From 301b1ecf2bdcf22b3d049c7fc186f909fc09ea2e Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 28 Jan 2026 16:34:57 +0000
Subject: [PATCH] [build] Mark compressed image tools as permitted for UEFI
 Secure Boot

Some older distributions (such as RHEL 8) provide their AArch64
kernels as gzip-compressed EFI binaries (with no self-decompressing
EFI stub present).  We therefore enable support for gzip images by
default for arm64 EFI builds.

Review the files used to implement the gzip (and zlib) formats and
mark these as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/core/archive.c                   | 1 +
 src/hci/commands/image_archive_cmd.c | 1 +
 src/image/gzip.c                     | 1 +
 src/image/zlib.c                     | 1 +
 src/include/ipxe/gzip.h              | 1 +
 src/include/ipxe/zlib.h              | 1 +
 src/include/usr/imgarchive.h         | 1 +
 src/usr/imgarchive.c                 | 1 +
 8 files changed, 8 insertions(+)

diff --git a/src/core/archive.c b/src/core/archive.c
index 8b6accc6a..ded79089a 100644
--- a/src/core/archive.c
+++ b/src/core/archive.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <string.h>
 #include <errno.h>
diff --git a/src/hci/commands/image_archive_cmd.c b/src/hci/commands/image_archive_cmd.c
index 6b907830e..0410fceba 100644
--- a/src/hci/commands/image_archive_cmd.c
+++ b/src/hci/commands/image_archive_cmd.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <getopt.h>
 #include <ipxe/command.h>
diff --git a/src/image/gzip.c b/src/image/gzip.c
index 17ccd2492..2a14cc79a 100644
--- a/src/image/gzip.c
+++ b/src/image/gzip.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdlib.h>
 #include <string.h>
diff --git a/src/image/zlib.c b/src/image/zlib.c
index f0f8f5622..aac67a190 100644
--- a/src/image/zlib.c
+++ b/src/image/zlib.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdlib.h>
 #include <errno.h>
diff --git a/src/include/ipxe/gzip.h b/src/include/ipxe/gzip.h
index c8cf64147..4d6666db1 100644
--- a/src/include/ipxe/gzip.h
+++ b/src/include/ipxe/gzip.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdint.h>
 #include <ipxe/image.h>
diff --git a/src/include/ipxe/zlib.h b/src/include/ipxe/zlib.h
index 3b0866bd1..00cb3aeec 100644
--- a/src/include/ipxe/zlib.h
+++ b/src/include/ipxe/zlib.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdint.h>
 #include <byteswap.h>
diff --git a/src/include/usr/imgarchive.h b/src/include/usr/imgarchive.h
index bf0c18f55..5a0057d27 100644
--- a/src/include/usr/imgarchive.h
+++ b/src/include/usr/imgarchive.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/image.h>
 
diff --git a/src/usr/imgarchive.c b/src/usr/imgarchive.c
index 91600760e..e1109d8af 100644
--- a/src/usr/imgarchive.c
+++ b/src/usr/imgarchive.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdio.h>
 #include <string.h>