[build] Mark direct kernel loading as forbidden for UEFI Secure Boot

Our long-standing policy for EFI platforms is that we support invoking
binary executables only via the LoadImage() and StartImage() boot
services calls, so that all security policy decisions are delegated to
the platform firmware.

Most binary executable formats that we support are BIOS-only and
cannot in any case be linked in to an EFI executable.  The only
cross-platform format is the generic Linux kernel image format as used
for RISC-V (and potentially also for AArch64).

Mark all files associated with direct loading of a kernel binary as
explicitly forbidden for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/arch/arm64/include/bits/lkrn.h

@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 /** Header magic value */
 #define LKRN_MAGIC_ARCH LKRN_MAGIC_AARCH64

src/arch/riscv/include/bits/lkrn.h

@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <ipxe/hart.h>
 

src/image/lkrn.c

@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <stdint.h>
 #include <string.h>

src/include/bits/lkrn.h

@@ -11,6 +11,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #define LKRN_MAGIC_ARCH 0
 

src/include/ipxe/lkrn.h

@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <stdint.h>