SRCDIRS :=
SRCDIRS += libgcc
SRCDIRS += core
-SRCDIRS += net net/oncrpc net/tcp net/udp net/infiniband net/80211
+SRCDIRS += net net/tcp net/udp net/infiniband
SRCDIRS += image
SRCDIRS += drivers/bus
SRCDIRS += drivers/net
SRCDIRS += drivers/net/igb
SRCDIRS += drivers/net/igbvf
SRCDIRS += drivers/net/phantom
-SRCDIRS += drivers/net/rtl818x
-SRCDIRS += drivers/net/ath
-SRCDIRS += drivers/net/ath/ath5k
-SRCDIRS += drivers/net/ath/ath9k
SRCDIRS += drivers/net/vxge
SRCDIRS += drivers/net/efi
SRCDIRS += drivers/net/tg3
SRCDIRS += usr
SRCDIRS += config
+# These directories contain code that is not eligible for UEFI Secure
+# Boot signing.
+#
+SRCDIRS_INSEC += net/oncrpc
+SRCDIRS_INSEC += net/80211
+SRCDIRS_INSEC += drivers/net/rtl818x
+SRCDIRS_INSEC += drivers/net/ath
+SRCDIRS_INSEC += drivers/net/ath/ath5k
+SRCDIRS_INSEC += drivers/net/ath/ath9k
+
# NON_AUTO_SRCS lists files that are excluded from the normal
# automatic build system.
#
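Review bot: `SRCDIRS_INSEC` is only ever appended to in this hunk, with no `SRCDIRS_INSEC :=` initialiser like the `SRCDIRS :=` that opens the main list. If it is not initialised elsewhere, a same-named environment variable would seed the list, so I would add `SRCDIRS_INSEC :=` ahead of the first `+=`. The list is also a denylist: every directory left in `SRCDIRS` counts as eligible for Secure Boot signing by default, so a directory added later lands in `-sb` builds unless someone remembers to list it here. I would extend the new comment to say so, e.g. `# Anything listed in SRCDIRS is built into Secure Boot (-sb) images; list a directory here instead if its code must not be signed.`, and note briefly why each entry is ineligible.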
#
# Select build architecture and platform based on $(BIN)
#
-# BIN has the form bin[-[arch-]platform]
+# BIN has the form bin[-[<arch>-]<platform>[-sb]]
ARCHS := $(patsubst arch/%,%,$(wildcard arch/*))
PLATFORMS := $(patsubst config/defaults/%.h,%,\
ifdef BIN
-# Determine architecture portion of $(BIN), if present
-BIN_ARCH := $(strip $(foreach A,$(ARCHS),\
- $(patsubst bin-$(A)-%,$(A),\
- $(filter bin-$(A)-%,$(BIN)))))
-
-# Determine platform portion of $(BIN), if present
-ifeq ($(BIN_ARCH),)
-BIN_PLATFORM := $(patsubst bin-%,%,$(filter bin-%,$(BIN)))
+# Split $(BIN) into architecture, platform, and security flag (where present)
+BIN_ELEMENTS := $(subst -,$(SPACE),$(BIN))
+BIN_APS := $(wordlist 2,4,$(BIN_ELEMENTS))
+ifeq ($(lastword $(BIN_APS)),sb)
+BIN_AP := $(wordlist 2,$(words $(BIN_APS)),discard $(BIN_APS))
+BIN_SECUREBOOT := 1
else
-BIN_PLATFORM := $(patsubst bin-$(BIN_ARCH)-%,%,$(BIN))
+BIN_AP := $(BIN_APS)
+BIN_SECUREBOOT := 0
endif
+BIN_PLATFORM := $(lastword $(BIN_AP))
+BIN_ARCH := $(wordlist 2,$(words $(BIN_AP)),discard $(BIN_AP))
# Determine build architecture
DEFAULT_ARCH := i386
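Review bot: A BIN with more than four hyphen-separated elements loses its tail silently, because `$(wordlist 2,4,$(BIN_ELEMENTS))` drops a fifth element before the `sb` test runs. A name such as `bin-<arch>-<platform>-<extra>-sb` (constructed example) therefore takes the `else` branch and gets `BIN_SECUREBOOT := 0`, while its directory name still ends in `-sb`. Whether a later arch/platform check rejects the leftover words is not visible in this hunk, so I would fail here instead: `$(if $(word 5,$(BIN_ELEMENTS)),$(error Unrecognised build directory "$(BIN)"))`. The `discard` placeholder used to drop the last word deserves a one-line comment, and `$(SPACE)` has to be defined before this point (its definition is outside the hunk).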
platform :
@$(ECHO) $(PLATFORM)
+# Determine security flag
+DEFAULT_SECUREBOOT := 0
+SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))
+CFLAGS += -DSECUREBOOT=$(SECUREBOOT)
+secureboot :
+ @$(ECHO) $(SECUREBOOT)
+
endif # defined(BIN)
# Include architecture-specific Makefile
#
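Review bot: `SECUREBOOT` is assigned with a plain `:=`, so a `SECUREBOOT=0` given on the make command line takes precedence over the value derived from a `-sb` BIN. Both `-DSECUREBOOT=` and any later test of `$(SECUREBOOT)` then follow the override, while the output directory still carries the `-sb` name. If the suffix is meant to be the only switch, `override SECUREBOOT := $(firstword $(BIN_SECUREBOOT) $(DEFAULT_SECUREBOOT))` pins it to the parsed value. `DEFAULT_SECUREBOOT` also looks unreachable as written, since the BIN parsing sets `BIN_SECUREBOOT` to 0 or 1 in both branches; a short comment saying it is kept only for symmetry with the arch and platform defaults would help.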
# Source file handling
+# Exclude known-insecure files from Secure Boot builds
+ifeq ($(SECUREBOOT),0)
+SRCDIRS += $(SRCDIRS_INSEC)
+endif
+
# SRCDIRS lists all directories containing source files.
srcdirs :
@$(ECHO) $(SRCDIRS)
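Review bot: The `ifeq ($(SECUREBOOT),0)` test sits after `endif # defined(BIN)`, yet as far as these hunks show `SECUREBOOT` is only assigned inside that `ifdef BIN` block. With BIN unset the variable is empty, the comparison fails, and the `SRCDIRS_INSEC` directories are left out, so `srcdirs` reports the reduced list. That is the safe direction but it is implicit; a comment would make it deliberate, e.g. `# SECUREBOOT is empty when BIN is unset; only an explicit 0 adds the ineligible directories.`. The new comment also says "known-insecure files" where the list's own comment says "not eligible for UEFI Secure Boot signing"; using the second wording in both places avoids implying a known vulnerability.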