architecture Kconfig if
	  the EFI runtime support gets system table address, memory
          map address, and other parameters from the device tree.

config EFI_RUNTIME_WRAPPERS
	bool

config EFI_GENERIC_STUB
	bool

config EFI_ZBOOT
	bool "Enable the generic EFI decompressor"
	depends on EFI_GENERIC_STUB && !ARM
	select HAVE_KERNEL_GZIP
	select HAVE_KERNEL_LZ4
	select HAVE_KERNEL_LZMA
	select HAVE_KERNEL_LZO
	select HAVE_KERNEL_XZ
	select HAVE_KERNEL_ZSTD
	help
	  Create the bootable image as an EFI application that carries the
	  actual kernel image in compressed form, and decompresses it into
	  memory before executing it via LoadImage/StartImage EFI boot service
	  calls. For compatibility with non-EFI loaders, the payload can be
	  decompressed and executed by the loader as well, provided that the
	  loader implements the decompression algorithm and that non-EFI boot
	  is supported by the encapsulated image. (The compression algorithm
	  used is described in the zboot image header)

config EFI_ZBOOT_SIGNED
	def_bool y
	depends on EFI_ZBOOT_SIGNING_CERT != ""
	depends on EFI_ZBOOT_SIGNING_KEY != ""

config EFI_ZBOOT_SIGNING
	bool "Sign the EFI decompressor for UEFI secure boot"
	depends on EFI_ZBOOT
	help
	  Use the 'sbsign' command line tool (which must exist on the host
	  path) to sign both the EFI decompressor PE/COFF image, as well as the
	  encapsulated PE/COFF image, which is subsequently compressed and
	  wrapped by the former image.

config EFI_ZBOOT_SIGNING_CERT
	string "Certificate to use for signing the compressed EFI boot image"
	depends on EFI_ZBOOT_SIGNING

config EFI_ZBOOT_SIGNING_KEY
	string "Private key to use for signing the compressed EFI boot image"
	depends on EFI_ZBOOT_SIGNING

config EFI_ARMSTUB_DTB_LOADER
	bool "Enable the DTB loader"
	depends on EFI_GENERIC_STUB && !RISCV && !LOONGARCH
	default y
	help
	  Select this config option to add support for the dtb= command
	  line parameter, allowing a device tree blob to be loaded into
	  memory from the EFI System Partition by the stub.

	  If the device tree is provided by the platform or by
	  the bootloader this option may not be needed.
	  But, for various development reasons and to maintain existing
	  functionality for bootloaders that do not have such support
	  this option is necessary.

config EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER
	bool "Enable the command line initrd loader" if !X86
	depends on EFI_STUB && (EFI_GENERIC_STUB || X86)
	default y if X86
	depends on !RISCV && !LOONGARCH
	help
	  Select this config option to add support for the initrd= command
	  line parameter, allowing an initrd that resides on the same volume
	  as the kernel image to be loaded into memory.

	  This method is deprecated.

config EFI_BOOTLOADER_CONTROL
	tristate "EFI Bootloader Control"
	select UCS2_STRING
	default n
	help
	  This module installs a reboot hook, such that if reboot() is
	  invoked with a string argument NNN, "NNN" is copied to the
	  "LoaderEntryOneShot" EFI variable, to be read by the
	  bootloader. If the string matches one of the boot labels
	  defined in its configuration, the bootloader will boot once
	  to that label. The "LoaderEntryRebootReason" EFI variable is
	  set with the reboot reason: "reboot" or "shutdown". The
	  bootloader reads this reboot reason and takes particular
	  action according to its policy.

config EFI_CAPSULE_LOADER
	tristate "EFI capsule loader"
	depends on EFI && !IA64
	help
	  This option exposes a loader interface "/dev/efi_capsule_loader" for
	  users to load EFI capsules. This driver requires working runtime
	  capsule support in the firmware, which many OEMs do not provide.

