Hi Marko, On Thu, Feb 5, 2026 at 1:16 PM Marko Mäkelä <[email protected]> wrote: > > Hi Raymond, > > Wed, Feb 04, 2026 at 02:28:53PM -0500, Raymond Mao wrote: > >Hi Marko, > [snip] > >When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be > >selected automatically. > > Thank you for your help. I can confirm that the following will build the > ECDSA_SW implementation: > > make sandbox_defconfig > scripts/config -e ECDSA_SW > make syncconfig && grep ASN1 .config > make -j$(nproc) > > The redundant "grep" step above would output the following: > CONFIG_ASN1_DECODER_MBEDTLS=y > CONFIG_ASN1_COMPILER=y > CONFIG_ASN1_DECODER=y > > I still can't enable those in any rpi_4_defconfig based build attempt, > such as this one: > > cat > configs/rpi_4a_defconfig << EOF > #include <configs/rpi_4_defconfig> > CONFIG_EFI_SECURE_BOOT=y > CONFIG_MBEDTLS_LIB=y > CONFIG_ECDSA_SW=y > CONFIG_ECDSA_MBEDTLS=y > CONFIG_ECDSA=y > CONFIG_ECDSA_VERIFY=y > EOF > make rpi_4a_defconfig > make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- > > This build fails in the same way as yesterday because none of the ASN1 > options will be present in the .config file. Neither will > CONFIG_EFI_SECURE_BOOT. Many EFI options were enabled, but not that one. > > On a positive note, CONFIG_LEGACY_HASHING_AND_CRYPTO was disabled > automatically by the above, and MBEDTLS was enabled, unlike in my > earlier attempt about a month ago, using an different u-boot revision. > > I also tried to enable several options that CONFIG_EFI_SECURE_BOOT would > select in lib/efi_loader/Kconfig, but with no success. > > Is there a way to get some diagnostics that explains why Kconfig refuses > to enable a particular option? >
Can you take a reference on 'sandbox_defconfig', it enables: ``` CONFIG_EFI_SECURE_BOOT=y ... CONFIG_MBEDTLS_LIB=y ``` Then all dependent Kconfigs are selected automatically when you do `make sandbox_defconfig`. Regards, Raymond > With best regards, > > Marko
