xref: /openbmc/linux/drivers/firmware/efi/Kconfig (revision ee65728e)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "EFI (Extensible Firmware Interface) Support"
3	depends on EFI
4
5config EFI_VARS
6	tristate "EFI Variable Support via sysfs"
7	depends on EFI && (X86 || IA64)
8	default n
9	help
10	  If you say Y here, you are able to get EFI (Extensible Firmware
11	  Interface) variable information via sysfs.  You may read,
12	  write, create, and destroy EFI variables through this interface.
13	  Note that this driver is only retained for compatibility with
14	  legacy users: new users should use the efivarfs filesystem
15	  instead.
16
17config EFI_ESRT
18	bool
19	depends on EFI && !IA64
20	default y
21
22config EFI_VARS_PSTORE
23	tristate "Register efivars backend for pstore"
24	depends on PSTORE
25	default y
26	help
27	  Say Y here to enable use efivars as a backend to pstore. This
28	  will allow writing console messages, crash dumps, or anything
29	  else supported by pstore to EFI variables.
30
31config EFI_VARS_PSTORE_DEFAULT_DISABLE
32	bool "Disable using efivars as a pstore backend by default"
33	depends on EFI_VARS_PSTORE
34	default n
35	help
36	  Saying Y here will disable the use of efivars as a storage
37	  backend for pstore by default. This setting can be overridden
38	  using the efivars module's pstore_disable parameter.
39
40config EFI_RUNTIME_MAP
41	bool "Export efi runtime maps to sysfs"
42	depends on X86 && EFI && KEXEC_CORE
43	default y
44	help
45	  Export efi runtime memory maps to /sys/firmware/efi/runtime-map.
46	  That memory map is used for example by kexec to set up efi virtual
47	  mapping the 2nd kernel, but can also be used for debugging purposes.
48
49	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
50
51config EFI_FAKE_MEMMAP
52	bool "Enable EFI fake memory map"
53	depends on EFI && X86
54	default n
55	help
56	  Saying Y here will enable "efi_fake_mem" boot option.
57	  By specifying this parameter, you can add arbitrary attribute
58	  to specific memory range by updating original (firmware provided)
59	  EFI memmap.
60	  This is useful for debugging of EFI memmap related feature.
61	  e.g. Address Range Mirroring feature.
62
63config EFI_MAX_FAKE_MEM
64	int "maximum allowable number of ranges in efi_fake_mem boot option"
65	depends on EFI_FAKE_MEMMAP
66	range 1 128
67	default 8
68	help
69	  Maximum allowable number of ranges in efi_fake_mem boot option.
70	  Ranges can be set up to this value using comma-separated list.
71	  The default value is 8.
72
73config EFI_SOFT_RESERVE
74	bool "Reserve EFI Specific Purpose Memory"
75	depends on EFI && EFI_STUB && ACPI_HMAT
76	default ACPI_HMAT
77	help
78	  On systems that have mixed performance classes of memory EFI
79	  may indicate specific purpose memory with an attribute (See
80	  EFI_MEMORY_SP in UEFI 2.8). A memory range tagged with this
81	  attribute may have unique performance characteristics compared
82	  to the system's general purpose "System RAM" pool. On the
83	  expectation that such memory has application specific usage,
84	  and its base EFI memory type is "conventional" answer Y to
85	  arrange for the kernel to reserve it as a "Soft Reserved"
86	  resource, and set aside for direct-access (device-dax) by
87	  default. The memory range can later be optionally assigned to
88	  the page allocator by system administrator policy via the
89	  device-dax kmem facility. Say N to have the kernel treat this
90	  memory as "System RAM" by default.
91
92	  If unsure, say Y.
93
94config EFI_DXE_MEM_ATTRIBUTES
95	bool "Adjust memory attributes in EFISTUB"
96	depends on EFI && EFI_STUB && X86
97	default y
98	help
99	  UEFI specification does not guarantee all memory to be
100	  accessible for both write and execute as the kernel expects
101	  it to be.
102	  Use DXE services to check and alter memory protection
103	  attributes during boot via EFISTUB to ensure that memory
104	  ranges used by the kernel are writable and executable.
105
106config EFI_PARAMS_FROM_FDT
107	bool
108	help
109	  Select this config option from the architecture Kconfig if
110	  the EFI runtime support gets system table address, memory
111          map address, and other parameters from the device tree.