	  Most users should say N.

config EFI_CAPSULE_QUIRK_QUARK_CSH
	bool "Add support for Quark capsules with non-standard headers"
	depends on X86 && !64BIT
	select EFI_CAPSULE_LOADER
	default y
	help
	  Add support for processing Quark X1000 EFI capsules, whose header
	  layout deviates from the layout mandated by the UEFI specification.

config EFI_TEST
	tristate "EFI Runtime Service Tests Support"
	depends on EFI
	default n
	help
	  This driver uses the efi.<service> function pointers directly instead
	  of going through the efivar API, because it is not trying to test the
	  kernel subsystem, just for testing the UEFI runtime service
	  interfaces which are provided by the firmware. This driver is used
	  by the Firmware Test Suite (FWTS) for testing the UEFI runtime
	  interfaces readiness of the firmware.
	  Details for FWTS are available from:
	  <https://wiki.ubuntu.com/FirmwareTestSuite>

	  Say Y here to enable the runtime services support via /dev/efi_test.
	  If unsure, say N.

config EFI_DEV_PATH_PARSER
	bool

config APPLE_PROPERTIES
	bool "Apple Device Properties"
	depends on EFI_STUB && X86
	select EFI_DEV_PATH_PARSER
	select UCS2_STRING
	help
	  Retrieve properties from EFI on Apple Macs and assign them to
	  devices, allowing for improved support of Apple hardware.
	  Properties that would otherwise be missing include the
	  Thunderbolt Device ROM and GPU configuration data.

	  If unsure, say Y if you have a Mac.  Otherwise N.

config RESET_ATTACK_MITIGATION
	bool "Reset memory attack mitigation"
	depends on EFI_STUB
	help
	  Request that the firmware clear the contents of RAM after a reboot
	  using the TCG Platform Reset Attack Mitigation specification. This
	  protects against an attacker forcibly rebooting the system while it
	  still contains secrets in RAM, booting another OS and extracting the
	  secrets. This should only be enabled when userland is configured to
	  clear the MemoryOverwriteRequest flag on clean shutdown after secrets
	  have been evicted, since otherwise it will trigger even on clean
	  reboots.

config EFI_RCI2_TABLE
	bool "EFI Runtime Configuration Interface Table Version 2 Support"
	depends on X86 || COMPILE_TEST
	help
	  Displays the content of the Runtime Configuration Interface
	  Table version 2 on Dell EMC PowerEdge systems as a binary
	  attribute 'rci2' under /sys/firmware/efi/tables directory.

	  RCI2 table contains BIOS HII in XML format and is used to populate
	  BIOS setup page in Dell EMC OpenManage Server Administrator tool.
	  The BIOS setup page contains BIOS tokens which can be configured.

	  Say Y here for Dell EMC PowerEdge systems.

config EFI_DISABLE_PCI_DMA
       bool "Clear Busmaster bit on PCI bridges during ExitBootServices()"
       help
	  Disable the busmaster bit in the control register on all PCI bridges
	  while calling ExitBootServices() and passing control to the runtime
	  kernel. System firmware may configure the IOMMU to prevent malicious
	  PCI devices from being able to attack the OS via DMA. However, since
	  firmware can't guarantee that the OS is IOMMU-aware, it will tear
	  down IOMMU configuration when ExitBootServices() is called. This
	  leaves a window between where a hostile device could still cause
	  damage before Linux configures the IOMMU again.

	  If you say Y here, the EFI stub will clear the busmaster bit on all
	  PCI bridges before ExitBootServices() is called. This will prevent
	  any malicious PCI devices from being able to perform DMA until the
	  kernel reenables busmastering after configuring the IOMMU.

	  This option will cause failures with some poorly behaved hardware
	  and should not be enabled without testing. The kernel commandline
	  options "efi=disable_early_pci_dma" or "efi=no_disable_early_pci_dma"
	  may be used to override this option.

config EFI_EARLYCON
	def_bool y
	depends on SERIAL_EARLYCON && !ARM && !IA64
	select FONT_SUPPORT
	select ARCH_USE_MEMREMAP_PROT

config EFI_CUSTOM_SSDT_OVERLAYS
	bool "Load custom ACPI SSDT overlay from an EFI variable"
	depends on ACPI
	default ACPI_TABLE_UPGRADE
	help
	  Allow loading of an ACPI SSDT overlay from an EFI variable specified
	  by a kernel command line option.

	  See Documentation/admin-guide/acpi/ssdt-overlays.rst for more
	  information.

config EFI_DISABLE_RUNTIME
	bool "Disable EFI runtime services support by default"
	default y if PREEMPT_RT
	help
	  Allow to disable the EFI runtime services support by default. This can
	  already be achieved by using the efi=noruntime option, but it could be
	  useful to have this default without any kernel command line parameter.

