[build] Fail Secure Boot builds unless all files are permitted

Add the Secure Boot permissibility check as a dependency for targets
built with the Secure Boot flag enabled.  Attempting to build e.g.

  make bin-x86_64-efi-sb/snponly.efi

will now fail unless all files used in the final binary are marked as
being permitted for Secure Boot.

This does not affect the standard build targets (without the "-sb"
suffix on the build directory).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2026-01-14 16:56:38 +00:00
parent 46510f36ab
commit 1d5b1d9248
2 changed files with 7 additions and 7 deletions


@@ -226,10 +226,10 @@ BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN))
BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
ifeq ($(lastword $(BIN_APS)),sb)
BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
BIN_SECUREBOOT := 1
BIN_SECUREBOOT := sb
else
BIN_AP := $(BIN_APS)
BIN_SECUREBOOT := 0
BIN_SECUREBOOT :=
endif
ifeq ($(BIN_AP),efi)
BIN_ARCH := i386
@@ -259,9 +259,7 @@ platform :
@$(ECHO) $(PLATFORM)
# Determine security flag
DEFAULT_SECUREBOOT := 0
SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
SECUREBOOT := $(BIN_SECUREBOOT)
secureboot :
@$(ECHO) $(SECUREBOOT)
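Review bot: The value domain of `SECUREBOOT` changes here from `1`/`0` to what appears to be `sb`/empty (the rendered page has lost the +/- markers, so the sides are inferred from the hunk-header counts), and nothing at the `# Determine security flag` block documents the new contract. Any consumer outside these hunks that still compares the variable against `1` or `0` would silently stop matching, so the Secure Boot path, including the new permissibility check, would be skipped rather than fail. I would add a comment above the assignment, e.g. `# SECUREBOOT is "sb" for bin-*-sb build directories, empty otherwise`, and check the remaining users of `SECUREBOOT` and `BIN_SECUREBOOT`. The same hunk drops `CFLAGS += -DSECUREBOOT=$(SECUREBOOT)`; whether the macro is still defined elsewhere is not visible here, but if it is not, a source file that tests it with `#if` would see it evaluate as 0 with no diagnostic. The `secureboot` target also now prints an empty line instead of `0` for standard builds, which matters to any script that parses its output.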