112
113config EFI_RUNTIME_WRAPPERS
114	bool
115
116config EFI_GENERIC_STUB
117	bool
118
119config EFI_ARMSTUB_DTB_LOADER
120	bool "Enable the DTB loader"
121	depends on EFI_GENERIC_STUB && !RISCV
122	default y
123	help
124	  Select this config option to add support for the dtb= command
125	  line parameter, allowing a device tree blob to be loaded into
126	  memory from the EFI System Partition by the stub.
127
128	  If the device tree is provided by the platform or by
129	  the bootloader this option may not be needed.
130	  But, for various development reasons and to maintain existing
131	  functionality for bootloaders that do not have such support
132	  this option is necessary.
133
134config EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER
135	bool "Enable the command line initrd loader" if !X86
136	depends on EFI_STUB && (EFI_GENERIC_STUB || X86)
137	default y if X86
138	depends on !RISCV
139	help
140	  Select this config option to add support for the initrd= command
141	  line parameter, allowing an initrd that resides on the same volume
142	  as the kernel image to be loaded into memory.
143
144	  This method is deprecated.
145
146config EFI_BOOTLOADER_CONTROL
147	tristate "EFI Bootloader Control"
148	default n
149	help
150	  This module installs a reboot hook, such that if reboot() is
151	  invoked with a string argument NNN, "NNN" is copied to the
152	  "LoaderEntryOneShot" EFI variable, to be read by the
153	  bootloader. If the string matches one of the boot labels
154	  defined in its configuration, the bootloader will boot once
155	  to that label. The "LoaderEntryRebootReason" EFI variable is
156	  set with the reboot reason: "reboot" or "shutdown". The
157	  bootloader reads this reboot reason and takes particular
158	  action according to its policy.
159
160config EFI_CAPSULE_LOADER
161	tristate "EFI capsule loader"
162	depends on EFI && !IA64
163	help
164	  This option exposes a loader interface "/dev/efi_capsule_loader" for
165	  users to load EFI capsules. This driver requires working runtime
166	  capsule support in the firmware, which many OEMs do not provide.
167
168	  Most users should say N.
169
170config EFI_CAPSULE_QUIRK_QUARK_CSH
171	bool "Add support for Quark capsules with non-standard headers"
172	depends on X86 && !64BIT
173	select EFI_CAPSULE_LOADER
174	default y
175	help
176	  Add support for processing Quark X1000 EFI capsules, whose header
177	  layout deviates from the layout mandated by the UEFI specification.
178
179config EFI_TEST
180	tristate "EFI Runtime Service Tests Support"
181	depends on EFI
182	default n
183	help
184	  This driver uses the efi.<service> function pointers directly instead
185	  of going through the efivar API, because it is not trying to test the
186	  kernel subsystem, just for testing the UEFI runtime service
187	  interfaces which are provided by the firmware. This driver is used
188	  by the Firmware Test Suite (FWTS) for testing the UEFI runtime
189	  interfaces readiness of the firmware.
190	  Details for FWTS are available from:
191	  <https://wiki.ubuntu.com/FirmwareTestSuite>
192
193	  Say Y here to enable the runtime services support via /dev/efi_test.
194	  If unsure, say N.
195
196config EFI_DEV_PATH_PARSER
197	bool
198
199config APPLE_PROPERTIES
200	bool "Apple Device Properties"
201	depends on EFI_STUB && X86
202	select EFI_DEV_PATH_PARSER
203	select UCS2_STRING
204	help
205	  Retrieve properties from EFI on Apple Macs and assign them to
206	  devices, allowing for improved support of Apple hardware.
207	  Properties that would otherwise be missing include the
208	  Thunderbolt Device ROM and GPU configuration data.
209
210	  If unsure, say Y if you have a Mac.  Otherwise N.
211
212config RESET_ATTACK_MITIGATION
213	bool "Reset memory attack mitigation"
214	depends on EFI_STUB
215	help
216	  Request that the firmware clear the contents of RAM after a reboot
217	  using the TCG Platform Reset Attack Mitigation specification. This
218	  protects against an attacker forcibly rebooting the system while it
219	  still contains secrets in RAM, booting another OS and extracting the
220	  secrets. This should only be enabled when userland is configured to
221	  clear the MemoryOverwriteRequest flag on clean shutdown after secrets
222	  have been evicted, since otherwise it will trigger even on clean
223	  reboots.