	  The EFI runtime services are disabled by default when PREEMPT_RT is
	  enabled, because measurements have shown that some EFI functions calls
	  might take too much time to complete, causing large latencies which is
	  an issue for Real-Time kernels.

	  This default can be overridden by using the efi=runtime option.

config EFI_COCO_SECRET
	bool "EFI Confidential Computing Secret Area Support"
	help
	  Confidential Computing platforms (such as AMD SEV) allow the
	  Guest Owner to securely inject secrets during guest VM launch.
	  The secrets are placed in a designated EFI reserved memory area.

	  In order to use the secrets in the kernel, the location of the secret
	  area (as published in the EFI config table) must be kept.

	  If you say Y here, the address of the EFI secret area will be kept
	  for usage inside the kernel.  This will allow the
	  virt/coco/efi_secret module to access the secrets, which in turn
	  allows userspace programs to access the injected secrets.

config EFI_EMBEDDED_FIRMWARE
	bool
	select CRYPTO_LIB_SHA256

endmenu

config UEFI_CPER
	bool

config UEFI_CPER_ARM
	bool
	depends on UEFI_CPER && ( ARM || ARM64 )
	default y

config UEFI_CPER_X86
	bool
	depends on UEFI_CPER && X86
	default y
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
04851772 MF	2	menu "EFI (Extensible Firmware Interface) Support"
	3	depends on EFI
	4
3846c158 PJ	5	config EFI_ESRT
	6	bool
	7	depends on EFI && !IA64
	8	default y
	9
04851772 MF	10	config EFI_VARS_PSTORE
04851772 MF	11	tristate "Register efivars backend for pstore"
232f4eb6	12	depends on PSTORE
85974825	13	select UCS2_STRING
04851772 MF	14	default y
	15	help
	16	Say Y here to enable use efivars as a backend to pstore. This
	17	will allow writing console messages, crash dumps, or anything
	18	else supported by pstore to EFI variables.
	19
	20	config EFI_VARS_PSTORE_DEFAULT_DISABLE
	21	bool "Disable using efivars as a pstore backend by default"
	22	depends on EFI_VARS_PSTORE
	23	default n
	24	help
	25	Saying Y here will disable the use of efivars as a storage
	26	backend for pstore by default. This setting can be overridden
	27	using the efivars module's pstore_disable parameter.
	28
926172d4 DY	29	config EFI_RUNTIME_MAP
926172d4 DY	30	bool "Export efi runtime maps to sysfs"
2965faa5	31	depends on X86 && EFI && KEXEC_CORE
926172d4 DY	32	default y
	33	help
	34	Export efi runtime memory maps to /sys/firmware/efi/runtime-map.
	35	That memory map is used for example by kexec to set up efi virtual
	36	mapping the 2nd kernel, but can also be used for debugging purposes.
	37
	38	See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
	39
0f96a99d TI	40	config EFI_FAKE_MEMMAP
	41	bool "Enable EFI fake memory map"
	42	depends on EFI && X86
	43	default n
	44	help
	45	Saying Y here will enable "efi_fake_mem" boot option.
	46	By specifying this parameter, you can add arbitrary attribute
	47	to specific memory range by updating original (firmware provided)
	48	EFI memmap.
	49	This is useful for debugging of EFI memmap related feature.
	50	e.g. Address Range Mirroring feature.
	51
	52	config EFI_MAX_FAKE_MEM
	53	int "maximum allowable number of ranges in efi_fake_mem boot option"
	54	depends on EFI_FAKE_MEMMAP
	55	range 1 128
	56	default 8
	57	help
	58	Maximum allowable number of ranges in efi_fake_mem boot option.
	59	Ranges can be set up to this value using comma-separated list.
	60	The default value is 8.
	61
b617c526 DW	62	config EFI_SOFT_RESERVE
	63	bool "Reserve EFI Specific Purpose Memory"
	64	depends on EFI && EFI_STUB && ACPI_HMAT
	65	default ACPI_HMAT
	66	help
	67	On systems that have mixed performance classes of memory EFI
	68	may indicate specific purpose memory with an attribute (See
	69	EFI_MEMORY_SP in UEFI 2.8). A memory range tagged with this
	70	attribute may have unique performance characteristics compared
	71	to the system's general purpose "System RAM" pool. On the
	72	expectation that such memory has application specific usage,
