sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2026-05-10 18:10:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

[build] Filter out non-permitted drivers for UEFI Secure Boot

Browse Source 
The all-drivers targets (e.g. ipxe.efi) cannot currently be used in a
Secure Boot build since the permissibility check will (correctly) fail
due to the inclusion of non-permitted drivers.

In a Secure Boot build, filter the all-drivers list to include only
the subset of drivers that are marked as being permitted for UEFI
Secure Boot.

Note that this automatic filter is a convenience shortcut: it is not
the enforcement mechanism.  The filter exists only to provide a
meaningful definition for the otherwise unusable all-drivers targets
in Secure Boot builds.  The enforcement mechanism remains the
permissiblity check introduced in commit 1d5b1d9 ("[build] Fail Secure
Boot builds unless all files are permitted").

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2026-02-11 22:35:10 +00:00
parent 7a2817bbd7
commit cf350b8eb7
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Makefile.housekeeping
+6
View File
@@ -1475,6 +1475,12 @@ endif
$(BIN)/etherboot.% : $(BIN)/ipxe.% $(BIN)/etherboot.% : $(BIN)/ipxe.%
ln -sf $(notdir $<) $@ ln -sf $(notdir $<) $@
# Filter out non-permitted drivers if security flag is set
#
ifneq ($(SECUREBOOT),)
DRIVERS_ipxe := $(filter $(DRIVERS_SECBOOT),$(DRIVERS_ipxe))
endif
endif # defined(BIN) endif # defined(BIN)
############################################################################### ###############################################################################
src/util/parserom.pl
+5
View File
@@ -38,6 +38,8 @@ my %RE = (
'parse_family' => qr{^ (?:\./)? (.*) \..+? $}x, 'parse_family' => qr{^ (?:\./)? (.*) \..+? $}x,
'find_rom_line' => qr/^ \s* ( (PCI|ISA|USB)_ROM \s* 'find_rom_line' => qr/^ \s* ( (PCI|ISA|USB)_ROM \s*
\( \s* (.*?) \s* \) \s* ) [,;]/msx, \( \s* (.*?) \s* \) \s* ) [,;]/msx,
'find_secboot' => qr/^ \s* FILE_SECBOOT \s*
\( \s* PERMITTED \s* \) \s* ; \s* $/mx,
'extract_hex_id' => qr/^ \s* 0x([0-9A-Fa-f]{4}) \s* ,? \s* (.*) $/sx, 'extract_hex_id' => qr/^ \s* 0x([0-9A-Fa-f]{4}) \s* ,? \s* (.*) $/sx,
'extract_quoted_string' => qr/^ \s* \" ([^\"]*?) \" \s* ,? \s* (.*) $/sx, 'extract_quoted_string' => qr/^ \s* \" ([^\"]*?) \" \s* ,? \s* (.*) $/sx,
); );
@@ -98,6 +100,7 @@ sub process_source_file {
or die "Couldn't open $state->{source_file}: $!\n"; or die "Couldn't open $state->{source_file}: $!\n";
my $content = do { local $/ = undef; <$fh> }; my $content = do { local $/ = undef; <$fh> };
close($fh) or die "Couldn't close $source_file: $!\n"; close($fh) or die "Couldn't close $source_file: $!\n";
$state->{secboot} = ( $content =~ m/$RE{find_secboot}/ );
while ( $content =~ m/$RE{find_rom_line}/g ) { while ( $content =~ m/$RE{find_rom_line}/g ) {
process_rom_decl($state, $1, $2, $3); process_rom_decl($state, $1, $2, $3);
} }
@@ -186,6 +189,8 @@ sub print_make_rules {
print "DRIVERS_$state->{type}_$state->{driver_class} ". print "DRIVERS_$state->{type}_$state->{driver_class} ".
"+= $state->{driver_name}\n"; "+= $state->{driver_name}\n";
print "DRIVERS += $state->{driver_name}\n"; print "DRIVERS += $state->{driver_name}\n";
print "DRIVERS_SECBOOT += $state->{driver_name}\n"
if $state->{'secboot'};
print "\n"; print "\n";
$state->{'is_header_printed'} = 1; $state->{'is_header_printed'} = 1;
} }