[build] Filter out non-permitted drivers for UEFI Secure Boot

The all-drivers targets (e.g. ipxe.efi) cannot currently be used in a Secure Boot build since the permissibility check will (correctly) fail due to the inclusion of non-permitted drivers. In a Secure Boot build, filter the all-drivers list to include only the subset of drivers that are marked as being permitted for UEFI Secure Boot. Note that this automatic filter is a convenience shortcut: it is not the enforcement mechanism. The filter exists only to provide a meaningful definition for the otherwise unusable all-drivers targets in Secure Boot builds. The enforcement mechanism remains the permissiblity check introduced in commit 1d5b1d9 ("[build] Fail Secure Boot builds unless all files are permitted"). Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-05-05 04:16:33 +02:00 · 2026-02-11 22:35:10 +00:00 · 2026-02-11 22:35:10 +00:00 · cf350b8eb7
commit cf350b8eb7
parent 7a2817bbd7
2 changed files with 11 additions and 0 deletions
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@ -1475,6 +1475,12 @@ endif
 $(BIN)/etherboot.% : $(BIN)/ipxe.%
 	ln -sf $(notdir $<) $@

+# Filter out non-permitted drivers if security flag is set
+#
+ifneq ($(SECUREBOOT),)
+DRIVERS_ipxe	:= $(filter $(DRIVERS_SECBOOT),$(DRIVERS_ipxe))
+endif
+
 endif # defined(BIN)

 ###############################################################################
--- a/src/util/parserom.pl
+++ b/src/util/parserom.pl
@ -38,6 +38,8 @@ my %RE = (
    'parse_family'          => qr{^ (?:\./)? (.*) \..+? $}x,
    'find_rom_line'         => qr/^ \s* ( (PCI|ISA|USB)_ROM \s*
                                    \( \s* (.*?) \s* \) \s* ) [,;]/msx,
+    'find_secboot'          => qr/^ \s* FILE_SECBOOT \s*
+                                    \( \s* PERMITTED \s* \) \s* ; \s* $/mx,
    'extract_hex_id'        => qr/^ \s* 0x([0-9A-Fa-f]{4}) \s* ,? \s* (.*) $/sx,
    'extract_quoted_string' => qr/^ \s* \" ([^\"]*?) \" \s* ,? \s* (.*) $/sx,
 );
@ -98,6 +100,7 @@ sub process_source_file {
        or die "Couldn't open $state->{source_file}: $!\n";
    my $content = do { local $/ = undef; <$fh> };
    close($fh) or die "Couldn't close $source_file: $!\n";
+    $state->{secboot} = ( $content =~ m/$RE{find_secboot}/ );
    while ( $content =~ m/$RE{find_rom_line}/g ) {
        process_rom_decl($state, $1, $2, $3);
    }
@ -186,6 +189,8 @@ sub print_make_rules {
        print "DRIVERS_$state->{type}_$state->{driver_class} ".
 	      "+= $state->{driver_name}\n";
        print "DRIVERS += $state->{driver_name}\n";
+        print "DRIVERS_SECBOOT += $state->{driver_name}\n"
+            if $state->{'secboot'};
        print "\n";
        $state->{'is_header_printed'} = 1;
    }