[PATCH 1/2] fixup! Add security policy support

[PATCH 1/2] fixup! Add security policy support

[Ahmad Fatoum]

Makefile: fix spurious find No such file or directory warnings

When building with:

  $ ./MAKEALL -O build-arm -a arm imx_v8_defconfig

we run into a couple of messages:

  Building arm64 imx_v8_defconfig
  Configure: OK
  find: ‘common’: No such file or directory
  find: ‘drivers’: No such file or directory
  find: ‘commands’: No such file or directory
  find: ‘lib’: No such file or directory
  [snip]

This is because the working directory during the run of MAKEALL is the
build directory, which at such an early time may not have these
directories yet.

Fix this by explicitly referencing the build directory while suppressing
the error.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 760ac28e8ff8..5d39261d7b74 100644
--- a/Makefile
+++ b/Makefile
@@ -1085,7 +1085,7 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
 
 PHONY += $(barebox-dirs)
 $(barebox-dirs): prepare scripts
-	@find $@ -name policy-list | xargs rm -f
+	@find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
 	$(Q)$(MAKE) $(build)=$@
 
 # Store (new) KERNELRELASE string in include/config/kernel.release
-- 
2.47.3

[PATCH 2/2] fixup! test: py: add basic security policy test

[Ahmad Fatoum]

test: py: policies: rework for latest changes

Compared to the RFC, tamper now prohibits the console, so the test will
timeout. Work around this by issuing multiple commands in succession.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/py/test_policies.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/test/py/test_policies.py b/test/py/test_policies.py
index b4ece29c9597..7b6d72b4438f 100644
--- a/test/py/test_policies.py
+++ b/test/py/test_policies.py
@@ -29,15 +29,15 @@ def test_security_policies(barebox, env):
     assert 'go: Operation not permitted' not in stdout
     assert rc == 1
 
-    stdout = barebox.run_check('sconfig -v -s tamper')
+    stdout = barebox.run_check("""
+    sconfig -v -s tamper; echo "POLICY=${security.policy}";
+    sconfig +SCONFIG_CONSOLE_INPUT +SCONFIG_SHELL
+    """)
     assert set(['-SCONFIG_BOOT_UNSIGNED_IMAGES',
                 '-SCONFIG_RATP',
-                '-SCONFIG_CMD_GO']) <= set(stdout)
-    assert 'Active Policy: tamper' in barebox.run_check('sconfig')
-
-    _, _, rc = barebox.run('sconfig -s devel')
-    assert rc != 0
-    assert 'Active Policy: tamper' in barebox.run_check('sconfig')
+                '-SCONFIG_CMD_GO',
+                'POLICY=tamper']) <= set(stdout)
+    assert 'Active Policy: debug0' in barebox.run_check('sconfig')
 
     stdout, _, rc = barebox.run('go')
     assert 'go - start application at address or file' not in stdout
-- 
2.47.3

Re: [PATCH 1/2] fixup! Add security policy support

[Sascha Hauer]

On Tue, 30 Sep 2025 11:35:27 +0200, Ahmad Fatoum wrote:
> Makefile: fix spurious find No such file or directory warnings
> 
> When building with:
> 
>   $ ./MAKEALL -O build-arm -a arm imx_v8_defconfig
> 
> we run into a couple of messages:
> 
> [...]

Applied, thanks!

[1/2] fixup! Add security policy support
      https://git.pengutronix.de/cgit/barebox/commit/?id=945790bd7f1b (link may not be stable)
[2/2] fixup! test: py: add basic security policy test
      https://git.pengutronix.de/cgit/barebox/commit/?id=502d14a5c2f5 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>