From 7428ab7258e03ddef79ba774432b7b8c11cc2730 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Mon, 18 Sep 2017 13:32:39 +0100 Subject: [build] Exclude selected directories from Secure Boot builds When submitting binaries for UEFI Secure Boot signing, certain known-dubious subsystems (such as 802.11 and NFS) must be excluded from the build. Mark the directories containing these subsystems as insecure, and allow the build target to include an explicit "security flag" (a literal "-sb" appended to the build platform) to exclude these source directories from the build process. For example: make bin-x86_64-efi-sb/ipxe.efi will build iPXE with all code from the 802.11 and NFS subsystems excluded from the build. Signed-off-by: Michael Brown --- src/Makefile.housekeeping | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to 'src/Makefile.housekeeping') diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index f09db372..00b07926 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -299,7 +299,7 @@ endif # # Select build architecture and platform based on $(BIN) # -# BIN has the form bin[-[arch-]platform] +# BIN has the form bin[-[-][-sb]] ARCHS := $(patsubst arch/%,%,$(wildcard arch/*)) PLATFORMS := $(patsubst config/defaults/%.h,%,\ @@ -312,17 +312,18 @@ platforms : ifdef BIN -# Determine architecture portion of $(BIN), if present -BIN_ARCH := $(strip $(foreach A,$(ARCHS),\ - $(patsubst bin-$(A)-%,$(A),\ - $(filter bin-$(A)-%,$(BIN))))) - -# Determine platform portion of $(BIN), if present -ifeq ($(BIN_ARCH),) -BIN_PLATFORM := $(patsubst bin-%,%,$(filter bin-%,$(BIN))) +# Split $(BIN) into architecture, platform, and security flag (where present) +BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN)) +BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS)) +ifeq ($(lastword $(BIN_APS)),sb) +BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS)) +BIN_SECUREBOOT := 1 else -BIN_PLATFORM := $(patsubst bin-$(BIN_ARCH)-%,%,$(BIN)) +BIN_AP := $(BIN_APS) +BIN_SECUREBOOT := 0 endif +BIN_PLATFORM := $(lastword $(BIN_AP)) +BIN_ARCH := $(wordlist 2,$(words $(BIN_AP)),discard $(BIN_AP)) # Determine build architecture DEFAULT_ARCH := i386 @@ -339,6 +340,13 @@ CFLAGS += -DPLATFORM=$(PLATFORM) platform : @$(ECHO) $(PLATFORM) +# Determine security flag +DEFAULT_SECUREBOOT := 0 +SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT)) +CFLAGS += -DSECUREBOOT=$(SECUREBOOT) +secureboot : + @$(ECHO) $(SECUREBOOT) + endif # defined(BIN) # Include architecture-specific Makefile @@ -357,6 +365,11 @@ endif # # Source file handling +# Exclude known-insecure files from Secure Boot builds +ifeq ($(SECUREBOOT),0) +SRCDIRS += $(SRCDIRS_INSEC) +endif + # SRCDIRS lists all directories containing source files. srcdirs : @$(ECHO) $(SRCDIRS) -- cgit v1.2.3-55-g7522