	73	and its base EFI memory type is "conventional" answer Y to
	74	arrange for the kernel to reserve it as a "Soft Reserved"
	75	resource, and set aside for direct-access (device-dax) by
	76	default. The memory range can later be optionally assigned to
	77	the page allocator by system administrator policy via the
	78	device-dax kmem facility. Say N to have the kernel treat this
	79	memory as "System RAM" by default.
	80
	81	If unsure, say Y.
	82
82e0d6d7 BE	83	config EFI_DXE_MEM_ATTRIBUTES
	84	bool "Adjust memory attributes in EFISTUB"
	85	depends on EFI && EFI_STUB && X86
	86	default y
	87	help
	88	UEFI specification does not guarantee all memory to be
	89	accessible for both write and execute as the kernel expects
	90	it to be.
	91	Use DXE services to check and alter memory protection
	92	attributes during boot via EFISTUB to ensure that memory
	93	ranges used by the kernel are writable and executable.
	94
0302f71c MS	95	config EFI_PARAMS_FROM_FDT
	96	bool
	97	help
	98	Select this config option from the architecture Kconfig if
	99	the EFI runtime support gets system table address, memory
	100	map address, and other parameters from the device tree.
	101
022ee6c5 AB	102	config EFI_RUNTIME_WRAPPERS
	103	bool
	104
2e0eb483	105	config EFI_GENERIC_STUB
f4f75ad5 AB	106	bool
f4f75ad5 AB	107
a0509109 AB	108	config EFI_ZBOOT
	109	bool "Enable the generic EFI decompressor"
	110	depends on EFI_GENERIC_STUB && !ARM
	111	select HAVE_KERNEL_GZIP
	112	select HAVE_KERNEL_LZ4
	113	select HAVE_KERNEL_LZMA
	114	select HAVE_KERNEL_LZO
	115	select HAVE_KERNEL_XZ
	116	select HAVE_KERNEL_ZSTD
	117	help
	118	Create the bootable image as an EFI application that carries the
	119	actual kernel image in compressed form, and decompresses it into
	120	memory before executing it via LoadImage/StartImage EFI boot service
	121	calls. For compatibility with non-EFI loaders, the payload can be
	122	decompressed and executed by the loader as well, provided that the
	123	loader implements the decompression algorithm and that non-EFI boot
	124	is supported by the encapsulated image. (The compression algorithm
	125	used is described in the zboot image header)
	126
	127	config EFI_ZBOOT_SIGNED
	128	def_bool y
	129	depends on EFI_ZBOOT_SIGNING_CERT != ""
	130	depends on EFI_ZBOOT_SIGNING_KEY != ""
	131
	132	config EFI_ZBOOT_SIGNING
	133	bool "Sign the EFI decompressor for UEFI secure boot"
	134	depends on EFI_ZBOOT
	135	help
	136	Use the 'sbsign' command line tool (which must exist on the host
	137	path) to sign both the EFI decompressor PE/COFF image, as well as the
	138	encapsulated PE/COFF image, which is subsequently compressed and
	139	wrapped by the former image.
	140
	141	config EFI_ZBOOT_SIGNING_CERT
	142	string "Certificate to use for signing the compressed EFI boot image"
	143	depends on EFI_ZBOOT_SIGNING
	144
	145	config EFI_ZBOOT_SIGNING_KEY
	146	string "Private key to use for signing the compressed EFI boot image"
	147	depends on EFI_ZBOOT_SIGNING
	148
3d7ee348 AB	149	config EFI_ARMSTUB_DTB_LOADER
3d7ee348 AB	150	bool "Enable the DTB loader"
ead384d9	151	depends on EFI_GENERIC_STUB && !RISCV && !LOONGARCH
d3109593	152	default y
3d7ee348 AB	153	help
	154	Select this config option to add support for the dtb= command
	155	line parameter, allowing a device tree blob to be loaded into
	156	memory from the EFI System Partition by the stub.
	157
d3109593 SB	158	If the device tree is provided by the platform or by
	159	the bootloader this option may not be needed.
	160	But, for various development reasons and to maintain existing
	161	functionality for bootloaders that do not have such support
	162	this option is necessary.
3d7ee348	163
cf6b8366	164	config EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER
4da0b2b7 AB	165	bool "Enable the command line initrd loader" if !X86
4da0b2b7 AB	166	depends on EFI_STUB && (EFI_GENERIC_STUB \|\| X86)
6edcf9dc	167	default y if X86
ead384d9	168	depends on !RISCV && !LOONGARCH
cf6b8366 AB	169	help
