git.ipfire.org Git - thirdparty/ipxe.git/commit

author	Michael Brown <mcb30@ipxe.org>
	Wed, 28 Jan 2026 13:31:07 +0000 (13:31 +0000)
committer	Michael Brown <mcb30@ipxe.org>
	Wed, 28 Jan 2026 13:38:20 +0000 (13:38 +0000)
commit	40c2db9d6734b2fd7a56b489c2e072a89ffa270d
tree	dc7a325bf957546ef2d114b396c0bb09bda43335	tree \| snapshot
parent	4db03054d5c0a7c91b0617cbc5d2461d055f13e2	commit \| diff

[build] Mark direct kernel loading as forbidden for UEFI Secure Boot

Our long-standing policy for EFI platforms is that we support invoking
binary executables only via the LoadImage() and StartImage() boot
services calls, so that all security policy decisions are delegated to
the platform firmware.

Most binary executable formats that we support are BIOS-only and
cannot in any case be linked in to an EFI executable. The only
cross-platform format is the generic Linux kernel image format as used
for RISC-V (and potentially also for AArch64).

Mark all files associated with direct loading of a kernel binary as
explicitly forbidden for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/arch/arm64/include/bits/lkrn.h		diff \| blob \| blame \| history
src/arch/riscv/include/bits/lkrn.h		diff \| blob \| blame \| history
src/image/lkrn.c		diff \| blob \| blame \| history
src/include/bits/lkrn.h		diff \| blob \| blame \| history
src/include/ipxe/lkrn.h		diff \| blob \| blame \| history