From: Michael Brown
Date: Wed, 11 Feb 2026 22:35:10 +0000 (+0000)
Subject: [build] Filter out non-permitted drivers for UEFI Secure Boot
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf350b8eb75041b9c0a0d69e46e9247c4fcbcd34;p=thirdparty%2Fipxe.git

[build] Filter out non-permitted drivers for UEFI Secure Boot

The all-drivers targets (e.g. ipxe.efi) cannot currently be used in a Secure Boot build since the permissibility check will (correctly) fail due to the inclusion of non-permitted drivers. In a Secure Boot build, filter the all-drivers list to include only the subset of drivers that are marked as being permitted for UEFI Secure Boot. Note that this automatic filter is a convenience shortcut: it is not the enforcement mechanism. The filter exists only to provide a meaningful definition for the otherwise unusable all-drivers targets in Secure Boot builds. The enforcement mechanism remains the permissiblity check introduced in commit 1d5b1d9 ("[build] Fail Secure Boot builds unless all files are permitted").

Signed-off-by: Michael Brown
---

diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index 1f1cae258..44684606b 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -1475,6 +1475,12 @@ endif
 $(BIN)/etherboot.% : $(BIN)/ipxe.%
 	ln -sf $(notdir $<) $@
 
+# Filter out non-permitted drivers if security flag is set
+#
+ifneq ($(SECUREBOOT),)
+DRIVERS_ipxe := $(filter $(DRIVERS_SECBOOT),$(DRIVERS_ipxe))
+endif
+
 endif # defined(BIN)
 
 ###############################################################################
diff --git a/src/util/parserom.pl b/src/util/parserom.pl
index 99a467e1d..a42bc2b65 100755
--- a/src/util/parserom.pl
+++ b/src/util/parserom.pl
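Review bot: `DRIVERS_ipxe := $(filter $(DRIVERS_SECBOOT),$(DRIVERS_ipxe))` is an immediate (`:=`) expansion, so it only produces a useful list if every generated `DRIVERS_SECBOOT += ...` fragment from parserom.pl has already been included by this point in Makefile.housekeeping; if those fragments are included later, a Secure Boot build would silently end up with an empty `DRIVERS_ipxe`. The include order is not visible from this hunk, so this is worth confirming (or moving the assignment after the includes). The comment could also name the variable and the intent rather than "security flag": `# In a Secure Boot build (SECUREBOOT set), restrict the all-drivers list to drivers marked FILE_SECBOOT(PERMITTED). This is a convenience filter only; permissibility is still enforced separately.` The block sits inside the `defined(BIN)` conditional, as the following `endif # defined(BIN)` shows.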
@@ -38,6 +38,8 @@ my %RE = (
     'parse_family' => qr{^ (?:\./)? (.*) \..+? $}x,
     'find_rom_line' => qr/^ \s* ( (PCI|ISA|USB)_ROM \s* \( \s* (.*?) \s* \) \s* ) [,;]/msx,
+    'find_secboot' => qr/^ \s* FILE_SECBOOT \s*
+			  \( \s* PERMITTED \s* \) \s* ; \s* $/mx,
     'extract_hex_id' => qr/^ \s* 0x([0-9A-Fa-f]{4}) \s* ,? \s* (.*) $/sx,
     'extract_quoted_string' => qr/^ \s* \" ([^\"]*?) \" \s* ,? \s* (.*) $/sx,
 );
@@ -98,6 +100,7 @@ sub process_source_file {
 	or die "Couldn't open $state->{source_file}: $!\n";
     my $content = do { local $/ = undef; <$fh> };
     close($fh) or die "Couldn't close $source_file: $!\n";
+    $state->{secboot} = ( $content =~ m/$RE{find_secboot}/ );
     while ( $content =~ m/$RE{find_rom_line}/g ) {
 	process_rom_decl($state, $1, $2, $3);
     }
@@ -186,6 +189,8 @@ sub print_make_rules {
     print "DRIVERS_$state->{type}_$state->{driver_class} ".
 	  "+= $state->{driver_name}\n";
     print "DRIVERS += $state->{driver_name}\n";
+    print "DRIVERS_SECBOOT += $state->{driver_name}\n"
+	if $state->{'secboot'};
     print "\n";
     $state->{'is_header_printed'} = 1;
 }
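Review bot: `find_secboot` is a purely textual match, so a `FILE_SECBOOT ( PERMITTED );` line sitting inside a block comment or an `#if 0` region still marks the driver as permitted, because the pattern only requires leading whitespace on that line and never looks at the surrounding context; the same applies where the match is consumed in the second hunk, `$state->{secboot} = ( $content =~ m/$RE{find_secboot}/ );`. Since the commit message states this list is a convenience filter and the permissibility check remains the enforcement, that is acceptable, but it deserves to be recorded next to the pattern so nobody later treats `DRIVERS_SECBOOT` as authoritative. A comment on the `find_secboot` entry along the lines of `# Matches the FILE_SECBOOT(PERMITTED) marker by text only; a commented-out marker also matches. Convenience filter for the all-drivers targets, not the Secure Boot enforcement.` would do. The `%RE` hash and `process_source_file` both continue outside their hunks.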
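Review bot: The new postfix condition `if $state->{'secboot'};` quotes the hash key, while the hunk in process_source_file that sets it uses the bareword form `$state->{secboot}`; the file already mixes both styles, but the two ends of one new flag should agree so a grep for the key finds both sites. Suggest `if $state->{secboot};` here, matching the assignment. print_make_rules starts before this hunk.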