* [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
@ 2026-02-25 15:30 Sascha Hauer
2026-02-25 15:30 ` [PATCH 2/2] kbuild: policy: support out-of-tree builds for external policy files Sascha Hauer
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Sascha Hauer @ 2026-02-25 15:30 UTC (permalink / raw)
To: Barebox List; +Cc: Claude
From: Claude <noreply@anthropic.com>
collect-policies previously depended on $(barebox-dirs), which requires
`prepare scripts` and triggers unnecessary rebuilds. Repurpose
Makefile.policy to support dual-mode operation: when invoked standalone
via $(collect)=dir it bootstraps kbuild infrastructure and recurses
through subdirectories (like Makefile.clean), and when included from
Makefile.build it provides the existing build-time .sconfig rules.
Add a $(collect) shorthand in Kbuild.include and replace the
collect-policies target to use lightweight _collect_ prefixed dirs
with no build prerequisites.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Makefile | 24 +++++++++++------
scripts/Makefile.policy | 59 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 75 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 9ba624f291..14921da40a 100644
--- a/Makefile
+++ b/Makefile
@@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
PHONY += $(barebox-dirs)
$(barebox-dirs): prepare scripts
- @find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
$(Q)$(MAKE) $(build)=$@
# Store (new) KERNELRELASE string in include/config/kernel.release
@@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h
targets += include/generated/sconfig_names.h
KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
-KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
-PHONY += collect-policies
-collect-policies: KBUILD_MODULES :=
-collect-policies: KBUILD_BUILTIN :=
-collect-policies: $(barebox-dirs) FORCE
+collect-dirs := $(addprefix _collect_,$(barebox-alldirs))
+
+PHONY += _collect_clean $(collect-dirs) collect-policies
+_collect_clean:
+ $(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true
+
+$(collect-dirs): | _collect_clean
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _collect_%,%,$@)
+
+collect-policies: $(collect-dirs)
PHONY += security_listconfigs
security_listconfigs: collect-policies FORCE
@@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE
@$(foreach p, $(KPOLICY), echo $p ;)
PHONY += security_checkconfigs
-security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
+security_checkconfigs: collect-policies FORCE
+ +$(Q)$(foreach p, $(KPOLICY), \
+ $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
+$(Q)$(foreach p, $(KPOLICY), \
$(call loop_cmd,security_checkconfig,$p.tmp))
-security_%config: collect-policies $(KPOLICY.tmp) FORCE
+security_%config: collect-policies FORCE
+ +$(Q)$(foreach p, $(KPOLICY), \
+ $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
+$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
$(@:security_%=%),$p.tmp))
ifeq ($(KPOLICY_TMPUPDATE),)
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index e517feb56e..e4ba84b2cc 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -1,5 +1,62 @@
# SPDX-License-Identifier: GPL-2.0-only
+# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap
+# the kbuild infrastructure and handle recursion. When included from
+# Makefile.build, skip straight to the rules.
+
+ifndef build
+# Standalone mode — collect policies without building
+# (invoked via $(collect)=dir, like Makefile.clean)
+
+src := $(obj)
+
+PHONY := __collect
+__collect:
+
+policy-y :=
+
+include scripts/Kbuild.include
+
+# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH)
+# are available when security/Makefile computes external-policy.
+-include include/config/auto.conf
+
+kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src))
+include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile)
+
+__subdir-y := $(patsubst %/,%,$(filter %/, $(obj-y)))
+subdir-y += $(__subdir-y)
+__subdir-m := $(patsubst %/,%,$(filter %/, $(obj-m)))
+subdir-m += $(__subdir-m)
+
+subdir-ym := $(sort $(subdir-y) $(subdir-m))
+subdir-ym := $(addprefix $(obj)/,$(subdir-ym))
+
+real-policy-y := $(addprefix $(obj)/,$(policy-y))
+
+# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH
+real-external-policy := $(addprefix $(obj)/,$(external-policy))
+all-policy := $(real-policy-y) $(real-external-policy)
+
+quiet_cmd_collect = COLLECT $(obj)
+ cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list
+
+__collect: $(subdir-ym)
+ifneq ($(strip $(all-policy)),)
+ $(Q)mkdir -p $(obj)
+ $(call cmd,collect)
+endif
+ @:
+
+PHONY += $(subdir-ym)
+$(subdir-ym):
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@
+
+.PHONY: $(PHONY)
+
+else
+# Included from Makefile.build — provide build-time rules
+
real-policy-y := $(addprefix $(obj)/, $(policy-y))
targets += $(addsuffix .tmp, $(real-policy-y))
@@ -36,3 +93,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE
# ---------------------------------------------------------------------------
targets += $(always-y)
+
+endif # build
--
2.47.3
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 2/2] kbuild: policy: support out-of-tree builds for external policy files
2026-02-25 15:30 [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer
@ 2026-02-25 15:30 ` Sascha Hauer
2026-02-25 20:16 ` [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Ahmad Fatoum
2026-03-04 7:38 ` Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2026-02-25 15:30 UTC (permalink / raw)
To: Barebox List; +Cc: Claude Opus 4.6
So far the sconfig files were required to be in the source tree which
was a deliberate decision because we wanted the sconfig files to be
committed. With barebox integrated into build systems the sconfig files
are most of the time stored in the build system anyway, so having
them in the source tree is unnecessary and just prevents sharing the
barebox source tree between different builds.
