From 5abbcab9092bc7226995626a65aaa3f7a409459e Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 3 Feb 2026 16:02:19 +0000
Subject: [PATCH] [build] Mark MS-CHAPv2 as permitted for UEFI Secure Boot

MS-CHAPv2 and the underlying DES algorithm are cryptographically
obsolete, but still relatively widely used.  There is no impact to
UEFI Secure Boot from using these obsolete algorithms: the only
untrusted inputs are the username, password, and received network
packets, and all of these are thoroughly validated before use.

Review these files and mark them as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/crypto/des.c            | 1 +
 src/crypto/mschapv2.c       | 1 +
 src/include/ipxe/des.h      | 1 +
 src/include/ipxe/mschapv2.h | 1 +
 src/net/eap_mschapv2.c      | 1 +
 5 files changed, 5 insertions(+)

diff --git a/src/crypto/des.c b/src/crypto/des.c
index 206f78d50..a7fad9829 100644
--- a/src/crypto/des.c
+++ b/src/crypto/des.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 /** @file
  *
diff --git a/src/crypto/mschapv2.c b/src/crypto/mschapv2.c
index ac55fec17..f5fc8829c 100644
--- a/src/crypto/mschapv2.c
+++ b/src/crypto/mschapv2.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 /** @file
  *
diff --git a/src/include/ipxe/des.h b/src/include/ipxe/des.h
index 755a90ea0..9c1c24e57 100644
--- a/src/include/ipxe/des.h
+++ b/src/include/ipxe/des.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/crypto.h>
 
diff --git a/src/include/ipxe/mschapv2.h b/src/include/ipxe/mschapv2.h
index 59cf37eee..e39b46335 100644
--- a/src/include/ipxe/mschapv2.h
+++ b/src/include/ipxe/mschapv2.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdint.h>
 
diff --git a/src/net/eap_mschapv2.c b/src/net/eap_mschapv2.c
index 0be62ed59..791fad540 100644
--- a/src/net/eap_mschapv2.c
+++ b/src/net/eap_mschapv2.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
 
 #include <stdlib.h>
 #include <string.h>