Makefile.mk: generate EDK2 update capsule

Generate a signed UEFI capsule from the final coreboot ROM image using
EDK2 BaseTools.

When using an EDK2 payload and enabling DRIVERS_EFI_UPDATE_CAPSULES and
DRIVERS_EFI_GENERATE_CAPSULE, the build produces build/coreboot.cap once
the ROM is finalised (after all files were added to CBFS). The capsule
can also be generated explicitly with `make capsule`.

Move the capsule generation and certificate preparation into
payloads/external/edk2/Makefile, including generating the trusted root
certificate PCD include via BinToPcd.

Support capsule flows with an embedded FmpDxe driver by optionally
embedding FmpDxe.efi into generated capsules, and wiring the
embedded-driver Kconfig options through to the EDK2 payload build and
capsule generation.

Always set PersistAcrossReset on the capsule. Make InitiateReset
configurable (default off) because Linux rejects capsules with
InitiateReset when writing via /dev/efi_capsule_loader.

Use CONFIG_DRIVERS_EFI_MAIN_FW_VERSION for GenerateCapsule
--fw-version, but fall back to parsing a leading <major>.<minor> from
CONFIG_LOCALVERSION when it is left at 0. If
CONFIG_DRIVERS_EFI_MAIN_FW_LSV is 0, use the resolved firmware version.

Document capsule generation and embedded driver configuration.

Corresponding edk2 patches can be found at:
https://github.com/tianocore/edk2/pull/12053

Change-Id: I5f56b894d40ddb49f3158bb72f0143d0ebe9c34c
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/90862
Reviewed-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

Documentation/drivers/efi_capsule_generation.md

@@ -0,0 +1,77 @@
+# Generating signed UEFI capsules with EDK2
+
+coreboot can cooperate with an EDK2 payload to support firmware updates via the UEFI
+ESRT/FMP capsule mechanism.
+
+This document covers generating a *signed* capsule during the coreboot build.
+
+At present, capsule generation requires a compatible EDK2 tree with the
+corresponding payload-side changes. Upstream support is being tracked in:
+
+https://github.com/tianocore/edk2/pull/12053
+
+Older EDK2 trees may be missing pieces required by this integration.
+
+## Build-time capsule generation
+
+Enable capsule support and use an EDK2 payload:
+
+- `CONFIG_DRIVERS_EFI_UPDATE_CAPSULES`: enable coreboot capsule update support.
+- `CONFIG_DRIVERS_EFI_GENERATE_CAPSULE`: generate `build/coreboot.cap` after the ROM is finalised.
+- `CONFIG_PAYLOAD_EDK2`: build an EDK2 payload.
+
+When enabled, the coreboot build generates `build/coreboot.cap` after the ROM image is
+finalised. The capsule can also be generated explicitly with `make capsule`.
+
+Configure the FMAP allowlist embedded into the ROM as a manifest:
+
+- `CONFIG_DRIVERS_EFI_CAPSULE_REGIONS`: whitespace-separated FMAP region allowlist embedded into
+  the ROM as a manifest (e.g. `COREBOOT EC`).
+
+Configure the ESRT/FMP firmware identity used by the capsule:
+
+- `CONFIG_DRIVERS_EFI_MAIN_FW_GUID`: GUID of the firmware
+- `CONFIG_DRIVERS_EFI_MAIN_FW_VERSION`: firmware version encoded in the capsule header;
+  if set to `0`, derive a value from the leading `<major>.<minor>` in
+  `CONFIG_LOCALVERSION` when possible
+- `CONFIG_DRIVERS_EFI_MAIN_FW_LSV`: lowest supported firmware version; if set to `0`,
+  use the resolved firmware version
+
+Reset behavior during capsule application:
+
+- `CONFIG_DRIVERS_EFI_CAPSULE_INITIATE_RESET`: add the capsule `InitiateReset` flag.
+  This is disabled by default because Linux rejects capsules with `InitiateReset` when using
+  `/dev/efi_capsule_loader`.
+
+## Embedded drivers (FmpDxe in capsule)
+
+Some EDK2 capsule update flows use an embedded `FmpDxe.efi` driver inside the capsule.
+
+To generate capsules with an embedded `FmpDxe.efi`, enable:
+
+- `CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE`: embed `FmpDxe.efi` into generated capsules.
+- `CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS`: configure the EDK2 payload to accept
+  capsules with embedded drivers (sets `PcdCapsuleEmbeddedDriverSupport=TRUE`).
+
+Note: if Secure Boot is enabled, the embedded driver must be signed by a key trusted by the
+running firmware, otherwise capsule processing may fail when loading the embedded driver.
+
+## Capsule signing certificates
+
+`GenerateCapsule` can sign the FMP payload (PKCS#7). Many platforms require signed capsules.
+
+coreboot exposes three Kconfig options for the certificate chain:
+
+- `CONFIG_DRIVERS_EFI_CAPSULE_SIGNER_PRIVATE_CERT`: PEM containing the signing private key and
+  leaf certificate
+- `CONFIG_DRIVERS_EFI_CAPSULE_OTHER_PUBLIC_CERT`: PEM intermediate certificate
+- `CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT`: PEM trusted root certificate
+
+If a configured path is relative, it is interpreted relative to the configured EDK2 repository
+inside `payloads/external/edk2/workspace`.
+
+The defaults use the EDK2 BaseTools test certificate chain. Do not use the test keys for
+production firmware updates.
+
+To generate your own certificate chain and convert it into the required PEM files, see:
+`BaseTools/Source/Python/Pkcs7Sign/Readme.md` in the EDK2 tree.

