[build] Exclude selected directories from Secure Boot builds

mcb30 · mcb30 · commit 7428ab7258e0 · 2017-09-18T14:38:12.000+01:00
When submitting binaries for UEFI Secure Boot signing, certain
known-dubious subsystems (such as 802.11 and NFS) must be excluded
from the build.  Mark the directories containing these subsystems as
insecure, and allow the build target to include an explicit "security
flag" (a literal "-sb" appended to the build platform) to exclude
these source directories from the build process.

For example:

  make bin-x86_64-efi-sb/ipxe.efi

will build iPXE with all code from the 802.11 and NFS subsystems
excluded from the build.

Signed-off-by: Michael Brown &lt;mcb30@ipxe.org&gt;
diff --git a/src/Makefile b/src/Makefile
@@ -62,7 +62,7 @@ QEMUIMG		:= qemu-img
 SRCDIRS		:=
 SRCDIRS		+= libgcc
 SRCDIRS		+= core
-SRCDIRS		+= net net/oncrpc net/tcp net/udp net/infiniband net/80211
+SRCDIRS		+= net net/tcp net/udp net/infiniband
 SRCDIRS		+= image
 SRCDIRS		+= drivers/bus
 SRCDIRS		+= drivers/net
@@ -71,10 +71,6 @@ SRCDIRS		+= drivers/net/e1000e
 SRCDIRS		+= drivers/net/igb
 SRCDIRS		+= drivers/net/igbvf
 SRCDIRS		+= drivers/net/phantom
-SRCDIRS		+= drivers/net/rtl818x
-SRCDIRS		+= drivers/net/ath
-SRCDIRS		+= drivers/net/ath/ath5k
-SRCDIRS		+= drivers/net/ath/ath9k
 SRCDIRS		+= drivers/net/vxge
 SRCDIRS		+= drivers/net/efi
 SRCDIRS		+= drivers/net/tg3
@@ -105,6 +101,16 @@ SRCDIRS		+= hci/keymap
 SRCDIRS		+= usr
 SRCDIRS		+= config
 
+# These directories contain code that is not eligible for UEFI Secure
+# Boot signing.
+#
+SRCDIRS_INSEC	+= net/oncrpc
+SRCDIRS_INSEC	+= net/80211
+SRCDIRS_INSEC	+= drivers/net/rtl818x
+SRCDIRS_INSEC	+= drivers/net/ath
+SRCDIRS_INSEC	+= drivers/net/ath/ath5k
+SRCDIRS_INSEC	+= drivers/net/ath/ath9k
+
 # NON_AUTO_SRCS lists files that are excluded from the normal
 # automatic build system.
 #
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
@@ -299,7 +299,7 @@ endif
 #
 # Select build architecture and platform based on $(BIN)
 #
-# BIN has the form bin[-[arch-]platform]
+# BIN has the form bin[-[<arch>-]<platform>[-sb]]
 
 ARCHS		:= $(patsubst arch/%,%,$(wildcard arch/*))
 PLATFORMS	:= $(patsubst config/defaults/%.h,%,\
@@ -312,17 +312,18 @@ platforms :
 
 ifdef BIN
 
-# Determine architecture portion of $(BIN), if present
-BIN_ARCH	:= $(strip $(foreach A,$(ARCHS),\
-			     $(patsubst bin-$(A)-%,$(A),\
-			       $(filter bin-$(A)-%,$(BIN)))))
-
-# Determine platform portion of $(BIN), if present
-ifeq ($(BIN_ARCH),)
-BIN_PLATFORM	:= $(patsubst bin-%,%,$(filter bin-%,$(BIN)))
+# Split $(BIN) into architecture, platform, and security flag (where present)
+BIN_ELEMENTS	:= $(subst -,$(SPACE),$(BIN))
+BIN_APS		:= $(wordlist 2,4,$(BIN_ELEMENTS))
+ifeq ($(lastword $(BIN_APS)),sb)
+BIN_AP		:= $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
+BIN_SECUREBOOT	:= 1
 else
-BIN_PLATFORM	:= $(patsubst bin-$(BIN_ARCH)-%,%,$(BIN))
+BIN_AP		:= $(BIN_APS)
+BIN_SECUREBOOT	:= 0
 endif
+BIN_PLATFORM	:= $(lastword $(BIN_AP))
+BIN_ARCH	:= $(wordlist 2,$(words $(BIN_AP)),discard $(BIN_AP))
 
 # Determine build architecture
 DEFAULT_ARCH	:= i386
@@ -339,6 +340,13 @@ CFLAGS		+= -DPLATFORM=$(PLATFORM)
 platform :
 	@$(ECHO) $(PLATFORM)
 
+# Determine security flag
+DEFAULT_SECUREBOOT := 0
+SECUREBOOT	:= $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
+CFLAGS		+= -DSECUREBOOT=$(SECUREBOOT)
+secureboot :
+	@$(ECHO) $(SECUREBOOT)
+
 endif # defined(BIN)
 
 # Include architecture-specific Makefile
@@ -357,6 +365,11 @@ endif
 #
 # Source file handling
 
+# Exclude known-insecure files from Secure Boot builds
+ifeq ($(SECUREBOOT),0)
+SRCDIRS		+= $(SRCDIRS_INSEC)
+endif
+
 # SRCDIRS lists all directories containing source files.
 srcdirs :
 	@$(ECHO) $(SRCDIRS)
