[build] Mark core files as permitted for UEFI Secure Boot

Mark all files used in a standard build of bin-x86_64-efi/snponly.efi as permitted for UEFI Secure Boot. These files represent the core functionality of iPXE that is guaranteed to have been included in every binary that was previously subject to a security review and signed by Microsoft. It is therefore legitimate to assume that at least these files have already been reviewed to the required standard multiple times. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-21 18:30:56 +03:00 · 2026-01-14 13:25:34 +00:00
parent 1996e214ed
commit 6cccb3bdc0
497 changed files with 498 additions and 0 deletions
--- a/src/include/assert.h
+++ b/src/include/assert.h
@@ -11,6 +11,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifndef ASSERTING
 #ifdef NDEBUG
--- a/src/include/bits/dma.h
+++ b/src/include/bits/dma.h
@@ -11,5 +11,6 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #endif /* _BITS_DMA_H */
--- a/src/include/bits/uaccess.h
+++ b/src/include/bits/uaccess.h
@@ -11,5 +11,6 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #endif /* _BITS_UACCESS_H */
--- a/src/include/bits/umalloc.h
+++ b/src/include/bits/umalloc.h
@@ -11,5 +11,6 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #endif /* _BITS_UMALLOC_H */
--- a/src/include/bits/virt_offset.h
+++ b/src/include/bits/virt_offset.h
@@ -11,5 +11,6 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #endif /* _BITS_VIRT_OFFSET_H */
--- a/src/include/byteswap.h
+++ b/src/include/byteswap.h
@@ -2,6 +2,7 @@
 #define BYTESWAP_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <endian.h>
--- a/src/include/ctype.h
+++ b/src/include/ctype.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /**
 * Check if character is ASCII
--- a/src/include/curses.h
+++ b/src/include/curses.h
@@ -13,6 +13,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #undef  ERR
 #define ERR	(-1)
--- a/src/include/endian.h
+++ b/src/include/endian.h
@@ -2,6 +2,7 @@
 #define _ENDIAN_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /** Constant representing little-endian byte order
 *
--- a/src/include/errno.h
+++ b/src/include/errno.h
@@ -25,6 +25,7 @@
 #define ERRNO_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /** @file
 *
--- a/src/include/getopt.h
+++ b/src/include/getopt.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stddef.h>

--- a/src/include/hci/ifmgmt_cmd.h
+++ b/src/include/hci/ifmgmt_cmd.h
@@ -25,6 +25,7 @@
 #define _IFMGMT_CMD_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/parseopt.h>

--- a/src/include/ipxe/acpi.h
+++ b/src/include/ipxe/acpi.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <byteswap.h>
--- a/src/include/ipxe/ansicol.h
+++ b/src/include/ipxe/ansicol.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <curses.h> /* For COLOR_RED etc. */
--- a/src/include/ipxe/ansiesc.h
+++ b/src/include/ipxe/ansiesc.h
@@ -27,6 +27,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 struct ansiesc_context;

--- a/src/include/ipxe/aoe.h
+++ b/src/include/ipxe/aoe.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/list.h>
--- a/src/include/ipxe/api.h
+++ b/src/include/ipxe/api.h
@@ -12,6 +12,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /** @defgroup Single-implementation APIs
 *
--- a/src/include/ipxe/arp.h
+++ b/src/include/ipxe/arp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/tables.h>
 #include <ipxe/netdevice.h>
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stddef.h>
 #include <stdint.h>
--- a/src/include/ipxe/ata.h
+++ b/src/include/ipxe/ata.h
@@ -11,6 +11,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /**
 * An ATA Logical Block Address
--- a/src/include/ipxe/base16.h
+++ b/src/include/ipxe/base16.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <string.h>
--- a/src/include/ipxe/base64.h
+++ b/src/include/ipxe/base64.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <string.h>
--- a/src/include/ipxe/bitmap.h
+++ b/src/include/ipxe/bitmap.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <stddef.h>
--- a/src/include/ipxe/blockdev.h
+++ b/src/include/ipxe/blockdev.h
@@ -9,6 +9,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/interface.h>
--- a/src/include/ipxe/blocktrans.h
+++ b/src/include/ipxe/blocktrans.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/refcnt.h>
--- a/src/include/ipxe/cachedhcp.h
+++ b/src/include/ipxe/cachedhcp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stddef.h>

