[build] Mark GDB stub as forbidden for UEFI Secure Boot

Enabling the GDB debugger functionality would provide an immediate and trivial Secure Boot exploit. Mark all GDB-related files as explicitly forbidden for UEFI Secure Boot. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-05-04 20:06:30 +02:00 · 2026-01-28 13:20:38 +00:00 · 2026-01-28 13:20:38 +00:00 · 4db03054d5
commit 4db03054d5
parent 03a906a9f3
13 changed files with 17 additions and 0 deletions
--- a/src/arch/i386/core/gdbidt.S
+++ b/src/arch/i386/core/gdbidt.S
@ -1,3 +1,5 @@
+FILE_SECBOOT ( FORBIDDEN );
+
 /*
 * Interrupt handlers for GDB stub
 */
--- a/src/arch/i386/include/bits/gdbmach.h
+++ b/src/arch/i386/include/bits/gdbmach.h
@ -10,6 +10,8 @@
 *
 */

+FILE_SECBOOT ( FORBIDDEN );
+
 #include <stdint.h>

 typedef unsigned long gdbreg_t;
--- a/src/arch/x86/core/gdbmach.c
+++ b/src/arch/x86/core/gdbmach.c
@ -23,6 +23,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 #include <stddef.h>
 #include <stdio.h>
--- a/src/arch/x86_64/core/gdbidt.S
+++ b/src/arch/x86_64/core/gdbidt.S
@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 /** @file
 *
--- a/src/arch/x86_64/include/bits/gdbmach.h
+++ b/src/arch/x86_64/include/bits/gdbmach.h
@ -10,6 +10,8 @@
 *
 */

+FILE_SECBOOT ( FORBIDDEN );
+
 #include <stdint.h>

 typedef unsigned long gdbreg_t;
--- a/src/core/gdbserial.c
+++ b/src/core/gdbserial.c
@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 #include <stddef.h>
 #include <stdio.h>
--- a/src/core/gdbstub.c
+++ b/src/core/gdbstub.c
@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 /**
 * @file
--- a/src/core/gdbudp.c
+++ b/src/core/gdbudp.c
@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 #include <stdio.h>
 #include <string.h>
--- a/src/hci/commands/gdbstub_cmd.c
+++ b/src/hci/commands/gdbstub_cmd.c
@ -22,6 +22,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 #include <stdio.h>
 #include <errno.h>
--- a/src/include/bits/gdbmach.h
+++ b/src/include/bits/gdbmach.h
@ -10,6 +10,8 @@
 *
 */

+FILE_SECBOOT ( FORBIDDEN );
+
 #include <stdint.h>

 typedef unsigned long gdbreg_t;
--- a/src/include/ipxe/gdbserial.h
+++ b/src/include/ipxe/gdbserial.h
@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 struct gdb_transport;

--- a/src/include/ipxe/gdbstub.h
+++ b/src/include/ipxe/gdbstub.h
@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 #include <stdint.h>
 #include <ipxe/tables.h>
--- a/src/include/ipxe/gdbudp.h
+++ b/src/include/ipxe/gdbudp.h
@ -8,6 +8,7 @@
 */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );

 struct sockaddr_in;
 struct gdb_transport;