From 4db03054d5c0a7c91b0617cbc5d2461d055f13e2 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 28 Jan 2026 13:20:38 +0000
Subject: [PATCH] [build] Mark GDB stub as forbidden for UEFI Secure Boot

Enabling the GDB debugger functionality would provide an immediate and trivial Secure Boot exploit. Mark all GDB-related files as explicitly forbidden for UEFI Secure Boot.

Signed-off-by: Michael Brown
---
 src/arch/i386/core/gdbidt.S | 2 ++
 src/arch/i386/include/bits/gdbmach.h | 2 ++
 src/arch/x86/core/gdbmach.c | 1 +
 src/arch/x86_64/core/gdbidt.S | 1 +
 src/arch/x86_64/include/bits/gdbmach.h | 2 ++
 src/core/gdbserial.c | 1 +
 src/core/gdbstub.c | 1 +
 src/core/gdbudp.c | 1 +
 src/hci/commands/gdbstub_cmd.c | 1 +
 src/include/bits/gdbmach.h | 2 ++
 src/include/ipxe/gdbserial.h | 1 +
 src/include/ipxe/gdbstub.h | 1 +
 src/include/ipxe/gdbudp.h | 1 +
 13 files changed, 17 insertions(+)

diff --git a/src/arch/i386/core/gdbidt.S b/src/arch/i386/core/gdbidt.S
index 78945c62c..5af0e3d2d 100644
--- a/src/arch/i386/core/gdbidt.S
+++ b/src/arch/i386/core/gdbidt.S
@@ -1,3 +1,5 @@
+FILE_SECBOOT ( FORBIDDEN );
+
 /*
  * Interrupt handlers for GDB stub
  */
diff --git a/src/arch/i386/include/bits/gdbmach.h b/src/arch/i386/include/bits/gdbmach.h
index 52cce7833..b338d471d 100644
--- a/src/arch/i386/include/bits/gdbmach.h
+++ b/src/arch/i386/include/bits/gdbmach.h
@@ -10,6 +10,8 @@
  *
  */
+FILE_SECBOOT ( FORBIDDEN );
+
 #include
 typedef unsigned long gdbreg_t;
diff --git a/src/arch/x86/core/gdbmach.c b/src/arch/x86/core/gdbmach.c
index d4d187e35..cb606f67b 100644
--- a/src/arch/x86/core/gdbmach.c
+++ b/src/arch/x86/core/gdbmach.c
@@ -23,6 +23,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 #include
 #include
diff --git a/src/arch/x86_64/core/gdbidt.S b/src/arch/x86_64/core/gdbidt.S
index 477492b47..b19b66406 100644
--- a/src/arch/x86_64/core/gdbidt.S
+++ b/src/arch/x86_64/core/gdbidt.S
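Review bot: The FORBIDDEN marker added to this header (and likewise to x86_64 bits/gdbmach.h, include/bits/gdbmach.h, ipxe/gdbserial.h, ipxe/gdbstub.h and ipxe/gdbudp.h) is inherited by every translation unit that includes it, if FILE_SECBOOT is emitted per object the way its placement beside FILE_LICENCE suggests. That is the intended outcome for the GDB objects, but it also means any non-GDB unit that includes one of these headers, directly or transitively, drops out of a Secure Boot build too; worth confirming that no such includer exists, or stating that the poisoning is meant as a guard against one being added later. A one-line comment above the marker would make that intent explicit, e.g. `/* Any object including this header is forbidden for UEFI Secure Boot */`.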
@@ -22,6 +22,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 /** @file
  *
diff --git a/src/arch/x86_64/include/bits/gdbmach.h b/src/arch/x86_64/include/bits/gdbmach.h
index 367405fd6..486b0d08c 100644
--- a/src/arch/x86_64/include/bits/gdbmach.h
+++ b/src/arch/x86_64/include/bits/gdbmach.h
@@ -10,6 +10,8 @@
  *
  */
+FILE_SECBOOT ( FORBIDDEN );
+
 #include
 typedef unsigned long gdbreg_t;
diff --git a/src/core/gdbserial.c b/src/core/gdbserial.c
index 61add5d47..bfdb9dcec 100644
--- a/src/core/gdbserial.c
+++ b/src/core/gdbserial.c
@@ -22,6 +22,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 #include
 #include
diff --git a/src/core/gdbstub.c b/src/core/gdbstub.c
index d668f454a..72b1105de 100644
--- a/src/core/gdbstub.c
+++ b/src/core/gdbstub.c
@@ -22,6 +22,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 /**
  * @file
diff --git a/src/core/gdbudp.c b/src/core/gdbudp.c
index e4613d137..5aea6fadf 100644
--- a/src/core/gdbudp.c
+++ b/src/core/gdbudp.c
@@ -22,6 +22,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 #include
 #include
diff --git a/src/hci/commands/gdbstub_cmd.c b/src/hci/commands/gdbstub_cmd.c
index ba5edde3a..c3551db2d 100644
--- a/src/hci/commands/gdbstub_cmd.c
+++ b/src/hci/commands/gdbstub_cmd.c
@@ -22,6 +22,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 #include
 #include
diff --git a/src/include/bits/gdbmach.h b/src/include/bits/gdbmach.h
index 7e349856f..0bc49430a 100644
--- a/src/include/bits/gdbmach.h
+++ b/src/include/bits/gdbmach.h
@@ -10,6 +10,8 @@
  *
  */
+FILE_SECBOOT ( FORBIDDEN );
+
 #include
 typedef unsigned long gdbreg_t;
diff --git a/src/include/ipxe/gdbserial.h b/src/include/ipxe/gdbserial.h
index 62cc16014..4667c760d 100644
--- a/src/include/ipxe/gdbserial.h
+++ b/src/include/ipxe/gdbserial.h
@@ -8,6 +8,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 struct gdb_transport;
diff --git a/src/include/ipxe/gdbstub.h b/src/include/ipxe/gdbstub.h
index 2240cca42..ef7bb6dd9 100644
--- a/src/include/ipxe/gdbstub.h
+++ b/src/include/ipxe/gdbstub.h
@@ -8,6 +8,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 #include
 #include
diff --git a/src/include/ipxe/gdbudp.h b/src/include/ipxe/gdbudp.h
index a1c091522..5790520c9 100644
--- a/src/include/ipxe/gdbudp.h
+++ b/src/include/ipxe/gdbudp.h
@@ -8,6 +8,7 @@
  */
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 struct sockaddr_in;
 struct gdb_transport;