Change this by:
- Using resolve-external instead of resolve-srctree when copying
.sconfig.tmp files back after security_%config
- Adding a .sconfig.tmp rule in Makefile.policy analogous to the
existing .config.tmp rule
- Searching both srctree and objtree for external policy files in
security/Makefile and resolving the correct path for dependencies
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Makefile | 2 +-
scripts/Makefile.policy | 7 +++++++
security/Makefile | 9 ++++++---
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 14921da40a..1bcea26ef0 100644
--- a/Makefile
+++ b/Makefile
@@ -1258,7 +1258,7 @@ security_%config: collect-policies FORCE
$(@:security_%=%),$p.tmp))
ifeq ($(KPOLICY_TMPUPDATE),)
+$(Q)$(foreach p, $(KPOLICY), \
- cp 2>/dev/null $p.tmp $(call resolve-srctree,$p) || true;)
+ cp 2>/dev/null $p.tmp $(call resolve-external,$p) || true;)
endif
quiet_cmd_sconfigpost = SCONFPP $@
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index e4ba84b2cc..3f85972fb4 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -81,6 +81,13 @@ else
$(call if_changed,shipped)
endif
+$(obj)/%.sconfig.tmp: $(obj)/%.sconfig FORCE
+ifeq ($(KPOLICY_TMPUPDATE),)
+ $(call filechk,cat)
+else
+ $(call if_changed,shipped)
+endif
+
quiet_cmd_sconfigpost_c = SCONFPP $@
cmd_sconfigpost_c = $(SCONFIGPOST) -o $@ -D$(depfile) $(2)
diff --git a/security/Makefile b/security/Makefile
index 1096cbfb9b..510fe5af65 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -52,12 +52,15 @@ $(foreach p, $(external-policy), \
CONFIG_SECURITY_POLICY_PATH contains path separators.\
$(newline)"$p" must start with security/)))
$(foreach p, $(external-policy), \
- $(if $(wildcard $(srctree)/$(src)/$p),,$(error \
+ $(if $(or $(wildcard $(srctree)/$(src)/$p),$(wildcard $(objtree)/$(src)/$p)),,$(error \
CONFIG_SECURITY_POLICY_PATH contains non-existent files.\
- $(newline)"$p" does not exist in $$(srctree)/security)))
+ $(newline)"$p" does not exist in $$(srctree)/security or $$(objtree)/security)))
endif
-$(obj)/policy-list: $(addprefix $(src)/,$(external-policy)) FORCE
+external-policy-src = $(foreach p,$(external-policy),\
+ $(if $(wildcard $(srctree)/$(src)/$p),$(src)/$p,$(obj)/$p))
+
+$(obj)/policy-list: $(external-policy-src) FORCE
$(call if_changed,gen_order_src)
targets += $(external-policy-tmp)
--
2.47.3
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
2026-02-25 15:30 [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer
2026-02-25 15:30 ` [PATCH 2/2] kbuild: policy: support out-of-tree builds for external policy files Sascha Hauer
@ 2026-02-25 20:16 ` Ahmad Fatoum
2026-03-04 7:38 ` Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2026-02-25 20:16 UTC (permalink / raw)
To: Sascha Hauer, Barebox List; +Cc: Claude
Hi,
On 2/25/26 4:30 PM, Sascha Hauer wrote:
> From: Claude <noreply@anthropic.com>
Invalid commit author.
> collect-policies previously depended on $(barebox-dirs), which requires
> `prepare scripts` and triggers unnecessary rebuilds. Repurpose
> Makefile.policy to support dual-mode operation: when invoked standalone
> via $(collect)=dir it bootstraps kbuild infrastructure and recurses
Left over. No $(collect) is being added,
-f $(srctree)/scripts/Makefile.policy obj= is used directly.
> through subdirectories (like Makefile.clean), and when included from
> Makefile.build it provides the existing build-time .sconfig rules.
>
> Add a $(collect) shorthand in Kbuild.include and replace the
> collect-policies target to use lightweight _collect_ prefixed dirs
> with no build prerequisites.
>
> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> Makefile | 24 +++++++++++------
> scripts/Makefile.policy | 59 +++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 75 insertions(+), 8 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9ba624f291..14921da40a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
>
> PHONY += $(barebox-dirs)
> $(barebox-dirs): prepare scripts
> - @find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
> $(Q)$(MAKE) $(build)=$@>
> # Store (new) KERNELRELASE string in include/config/kernel.release
> @@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h
> targets += include/generated/sconfig_names.h
>
> KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
> -KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
>
> -PHONY += collect-policies
> -collect-policies: KBUILD_MODULES :=
> -collect-policies: KBUILD_BUILTIN :=
> -collect-policies: $(barebox-dirs) FORCE
> +collect-dirs := $(addprefix _collect_,$(barebox-alldirs))
> +> +PHONY += _collect_clean $(collect-dirs) collect-policies
> +_collect_clean:
Too generic names. Maybe add policy(-|_) as prefix?