Documentation/drivers/index.md

@@ -29,4 +29,5 @@ SMMSTOREv2 <smmstorev2.md>
 SoundWire <soundwire.md>
 USB4 Retimer <retimer.md>
 CBFS SMBIOS hooks <cbfs_smbios.md>
+EDK2 capsule generation <efi_capsule_generation.md>
 ```

Makefile.mk

@@ -73,11 +73,31 @@ build_complete:: | coreboot
 .PHONY: files_added
 files_added:: | build_complete
 
+# This target can be used to run rules once the ROM is fully finalised
+# (after all files were added to CBFS, and any files_added hooks ran).
+.PHONY: finalised_rom
+finalised_rom:: | files_added
+
+# Optional post-build targets.
+.PHONY: capsule
+capsule::
+
+ifeq ($(CONFIG_PAYLOAD_EDK2)$(CONFIG_DRIVERS_EFI_UPDATE_CAPSULES)$(CONFIG_DRIVERS_EFI_GENERATE_CAPSULE),yyy)
+finalised_rom:: $(obj)/coreboot.cap
+capsule:: $(obj)/coreboot.cap
+
+$(obj)/coreboot.cap: $(obj)/coreboot.rom $(DOTCONFIG) | files_added
+	$(MAKE) -C payloads/external/edk2 coreboot_capsule \
+		COREBOOT_ROM="$(abspath $<)" \
+		COREBOOT_CAPSULE_OUT="$(abspath $@)" \
+		$(EDK2_CAPSULE_ARGS)
+endif
+
 # This target should come just before the show_notices target.  If there
 # are no notices, the build should finish with the text of what was just
 # built.
 .PHONY: show_coreboot
-show_coreboot: | files_added
+show_coreboot: | finalised_rom
 	$(CBFSTOOL) $(obj)/coreboot.rom print -r $(subst $(spc),$(comma),$(all-regions))
 	printf "\nBuilt %s (%s)\n" $(MAINBOARDDIR) $(CONFIG_MAINBOARD_PART_NUMBER)
 	if [ -f "$(CCACHE_STATSLOG)" ]; then \

payloads/external/Makefile.mk

@@ -176,6 +176,25 @@ warn_no_option_cfr_enabled:
 endif
 endif
 
+EDK2_CAPSULE_ARGS = \
+	CONFIG_EDK2_REPOSITORY=$(CONFIG_EDK2_REPOSITORY) \
+	CONFIG_EDK2_TAG_OR_REV=$(CONFIG_EDK2_TAG_OR_REV) \
+	CONFIG_EDK2_USE_EDK2_PLATFORMS=$(CONFIG_EDK2_USE_EDK2_PLATFORMS) \
+	CONFIG_EDK2_PLATFORMS_REPOSITORY=$(CONFIG_EDK2_PLATFORMS_REPOSITORY) \
+	CONFIG_EDK2_PLATFORMS_TAG_OR_REV=$(CONFIG_EDK2_PLATFORMS_TAG_OR_REV) \
+	CONFIG_EDK2_DEBUG=$(CONFIG_EDK2_DEBUG) \
+	CONFIG_DRIVERS_EFI_MAIN_FW_GUID=$(CONFIG_DRIVERS_EFI_MAIN_FW_GUID) \
+	CONFIG_LOCALVERSION=$(CONFIG_LOCALVERSION) \
+	CONFIG_DRIVERS_EFI_MAIN_FW_VERSION=$(CONFIG_DRIVERS_EFI_MAIN_FW_VERSION) \
+	CONFIG_DRIVERS_EFI_MAIN_FW_LSV=$(CONFIG_DRIVERS_EFI_MAIN_FW_LSV) \
+	CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS=$(CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS) \
+	CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE=$(CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE) \
+	CONFIG_DRIVERS_EFI_CAPSULE_INITIATE_RESET=$(CONFIG_DRIVERS_EFI_CAPSULE_INITIATE_RESET) \
+	CONFIG_DRIVERS_EFI_CAPSULE_REGIONS=$(CONFIG_DRIVERS_EFI_CAPSULE_REGIONS) \
+	CONFIG_DRIVERS_EFI_CAPSULE_SIGNER_PRIVATE_CERT=$(CONFIG_DRIVERS_EFI_CAPSULE_SIGNER_PRIVATE_CERT) \
