From 6de3d04c4e57e5ffc49d6e9a37366adc4e3e7af2 Mon Sep 17 00:00:00 2001
From: Subrata Banik <subratabanik@google.com>
Date: Sat, 28 Feb 2026 17:16:16 +0530
Subject: [PATCH] Kconfig: Add Kconfig for signed secure blobs

Adds QC_SECURE_BOOT_BLOBS to enable inclusion of OEM-signed components
for fused Qualcomm hardware. Depends on USE_QC_BLOBS.

BUG=b:488573654
TEST=Able to build google/quenbih.

Change-Id: Id08d83fc82c9441560b1afaa333b3b7fd5a9bfca
Signed-off-by: Subrata Banik <subratabanik@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/91475
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Kapil Porwal <kapilporwal@google.com>
---
 src/Kconfig | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/Kconfig b/src/Kconfig
index 2dad082a08..dfd703630c 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -360,6 +360,25 @@ config USE_QC_BLOBS
 	  mainboards cannot be built and will be hidden from the "Mainboards"
 	  section.
 
+config QC_SECURE_BOOT_BLOBS
+	bool "Enable Qualcomm secure/signed blobs for fused SoCs"
+	depends on USE_QC_BLOBS
+	help
+	  This option enables the inclusion of OEM-signed binaries and
+	  secure-world components required for booting fused Qualcomm SoCs.
+
+	  When enabled, the build system will look for signed versions of
+	  QcLib, QC-SEC, and secondary bootloader stages that match the
+	  Root of Trust (RoT) fused into the SoC.
+
+	  Select this if you are building firmware for production hardware
+	  or "fused" development units that enforce OEM signature
+	  verification at the hardware level.
+
+	  Note: Using this option without the correct signing keys or
+	  signed blobs will result in a bricked boot process on fused
+	  hardware.
+
 config COVERAGE
 	bool "Code coverage support"
 	depends on COMPILER_GCC