	170	Select this config option to add support for the initrd= command
	171	line parameter, allowing an initrd that resides on the same volume
	172	as the kernel image to be loaded into memory.
	173
	174	This method is deprecated.
	175
06f7d4a1 CJ	176	config EFI_BOOTLOADER_CONTROL
06f7d4a1 CJ	177	tristate "EFI Bootloader Control"
416581e4	178	select UCS2_STRING
06f7d4a1	179	default n
a7f7f624	180	help
06f7d4a1 CJ	181	This module installs a reboot hook, such that if reboot() is
	182	invoked with a string argument NNN, "NNN" is copied to the
	183	"LoaderEntryOneShot" EFI variable, to be read by the
	184	bootloader. If the string matches one of the boot labels
	185	defined in its configuration, the bootloader will boot once
	186	to that label. The "LoaderEntryRebootReason" EFI variable is
	187	set with the reboot reason: "reboot" or "shutdown". The
	188	bootloader reads this reboot reason and takes particular
	189	action according to its policy.
	190
65117f1a KHL	191	config EFI_CAPSULE_LOADER
65117f1a KHL	192	tristate "EFI capsule loader"
e0a6aa30	193	depends on EFI && !IA64
65117f1a KHL	194	help
	195	This option exposes a loader interface "/dev/efi_capsule_loader" for
	196	users to load EFI capsules. This driver requires working runtime
	197	capsule support in the firmware, which many OEMs do not provide.
	198
	199	Most users should say N.
	200
2959c95d	201	config EFI_CAPSULE_QUIRK_QUARK_CSH
1ae83c5c	202	bool "Add support for Quark capsules with non-standard headers"
2959c95d JK	203	depends on X86 && !64BIT
	204	select EFI_CAPSULE_LOADER
	205	default y
	206	help
	207	Add support for processing Quark X1000 EFI capsules, whose header
	208	layout deviates from the layout mandated by the UEFI specification.
	209
ff6301da IH	210	config EFI_TEST
	211	tristate "EFI Runtime Service Tests Support"
	212	depends on EFI
	213	default n
	214	help
	215	This driver uses the efi.<service> function pointers directly instead
	216	of going through the efivar API, because it is not trying to test the
	217	kernel subsystem, just for testing the UEFI runtime service
	218	interfaces which are provided by the firmware. This driver is used
	219	by the Firmware Test Suite (FWTS) for testing the UEFI runtime
	220	interfaces readiness of the firmware.
	221	Details for FWTS are available from:
	222	<https://wiki.ubuntu.com/FirmwareTestSuite>
	223
	224	Say Y here to enable the runtime services support via /dev/efi_test.
	225	If unsure, say N.
	226
75ed63d9 AB	227	config EFI_DEV_PATH_PARSER
	228	bool
	229
58c5475a LW	230	config APPLE_PROPERTIES
	231	bool "Apple Device Properties"
	232	depends on EFI_STUB && X86
	233	select EFI_DEV_PATH_PARSER
	234	select UCS2_STRING
	235	help
	236	Retrieve properties from EFI on Apple Macs and assign them to
	237	devices, allowing for improved support of Apple hardware.
	238	Properties that would otherwise be missing include the
	239	Thunderbolt Device ROM and GPU configuration data.
	240
	241	If unsure, say Y if you have a Mac. Otherwise N.
	242
ccc829ba MG	243	config RESET_ATTACK_MITIGATION
	244	bool "Reset memory attack mitigation"
	245	depends on EFI_STUB
	246	help
	247	Request that the firmware clear the contents of RAM after a reboot
	248	using the TCG Platform Reset Attack Mitigation specification. This
	249	protects against an attacker forcibly rebooting the system while it
	250	still contains secrets in RAM, booting another OS and extracting the
a5c03c31 MG	251	secrets. This should only be enabled when userland is configured to
	252	clear the MemoryOverwriteRequest flag on clean shutdown after secrets
	253	have been evicted, since otherwise it will trigger even on clean
	254	reboots.
ccc829ba	255
1c5fecb6 N	256	config EFI_RCI2_TABLE
1c5fecb6 N	257	bool "EFI Runtime Configuration Interface Table Version 2 Support"
0b6b30c6	258	depends on X86 \|\| COMPILE_TEST
1c5fecb6 N	259	help
	260	Displays the content of the Runtime Configuration Interface
	261	Table version 2 on Dell EMC PowerEdge systems as a binary