+	CONFIG_DRIVERS_EFI_CAPSULE_OTHER_PUBLIC_CERT=$(CONFIG_DRIVERS_EFI_CAPSULE_OTHER_PUBLIC_CERT) \
+	CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT=$(CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT)
+
 $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG) $(IPXE_EFI)
 	$(MAKE) -C payloads/external/edk2 UefiPayloadPkg \
 		HOSTCC="$(HOSTCC)" \
@@ -220,6 +239,9 @@ $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG) $(IPXE_EFI)
 		CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2=$(CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2) \
 		CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=$(CONFIG_DRIVERS_EFI_UPDATE_CAPSULES) \
 		CONFIG_DRIVERS_EFI_MAIN_FW_GUID=$(CONFIG_DRIVERS_EFI_MAIN_FW_GUID) \
+		CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS=$(CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS) \
+		CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE=$(CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE) \
+		CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT=$(CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT) \
 		GCC_CC_x86_32=$(GCC_CC_x86_32) \
 		GCC_CC_x86_64=$(GCC_CC_x86_64) \
 		GCC_CC_arm=$(GCC_CC_arm) \

payloads/external/edk2/Makefile

@@ -5,7 +5,17 @@ export SHELL := env bash
 
 project_name = edk2
 export WORKSPACE := $(CURDIR)/workspace
-export EDK2_PATH := $(WORKSPACE)/$(word 3,$(subst /, ,$(CONFIG_EDK2_REPOSITORY)))
+
+strip_quotes = $(subst ",,$(1))
+
+EDK2_REPOSITORY := $(call strip_quotes,$(CONFIG_EDK2_REPOSITORY))
+EDK2_PLATFORMS_REPOSITORY := $(call strip_quotes,$(CONFIG_EDK2_PLATFORMS_REPOSITORY))
+EDK2_PATH_REPO_ROOT := $(word 3,$(subst /, ,$(EDK2_REPOSITORY)))
+export EDK2_PATH := $(WORKSPACE)/$(EDK2_PATH_REPO_ROOT)
+
+define edk2_abspath
+$(if $(filter /%,$(1)),$(1),$(EDK2_PATH)/$(1))
+endef
 
 ifeq ($(CONFIG_EDK2_USE_EDK2_PLATFORMS),y)
 BUILD_STR += -D USE_EDK2_PLATFORMS=TRUE
@@ -128,6 +138,39 @@ ifeq ($(CONFIG_DRIVERS_EFI_UPDATE_CAPSULES),y)
 BUILD_STR += -D CAPSULE_SUPPORT=TRUE
 BUILD_STR += -D CAPSULE_MAIN_FW_GUID=$(CONFIG_DRIVERS_EFI_MAIN_FW_GUID)
 endif
+ifeq ($(CONFIG_DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS),y)
+BUILD_STR += --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdCapsuleEmbeddedDriverSupport=TRUE
+endif
+ifeq ($(CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE),y)
+BUILD_STR += -D CAPSULE_EMBED_FMP_DXE=TRUE
+endif
+
+CAPSULE_PCD_INC_REL := BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
+CAPSULE_PCD_INC := $(EDK2_PATH)/$(CAPSULE_PCD_INC_REL)
+CAPSULE_PCD_NAME := gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr
+
+CAPSULE_GUID := $(call strip_quotes,$(CONFIG_DRIVERS_EFI_MAIN_FW_GUID))
+CAPSULE_REGIONS := $(call strip_quotes,$(CONFIG_DRIVERS_EFI_CAPSULE_REGIONS))
+CAPSULE_LOCALVERSION := $(call strip_quotes,$(CONFIG_LOCALVERSION))
