Fork of ipxe; additional commands and features https://git.openslx.org/openslx-ng/ipxe.git/atom/src/Makefile.housekeeping?h=openslx 2026-01-21T23:26:23+00:00 2026-01-21T23:26:23+00:00 Michael Brown 2026-01-21T23:19:36+00:00 urn:sha1:0abef79a29e59b0d328b0db9fb16531f7d6653f6 Using "git log" to automatically construct the build timestamp is of minimal value. Reproducible builds should be using SOURCE_DATE_EPOCH anyway, and for ad hoc builds it is arguable that the time at which the build was performed is more relevant than the commit timestamp. (For example, the user may be trying to deliberately use an older version of iPXE in order to track down a regression via bisection.) Remove the use of "git log", and thereby remove any requirement for the git tools to be available at the point of building iPXE. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2026-01-21T12:57:18+00:00 Michael Brown 2026-01-21T12:55:12+00:00 urn:sha1:a42a15ae9155aad3a20b573a30b4027c4a286c58 As done for CROSS_COMPILE in commit 8fc11d8 ("[build] Allow for per-architecture cross-compilation prefixes"), allow a default sysroot for each architecture to be specified via the SYSROOT_<arch> variables. These may then be provided as environment variables, e.g. using export SYSROOT_riscv32=/usr/riscv32-linux-gnu/sys-root This is particularly useful for architectures such as RISC-V where the 64-bit compiler is also used to build 32-bit binaries, since in those cases the compiler will default to using the 64-bit sysroot. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2026-01-14T17:00:42+00:00 Michael Brown 2026-01-14T16:56:38+00:00 urn:sha1:1d5b1d924882ef38cca6cce89f091fb439bfe624 Add the Secure Boot permissibility check as a dependency for targets built with the Secure Boot flag enabled. Attempting to build e.g. make bin-x86_64-efi-sb/snponly.efi will now fail unless all files used in the final binary are marked as being permitted for Secure Boot. This does not affect the standard build targets (without the "-sb" suffix on the build directory). Signed-off-by: Michael Brown <mcb30@ipxe.org> 2026-01-14T13:20:11+00:00 Michael Brown 2026-01-14T13:20:11+00:00 urn:sha1:1996e214ed6b39916d61cc15ff224cc42cd36f85 Tighten up the regular expression used to check for FILE_LICENCE() and FILE_SECBOOT() declarations: ensure that they appear at the start of a line (with optional whitespace) and include the expected opening parenthesis. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2026-01-13T15:18:16+00:00 Michael Brown 2026-01-13T14:38:37+00:00 urn:sha1:30948987fda56e55d172cc3b66b291064724624d The third-party 802.11 stack and NFS protocol code are known to include multiple potential vulnerabilities and are explicitly forbidden from being included in Secure Boot signed builds. This is currently handled at the per-directory level by defining a list of source directories (SRCDIRS_INSEC) that are to be excluded from Secure Boot builds. Annotate all files in these directories with FILE_SECBOOT() to convey this information to the new per-file Secure Boot permissibility check, and remove the old separation between SRCDIRS and SRCDIRS_INSEC. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2026-01-13T13:49:27+00:00 Michael Brown 2026-01-13T13:49:27+00:00 urn:sha1:e61c636bf358a2c8b53290bacf16f73e0c548781 Not all files within the iPXE codebase are allowed to be included in UEFI Secure Boot signed builds. Following the pattern used by the existing FILE_LICENCE() macro and licensing check: define a FILE_SECBOOT() macro that can be used to declare a file as being permitted (or forbidden) in a UEFI Secure Boot signed build, and a corresponding build target to perform the check. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2025-06-24T13:40:57+00:00 Michael Brown 2025-06-24T12:32:49+00:00 urn:sha1:e5953ed7e6454fcab291635bfefd8e2affedd3d8 We no longer have any requirement for common symbols. Disable common symbols via the -fno-common compiler option, and simplify the test for support of -fdata-sections (which can return a false negative when common symbols are enabled). Signed-off-by: Michael Brown <mcb30@ipxe.org> 2025-05-06T11:11:02+00:00 Michael Brown 2025-05-06T11:07:38+00:00 urn:sha1:98646b9f016d9bff91a5c89f402aeb452ee7f84b Parsing ELF data is simpler if we don't have to build a single binary to handle both 32-bit and 64-bit ELF formats. Allow for separate 32-bit and 64-bit binaries built from util/zbin.c (as is already done for util/elf2efi.c). Signed-off-by: Michael Brown <mcb30@ipxe.org> 2025-04-27T17:40:52+00:00 Michael Brown 2025-04-27T17:01:24+00:00 urn:sha1:bd4ca67cf42d73495106f6f6f206c0cce8fef284 GCC 15 generates a warning when a string initializer is too large to allow for a trailing NUL terminator byte. This type of initializer is fairly common in signature strings such as ACPI table identifiers. Fix by disabling the warning. Signed-off-by: Michael Brown <mcb30@ipxe.org> 2025-04-15T12:22:00+00:00 Michael Brown 2025-04-15T12:11:48+00:00 urn:sha1:424839c58ab75afe483455f42a1e3345ca878eca We currently disable all external trust sources (such as the UEFI TlsCaCertificate variable) if an explicit TRUST=... parameter is provided on the build command line. Define an explicit TRUST_EXT build parameter that can be used to explicitly disable external trust sources even if no TRUST=... parameter is provided, or to explicitly enable external trust sources even if an explicit TRUST=... parameter is provided. For example: # Default trusted root certificate, disable external sources make TRUST_EXT=0 # Explicit trusted root certificate, enable external sources make TRUST=custom.crt TRUST_EXT=1 If no TRUST_EXT parameter is specified, then continue to default to disabling external trust sources if an explicit TRUST=... parameter is provided, to maintain backwards compatibility with existing build command lines. Signed-off-by: Michael Brown <mcb30@ipxe.org>