--- a/src/include/ipxe/chap.h
+++ b/src/include/ipxe/chap.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/md5.h>
--- a/src/include/ipxe/command.h
+++ b/src/include/ipxe/command.h
@@ -2,6 +2,7 @@
 #define _IPXE_COMMAND_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/tables.h>

--- a/src/include/ipxe/console.h
+++ b/src/include/ipxe/console.h
@@ -17,6 +17,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 struct pixel_buffer;

--- a/src/include/ipxe/cpio.h
+++ b/src/include/ipxe/cpio.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/image.h>
--- a/src/include/ipxe/crc32.h
+++ b/src/include/ipxe/crc32.h
@@ -2,6 +2,7 @@
 #define _IPXE_CRC32_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/crypto.h
+++ b/src/include/ipxe/crypto.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <stddef.h>
--- a/src/include/ipxe/device.h
+++ b/src/include/ipxe/device.h
@@ -9,6 +9,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/list.h>
 #include <ipxe/tables.h>
--- a/src/include/ipxe/dhcp.h
+++ b/src/include/ipxe/dhcp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <stdarg.h>
--- a/src/include/ipxe/dhcparch.h
+++ b/src/include/ipxe/dhcparch.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /* Include platform-specific client architecture definitions */
 #define PLATFORM_DHCPARCH(_platform) <ipxe/_platform/dhcparch.h>
--- a/src/include/ipxe/dhcpopts.h
+++ b/src/include/ipxe/dhcpopts.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/dhcppkt.h
+++ b/src/include/ipxe/dhcppkt.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/dhcp.h>
 #include <ipxe/dhcpopts.h>
--- a/src/include/ipxe/dhcpv6.h
+++ b/src/include/ipxe/dhcpv6.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/in.h>
--- a/src/include/ipxe/dma.h
+++ b/src/include/ipxe/dma.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/api.h>
--- a/src/include/ipxe/dns.h
+++ b/src/include/ipxe/dns.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/in.h>
--- a/src/include/ipxe/downloader.h
+++ b/src/include/ipxe/downloader.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 struct interface;
 struct image;
--- a/src/include/ipxe/dummy_sanboot.h
+++ b/src/include/ipxe/dummy_sanboot.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef SANBOOT_DUMMY
 #define SANBOOT_PREFIX_dummy
--- a/src/include/ipxe/dynui.h
+++ b/src/include/ipxe/dynui.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/list.h>

--- a/src/include/ipxe/eap.h
+++ b/src/include/ipxe/eap.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/netdevice.h>
--- a/src/include/ipxe/eapol.h
+++ b/src/include/ipxe/eapol.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/netdevice.h>
--- a/src/include/ipxe/ecam_io.h
+++ b/src/include/ipxe/ecam_io.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/edd.h
+++ b/src/include/ipxe/edd.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/interface.h>
--- a/src/include/ipxe/editbox.h
+++ b/src/include/ipxe/editbox.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <curses.h>
 #include <ipxe/editstring.h>
--- a/src/include/ipxe/editstring.h
+++ b/src/include/ipxe/editstring.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /** An editable string */
 struct edit_string {
--- a/src/include/ipxe/efi/ProcessorBind.h
+++ b/src/include/ipxe/efi/ProcessorBind.h
@@ -2,6 +2,7 @@
 #define _IPXE_EFI_PROCESSOR_BIND_H

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /*
 * EFI header files rely on having the CPU architecture directory
--- a/src/include/ipxe/efi/Protocol/AppleNetBoot.h
+++ b/src/include/ipxe/efi/Protocol/AppleNetBoot.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( BSD3 );
+FILE_SECBOOT ( PERMITTED );

