[build] Exclude selected directories from Secure Boot builds
When submitting binaries for UEFI Secure Boot signing, certain
known-dubious subsystems (such as 802.11 and NFS) must be excluded
from the build.  Mark the directories containing these subsystems as
insecure, and allow the build target to include an explicit "security
flag" (a literal "-sb" appended to the build platform) to exclude
these source directories from the build process.

For example:

  make bin-x86_64-efi-sb/ipxe.efi

will build iPXE with all code from the 802.11 and NFS subsystems
excluded from the build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Sep 18, 2017
1 parent d46c53c commit 7428ab7
Showing 2 changed files with 34 additions and 15 deletions.
16 changes: 11 additions & 5 deletions src/Makefile
Expand Up @@ -62,7 +62,7 @@ QEMUIMG := qemu-img
SRCDIRS :=
SRCDIRS += libgcc
SRCDIRS += core
SRCDIRS += net net/oncrpc net/tcp net/udp net/infiniband net/80211
SRCDIRS += net net/tcp net/udp net/infiniband
SRCDIRS += image
SRCDIRS += drivers/bus
SRCDIRS += drivers/net
Expand All @@ -71,10 +71,6 @@ SRCDIRS += drivers/net/e1000e
SRCDIRS += drivers/net/igb
SRCDIRS += drivers/net/igbvf
SRCDIRS += drivers/net/phantom
SRCDIRS += drivers/net/rtl818x
SRCDIRS += drivers/net/ath
SRCDIRS += drivers/net/ath/ath5k
SRCDIRS += drivers/net/ath/ath9k
SRCDIRS += drivers/net/vxge
SRCDIRS += drivers/net/efi
SRCDIRS += drivers/net/tg3
Expand Down Expand Up @@ -105,6 +101,16 @@ SRCDIRS += hci/keymap
SRCDIRS += usr
SRCDIRS += config

# These directories contain code that is not eligible for UEFI Secure
# Boot signing.
#
SRCDIRS_INSEC += net/oncrpc
SRCDIRS_INSEC += net/80211
SRCDIRS_INSEC += drivers/net/rtl818x
SRCDIRS_INSEC += drivers/net/ath
SRCDIRS_INSEC += drivers/net/ath/ath5k
SRCDIRS_INSEC += drivers/net/ath/ath9k

# NON_AUTO_SRCS lists files that are excluded from the normal
# automatic build system.
#
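Review bot: `SRCDIRS_INSEC` is only ever appended to in this section, while `SRCDIRS` starts from an explicit `SRCDIRS :=`; unless it is initialised outside the visible lines, a value inherited from the environment would be carried into the list, so `SRCDIRS_INSEC :=` belongs before the first `+=`. The comment above the list should also say that this is an exclusion list: any directory added to `SRCDIRS` later is part of Secure Boot builds unless someone moves it here, for example `# Directories listed in SRCDIRS are signed by default; list anything not eligible for signing here.` Code outside these six directories that depends on the excluded subsystems is not visible in this section and would need its own check.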
33 changes: 23 additions & 10 deletions src/Makefile.housekeeping
Expand Up @@ -299,7 +299,7 @@ endif
#
# Select build architecture and platform based on $(BIN)
#
# BIN has the form bin[-[arch-]platform]
# BIN has the form bin[-[<arch>-]<platform>[-sb]]

ARCHS := $(patsubst arch/%,%,$(wildcard arch/*))
PLATFORMS := $(patsubst config/defaults/%.h,%,\
Expand All @@ -312,17 +312,18 @@ platforms :

ifdef BIN

# Determine architecture portion of $(BIN), if present
BIN_ARCH := $(strip $(foreach A,$(ARCHS),\
$(patsubst bin-$(A)-%,$(A),\
$(filter bin-$(A)-%,$(BIN)))))

# Determine platform portion of $(BIN), if present
ifeq ($(BIN_ARCH),)
BIN_PLATFORM := $(patsubst bin-%,%,$(filter bin-%,$(BIN)))
# Split $(BIN) into architecture, platform, and security flag (where present)
BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN))
BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
ifeq ($(lastword $(BIN_APS)),sb)
BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
BIN_SECUREBOOT := 1
else
BIN_PLATFORM := $(patsubst bin-$(BIN_ARCH)-%,%,$(BIN))
BIN_AP := $(BIN_APS)
BIN_SECUREBOOT := 0
endif
BIN_PLATFORM := $(lastword $(BIN_AP))
BIN_ARCH := $(wordlist 2,$(words $(BIN_AP)),discard $(BIN_AP))

# Determine build architecture
DEFAULT_ARCH := i386
Expand All @@ -339,6 +340,13 @@ CFLAGS += -DPLATFORM=$(PLATFORM)
platform :
@$(ECHO) $(PLATFORM)

# Determine security flag
DEFAULT_SECUREBOOT := 0
SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
secureboot :
@$(ECHO) $(SECUREBOOT)

endif # defined(BIN)

# Include architecture-specific Makefile
Expand All @@ -357,6 +365,11 @@ endif
#
# Source file handling

# Exclude known-insecure files from Secure Boot builds
ifeq ($(SECUREBOOT),0)
SRCDIRS += $(SRCDIRS_INSEC)
endif

# SRCDIRS lists all directories containing source files.
srcdirs :
@$(ECHO) $(SRCDIRS)
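Review bot: The directory filter at `ifeq ($(SECUREBOOT),0)` trusts a plain `SECUREBOOT := …` assignment, which a command-line `SECUREBOOT=0` overrides, so a `bin-…-sb` output directory could end up built with `$(SRCDIRS_INSEC)` included. Since the `-sb` suffix is what marks a binary as a signing candidate, the flag should be derivable only from `$(BIN)`, e.g. `override SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))`, or an `$(error …)` when the two disagree. The test sits after `endif # defined(BIN)`, so with no BIN the variable is empty and the insecure directories are left out; that fail-closed default deserves a comment such as `# SECUREBOOT is unset without BIN: insecure directories stay excluded`. The new split on `-` also no longer checks the architecture word against `$(ARCHS)` inside this hunk; if nothing later validates it, a mistyped suffix would be parsed as a platform name rather than rejected.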
