Add the Secure Boot permissibility check as a dependency for targets
built with the Secure Boot flag enabled. Attempting to build e.g.
make bin-x86_64-efi-sb/snponly.efi
will now fail unless all files used in the final binary are marked as
being permitted for Secure Boot.
This does not affect the standard build targets (without the "-sb"
suffix on the build directory).
Signed-off-by: Michael Brown <mcb30@ipxe.org>
# Rules for building EFI files
#
-$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI)
+$(BIN)/%.efi : $(BIN)/%.efi.tmp $(ELF2EFI) \
+ $(if $(SECUREBOOT),$(BIN)/%.efi.secboot)
$(QM)$(ECHO) " [FINISH] $@"
$(Q)$(ELF2EFI) --subsystem=10 $< $@
-$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI)
+$(BIN)/%.efidrv : $(BIN)/%.efidrv.tmp $(ELF2EFI) \
+ $(if $(SECUREBOOT),$(BIN)/%.efidrv.secboot)
$(QM)$(ECHO) " [FINISH] $@"
$(Q)$(ELF2EFI) --subsystem=11 $< $@
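Review bot: The new `$(if $(SECUREBOOT),…)` prerequisite on the `%.efi` and `%.efidrv` rules is expanded when the rule is read, so the permissibility check is attached only if `SECUREBOOT` already holds its final value when this makefile is parsed. If it is assigned later, an `-sb` build would silently lose the check. The assignment is not visible in this hunk, so the include order should be confirmed. `$(if)` also treats any non-empty value as true, so a leftover `SECUREBOOT=0` from the old 0/1 convention would now enable the check; that fails closed but is surprising. I would add a comment above the rules such as `# Secure Boot builds also require the .secboot permissibility check; SECUREBOOT must be set before this point and is tested only for non-emptiness`.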
BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
ifeq ($(lastword $(BIN_APS)),sb)
BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
-BIN_SECUREBOOT := 1
+BIN_SECUREBOOT := sb
else
BIN_AP := $(BIN_APS)
-BIN_SECUREBOOT := 0
+BIN_SECUREBOOT :=
endif
ifeq ($(BIN_AP),efi)
BIN_ARCH := i386
@$(ECHO) $(PLATFORM)
# Determine security flag
-DEFAULT_SECUREBOOT := 0
-SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
-CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
+SECUREBOOT := $(BIN_SECUREBOOT)
secureboot :
@$(ECHO) $(SECUREBOOT)
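Review bot: Removing `CFLAGS += -DSECUREBOOT=$(SECUREBOOT)` means any remaining `#if SECUREBOOT` in the C sources would now see an undefined macro. The preprocessor evaluates that as 0 with no diagnostic unless `-Wundef` is enabled, so Secure Boot–only code paths could drop out of an `-sb` binary unnoticed. No such users are visible in this diff, so this should be confirmed against the rest of the tree. The earlier `BIN_SECUREBOOT` hunk also changes the value from `1`/`0` to `sb`/empty, so any makefile test of the form `ifeq ($(SECUREBOOT),1)` elsewhere would silently become false. A comment on the assignment, e.g. `# "sb" for Secure Boot builds, empty otherwise; test for non-emptiness only`, would record the new contract.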