[build] Define a mechanism for marking Secure Boot permissibility

Not all files within the iPXE codebase are allowed to be included in UEFI Secure Boot signed builds. Following the pattern used by the existing FILE_LICENCE() macro and licensing check: define a FILE_SECBOOT() macro that can be used to declare a file as being permitted (or forbidden) in a UEFI Secure Boot signed build, and a corresponding build target to perform the check. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-21 09:57:23 +03:00 · 2026-01-13 13:49:27 +00:00
parent 9c01c5a5da
commit e61c636bf3
2 changed files with 63 additions and 8 deletions
--- a/src/include/compiler.h
+++ b/src/include/compiler.h
@@ -900,6 +900,36 @@ char __debug_disable(OBJECT) = ( DBGLVL_MAX & ~DBGLVL_DFLT );
 /* This file itself is under GPLv2+/UBDL */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

+/**
+ * @defgroup secboot UEFI Secure Boot restrictions
+ *
+ * Not all files within the iPXE codebase are allowed to be included
+ * in UEFI Secure Boot signed builds.
+ *
+ * Files that are permitted in a UEFI Secure Boot build are subject to
+ * stricter code review requirements.  In particular, contributions
+ * from third parties may not be marked as permitted unless they have
+ * passed an approved security review.
+ *
+ * @{
+ */
+
+/** Declare a file as being permitted in a UEFI Secure Boot build */
+#define FILE_SECBOOT_PERMITTED \
+	PROVIDE_SYMBOL ( PREFIX_OBJECT ( __secboot__permitted__ ) )
+
+/** Declare a file as being forbidden in a UEFI Secure Boot build */
+#define FILE_SECBOOT_FORBIDDEN \
+	PROVIDE_SYMBOL ( PREFIX_OBJECT ( __secboot__forbidden__ ) )
+
+/** Declare a file's UEFI Secure Boot permission status */
+#define FILE_SECBOOT( _status ) FILE_SECBOOT_ ## _status
+
+/** @} */
+
+/* This file itself is permitted in a Secure Boot build */
+FILE_SECBOOT ( PERMITTED );
+
 #include <bits/compiler.h>

 #endif /* COMPILER_H */