	262	attribute 'rci2' under /sys/firmware/efi/tables directory.
	263
	264	RCI2 table contains BIOS HII in XML format and is used to populate
	265	BIOS setup page in Dell EMC OpenManage Server Administrator tool.
	266	The BIOS setup page contains BIOS tokens which can be configured.
	267
	268	Say Y here for Dell EMC PowerEdge systems.
	269
4444f854 MG	270	config EFI_DISABLE_PCI_DMA
	271	bool "Clear Busmaster bit on PCI bridges during ExitBootServices()"
	272	help
	273	Disable the busmaster bit in the control register on all PCI bridges
	274	while calling ExitBootServices() and passing control to the runtime
	275	kernel. System firmware may configure the IOMMU to prevent malicious
	276	PCI devices from being able to attack the OS via DMA. However, since
	277	firmware can't guarantee that the OS is IOMMU-aware, it will tear
	278	down IOMMU configuration when ExitBootServices() is called. This
	279	leaves a window between where a hostile device could still cause
	280	damage before Linux configures the IOMMU again.
	281
	282	If you say Y here, the EFI stub will clear the busmaster bit on all
	283	PCI bridges before ExitBootServices() is called. This will prevent
	284	any malicious PCI devices from being able to perform DMA until the
	285	kernel reenables busmastering after configuring the IOMMU.
	286
	287	This option will cause failures with some poorly behaved hardware
	288	and should not be enabled without testing. The kernel commandline
	289	options "efi=disable_early_pci_dma" or "efi=no_disable_early_pci_dma"
	290	may be used to override this option.
	291
69c1f396 AB	292	config EFI_EARLYCON
69c1f396 AB	293	def_bool y
75ed63d9	294	depends on SERIAL_EARLYCON && !ARM && !IA64
69c1f396 AB	295	select FONT_SUPPORT
69c1f396 AB	296	select ARCH_USE_MEMREMAP_PROT
435d1a47 PJ	297
	298	config EFI_CUSTOM_SSDT_OVERLAYS
	299	bool "Load custom ACPI SSDT overlay from an EFI variable"
75ed63d9	300	depends on ACPI
435d1a47 PJ	301	default ACPI_TABLE_UPGRADE
	302	help
	303	Allow loading of an ACPI SSDT overlay from an EFI variable specified
	304	by a kernel command line option.
	305
	306	See Documentation/admin-guide/acpi/ssdt-overlays.rst for more
	307	information.
a031651f JMC	308
	309	config EFI_DISABLE_RUNTIME
	310	bool "Disable EFI runtime services support by default"
	311	default y if PREEMPT_RT
	312	help
	313	Allow to disable the EFI runtime services support by default. This can
	314	already be achieved by using the efi=noruntime option, but it could be
	315	useful to have this default without any kernel command line parameter.
	316
	317	The EFI runtime services are disabled by default when PREEMPT_RT is
	318	enabled, because measurements have shown that some EFI functions calls
	319	might take too much time to complete, causing large latencies which is
	320	an issue for Real-Time kernels.
	321
	322	This default can be overridden by using the efi=runtime option.
12274189 DM	323
	324	config EFI_COCO_SECRET
	325	bool "EFI Confidential Computing Secret Area Support"
12274189 DM	326	help
	327	Confidential Computing platforms (such as AMD SEV) allow the
	328	Guest Owner to securely inject secrets during guest VM launch.
	329	The secrets are placed in a designated EFI reserved memory area.
	330
	331	In order to use the secrets in the kernel, the location of the secret
	332	area (as published in the EFI config table) must be kept.
	333
	334	If you say Y here, the address of the EFI secret area will be kept
	335	for usage inside the kernel. This will allow the
	336	virt/coco/efi_secret module to access the secrets, which in turn
	337	allows userspace programs to access the injected secrets.
75ed63d9 AB	338
	339	config EFI_EMBEDDED_FIRMWARE
	340	bool
	341	select CRYPTO_LIB_SHA256
	342
	343	endmenu
	344
	345	config UEFI_CPER
	346	bool
	347
	348	config UEFI_CPER_ARM
	349	bool
	350	depends on UEFI_CPER && ( ARM \|\| ARM64 )
	351	default y
	352
	353	config UEFI_CPER_X86
	354	bool
	355	depends on UEFI_CPER && X86
	356	default y