From 4718ca14ace029e2dd1ccfd6082ec496db85b643 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= <michal.zygowski@3mdeb.com>
Date: Fri, 27 Jun 2025 15:15:53 +0200
Subject: [PATCH] payloads/external/edk2: Add Sovereign Boot Wizard options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upstream-Status: Inappropriate [custom EDK2 application]
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
---
 payloads/external/Makefile.mk          |  4 +++-
 payloads/external/edk2/Kconfig.dasharo | 16 +++++++++++++++-
 payloads/external/edk2/Makefile        | 10 ++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/payloads/external/Makefile.mk b/payloads/external/Makefile.mk
index b3365ac0561..f41e1c5aca5 100644
--- a/payloads/external/Makefile.mk
+++ b/payloads/external/Makefile.mk
@@ -295,7 +295,9 @@ $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG) $(IPXE_EFI)
 		CONFIG_EDK2_GRAPHICAL_CAPSULE_PROGRESS=$(CONFIG_EDK2_GRAPHICAL_CAPSULE_PROGRESS) \
 		CONFIG_EDK2_FUM_AUTO_IPXE_BOOT=$(CONFIG_EDK2_FUM_AUTO_IPXE_BOOT) \
 		CONFIG_EDK2_DASHARO_IBECC_OPTION=$(CONFIG_EDK2_DASHARO_IBECC_OPTION) \
-		CONFIG_EDK2_DASHARO_SPD_PROFILE_OPTION=$(CONFIG_EDK2_DASHARO_SPD_PROFILE_OPTION)
+		CONFIG_EDK2_DASHARO_SPD_PROFILE_OPTION=$(CONFIG_EDK2_DASHARO_SPD_PROFILE_OPTION) \
+		CONFIG_EDK2_ENABLE_SOVEREIGN_BOOT_WIZARD=$(CONFIG_EDK2_ENABLE_SOVEREIGN_BOOT_WIZARD) \
+		CONFIG_EDK2_SOVEREIGN_BOOT_WIZARD_DEFAULT_STATE=$(CONFIG_EDK2_SOVEREIGN_BOOT_WIZARD_DEFAULT_STATE)
 
 
 $(obj)/ShimmedUniversalPayload.elf: $(DOTCONFIG)
diff --git a/payloads/external/edk2/Kconfig.dasharo b/payloads/external/edk2/Kconfig.dasharo
index f7329f8ba70..3aa4eecc4ef 100644
--- a/payloads/external/edk2/Kconfig.dasharo
+++ b/payloads/external/edk2/Kconfig.dasharo
@@ -46,11 +46,25 @@ config EDK2_SECURE_BOOT_DEFAULT_ENABLE
 	help
 	  Sets the UEFI Secure Boot state to enabled by default.
 
+config EDK2_ENABLE_SOVEREIGN_BOOT_WIZARD
+	bool "Enable Sovereign Boot Wizard"
+	default n
+	depends on EDK2_SECURE_BOOT_SUPPORT
+	help
+	  Enables Sovereign Boot Wizard support in the TianoCore payload.
+
+config EDK2_SOVEREIGN_BOOT_WIZARD_DEFAULT_STATE
+	bool "Enable Sovereign Boot Wizard by default"
+	default y
+	depends on EDK2_ENABLE_SOVEREIGN_BOOT_WIZARD
+	help
+	  Defines the default state of Sovereign Boot Wizard.
+
 config EDK2_SATA_PASSWORD
 	bool "Enable TianoCore SATA disk password"
 	default n
 	help
-	  Enable SATA disk password suupport in the TianoCore payload.
+	  Enable SATA disk password support in the TianoCore payload.
 
 config EDK2_OPAL_PASSWORD
 	bool "Enable TianoCore TCG OPAL password"
diff --git a/payloads/external/edk2/Makefile b/payloads/external/edk2/Makefile
index e5454bae25d..ff5f4917754 100644
--- a/payloads/external/edk2/Makefile
+++ b/payloads/external/edk2/Makefile
@@ -114,7 +114,17 @@ endif
 # EDK2_SECURE_BOOT_SUPPORT      = FALSE
 ifeq ($(CONFIG_EDK2_SECURE_BOOT_SUPPORT), y)
 BUILD_STR += -D SECURE_BOOT_ENABLE=TRUE
+
+# SOVEREIGN_BOOT_ENABLE         = FALSE
+ifeq ($(CONFIG_EDK2_ENABLE_SOVEREIGN_BOOT_WIZARD),y)
+BUILD_STR += -D SOVEREIGN_BOOT_ENABLE=TRUE
+# PcdSovereignBootDefaultState  = TRUE
+ifneq ($(CONFIG_EDK2_SOVEREIGN_BOOT_WIZARD_DEFAULT_STATE),y)
+BUILD_STR += --pcd gDasharoSystemFeaturesTokenSpaceGuid.PcdSovereignBootDefaultState=FALSE
 endif
+endif # SOVEREIGN_BOOT_ENABLE
+
+endif # EDK2_SECURE_BOOT_SUPPORT
 # PCIEXP_SUPPORT_RESIZABLE_BARS = FALSE
 #ifeq ($(CONFIG_PCIEXP_SUPPORT_RESIZABLE_BARS), y)
 #BUILD_STR += --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport=TRUE