[PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy

[Sascha Hauer <s.hauer@pengutronix.de>]

From: Claude <noreply@anthropic.com>

collect-policies previously depended on $(barebox-dirs), which requires
`prepare scripts` and triggers unnecessary rebuilds. Repurpose
Makefile.policy to support dual-mode operation: when invoked standalone
it bootstraps kbuild infrastructure and recurses through subdirectories
(like Makefile.clean), and when included from Makefile.build it provides
the existing build-time .sconfig rules.

Replace the collect-policies target to use lightweight _policy_collect_
prefixed dirs with no build prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 Makefile                | 24 +++++++++++++-------
 scripts/Makefile.policy | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 4296c97ef0..4bf77896b6 100644
--- a/Makefile
+++ b/Makefile
@@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
 
 PHONY += $(barebox-dirs)
 $(barebox-dirs): prepare scripts
-	@find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
 	$(Q)$(MAKE) $(build)=$@
 
 # Store (new) KERNELRELASE string in include/config/kernel.release
@@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h
 targets += include/generated/sconfig_names.h
 
 KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
-KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
 
-PHONY += collect-policies
-collect-policies: KBUILD_MODULES :=
-collect-policies: KBUILD_BUILTIN :=
-collect-policies: $(barebox-dirs) FORCE
+collect-dirs    := $(addprefix _policy_collect_,$(barebox-alldirs))
+
+PHONY += _policy_collect_clean $(collect-dirs) collect-policies
+_policy_collect_clean:
+	$(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true
+
+$(collect-policy-dirs): | _policy_collect_clean
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _policy_collect_%,%,$@)
+
+collect-policies: $(collect-policy-dirs)
 
 PHONY += security_listconfigs
 security_listconfigs: collect-policies FORCE
@@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE
 	@$(foreach p, $(KPOLICY), echo $p ;)
 
 PHONY += security_checkconfigs
-security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
+security_checkconfigs: collect-policies FORCE
+	+$(Q)$(foreach p, $(KPOLICY), \
+		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
 	+$(Q)$(foreach p, $(KPOLICY), \
 		$(call loop_cmd,security_checkconfig,$p.tmp))
 
-security_%config: collect-policies $(KPOLICY.tmp) FORCE
+security_%config: collect-policies FORCE
+	+$(Q)$(foreach p, $(KPOLICY), \
+		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
 	+$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
 		$(@:security_%=%),$p.tmp))
 ifeq ($(KPOLICY_TMPUPDATE),)
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index e517feb56e..f2c6b204d5 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -1,5 +1,61 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
+# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap
+# the kbuild infrastructure and handle recursion. When included from
+# Makefile.build, skip straight to the rules.
+
+ifndef build
+# Standalone mode — collect policies without building
+
+src := $(obj)
+
+PHONY := __collect
+__collect:
+
+policy-y :=
+
+include scripts/Kbuild.include
+
+# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH)
+# are available when security/Makefile computes external-policy.
+-include include/config/auto.conf
+
+kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src))
+include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile)
+
+__subdir-y	:= $(patsubst %/,%,$(filter %/, $(obj-y)))
+subdir-y	+= $(__subdir-y)
+__subdir-m	:= $(patsubst %/,%,$(filter %/, $(obj-m)))
+subdir-m	+= $(__subdir-m)
+
+subdir-ym	:= $(sort $(subdir-y) $(subdir-m))
+subdir-ym	:= $(addprefix $(obj)/,$(subdir-ym))
+
+real-policy-y	:= $(addprefix $(obj)/,$(policy-y))
+
+# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH
+real-external-policy := $(addprefix $(obj)/,$(external-policy))
+all-policy	:= $(real-policy-y) $(real-external-policy)
+
+quiet_cmd_collect = COLLECT $(obj)
+      cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list
+
+__collect: $(subdir-ym)
+ifneq ($(strip $(all-policy)),)
+	$(Q)mkdir -p $(obj)
+	$(call cmd,collect)
+endif
+	@:
+
+PHONY += $(subdir-ym)
+$(subdir-ym):
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@
+
+.PHONY: $(PHONY)
+
+else
+# Included from Makefile.build — provide build-time rules
+
 real-policy-y   := $(addprefix $(obj)/, $(policy-y))
 
 targets         += $(addsuffix .tmp, $(real-policy-y))
@@ -36,3 +92,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE
 # ---------------------------------------------------------------------------
 
 targets += $(always-y)
+
+endif # build

-- 
2.47.3