[build] Define a mechanism for marking Secure Boot permissibility

Not all files within the iPXE codebase are allowed to be included in
UEFI Secure Boot signed builds.

Following the pattern used by the existing FILE_LICENCE() macro and
licensing check: define a FILE_SECBOOT() macro that can be used to
declare a file as being permitted (or forbidden) in a UEFI Secure Boot
signed build, and a corresponding build target to perform the check.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/Makefile.housekeeping

@@ -1299,15 +1299,17 @@ endef
 $(BIN)/%.nodeps : $(BIN)/%.tmp
 	$(Q)$(ECHO) $(call nodeps_list,$<)
 
-# Get licensing verdict for the specified target
-#
-define licensable_deps_list
+# Get annotated dependency list for the specified target
+define annotated_deps_list
 	$(filter-out config/local/%.h,\
 	  $(filter-out $(BIN)/.%.list,\
 	    $(call deps_list,$(1))))
 endef
+
+# Get licensing verdict for the specified target
+#
 define unlicensed_deps_list
-	$(shell grep -L FILE_LICENCE $(call licensable_deps_list,$(1)))
+	$(shell grep -L FILE_LICENCE $(call annotated_deps_list,$(1)))
 endef
 define licence_list
 	$(sort $(foreach LICENCE,\
@@ -1319,11 +1321,34 @@ $(BIN)/%.licence_list : $(BIN)/%.tmp
 $(BIN)/%.licence : $(BIN)/%.tmp
 	$(QM)$(ECHO) "  [LICENCE] $@"
 	$(Q)$(if $(strip $(call unlicensed_deps_list,$<)),\
-		echo -n "Unable to determine licence because the following " ;\
-		echo "files are missing a licence declaration:" ;\
+		echo -n "The following files are missing a FILE_LICENCE() " ;\
+		echo "declaration:" ;\
 		echo $(call unlicensed_deps_list,$<);\
-		exit 1,\
-		$(PERL) $(LICENCE) $(call licence_list,$<))
+		exit 1)
+	$(PERL) $(LICENCE) $(call licence_list,$<)
+
+# Get Secure Boot permissibility verdict for the specified target
+#
+define nosecboot_deps_list
+	$(shell grep -L FILE_SECBOOT $(call annotated_deps_list,$(1)))
+endef
+define secboot_list
+	$(sort $(foreach SECBOOT,\
+		 $(filter __secboot__%,$(shell $(NM) $(1) | cut -d" " -f3)),\
+		 $(word 2,$(subst __, ,$(SECBOOT)))))
+endef
+$(BIN)/%.secboot : $(BIN)/%.tmp
+	$(QM)$(ECHO) "  [SECBOOT] $@"
+	$(Q)$(if $(strip $(call nosecboot_deps_list,$<)),\
+		echo -n "The following files are missing a FILE_SECBOOT() " ;\
+		echo "declaration:" ;\
+		echo $(call nosecboot_deps_list,$<);\
+		exit 1)
+	echo $(call secboot_list,$<)
+	$(Q)$(if $(strip $(filter-out permitted,$(call secboot_list,$<))),\
+		echo -n "This build includes files that are not permitted " ;\
+		echo "to be signed for UEFI Secure Boot" ;\
+		exit 1)
 
 # Extract compression information from intermediate object file
 #

src/include/compiler.h

@@ -900,6 +900,36 @@ char __debug_disable(OBJECT) = ( DBGLVL_MAX & ~DBGLVL_DFLT );
 /* This file itself is under GPLv2+/UBDL */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 
+/**
+ * @defgroup secboot UEFI Secure Boot restrictions
+ *
+ * Not all files within the iPXE codebase are allowed to be included
+ * in UEFI Secure Boot signed builds.
+ *
+ * Files that are permitted in a UEFI Secure Boot build are subject to
+ * stricter code review requirements.  In particular, contributions
+ * from third parties may not be marked as permitted unless they have
+ * passed an approved security review.
+ *
+ * @{
+ */
+
+/** Declare a file as being permitted in a UEFI Secure Boot build */
+#define FILE_SECBOOT_PERMITTED \
+	PROVIDE_SYMBOL ( PREFIX_OBJECT ( __secboot__permitted__ ) )
+
+/** Declare a file as being forbidden in a UEFI Secure Boot build */
+#define FILE_SECBOOT_FORBIDDEN \
+	PROVIDE_SYMBOL ( PREFIX_OBJECT ( __secboot__forbidden__ ) )
+
+/** Declare a file's UEFI Secure Boot permission status */
+#define FILE_SECBOOT( _status ) FILE_SECBOOT_ ## _status
+
+/** @} */
+
+/* This file itself is permitted in a Secure Boot build */
+FILE_SECBOOT ( PERMITTED );
+
 #include <bits/compiler.h>
 
 #endif /* COMPILER_H */