* [PATCH v2 0/2] Security policies
From: Sascha Hauer @ 2026-02-26 8:49 UTC
To: BAREBOX; +Cc: Claude
Two small patches for security policies. The first one makes sure that we do not
compile all the host tools in scripts/ to do a security_*config, the second
is for better integration into build systems.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Claude (1):
kbuild: make collect-policies lightweight with standalone Makefile.policy
Sascha Hauer (1):
kbuild: policy: support out-of-tree builds for external policy files
Makefile | 26 +++++++++++++-------
scripts/Makefile.policy | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
security/Makefile | 9 ++++---
3 files changed, 88 insertions(+), 12 deletions(-)
---
base-commit: 810120e81a95963c35f1f50f75ed36be2dbd03d5
change-id: 20260226-security-policies-not-so-much-compile-68aefee26fc5
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy 2026-02-26 8:49 [PATCH v2 0/2] Security policies Sascha Hauer @ 2026-02-26 8:49 ` Sascha Hauer 2026-02-26 9:21 ` Sascha Hauer 2026-02-26 8:49 ` [PATCH v2 2/2] kbuild: policy: support out-of-tree builds for external policy files Sascha Hauer 2026-03-04 7:38 ` [PATCH v2 0/2] Security policies Sascha Hauer 2 siblings, 1 reply; 5+ messages in thread From: Sascha Hauer @ 2026-02-26 8:49 UTC (permalink / raw) To: BAREBOX; +Cc: Claude Opus 4.6 From: Claude <noreply@anthropic.com> collect-policies previously depended on $(barebox-dirs), which requires `prepare scripts` and triggers unnecessary rebuilds. Repurpose Makefile.policy to support dual-mode operation: when invoked standalone it bootstraps kbuild infrastructure and recurses through subdirectories (like Makefile.clean), and when included from Makefile.build it provides the existing build-time .sconfig rules. Replace the collect-policies target to use lightweight _policy_collect_ prefixed dirs with no build prerequisites. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> --- Makefile | 24 +++++++++++++------- scripts/Makefile.policy | 58 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 4296c97ef0..4bf77896b6 100644 --- a/Makefile +++ b/Makefile @@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ; PHONY += $(barebox-dirs) $(barebox-dirs): prepare scripts - @find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true $(Q)$(MAKE) $(build)=$@ # Store (new) KERNELRELASE string in include/config/kernel.release 
@@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h targets += include/generated/sconfig_names.h KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;) -KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY)) -PHONY += collect-policies -collect-policies: KBUILD_MODULES := -collect-policies: KBUILD_BUILTIN := -collect-policies: $(barebox-dirs) FORCE +collect-dirs := $(addprefix _policy_collect_,$(barebox-alldirs)) + +PHONY += _policy_collect_clean $(collect-dirs) collect-policies +_policy_collect_clean: + $(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true + +$(collect-policy-dirs): | _policy_collect_clean + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _policy_collect_%,%,$@) + +collect-policies: $(collect-policy-dirs) PHONY += security_listconfigs security_listconfigs: collect-policies FORCE @@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE @$(foreach p, $(KPOLICY), echo $p ;) PHONY += security_checkconfigs -security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE +security_checkconfigs: collect-policies FORCE + +$(Q)$(foreach p, $(KPOLICY), \ + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;) +$(Q)$(foreach p, $(KPOLICY), \ $(call loop_cmd,security_checkconfig,$p.tmp)) -security_%config: collect-policies $(KPOLICY.tmp) FORCE +security_%config: collect-policies FORCE + +$(Q)$(foreach p, $(KPOLICY), \ + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;) +$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \ $(@:security_%=%),$p.tmp)) ifeq ($(KPOLICY_TMPUPDATE),) diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy index e517feb56e..f2c6b204d5 100644 --- a/scripts/Makefile.policy +++ b/scripts/Makefile.policy 
@@ -1,5 +1,61 @@ # SPDX-License-Identifier: GPL-2.0-only +# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap +# the kbuild infrastructure and handle recursion. When included from +# Makefile.build, skip straight to the rules. + +ifndef build +# Standalone mode — collect policies without building + +src := $(obj) + +PHONY := __collect +__collect: + +policy-y := + +include scripts/Kbuild.include + +# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH) +# are available when security/Makefile computes external-policy. +-include include/config/auto.conf + +kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src)) +include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile) + +__subdir-y := $(patsubst %/,%,$(filter %/, $(obj-y))) +subdir-y += $(__subdir-y) +__subdir-m := $(patsubst %/,%,$(filter %/, $(obj-m))) +subdir-m += $(__subdir-m) + +subdir-ym := $(sort $(subdir-y) $(subdir-m)) +subdir-ym := $(addprefix $(obj)/,$(subdir-ym)) + +real-policy-y := $(addprefix $(obj)/,$(policy-y)) + +# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH +real-external-policy := $(addprefix $(obj)/,$(external-policy)) +all-policy := $(real-policy-y) $(real-external-policy) + +quiet_cmd_collect = COLLECT $(obj) + cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list + +__collect: $(subdir-ym) +ifneq ($(strip $(all-policy)),) + $(Q)mkdir -p $(obj) + $(call cmd,collect) +endif + @: + +PHONY += $(subdir-ym) +$(subdir-ym): + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@ + +.PHONY: $(PHONY) + +else +# Included from Makefile.build — provide build-time rules + real-policy-y := $(addprefix $(obj)/, $(policy-y)) targets += $(addsuffix .tmp, $(real-policy-y)) 
@@ -36,3 +92,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE # --------------------------------------------------------------------------- targets += $(always-y) + +endif # build -- 2.47.3 ^ permalink raw reply [flat|nested] 5+ messages in thread
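Review bot: in the second Makefile hunk (@@ -1228) the variable is assigned as `collect-dirs := $(addprefix _policy_collect_,$(barebox-alldirs))` and added to PHONY under that name, but the rule `$(collect-policy-dirs): | _policy_collect_clean` and the prerequisite list of `collect-policies: $(collect-policy-dirs)` use `collect-policy-dirs`, which is never set. With that variable empty the rule has no targets and `collect-policies` has no prerequisites, so neither `_policy_collect_clean` nor any `$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=...` run is triggered, and `KPOLICY` is then computed from whatever stale policy-list files happen to be left in the objtree. Use one name in all four places, e.g. `collect-policy-dirs := $(addprefix _policy_collect_,$(barebox-alldirs))` and `PHONY += _policy_collect_clean $(collect-policy-dirs) collect-policies`.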
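Review bot: in the @@ -1241 hunk the same two-line loop `+$(Q)$(foreach p, $(KPOLICY), $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)` is pasted into both `security_checkconfigs` and `security_%config`, and it spawns one sub-make per policy file even when several policies live in the same directory. Consider moving the loop into a single `define` helper invoked from both targets so the two copies cannot drift apart, and grouping the `.tmp` targets by `$(dir $p)` so each directory is entered once.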
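Review bot: in the scripts/Makefile.policy hunk the standalone branch does `include scripts/Kbuild.include` relative to the current directory, while the recursion a few lines below uses the absolute `$(srctree)/scripts/Makefile.policy`. For an `O=` build the sub-make runs with the objtree as its current directory, so the first include only resolves if the top-level Makefile's include search path for srctree is still in effect in the sub-make; `include $(srctree)/scripts/Kbuild.include` would not depend on that and would match the style of the recursion line. `-include include/config/auto.conf` is correct as written, since auto.conf lives in the objtree.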
* Re: [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy 2026-02-26 8:49 ` [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer @ 2026-02-26 9:21 ` Sascha Hauer 0 siblings, 0 replies; 5+ messages in thread From: Sascha Hauer @ 2026-02-26 9:21 UTC (permalink / raw) To: BAREBOX; +Cc: Claude On Thu, Feb 26, 2026 at 09:49:17AM +0100, Sascha Hauer wrote: > From: Claude <noreply@anthropic.com> Should be me. From: Sascha Hauer <s.hauer@pengutronix.de> Sascha > > collect-policies previously depended on $(barebox-dirs), which requires > `prepare scripts` and triggers unnecessary rebuilds. Repurpose > Makefile.policy to support dual-mode operation: when invoked standalone > it bootstraps kbuild infrastructure and recurses through subdirectories > (like Makefile.clean), and when included from Makefile.build it provides > the existing build-time .sconfig rules. > > Replace the collect-policies target to use lightweight _policy_collect_ > prefixed dirs with no build prerequisites. > > Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > --- > Makefile | 24 +++++++++++++------- > scripts/Makefile.policy | 58 +++++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 74 insertions(+), 8 deletions(-) > > diff --git a/Makefile b/Makefile > index 4296c97ef0..4bf77896b6 100644 > --- a/Makefile > +++ b/Makefile > @@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ; > > PHONY += $(barebox-dirs) > $(barebox-dirs): prepare scripts > - @find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true > $(Q)$(MAKE) $(build)=$@ > > # Store (new) KERNELRELASE string in include/config/kernel.release 
> @@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h > targets += include/generated/sconfig_names.h > > KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;) > -KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY)) > > -PHONY += collect-policies > -collect-policies: KBUILD_MODULES := > -collect-policies: KBUILD_BUILTIN := > -collect-policies: $(barebox-dirs) FORCE > +collect-dirs := $(addprefix _policy_collect_,$(barebox-alldirs)) > + > +PHONY += _policy_collect_clean $(collect-dirs) collect-policies > +_policy_collect_clean: > + $(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true > + > +$(collect-policy-dirs): | _policy_collect_clean > + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _policy_collect_%,%,$@) > + > +collect-policies: $(collect-policy-dirs) > > PHONY += security_listconfigs > security_listconfigs: collect-policies FORCE > @@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE > @$(foreach p, $(KPOLICY), echo $p ;) > > PHONY += security_checkconfigs > -security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE > +security_checkconfigs: collect-policies FORCE > + +$(Q)$(foreach p, $(KPOLICY), \ > + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;) > +$(Q)$(foreach p, $(KPOLICY), \ > $(call loop_cmd,security_checkconfig,$p.tmp)) > > -security_%config: collect-policies $(KPOLICY.tmp) FORCE > +security_%config: collect-policies FORCE > + +$(Q)$(foreach p, $(KPOLICY), \ > + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;) > +$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \ > $(@:security_%=%),$p.tmp)) > ifeq ($(KPOLICY_TMPUPDATE),) > diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy > index e517feb56e..f2c6b204d5 100644 > --- a/scripts/Makefile.policy > +++ b/scripts/Makefile.policy 
> @@ -1,5 +1,61 @@ > # SPDX-License-Identifier: GPL-2.0-only > > +# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap > +# the kbuild infrastructure and handle recursion. When included from > +# Makefile.build, skip straight to the rules. > + > +ifndef build > +# Standalone mode — collect policies without building > + > +src := $(obj) > + > +PHONY := __collect > +__collect: > + > +policy-y := > + > +include scripts/Kbuild.include > + > +# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH) > +# are available when security/Makefile computes external-policy. > +-include include/config/auto.conf > + > +kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src)) > +include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile) > + > +__subdir-y := $(patsubst %/,%,$(filter %/, $(obj-y))) > +subdir-y += $(__subdir-y) > +__subdir-m := $(patsubst %/,%,$(filter %/, $(obj-m))) > +subdir-m += $(__subdir-m) > + > +subdir-ym := $(sort $(subdir-y) $(subdir-m)) > +subdir-ym := $(addprefix $(obj)/,$(subdir-ym)) > + > +real-policy-y := $(addprefix $(obj)/,$(policy-y)) > + > +# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH > +real-external-policy := $(addprefix $(obj)/,$(external-policy)) > +all-policy := $(real-policy-y) $(real-external-policy) > + > +quiet_cmd_collect = COLLECT $(obj) > + cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list > + > +__collect: $(subdir-ym) > +ifneq ($(strip $(all-policy)),) > + $(Q)mkdir -p $(obj) > + $(call cmd,collect) > +endif > + @: > + > +PHONY += $(subdir-ym) > +$(subdir-ym): > + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@ > + > +.PHONY: $(PHONY) > + > +else > +# Included from Makefile.build — provide build-time rules > + > real-policy-y := $(addprefix $(obj)/, $(policy-y)) > > targets += $(addsuffix .tmp, $(real-policy-y)) 
> @@ -36,3 +92,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE > # --------------------------------------------------------------------------- > > targets += $(always-y) > + > +endif # build > > -- > 2.47.3 > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 2/2] kbuild: policy: support out-of-tree builds for external policy files 2026-02-26 8:49 [PATCH v2 0/2] Security policies Sascha Hauer 2026-02-26 8:49 ` [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer @ 2026-02-26 8:49 ` Sascha Hauer 2026-03-04 7:38 ` [PATCH v2 0/2] Security policies Sascha Hauer 2 siblings, 0 replies; 5+ messages in thread From: Sascha Hauer @ 2026-02-26 8:49 UTC (permalink / raw) To: BAREBOX; +Cc: Claude Opus 4.6 So far the sconfig files were required to be in the source tree which was a deliberate decision because we wanted the sconfig files to be committed. With barebox integrated into build systems the sconfig files are most of the time stored in the build system anyway, so having them in the source tree is unnecessary and just prevents sharing the barebox source tree between different builds. Change this by: - Using resolve-external instead of resolve-srctree when copying .sconfig.tmp files back after security_%config - Adding a .sconfig.tmp rule in Makefile.policy analogous to the existing .config.tmp rule - Searching both srctree and objtree for external policy files in security/Makefile and resolving the correct path for dependencies Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Link: https://lore.barebox.org/20260225153057.3199724-2-s.hauer@pengutronix.de Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> --- Makefile | 2 +- scripts/Makefile.policy | 7 +++++++ security/Makefile | 9 ++++++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 4bf77896b6..a5b2543900 100644 --- a/Makefile +++ b/Makefile @@ -1258,7 +1258,7 @@ security_%config: collect-policies FORCE $(@:security_%=%),$p.tmp)) ifeq ($(KPOLICY_TMPUPDATE),) +$(Q)$(foreach p, $(KPOLICY), \ - cp 2>/dev/null $p.tmp $(call resolve-srctree,$p) || true;) + cp 2>/dev/null $p.tmp $(call resolve-external,$p) || true;) endif quiet_cmd_sconfigpost = SCONFPP $@ 
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy index f2c6b204d5..12aa920c04 100644 --- a/scripts/Makefile.policy +++ b/scripts/Makefile.policy @@ -80,6 +80,13 @@ else $(call if_changed,shipped) endif +$(obj)/%.sconfig.tmp: $(obj)/%.sconfig FORCE +ifeq ($(KPOLICY_TMPUPDATE),) + $(call filechk,cat) +else + $(call if_changed,shipped) +endif + quiet_cmd_sconfigpost_c = SCONFPP $@ cmd_sconfigpost_c = $(SCONFIGPOST) -o $@ -D$(depfile) $(2) diff --git a/security/Makefile b/security/Makefile index 1096cbfb9b..510fe5af65 100644 --- a/security/Makefile +++ b/security/Makefile @@ -52,12 +52,15 @@ $(foreach p, $(external-policy), \ CONFIG_SECURITY_POLICY_PATH contains path separators.\ $(newline)"$p" must start with security/))) $(foreach p, $(external-policy), \ - $(if $(wildcard $(srctree)/$(src)/$p),,$(error \ + $(if $(or $(wildcard $(srctree)/$(src)/$p),$(wildcard $(objtree)/$(src)/$p)),,$(error \ CONFIG_SECURITY_POLICY_PATH contains non-existent files.\ - $(newline)"$p" does not exist in $$(srctree)/security))) + $(newline)"$p" does not exist in $$(srctree)/security or $$(objtree)/security))) endif -$(obj)/policy-list: $(addprefix $(src)/,$(external-policy)) FORCE +external-policy-src = $(foreach p,$(external-policy),\ + $(if $(wildcard $(srctree)/$(src)/$p),$(src)/$p,$(obj)/$p)) + +$(obj)/policy-list: $(external-policy-src) FORCE $(call if_changed,gen_order_src) targets += $(external-policy-tmp) -- 2.47.3 ^ permalink raw reply [flat|nested] 5+ messages in thread
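Review bot: the Makefile hunk (@@ -1258) replaces `$(call resolve-srctree,$p)` with `$(call resolve-external,$p)`, but nothing in this series defines `resolve-external`, and the recipe keeps `cp 2>/dev/null ... || true`, so if the helper is not already provided by Kbuild.include, or resolves to the wrong tree, the `cp` fails silently and the edited .sconfig is never written back. Please state in the commit message where `resolve-external` comes from and what it resolves to, and consider dropping `2>/dev/null` (or emitting a warning in the `||` branch) so a failed copy-back is visible instead of being swallowed.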
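Review bot: in the security/Makefile hunk (@@ -52) `external-policy-src` prefers `$(srctree)/$(src)/$p` and only falls back to `$(obj)/$p`, so when a policy with the same name exists in both trees the objtree copy, which is the one a build system would generate, is silently ignored and the copy-back after `security_%config` may target the other file. Either `$(error ...)` when both exist, as the existing checks just above already do for bad paths, or spell the precedence out in the commit message. Also, `external-policy-src =` is a recursive assignment, so the `$(wildcard ...)` calls are re-evaluated on every expansion; `:=` would evaluate them once, next to the checks that already did the same lookups.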
* Re: [PATCH v2 0/2] Security policies
From: Sascha Hauer @ 2026-03-04 7:38 UTC
To: BAREBOX, Sascha Hauer; +Cc: Claude
On Thu, 26 Feb 2026 09:49:16 +0100, Sascha Hauer wrote:
> Two small patches for security policies. The first one makes sure that we do not
> compile all the host tools in scripts/ to do a security_*config, the second
> is for better integration into build systems.
>
Applied, thanks!
[1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
https://git.pengutronix.de/cgit/barebox/commit/?id=2d871c52ddc7 (link may not be stable)
[2/2] kbuild: policy: support out-of-tree builds for external policy files
https://git.pengutronix.de/cgit/barebox/commit/?id=c6d2e69c3e5a (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>