mail archive of the barebox mailing list
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH RFC 05/17] kbuild: allow security config use without source tree modification
Date: Thu, 14 Aug 2025 15:06:50 +0200
Message-ID: <20250814130702.4039241-6-a.fatoum@pengutronix.de>
In-Reply-To: <20250814130702.4039241-1-a.fatoum@pengutronix.de>

A key aspect of security policies is the enforcement of a policy to be
complete with no implicit defaults. To make this easier to use, the
security_*config targets directly manipulate the specified KPOLICY or
all known policies if none were specified.

This is at odds with build systems that assume an immutable source tree
and prefer that changes to files within purview of the build system are
only done explicitly by the user. For that purpose, add an optional
KPOLICY_TMPUPDATE, which works as follows:

  - When set, only the tmp file in the build tree is updated, but not the
    original
  - The tmp file is always what's used in the build
  - Once unset, the tmp file will always be overwritten by the original
    on next build

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 Makefile                | 4 +++-
 scripts/Makefile.policy | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a2e5697b09fe..6027b5c37c82 100644
--- a/Makefile
+++ b/Makefile
@@ -100,7 +100,7 @@ ifeq ($(silence),s)
 quiet=silent_
 endif
 
-export quiet Q KBUILD_VERBOSE
+export quiet Q KBUILD_VERBOSE KPOLICY_TMPUPDATE
 
 # Kbuild will save output files in the current working directory.
 # This does not need to match to the root of the kernel source tree.
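
Review bot: KPOLICY_TMPUPDATE is added to the export line without any documentation, and the diffstat shows only Makefile and scripts/Makefile.policy being touched. Both users of the variable test it with `ifeq ($(KPOLICY_TMPUPDATE),)`, so any non-empty value, including 0 or n, switches the mode on. Suggest a comment next to the export (or a line in the help output) stating that this is a set/unset switch, or normalising the value so that only an explicit 1 or y enables it.
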
@@ -1213,8 +1213,10 @@ security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
 security_%config: collect-policies $(KPOLICY.tmp) FORCE
 	+$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
 		$(@:security_%=%),$p.tmp))
+ifeq ($(KPOLICY_TMPUPDATE),)
 	+$(Q)$(foreach p, $(KPOLICY), \
 		cp 2>/dev/null $p.tmp $(call resolve-srctree,$p) || true;)
+endif
 
 quiet_cmd_sconfigpost = SCONFPP $@
       cmd_sconfigpost = $(SCONFIGPOST) $2 -D $(depfile) -o $@ $<
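
Review bot: with the write-back now inside `ifeq ($(KPOLICY_TMPUPDATE),)`, a security_%config run with the variable set changes only $p.tmp and prints nothing about it, so the policy that ends up in the build can differ from the file in the source tree with no trace in the build log. Suggest an else branch that echoes which $p.tmp files were updated and that the originals were left untouched. The retained `cp 2>/dev/null ... || true` also means that in the default mode a failed write-back to a read-only source tree stays silent; reporting that failure and pointing the user at KPOLICY_TMPUPDATE would make the two modes easier to tell apart.
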
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index 4c71774bbbc9..7629afc43226 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -23,7 +23,11 @@ endif
 # ---------------------------------------------------------------------------
 
 $(obj)/%.sconfig.tmp: $(src)/%.sconfig FORCE
+ifeq ($(KPOLICY_TMPUPDATE),)
 	$(call filechk,cat)
+else
+	$(call if_changed,shipped)
+endif
 
 quiet_cmd_sconfigpost_c = SCONFPP $@
       cmd_sconfigpost_c = $(SCONFIGPOST) -o $@ -D$(depfile) $(2)
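
Review bot: in the else branch, `$(call if_changed,shipped)` still re-copies the source policy over the .tmp file whenever $(src)/%.sconfig is newer than the target or the saved command line does not match, so edits made through security_%config with KPOLICY_TMPUPDATE set can be discarded by a later checkout or touch of the source file. if_changed also relies on the target's saved .cmd file being loaded, which in kbuild requires the target to be listed in targets; that is not visible in this hunk, and without it the rule would run on every build and overwrite the .tmp file each time. Suggest confirming that $(obj)/%.sconfig.tmp is in targets and stating in the commit message or a comment above the rule when the .tmp file is expected to be refreshed from the original while the variable is set.
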
-- 
2.39.5