224
225config EFI_RCI2_TABLE
226	bool "EFI Runtime Configuration Interface Table Version 2 Support"
227	depends on X86 || COMPILE_TEST
228	help
229	  Displays the content of the Runtime Configuration Interface
230	  Table version 2 on Dell EMC PowerEdge systems as a binary
231	  attribute 'rci2' under /sys/firmware/efi/tables directory.
232
233	  RCI2 table contains BIOS HII in XML format and is used to populate
234	  BIOS setup page in Dell EMC OpenManage Server Administrator tool.
235	  The BIOS setup page contains BIOS tokens which can be configured.
236
237	  Say Y here for Dell EMC PowerEdge systems.
238
239config EFI_DISABLE_PCI_DMA
240       bool "Clear Busmaster bit on PCI bridges during ExitBootServices()"
241       help
242	  Disable the busmaster bit in the control register on all PCI bridges
243	  while calling ExitBootServices() and passing control to the runtime
244	  kernel. System firmware may configure the IOMMU to prevent malicious
245	  PCI devices from being able to attack the OS via DMA. However, since
246	  firmware can't guarantee that the OS is IOMMU-aware, it will tear
247	  down IOMMU configuration when ExitBootServices() is called. This
248	  leaves a window between where a hostile device could still cause
249	  damage before Linux configures the IOMMU again.
250
251	  If you say Y here, the EFI stub will clear the busmaster bit on all
252	  PCI bridges before ExitBootServices() is called. This will prevent
253	  any malicious PCI devices from being able to perform DMA until the
254	  kernel reenables busmastering after configuring the IOMMU.
255
256	  This option will cause failures with some poorly behaved hardware
257	  and should not be enabled without testing. The kernel commandline
258	  options "efi=disable_early_pci_dma" or "efi=no_disable_early_pci_dma"
259	  may be used to override this option.
260
261config EFI_EARLYCON
262	def_bool y
263	depends on SERIAL_EARLYCON && !ARM && !IA64
264	select FONT_SUPPORT
265	select ARCH_USE_MEMREMAP_PROT
266
267config EFI_CUSTOM_SSDT_OVERLAYS
268	bool "Load custom ACPI SSDT overlay from an EFI variable"
269	depends on ACPI
270	default ACPI_TABLE_UPGRADE
271	help
272	  Allow loading of an ACPI SSDT overlay from an EFI variable specified
273	  by a kernel command line option.
274
275	  See Documentation/admin-guide/acpi/ssdt-overlays.rst for more
276	  information.
277
278config EFI_DISABLE_RUNTIME
279	bool "Disable EFI runtime services support by default"
280	default y if PREEMPT_RT
281	help
282	  Allow to disable the EFI runtime services support by default. This can
283	  already be achieved by using the efi=noruntime option, but it could be
284	  useful to have this default without any kernel command line parameter.
285
286	  The EFI runtime services are disabled by default when PREEMPT_RT is
287	  enabled, because measurements have shown that some EFI functions calls
288	  might take too much time to complete, causing large latencies which is
289	  an issue for Real-Time kernels.
290
291	  This default can be overridden by using the efi=runtime option.
292
293config EFI_COCO_SECRET
294	bool "EFI Confidential Computing Secret Area Support"
295	help
296	  Confidential Computing platforms (such as AMD SEV) allow the
297	  Guest Owner to securely inject secrets during guest VM launch.
298	  The secrets are placed in a designated EFI reserved memory area.
299
300	  In order to use the secrets in the kernel, the location of the secret
301	  area (as published in the EFI config table) must be kept.
302
303	  If you say Y here, the address of the EFI secret area will be kept
304	  for usage inside the kernel.  This will allow the
305	  virt/coco/efi_secret module to access the secrets, which in turn
306	  allows userspace programs to access the injected secrets.
307
308config EFI_EMBEDDED_FIRMWARE
309	bool
310	select CRYPTO_LIB_SHA256
311
312endmenu
313
314config UEFI_CPER
315	bool
316
317config UEFI_CPER_ARM
318	bool
319	depends on UEFI_CPER && ( ARM || ARM64 )
320	default y
321
322config UEFI_CPER_X86
323	bool
324	depends on UEFI_CPER && X86
325	default y
326