 #define EFI_APPLE_NET_BOOT_PROTOCOL_GUID				\
 	{ 0x78ee99fb, 0x6a5e, 0x4186,					\
--- a/src/include/ipxe/efi/Protocol/ShimLock.h
+++ b/src/include/ipxe/efi/Protocol/ShimLock.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( BSD3 );
+FILE_SECBOOT ( PERMITTED );

 #define EFI_SHIM_LOCK_PROTOCOL_GUID					\
 	{ 0x605dab50, 0xe046, 0x4300,					\
--- a/src/include/ipxe/efi/efi.h
+++ b/src/include/ipxe/efi/efi.h
@@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );

 /* EFI headers rudely redefine NULL */
 #undef NULL
--- a/src/include/ipxe/efi/efi_acpi.h
+++ b/src/include/ipxe/efi/efi_acpi.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef ACPI_EFI
 #define ACPI_PREFIX_efi
--- a/src/include/ipxe/efi/efi_autoboot.h
+++ b/src/include/ipxe/efi/efi_autoboot.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_autoexec.h
+++ b/src/include/ipxe/efi/efi_autoexec.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 extern int efi_autoexec_load ( void );

--- a/src/include/ipxe/efi/efi_block.h
+++ b/src/include/ipxe/efi/efi_block.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef SANBOOT_EFI
 #define SANBOOT_PREFIX_efi
--- a/src/include/ipxe/efi/efi_cachedhcp.h
+++ b/src/include/ipxe/efi/efi_cachedhcp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_cmdline.h
+++ b/src/include/ipxe/efi/efi_cmdline.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <wchar.h>
--- a/src/include/ipxe/efi/efi_download.h
+++ b/src/include/ipxe/efi/efi_download.h
@@ -20,6 +20,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );

 /** @file
 *
--- a/src/include/ipxe/efi/efi_driver.h
+++ b/src/include/ipxe/efi/efi_driver.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/device.h>
 #include <ipxe/tables.h>
--- a/src/include/ipxe/efi/efi_fdt.h
+++ b/src/include/ipxe/efi/efi_fdt.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_file.h
+++ b/src/include/ipxe/efi/efi_file.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 extern int efi_file_install ( EFI_HANDLE handle );
 extern void efi_file_uninstall ( EFI_HANDLE handle );
--- a/src/include/ipxe/efi/efi_hii.h
+++ b/src/include/ipxe/efi/efi_hii.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <string.h>
 #include <ipxe/efi/Uefi/UefiInternalFormRepresentation.h>
--- a/src/include/ipxe/efi/efi_image.h
+++ b/src/include/ipxe/efi/efi_image.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/image.h>

--- a/src/include/ipxe/efi/efi_nap.h
+++ b/src/include/ipxe/efi/efi_nap.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef NAP_EFI
 #define NAP_PREFIX_efi
--- a/src/include/ipxe/efi/efi_null.h
+++ b/src/include/ipxe/efi/efi_null.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>
 #include <ipxe/efi/Protocol/AppleNetBoot.h>
--- a/src/include/ipxe/efi/efi_path.h
+++ b/src/include/ipxe/efi/efi_path.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/interface.h>
 #include <ipxe/efi/efi.h>
--- a/src/include/ipxe/efi/efi_pci.h
+++ b/src/include/ipxe/efi/efi_pci.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/pci.h>
 #include <ipxe/efi/efi.h>
--- a/src/include/ipxe/efi/efi_pci_api.h
+++ b/src/include/ipxe/efi/efi_pci_api.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef PCIAPI_EFI
 #define PCIAPI_PREFIX_efi
--- a/src/include/ipxe/efi/efi_pxe.h
+++ b/src/include/ipxe/efi/efi_pxe.h
@@ -10,6 +10,7 @@
 #include <ipxe/netdevice.h>

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 extern int efi_pxe_install ( EFI_HANDLE handle, struct net_device *netdev );
 extern void efi_pxe_uninstall ( EFI_HANDLE handle );
--- a/src/include/ipxe/efi/efi_reboot.h
+++ b/src/include/ipxe/efi/efi_reboot.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef REBOOT_EFI
 #define REBOOT_PREFIX_efi
--- a/src/include/ipxe/efi/efi_service.h
+++ b/src/include/ipxe/efi/efi_service.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_shim.h
+++ b/src/include/ipxe/efi/efi_shim.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/image.h>
 #include <ipxe/efi/efi.h>
--- a/src/include/ipxe/efi/efi_smbios.h
+++ b/src/include/ipxe/efi/efi_smbios.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef SMBIOS_EFI
 #define SMBIOS_PREFIX_efi
--- a/src/include/ipxe/efi/efi_snp.h
+++ b/src/include/ipxe/efi/efi_snp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/list.h>
 #include <ipxe/netdevice.h>
--- a/src/include/ipxe/efi/efi_strings.h
+++ b/src/include/ipxe/efi/efi_strings.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stddef.h>
 #include <stdint.h>
--- a/src/include/ipxe/efi/efi_table.h
+++ b/src/include/ipxe/efi/efi_table.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_time.h
+++ b/src/include/ipxe/efi/efi_time.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/efi/efi_umalloc.h
+++ b/src/include/ipxe/efi/efi_umalloc.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #ifdef UMALLOC_EFI
 #define UMALLOC_PREFIX_efi
--- a/src/include/ipxe/efi/efi_utils.h
+++ b/src/include/ipxe/efi/efi_utils.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/efi_veto.h
+++ b/src/include/ipxe/efi/efi_veto.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 extern void efi_veto ( void );

--- a/src/include/ipxe/efi/efi_watchdog.h
+++ b/src/include/ipxe/efi/efi_watchdog.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 extern struct retry_timer efi_watchdog;

--- a/src/include/ipxe/efi/efi_wrap.h
+++ b/src/include/ipxe/efi/efi_wrap.h
@@ -7,6 +7,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>

--- a/src/include/ipxe/efi/mnpnet.h
+++ b/src/include/ipxe/efi/mnpnet.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 struct efi_device;
 struct net_device;
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <bits/errfile.h>

--- a/src/include/ipxe/errno/efi.h
+++ b/src/include/ipxe/errno/efi.h
@@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/efi/efi.h>
 #include <ipxe/efi/Uefi/UefiBaseType.h>
--- a/src/include/ipxe/errortab.h
+++ b/src/include/ipxe/errortab.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <ipxe/tables.h>

--- a/src/include/ipxe/eth_slow.h
+++ b/src/include/ipxe/eth_slow.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /** Slow protocols header */
 struct eth_slow_header {
--- a/src/include/ipxe/ethernet.h
+++ b/src/include/ipxe/ethernet.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/netdevice.h>
--- a/src/include/ipxe/fakedhcp.h
+++ b/src/include/ipxe/fakedhcp.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/fault.h
+++ b/src/include/ipxe/fault.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <config/fault.h>
--- a/src/include/ipxe/fc.h
+++ b/src/include/ipxe/fc.h
@@ -9,6 +9,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/refcnt.h>
--- a/src/include/ipxe/fcels.h
+++ b/src/include/ipxe/fcels.h
@@ -9,6 +9,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/fc.h>
--- a/src/include/ipxe/fcp.h
+++ b/src/include/ipxe/fcp.h
@@ -9,6 +9,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/fc.h>
--- a/src/include/ipxe/fdtmem.h
+++ b/src/include/ipxe/fdtmem.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>

--- a/src/include/ipxe/features.h
+++ b/src/include/ipxe/features.h
@@ -12,6 +12,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 /**
 * @defgroup featurecat Feature categories
--- a/src/include/ipxe/fragment.h
+++ b/src/include/ipxe/fragment.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/list.h>
--- a/src/include/ipxe/http.h
+++ b/src/include/ipxe/http.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/refcnt.h>
--- a/src/include/ipxe/ib_mad.h
+++ b/src/include/ipxe/ib_mad.h
@@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );

 #include <stdint.h>
 #include <ipxe/ib_packet.h>
--- a/Show More
+++ b/Show More