+CAPSULE_SIGNER_PRIVATE_CERT := $(call strip_quotes,$(CONFIG_DRIVERS_EFI_CAPSULE_SIGNER_PRIVATE_CERT))
+CAPSULE_OTHER_PUBLIC_CERT := $(call strip_quotes,$(CONFIG_DRIVERS_EFI_CAPSULE_OTHER_PUBLIC_CERT))
+CAPSULE_TRUSTED_PUBLIC_CERT := $(call strip_quotes,$(CONFIG_DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT))
+
+CAPSULE_SIGNER_PRIVATE_CERT_PATH := $(call edk2_abspath,$(CAPSULE_SIGNER_PRIVATE_CERT))
+CAPSULE_OTHER_PUBLIC_CERT_PATH := $(call edk2_abspath,$(CAPSULE_OTHER_PUBLIC_CERT))
+CAPSULE_TRUSTED_PUBLIC_CERT_PATH := $(call edk2_abspath,$(CAPSULE_TRUSTED_PUBLIC_CERT))
+
+# AppendRmapManifest.py moved from BaseTools/Scripts to UefiPayloadPkg/Tools in
+# newer edk2 trees.
+EDK2_APPEND_RMAP_MANIFEST = $(firstword $(wildcard \
+	$(EDK2_PATH)/UefiPayloadPkg/Tools/AppendRmapManifest.py \
+	$(EDK2_PATH)/BaseTools/Scripts/AppendRmapManifest.py \
+))
+
+# If FmpDxe is built, edk2 also places it in the top-level X64 output dir.
+EDK2_FMP_DXE = $(WORKSPACE)/Build/UefiPayloadPkgX64/$(RELEASE_STR)_GCC/X64/FmpDxe.efi
+
+CAPSULE_ROOT_CERT_DER := $(WORKSPACE)/capsule_trusted_root.der
 
 #
 # One or more downstream edk2 repositories support the following additional options:
@@ -223,6 +266,10 @@ $(EDK2_PATH): $(WORKSPACE)
 	fi
 	cd $(EDK2_PATH); \
 		git checkout MdeModulePkg/Logo/Logo.bmp > /dev/null 2>&1 || true; \
+		git checkout "$(CAPSULE_PCD_INC_REL)" > /dev/null 2>&1 || true; \
+		if ! git ls-files --error-unmatch "$(CAPSULE_PCD_INC_REL)" >/dev/null 2>&1; then \
+			rm -f "$(CAPSULE_PCD_INC_REL)" || true; \
+		fi; \
 		if [ -e UefiPayloadPkg/ShimLayer/UniversalPayload.o ]; then \
 			rm UefiPayloadPkg/ShimLayer/UniversalPayload.o; \
 		fi; \
@@ -286,6 +333,19 @@ checktools:
 		exit 1; \
 	fi
 
+ifeq ($(CONFIG_DRIVERS_EFI_UPDATE_CAPSULES)$(CONFIG_DRIVERS_EFI_GENERATE_CAPSULE),yy)
+capsule_keys: $(EDK2_PATH)
+	type openssl > /dev/null 2>&1 || ( echo "ERROR: Please install openssl."; exit 1 )
+	test -f "$(CAPSULE_TRUSTED_PUBLIC_CERT_PATH)"
+	test -f "$(EDK2_PATH)/BaseTools/Scripts/BinToPcd.py"
+	mkdir -p "$(dir $(CAPSULE_PCD_INC))"
+	openssl x509 -in "$(CAPSULE_TRUSTED_PUBLIC_CERT_PATH)" -outform der -out "$(CAPSULE_ROOT_CERT_DER)"
+	python3 "$(EDK2_PATH)/BaseTools/Scripts/BinToPcd.py" -q -x \
+		-i "$(CAPSULE_ROOT_CERT_DER)" -o "$(CAPSULE_PCD_INC)" -p "$(CAPSULE_PCD_NAME)"
+
+prep: capsule_keys
+endif
+
 print:
 	echo "   ##### $(project_name) Build Summary #####"
 	echo "   Repository:     $(CONFIG_EDK2_REPOSITORY)"
@@ -359,3 +419,46 @@ distclean:
 	rm -rf $(WORKSPACE)
 
 .PHONY: $(EDK2_PATH) checktools logo UefiPayloadPkg UniversalPayload clean distclean
+
+.PHONY: coreboot_capsule capsule_keys
+
+coreboot_capsule: $(EDK2_PATH)
+	test -n "$(COREBOOT_ROM)"
+	test -n "$(COREBOOT_CAPSULE_OUT)"
