From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@barebox.org>
Subject: Re: [PATCH 04/24] Add security policy support
Date: Fri, 22 Aug 2025 12:24:01 +0200 [thread overview]
Message-ID: <7047ec70-f7bf-49e5-8dd8-0a13eb23c7bb@pengutronix.de> (raw)
In-Reply-To: <aKhEXy49rlnKbgbx@pengutronix.de>
On 8/22/25 12:20, Sascha Hauer wrote:
> On Wed, Aug 20, 2025 at 03:17:48PM +0200, Sascha Hauer wrote:
>> diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..4c71774bbbc98f9de9cf5463e5ef431de60be6ac
>> --- /dev/null
>> +++ b/scripts/Makefile.policy
>> @@ -0,0 +1,39 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +
>> +real-policy-y := $(addprefix $(obj)/, $(policy-y))
>> +
>> +targets += $(addsuffix .tmp, $(real-policy-y))
>> +
>> +# policy-list
>> +# ---------------------------------------------------------------------------
>> +
>> +subdir-policylist := $(addsuffix /policy-list, $(subdir-ym))
>> +real-policy-y += $(subdir-policylist)
>
> Not sure what this line is good for, but it has the effect that subdirs
> are added to real-policy-y...
The code was taken partially from dtbs-list handling in the kernel,
where the top-level Makefile hardcodes the path to
arch/$SRCARCH/boot/dts and then Makefile.dtbs would collect the
dtbs-list in subdirectories.
>> +ifneq ($(policy-y)$(policy-),)
>> +always-y += $(obj)/policy-list
>> +
>> +$(subdir-policylist): $(obj)/%/policy-list: $(obj)/% ;
>> +
>> +$(obj)/policy-list: $(real-policy-y) FORCE
>> + $(call if_changed,gen_order_src)
>
> ...and then this fails because it tries to do a cat on the subdir.
>
> It worked during testing because all policy-y was in leaf
> directories, but I just added a policy-y to common/Makefile.
Ah, I think we can drop the subdir-.
Thanks,
Ahmad
>
> Sascha
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2025-08-22 15:10 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 13:17 [PATCH 00/24] " Sascha Hauer
2025-08-20 13:17 ` [PATCH 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-08-20 13:17 ` [PATCH 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-08-20 13:17 ` [PATCH 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-08-20 13:17 ` [PATCH 04/24] Add security policy support Sascha Hauer
[not found] ` <aKhEXy49rlnKbgbx@pengutronix.de>
2025-08-22 10:24 ` Ahmad Fatoum [this message]
2025-08-22 10:37 ` [PATCH] fixup! " Sascha Hauer
2025-08-20 13:17 ` [PATCH 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-08-20 13:17 ` [PATCH 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-08-20 15:33 ` [PATCH] fixup! " Ahmad Fatoum
2025-08-20 13:17 ` [PATCH 07/24] security: policy: support externally provided configs Sascha Hauer
2025-08-22 10:40 ` [PATCH] fixup! " Sascha Hauer
2025-08-20 13:17 ` [PATCH 08/24] commands: implement sconfig command Sascha Hauer
2025-08-20 13:17 ` [PATCH 09/24] docs: security-policies: add documentation Sascha Hauer
2025-08-20 13:17 ` [PATCH 10/24] commands: go: add security config option Sascha Hauer
2025-08-20 13:17 ` [PATCH 11/24] console: ratp: " Sascha Hauer
2025-08-20 13:17 ` [PATCH 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-08-20 13:17 ` [PATCH 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-08-20 13:17 ` [PATCH 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-08-20 13:17 ` [PATCH 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-08-21 6:57 ` Ahmad Fatoum
2025-08-21 14:15 ` Sascha Hauer
2025-08-21 14:22 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-08-20 13:18 ` [PATCH 17/24] test: py: add basic security policy test Sascha Hauer
2025-08-20 13:18 ` [PATCH 18/24] usbserial: add inline wrappers Sascha Hauer
2025-08-20 13:18 ` [PATCH 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-08-20 13:18 ` [PATCH 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-08-20 13:18 ` [PATCH 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-08-20 13:18 ` [PATCH 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-08-20 13:18 ` [PATCH 23/24] security: add filesystem security policies Sascha Hauer
2025-08-20 14:39 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 24/24] security: console: add security policy for console input Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7047ec70-f7bf-49e5-8dd8-0a13eb23c7bb@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=a.fatoum@barebox.org \
--cc=barebox@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox