[build] Fail Secure Boot builds unless all files are permitted

Add the Secure Boot permissibility check as a dependency for targets
built with the Secure Boot flag enabled.  Attempting to build e.g.

  make bin-x86_64-efi-sb/snponly.efi

will now fail unless all files used in the final binary are marked as
being permitted for Secure Boot.

This does not affect the standard build targets (without the "-sb"
suffix on the build directory).

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/Makefile.efi

@@ -29,11 +29,13 @@ DRIVERS_net += snp mnp
 
 # Rules for building EFI files
 #
-$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI)
+$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI) \
+		$(if $(SECUREBOOT),$(BIN)/%.efi.secboot)
 	$(QM)$(ECHO) "  [FINISH] $@"
 	$(Q)$(ELF2EFI) --subsystem=10 $< $@
 
-$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI)
+$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI) \
+		$(if $(SECUREBOOT),$(BIN)/%.efidrv.secboot)
 	$(QM)$(ECHO) "  [FINISH] $@"
 	$(Q)$(ELF2EFI) --subsystem=11 $< $@
 

src/Makefile.housekeeping

@@ -226,10 +226,10 @@ BIN_ELEMENTS	:= $(subst -,$(SPACE),$(BIN))
 BIN_APS		:= $(wordlist 2,4,$(BIN_ELEMENTS))
 ifeq ($(lastword $(BIN_APS)),sb)
 BIN_AP		:= $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
-BIN_SECUREBOOT	:= 1
+BIN_SECUREBOOT	:= sb
 else
 BIN_AP		:= $(BIN_APS)
-BIN_SECUREBOOT	:= 0
+BIN_SECUREBOOT	:=
 endif
 ifeq ($(BIN_AP),efi)
 BIN_ARCH	:= i386
@@ -259,9 +259,7 @@ platform :
 	@$(ECHO) $(PLATFORM)
 
 # Determine security flag
-DEFAULT_SECUREBOOT := 0
-SECUREBOOT	:= $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
-CFLAGS		+= -DSECUREBOOT=$(SECUREBOOT)
+SECUREBOOT	:= $(BIN_SECUREBOOT)
 secureboot :
 	@$(ECHO) $(SECUREBOOT)