+	test -f "$(COREBOOT_ROM)"
+	test -f "$(EDK2_APPEND_RMAP_MANIFEST)"
+	test -x "$(EDK2_PATH)/BaseTools/BinWrappers/PosixLike/GenerateCapsule"
+	test -f "$(CAPSULE_SIGNER_PRIVATE_CERT_PATH)"
+	test -f "$(CAPSULE_OTHER_PUBLIC_CERT_PATH)"
+	test -f "$(CAPSULE_TRUSTED_PUBLIC_CERT_PATH)"
+	rmap_rom="$${COREBOOT_CAPSULE_OUT%.cap}.rmap.rom"; \
+	set -e; \
+	python3 "$(EDK2_APPEND_RMAP_MANIFEST)" -o "$$rmap_rom" $(foreach r,$(CAPSULE_REGIONS),-r $(r)) "$(COREBOOT_ROM)"; \
+	embedded_driver_args=(); \
+	if [ "$(CONFIG_DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE)" = "y" ]; then \
+		test -f "$(EDK2_FMP_DXE)"; \
+		embedded_driver_args=( --embedded-driver "$(EDK2_FMP_DXE)" ); \
+	fi; \
+	fw_version=$$(( $(CONFIG_DRIVERS_EFI_MAIN_FW_VERSION) )); \
+	if [ $$fw_version -eq 0 ]; then \
+		if [[ "$(CAPSULE_LOCALVERSION)" =~ ^[^0-9]*([0-9]+)[.]([0-9]+) ]]; then \
+			fw_version=$$(( (10#$${BASH_REMATCH[1]} << 16) | 10#$${BASH_REMATCH[2]} )); \
+		fi; \
+	fi; \
+	lsv=$$(( $(CONFIG_DRIVERS_EFI_MAIN_FW_LSV) )); \
+	if [ $$lsv -eq 0 ]; then \
+		lsv=$$fw_version; \
+	fi; \
+	capflags=( --capflag PersistAcrossReset ); \
+	if [ "$(CONFIG_DRIVERS_EFI_CAPSULE_INITIATE_RESET)" = "y" ]; then \
+		capflags+=( --capflag InitiateReset ); \
+	fi; \
+	"$(EDK2_PATH)/BaseTools/BinWrappers/PosixLike/GenerateCapsule" -e -o "$(COREBOOT_CAPSULE_OUT)" \
+		--guid "$(CAPSULE_GUID)" \
+		"$${capflags[@]}" \
+		--fw-version $$fw_version --lsv $$lsv \
+		--signer-private-cert "$(CAPSULE_SIGNER_PRIVATE_CERT_PATH)" \
+		--other-public-cert "$(CAPSULE_OTHER_PUBLIC_CERT_PATH)" \
+		--trusted-public-cert "$(CAPSULE_TRUSTED_PUBLIC_CERT_PATH)" \
+		"$${embedded_driver_args[@]}" \
+		"$$rmap_rom"

src/drivers/efi/Kconfig

@@ -57,3 +57,93 @@ config DRIVERS_EFI_UPDATE_CAPSULES
 	  Adds a driver that is able to parse CapsuleUpdateData* EFI variables
 	  to discover firmware updates and expose them for tianocore thorough
 	  CBMEM for execution.  tianocore is responsible for erasing the variables.
+
+config DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS
+	bool "Allow embedded drivers in update capsules"
+	depends on PAYLOAD_EDK2 && DRIVERS_EFI_UPDATE_CAPSULES
+	help
+	  Allow the EDK2 payload's capsule processing to load embedded drivers
+	  from capsules (PcdCapsuleEmbeddedDriverSupport).
+
+	  This is required for capsules that contain embedded drivers.
+
+	  Note: if Secure Boot is enabled, the embedded driver must be signed by a
+	  key trusted by the running firmware (or capsule processing may fail).
+
+config DRIVERS_EFI_GENERATE_CAPSULE
+	bool "Generate an update capsule during the build"
+	depends on PAYLOAD_EDK2 && DRIVERS_EFI_UPDATE_CAPSULES
+	help
+	  Generates a UEFI capsule from the final ROM image using EDK2 BaseTools.
+	  This is intended for fwupd update workflows that use the ESRT/FMP
+	  mechanism.
+
+config DRIVERS_EFI_CAPSULE_EMBED_FMP_DXE
+	bool "Embed FmpDxe driver into generated capsules"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	depends on DRIVERS_EFI_CAPSULE_ACCEPT_EMBEDDED_DRIVERS
+	help
+	  When generating build/coreboot.cap, embed the built FmpDxe.efi as an
+	  embedded driver in the capsule.
+
+
+config DRIVERS_EFI_CAPSULE_INITIATE_RESET
+	bool "Request reset after capsule is applied"
+	default n
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	help
+	  Add the InitiateReset capsule flag when generating build/coreboot.cap.
+
+	  Note: Linux rejects capsules with InitiateReset when using
+	  /dev/efi_capsule_loader.
+
+
+config DRIVERS_EFI_CAPSULE_REGIONS
+	string "FMAP regions to include in the capsule manifest"
+	default "COREBOOT"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	help
+	  Whitespace-separated list of FMAP regions that the update capsule is
+	  allowed to modify. The list is embedded as a manifest inside the ROM
+	  image prior to building the capsule.
+
+menu "Capsule signing certificates"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+
+config DRIVERS_EFI_CAPSULE_SIGNER_PRIVATE_CERT
+	string "PEM file used to sign generated capsules"
+	default "BaseTools/Source/Python/Pkcs7Sign/TestCert.pem"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	help
+	  Path to a PEM file containing the private key and leaf certificate used
+	  when signing the capsule with EDK2 GenerateCapsule.
+
+	  If the path is relative, it is interpreted relative to the configured
+	  EDK2 repository (payloads/external/edk2 workspace).
+
+	  See Documentation/drivers/efi_capsule_generation.md and
+	  BaseTools/Source/Python/Pkcs7Sign/Readme.md in the EDK2 tree.
+
+config DRIVERS_EFI_CAPSULE_OTHER_PUBLIC_CERT
+	string "Intermediate certificate for capsule signing (PEM)"
+	default "BaseTools/Source/Python/Pkcs7Sign/TestSub.pub.pem"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	help
+	  Path to the intermediate certificate (PEM) used when generating a PKCS#7
+	  signature for the capsule.
+
+	  If the path is relative, it is interpreted relative to the configured
+	  EDK2 repository (payloads/external/edk2 workspace).
+
+config DRIVERS_EFI_CAPSULE_TRUSTED_PUBLIC_CERT
+	string "Trusted root certificate for capsule signing (PEM)"
+	default "BaseTools/Source/Python/Pkcs7Sign/TestRoot.pub.pem"
+	depends on DRIVERS_EFI_GENERATE_CAPSULE
+	help
+	  Path to the trusted root certificate (PEM) used when generating a PKCS#7
+	  signature for the capsule.
+
+	  If the path is relative, it is interpreted relative to the configured
+	  EDK2 repository (payloads/external/edk2 workspace).
+
+endmenu