.. SPDX-License-Identifier: GPL-2.0+
.. (C) Copyright 2022, Masahisa Kojima <masahisa.kojima@linaro.org>

.. index::
   single: eficonfig (command)

eficonfig command
=================

Synopsis
--------
::

    eficonfig

Description
-----------

The "eficonfig" command uses the U-Boot menu interface to provide a
menu-driven UEFI variable maintenance feature. These are the top level menu
entries:

Add Boot Option
    Add a new UEFI Boot Option.
    The user can edit description, file path, and optional_data.
    The new boot option is appended to the boot order in the *BootOrder*
    variable. The user may want to update the boot order using the
    *Change Boot Order* menu entry.

Edit Boot Option
    Edit an existing UEFI Boot Option.
    The user can edit description, file path, and optional_data.

Change Boot Order
    Change the boot order by updating the UEFI BootOrder variable.

Delete Boot Option
    Delete a UEFI Boot Option.

Secure Boot Configuration
    Edit the UEFI Secure Boot Configuration.

How to boot the system with a newly added UEFI Boot Option
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

The "eficonfig" command is used to set the UEFI boot options which are stored
in the UEFI variable Boot#### where #### is a hexadecimal number.

The command *bootefi bootmgr* can be used to boot by trying in sequence all
boot options selected by the variable *BootOrder*.

If the bootmenu is enabled, CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled,
and "eficonfig" is configured as preboot command, the newly added Boot Options
are enumerated in the bootmenu when the user exits from the eficonfig menu.
The user may select the entry in the bootmenu to boot the system, or follow
the U-Boot configuration the system already has.

Auto boot with the UEFI Boot Option
'''''''''''''''''''''''''''''''''''

To boot automatically according to the UEFI BootOrder variable,
add a "bootefi bootmgr" entry as the default or first bootmenu entry::

    CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"

UEFI Secure Boot Configuration
''''''''''''''''''''''''''''''

The user can enroll the variables PK, KEK, db and dbx by selecting a file.
The "eficonfig" command only accepts signed EFI Signature List(s) with an
authenticated header, typically a ".auth" file.

To clear the PK, KEK, db and dbx, the user needs to enroll a null value
signed by PK or KEK.
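
The authenticated header required above can be checked on a host before a file is offered to the menu. The following is an added example, not part of U-Boot or its documentation: it parses the EFI_VARIABLE_AUTHENTICATION_2 layout from the UEFI specification and the EFI Signature Lists that follow it, without verifying the PKCS#7 signature. The function names are hypothetical and the sample bytes are constructed.

```python
import struct
import uuid

EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
SIG_TYPES = {  # EFI_SIGNATURE_LIST.SignatureType values from the UEFI specification
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}

def parse_auth(blob):
    """Return (timestamp, [(sig_type, entries), ...]); raise ValueError if malformed."""
    if len(blob) < 40:  # EFI_TIME (16) + WIN_CERTIFICATE_UEFI_GUID header (24)
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    year, month, day, hour, minute, second = struct.unpack_from("<H5B", blob, 0)
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if revision != 0x0200 or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError("dwLength out of bounds")
    off, lists = 16 + dw_length, []  # payload follows the PKCS#7 data
    while off < len(blob):  # an empty payload is the null value that clears a variable
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if list_size > len(blob) - off or sig_size < 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        guid = uuid.UUID(bytes_le=blob[off:off + 16])
        lists.append((SIG_TYPES.get(guid, str(guid)), body // sig_size))
        off += list_size
    stamp = "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second)
    return stamp, lists

def sample_auth(payload=b""):
    """Constructed input: the 8 zero bytes stand in for PKCS#7 data, not a signature."""
    ts = struct.pack("<H6BIhBB", 2022, 9, 12, 17, 33, 58, 0, 0, 0, 0, 0)
    hdr = struct.pack("<IHH", 24 + 8, 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return ts + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + bytes(8) + payload

def sample_esl():
    """Constructed X509 list: one entry of owner GUID (16 bytes) plus 4 data bytes."""
    x509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
    return x509 + struct.pack("<III", 28 + 20, 0, 20) + bytes(20)

if __name__ == "__main__":
    print(parse_auth(sample_auth(sample_esl())))
```

A bare signature list without the authenticated header fails the header check, and a file that parses to an empty list corresponds to the null value used to clear a variable.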

Configuration
-------------

The "eficonfig" command is enabled by::

    CONFIG_CMD_EFICONFIG=y

If CONFIG_BOOTMENU_DISABLE_UBOOT_CONSOLE is enabled, the user cannot enter
the U-Boot console. In this case, the bootmenu can be used to invoke
"eficonfig"::

    CONFIG_USE_PREBOOT=y
    CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"

The only way U-Boot can currently store EFI variables on a tamper-resistant
medium is via OP-TEE. The Kconfig option that enables that is::

    CONFIG_EFI_MM_COMM_TEE=y

It enables storing EFI variables on the RPMB partition of an eMMC device.

The UEFI Secure Boot Configuration menu entry is only available if the following
options are enabled::

    CONFIG_EFI_SECURE_BOOT=y
    CONFIG_EFI_MM_COMM_TEE=y

See also
--------

* :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with
  different boot items.