> + $(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true
> +
> +$(collect-dirs): | _collect_clean
> + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _collect_%,%,$@)
> +
> +collect-policies: $(collect-dirs)
>
> PHONY += security_listconfigs
> security_listconfigs: collect-policies FORCE
> @@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE
> @$(foreach p, $(KPOLICY), echo $p ;)
>
> PHONY += security_checkconfigs
> -security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
> +security_checkconfigs: collect-policies FORCE
> + +$(Q)$(foreach p, $(KPOLICY), \
> + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
> +$(Q)$(foreach p, $(KPOLICY), \
> $(call loop_cmd,security_checkconfig,$p.tmp))
>
> -security_%config: collect-policies $(KPOLICY.tmp) FORCE
> +security_%config: collect-policies FORCE
> + +$(Q)$(foreach p, $(KPOLICY), \
> + $(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
> +$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
> $(@:security_%=%),$p.tmp))
> ifeq ($(KPOLICY_TMPUPDATE),)
> diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
> index e517feb56e..e4ba84b2cc 100644
> --- a/scripts/Makefile.policy
> +++ b/scripts/Makefile.policy
> @@ -1,5 +1,62 @@
> # SPDX-License-Identifier: GPL-2.0-only
>
> +# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap
> +# the kbuild infrastructure and handle recursion. When included from
> +# Makefile.build, skip straight to the rules.
> +
> +ifndef build
> +# Standalone mode — collect policies without building
> +# (invoked via $(collect)=dir, like Makefile.clean)
No $(collect)= used or defined.
Cheers,
Ahmad
> +
> +src := $(obj)
> +
> +PHONY := __collect
> +__collect:
> +
> +policy-y :=
> +
> +include scripts/Kbuild.include
> +
> +# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH)
> +# are available when security/Makefile computes external-policy.
> +-include include/config/auto.conf
> +
> +kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src))
> +include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile)
> +
> +__subdir-y := $(patsubst %/,%,$(filter %/, $(obj-y)))
> +subdir-y += $(__subdir-y)
> +__subdir-m := $(patsubst %/,%,$(filter %/, $(obj-m)))
> +subdir-m += $(__subdir-m)
> +
> +subdir-ym := $(sort $(subdir-y) $(subdir-m))
> +subdir-ym := $(addprefix $(obj)/,$(subdir-ym))
> +
> +real-policy-y := $(addprefix $(obj)/,$(policy-y))
> +
> +# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH
> +real-external-policy := $(addprefix $(obj)/,$(external-policy))
> +all-policy := $(real-policy-y) $(real-external-policy)
> +
> +quiet_cmd_collect = COLLECT $(obj)
> + cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list
> +
> +__collect: $(subdir-ym)
> +ifneq ($(strip $(all-policy)),)
> + $(Q)mkdir -p $(obj)
> + $(call cmd,collect)
> +endif
> + @:
> +
> +PHONY += $(subdir-ym)
> +$(subdir-ym):
> + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@
> +
> +.PHONY: $(PHONY)
> +
> +else
> +# Included from Makefile.build — provide build-time rules
> +
> real-policy-y := $(addprefix $(obj)/, $(policy-y))
>
> targets += $(addsuffix .tmp, $(real-policy-y))
> @@ -36,3 +93,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE
> # ---------------------------------------------------------------------------
>
> targets += $(always-y)
> +
> +endif # build
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
2026-02-25 15:30 [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer
2026-02-25 15:30 ` [PATCH 2/2] kbuild: policy: support out-of-tree builds for external policy files Sascha Hauer
2026-02-25 20:16 ` [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Ahmad Fatoum
@ 2026-03-04 7:38 ` Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2026-03-04 7:38 UTC (permalink / raw)
To: Barebox List, Sascha Hauer; +Cc: Claude
On Wed, 25 Feb 2026 16:30:55 +0100, Sascha Hauer wrote:
> collect-policies previously depended on $(barebox-dirs), which requires
> `prepare scripts` and triggers unnecessary rebuilds. Repurpose
> Makefile.policy to support dual-mode operation: when invoked standalone
> via $(collect)=dir it bootstraps kbuild infrastructure and recurses
> through subdirectories (like Makefile.clean), and when included from
> Makefile.build it provides the existing build-time .sconfig rules.
>
> [...]
Applied, thanks!
[1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
https://git.pengutronix.de/cgit/barebox/commit/?id=2d871c52ddc7 (link may not be stable)
[2/2] kbuild: policy: support out-of-tree builds for external policy files
https://git.pengutronix.de/cgit/barebox/commit/?id=c6d2e69c3e5a (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-04 7:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-02-25 15:30 [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Sascha Hauer
2026-02-25 15:30 ` [PATCH 2/2] kbuild: policy: support out-of-tree builds for external policy files Sascha Hauer
2026-02-25 20:16 ` [PATCH 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy Ahmad Fatoum
2026-03-04 7:38 ` Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox