3 files changed, 13 insertions, 0 deletions

diff --git a/payloads/external/Makefile.inc b/payloads/external/Makefile.inc
index effab4381871..5f29063bfe0f 100644
--- a/payloads/external/Makefile.inc
+++ b/payloads/external/Makefile.inc
@@ -188,6 +188,7 @@ $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG)
 		CONFIG_ECAM_MMCONF_LENGTH=$(CONFIG_ECAM_MMCONF_LENGTH) \
 		CONFIG_CPU_XTAL_HZ=$(CONFIG_CPU_XTAL_HZ) \
 		CONFIG_SMMSTORE_V2=$(CONFIG_SMMSTORE_v2) \
+		CONFIG_EDK2_SECURE_BOOT_SUPPORT=$(CONFIG_EDK2_SECURE_BOOT_SUPPORT) \
 		GCC_CC_x86_32=$(GCC_CC_x86_32) \
 		GCC_CC_x86_64=$(GCC_CC_x86_64) \
 		GCC_CC_arm=$(GCC_CC_arm) \
diff --git a/payloads/external/edk2/Kconfig b/payloads/external/edk2/Kconfig
index 2c8152f27d6c..c166975f81d2 100644
--- a/payloads/external/edk2/Kconfig
+++ b/payloads/external/edk2/Kconfig
@@ -242,6 +242,14 @@ config EDK2_SERIAL_SUPPORT
 	  Enable serial port output in edk2. Serial output limits the performance of edk2's
 	  FrontPage.
 
+config EDK2_SECURE_BOOT_SUPPORT
+	bool "Enable UEFI Secure Boot support"
+	depends on EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+	default y if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
+	help
+	  Select this option to enable UEFI SecureBoot support in edk2.
+	  UEFI SecureBoot will be disabled by default and can be enabled from the menu option.
+
 config EDK2_CUSTOM_BUILD_PARAMS
 	string "edk2 additional custom build parameters"
 	default "-D VARIABLE_SUPPORT=SMMSTORE" if EDK2_REPO_MRCHROMEBOX && SMMSTORE_V2
diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile
index b241cf96882f..21812422fb64 100644
--- a/payloads/external/edk2/Makefile
+++ b/payloads/external/edk2/Makefile
@@ -111,6 +111,10 @@ endif
 ifneq ($(CONFIG_EDK2_SD_MMC_TIMEOUT),)
 BUILD_STR += -D SD_MMC_TIMEOUT=$(shell echo $$(( $(CONFIG_EDK2_SD_MMC_TIMEOUT) * 1000)) )
 endif
+# EDK2_SECURE_BOOT_SUPPORT      = FALSE
+ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y)
+BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE
+endif
 
 #
 # EDKII has the below PCDs that are relevant to coreboot: