sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2026-01-08 13:11:17 +03:00
Code Issues Packages Projects Releases Wiki Activity

[build] Exclude selected directories from Secure Boot builds

Browse Source 
When submitting binaries for UEFI Secure Boot signing, certain
known-dubious subsystems (such as 802.11 and NFS) must be excluded
from the build.  Mark the directories containing these subsystems as
insecure, and allow the build target to include an explicit "security
flag" (a literal "-sb" appended to the build platform) to exclude
these source directories from the build process.

For example:

  make bin-x86_64-efi-sb/ipxe.efi

will build iPXE with all code from the 802.11 and NFS subsystems
excluded from the build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2017-09-18 13:32:39 +01:00
parent d46c53cfc6
commit 7428ab7258
2 changed files with 34 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/Makefile.housekeeping
View File

@@ -299,7 +299,7 @@ endif
#
# Select build architecture and platform based on $(BIN)
#
# BIN has the form bin[-[arch-]platform]
# BIN has the form bin[-[<arch>-]<platform>[-sb]]
ARCHS := $(patsubst arch/%,%,$(wildcard arch/*))
PLATFORMS := $(patsubst config/defaults/%.h,%,\
@@ -312,17 +312,18 @@ platforms :
ifdef BIN
# Determine architecture portion of $(BIN), if present
BIN_ARCH := $(strip $(foreach A,$(ARCHS),\
$(patsubst bin-$(A)-%,$(A),\
$(filter bin-$(A)-%,$(BIN)))))
# Determine platform portion of $(BIN), if present
ifeq ($(BIN_ARCH),)
BIN_PLATFORM := $(patsubst bin-%,%,$(filter bin-%,$(BIN)))
# Split $(BIN) into architecture, platform, and security flag (where present)
BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN))
BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
ifeq ($(lastword $(BIN_APS)),sb)
BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
BIN_SECUREBOOT := 1
else
BIN_PLATFORM := $(patsubst bin-$(BIN_ARCH)-%,%,$(BIN))
BIN_AP := $(BIN_APS)
BIN_SECUREBOOT := 0
endif
BIN_PLATFORM := $(lastword $(BIN_AP))
BIN_ARCH := $(wordlist 2,$(words $(BIN_AP)),discard $(BIN_AP))
# Determine build architecture
DEFAULT_ARCH := i386
@@ -339,6 +340,13 @@ CFLAGS += -DPLATFORM=$(PLATFORM)
platform :
@$(ECHO) $(PLATFORM)
# Determine security flag
DEFAULT_SECUREBOOT := 0
SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
secureboot :
@$(ECHO) $(SECUREBOOT)
endif # defined(BIN)
# Include architecture-specific Makefile
@@ -357,6 +365,11 @@ endif
#
# Source file handling
# Exclude known-insecure files from Secure Boot builds
ifeq ($(SECUREBOOT),0)
SRCDIRS += $(SRCDIRS_INSEC)
endif
# SRCDIRS lists all directories containing source files.
srcdirs :
@$(ECHO) $(SRCDIRS)