From 1d5b1d924882ef38cca6cce89f091fb439bfe624 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 14 Jan 2026 16:56:38 +0000
Subject: [PATCH] [build] Fail Secure Boot builds unless all files are permitted
Add the Secure Boot permissibility check as a dependency for targets built with the Secure Boot flag enabled. Attempting to build e.g. make bin-x86_64-efi-sb/snponly.efi will now fail unless all files used in the final binary are marked as being permitted for Secure Boot. This does not affect the standard build targets (without the "-sb" suffix on the build directory).
Signed-off-by: Michael Brown
---
 src/Makefile.efi | 6 ++++--
 src/Makefile.housekeeping | 8 +++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/Makefile.efi b/src/Makefile.efi
index 95ecf3863..0c42ce6bc 100644
--- a/src/Makefile.efi
+++ b/src/Makefile.efi
@@ -29,11 +29,13 @@ DRIVERS_net += snp mnp
 
 # Rules for building EFI files
 #
-$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI)
+$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI) \
+ $(if $(SECUREBOOT),$(BIN)/%.efi.secboot)
 $(QM)$(ECHO) " [FINISH] $@"
 $(Q)$(ELF2EFI) --subsystem=10 $< $@
 
-$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI)
+$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI) \
+ $(if $(SECUREBOOT),$(BIN)/%.efidrv.secboot)
 $(QM)$(ECHO) " [FINISH] $@"
 $(Q)$(ELF2EFI) --subsystem=11 $< $@
 
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index abf910183..c36862bcd 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -226,10 +226,10 @@ BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN))
 BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
 ifeq ($(lastword $(BIN_APS)),sb)
 BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
-BIN_SECUREBOOT := 1
+BIN_SECUREBOOT := sb
 else
 BIN_AP := $(BIN_APS)
-BIN_SECUREBOOT := 0
+BIN_SECUREBOOT :=
 endif
 ifeq ($(BIN_AP),efi)
 BIN_ARCH := i386
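Review bot: The new prerequisite `$(if $(SECUREBOOT),$(BIN)/%.efi.secboot)` on the `$(BIN)/%.efi` rule (and likewise on `$(BIN)/%.efidrv`) is expanded once, when this rule is parsed, so the permissibility check is only attached if SECUREBOOT has already been assigned by the time Makefile.efi is read; if Makefile.housekeeping sets it after this file is included, the prerequisite silently expands to nothing and an -sb build would link without the check, which is the opposite of the fail-secure intent. Worth confirming the include order, since the patch does not show it. The rule that produces `$(BIN)/%.efi.secboot` is also not in this patch, so it presumably exists already as a real stamp file written by the check. A one-line comment above the rule would help readers, e.g. `# Secure Boot (-sb) builds must also pass the permissibility check, recorded in $(BIN)/%.efi.secboot`.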
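Review bot: BIN_SECUREBOOT now carries `sb` or the empty string instead of `1`/`0`, so any remaining numeric test such as `ifeq ($(SECUREBOOT),1)` elsewhere in the tree would stop matching, and `make secureboot` (second hunk) now prints an empty line rather than `0` for a standard build, which may surprise scripts that parse it. The empty-vs-non-empty contract is what makes `$(if $(SECUREBOOT),...)` work, so it deserves a comment next to the assignment: `# Non-empty ("sb") only for Secure Boot build directories; rules gate on $(if $(SECUREBOOT),...)`.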
@@ -259,9 +259,7 @@ platform :
 @$(ECHO) $(PLATFORM)
 
 # Determine security flag
-DEFAULT_SECUREBOOT := 0
-SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
-CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
+SECUREBOOT := $(BIN_SECUREBOOT)
 
 secureboot :
 @$(ECHO) $(SECUREBOOT)
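Review bot: Removing `CFLAGS += -DSECUREBOOT=$(SECUREBOOT)` takes the SECUREBOOT preprocessor symbol away from every compilation unit, so any C source that tests it with `#if SECUREBOOT` would now compile as if it were zero; unless the symbol is supplied elsewhere, which this patch does not show, that is a behaviour change the commit message does not mention. The `$(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))` fallback is gone as well, so SECUREBOOT is now derived solely from the build directory name (a command-line `SECUREBOOT=` assignment still overrides it, as with any file assignment). A comment such as `# "sb" for -sb build directories, empty otherwise; the .secboot prerequisites in Makefile.efi are gated on this being non-empty` would make the contract explicit.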