Hi Raymond,
Wed, Feb 04, 2026 at 02:28:53PM -0500, Raymond Mao wrote:
Hi Marko,
[snip]
When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be
selected automatically.
Thank you for your help. I can confirm that the following will build the
ECDSA_SW implementation:
make sandbox_defconfig
scripts/config -e ECDSA_SW
make syncconfig && grep ASN1 .config
make -j$(nproc)
The redundant "grep" step above would output the following:
CONFIG_ASN1_DECODER_MBEDTLS=y
CONFIG_ASN1_COMPILER=y
CONFIG_ASN1_DECODER=y
I still can't enable those in any rpi_4_defconfig based build attempt,
such as this one:
cat > configs/rpi_4a_defconfig << EOF
#include <configs/rpi_4_defconfig>
CONFIG_EFI_SECURE_BOOT=y
CONFIG_MBEDTLS_LIB=y
CONFIG_ECDSA_SW=y
CONFIG_ECDSA_MBEDTLS=y
CONFIG_ECDSA=y
CONFIG_ECDSA_VERIFY=y
EOF
make rpi_4a_defconfig
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-
This build fails in the same way as yesterday because none of the ASN1
options will be present in the .config file. Neither will
CONFIG_EFI_SECURE_BOOT. Many EFI options were enabled, but not that one.
On a positive note, CONFIG_LEGACY_HASHING_AND_CRYPTO was disabled
automatically by the above, and MBEDTLS was enabled, unlike in my
earlier attempt about a month ago, using an different u-boot revision.
I also tried to enable several options that CONFIG_EFI_SECURE_BOOT would
select in lib/efi_loader/Kconfig, but with no success.
Is there a way to get some diagnostics that explains why Kconfig refuses
to enable a particular option?
With best regards,
Marko
