author | Michael Brown | 2017-09-18 14:32:39 +0200 |
---|---|---|
committer | Michael Brown | 2017-09-18 15:38:12 +0200 |
commit | 7428ab7258e03ddef79ba774432b7b8c11cc2730 (patch) | |
tree | be87ba6f133384c149b9976718d3694ad047d10b /src/Makefile | |
parent | [efi] Continue to connect remaining handles after connection errors (diff) | |

[build] Exclude selected directories from Secure Boot builds

When submitting binaries for UEFI Secure Boot signing, certain
known-dubious subsystems (such as 802.11 and NFS) must be excluded
from the build. Mark the directories containing these subsystems as
insecure, and allow the build target to include an explicit "security
flag" (a literal "-sb" appended to the build platform) to exclude
these source directories from the build process.

For example:

    make bin-x86_64-efi-sb/ipxe.efi

will build iPXE with all code from the 802.11 and NFS subsystems
excluded from the build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

Diffstat (limited to 'src/Makefile')
-rw-r--r-- | src/Makefile | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/Makefile b/src/Makefile index 911d27ab..d74565d1 100644 --- a/src/Makefile +++ b/src/Makefile @@ -62,7 +62,7 @@ QEMUIMG := qemu-img SRCDIRS := SRCDIRS += libgcc SRCDIRS += core -SRCDIRS += net net/oncrpc net/tcp net/udp net/infiniband net/80211 +SRCDIRS += net net/tcp net/udp net/infiniband SRCDIRS += image SRCDIRS += drivers/bus SRCDIRS += drivers/net @@ -71,10 +71,6 @@ SRCDIRS += drivers/net/e1000e SRCDIRS += drivers/net/igb SRCDIRS += drivers/net/igbvf SRCDIRS += drivers/net/phantom -SRCDIRS += drivers/net/rtl818x -SRCDIRS += drivers/net/ath -SRCDIRS += drivers/net/ath/ath5k -SRCDIRS += drivers/net/ath/ath9k SRCDIRS += drivers/net/vxge SRCDIRS += drivers/net/efi SRCDIRS += drivers/net/tg3 @@ -105,6 +101,16 @@ SRCDIRS += hci/keymap SRCDIRS += usr SRCDIRS += config +# These directories contain code that is not eligible for UEFI Secure +# Boot signing. +# +SRCDIRS_INSEC += net/oncrpc +SRCDIRS_INSEC += net/80211 +SRCDIRS_INSEC += drivers/net/rtl818x +SRCDIRS_INSEC += drivers/net/ath +SRCDIRS_INSEC += drivers/net/ath/ath5k +SRCDIRS_INSEC += drivers/net/ath/ath9k + # NON_AUTO_SRCS lists files that are excluded from the normal # automatic build system. # |
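
Review bot: The removals from SRCDIRS in the first two hunks (net/oncrpc and net/80211 at -62,7, then drivers/net/rtl818x and the three drivers/net/ath directories at -71,10) take these subsystems out of every build unless SRCDIRS_INSEC is merged back in for targets without the "-sb" suffix, and no such merge is visible in src/Makefile. Since this view is limited to src/Makefile, the part of the change that consumes SRCDIRS_INSEC needs to be reviewed alongside it; a short comment next to `SRCDIRS :=` saying where SRCDIRS_INSEC is folded back in would make the dependency visible from this file.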
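
Review bot: SRCDIRS_INSEC in the third hunk (+101,16) is only ever appended to with `+=` and has no `SRCDIRS_INSEC :=` initializer, unlike the `SRCDIRS :=` that opens the main list. Without it the list starts from whatever value is inherited from the environment, which is undesirable for a variable that decides what goes into a binary submitted for signing; add `SRCDIRS_INSEC :=` before the first `+=`. The new comment should also name the "-sb" platform suffix described in the commit message, so a reader of the Makefile can tell what triggers the exclusion. Note that the list is an exclusion list: any directory added to SRCDIRS later is included in Secure Boot builds by default, which is worth stating in the comment as well.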