* [PATCH v2 0/2] Security policies
From: Sascha Hauer @ 2026-02-26  8:49 UTC (permalink / raw)
  To: BAREBOX; +Cc: Claude

Two small patches for security policies. The first one makes it so that we do not
compile all the host tools in scripts/ to do a security_*config; the second
is for better integration into build systems.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Claude (1):
      kbuild: make collect-policies lightweight with standalone Makefile.policy

Sascha Hauer (1):
      kbuild: policy: support out-of-tree builds for external policy files

 Makefile                | 26 +++++++++++++-------
 scripts/Makefile.policy | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
 security/Makefile       |  9 ++++---
 3 files changed, 88 insertions(+), 12 deletions(-)
---
base-commit: 810120e81a95963c35f1f50f75ed36be2dbd03d5
change-id: 20260226-security-policies-not-so-much-compile-68aefee26fc5

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>





* [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
From: Sascha Hauer @ 2026-02-26  8:49 UTC (permalink / raw)
  To: BAREBOX; +Cc: Claude Opus 4.6

From: Claude <noreply@anthropic.com>

collect-policies previously depended on $(barebox-dirs), which requires
`prepare scripts` and triggers unnecessary rebuilds. Repurpose
Makefile.policy to support dual-mode operation: when invoked standalone
it bootstraps kbuild infrastructure and recurses through subdirectories
(like Makefile.clean), and when included from Makefile.build it provides
the existing build-time .sconfig rules.

Replace the collect-policies target to use lightweight _policy_collect_
prefixed dirs with no build prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 Makefile                | 24 +++++++++++++-------
 scripts/Makefile.policy | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 4296c97ef0..4bf77896b6 100644
--- a/Makefile
+++ b/Makefile
@@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
 
 PHONY += $(barebox-dirs)
 $(barebox-dirs): prepare scripts
-	@find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
 	$(Q)$(MAKE) $(build)=$@
 
 # Store (new) KERNELRELASE string in include/config/kernel.release
@@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h
 targets += include/generated/sconfig_names.h
 
 KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
-KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
 
-PHONY += collect-policies
-collect-policies: KBUILD_MODULES :=
-collect-policies: KBUILD_BUILTIN :=
-collect-policies: $(barebox-dirs) FORCE
+collect-dirs    := $(addprefix _policy_collect_,$(barebox-alldirs))
+
+PHONY += _policy_collect_clean $(collect-dirs) collect-policies
+_policy_collect_clean:
+	$(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true
+
+$(collect-policy-dirs): | _policy_collect_clean
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _policy_collect_%,%,$@)
+
+collect-policies: $(collect-policy-dirs)
 
 PHONY += security_listconfigs
 security_listconfigs: collect-policies FORCE
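Review bot: the variable names in this hunk do not match: the directory list is defined as `collect-dirs` (`collect-dirs := $(addprefix _policy_collect_,$(barebox-alldirs))`) and added to PHONY under that name, but the rule and the `collect-policies` prerequisite use `$(collect-policy-dirs)`, which is never assigned. As written, `collect-policies: $(collect-policy-dirs)` has no prerequisites, the per-directory `$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=...` recursion is never triggered, and `_policy_collect_clean` is never reached either, so `KPOLICY` will be computed from whatever stale policy-list files happen to be left in `$(objtree)`. Rename one side so both use the same variable; it would also be worth having the target fail loudly (e.g. `$(error ...)` when the list is empty) rather than silently succeeding with nothing collected.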
@@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE
 	@$(foreach p, $(KPOLICY), echo $p ;)
 
 PHONY += security_checkconfigs
-security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
+security_checkconfigs: collect-policies FORCE
+	+$(Q)$(foreach p, $(KPOLICY), \
+		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
 	+$(Q)$(foreach p, $(KPOLICY), \
 		$(call loop_cmd,security_checkconfig,$p.tmp))
 
-security_%config: collect-policies $(KPOLICY.tmp) FORCE
+security_%config: collect-policies FORCE
+	+$(Q)$(foreach p, $(KPOLICY), \
+		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
 	+$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
 		$(@:security_%=%),$p.tmp))
 ifeq ($(KPOLICY_TMPUPDATE),)
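Review bot: the two new `$(foreach p, $(KPOLICY), $(MAKE) $(build)=... $p.tmp ;)` recipe lines chain the sub-makes with `;`, so the recipe's exit status is that of the last sub-make only; if building the `.tmp` for one policy file fails, the loop continues and the subsequent `loop_cmd` step runs against a missing or stale `.tmp` (unless `.SHELLFLAGS` already carries `-e`, which is not visible here). Chain them with `&&` instead, or end each iteration with `|| exit 1`. The identical foreach block is also duplicated verbatim in `security_checkconfigs` and `security_%config`; a small helper target (or a `define`) that both depend on would keep the two from drifting apart.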
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index e517feb56e..f2c6b204d5 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -1,5 +1,61 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
+# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap
+# the kbuild infrastructure and handle recursion. When included from
+# Makefile.build, skip straight to the rules.
+
+ifndef build
+# Standalone mode — collect policies without building
+
+src := $(obj)
+
+PHONY := __collect
+__collect:
+
+policy-y :=
+
+include scripts/Kbuild.include
+
+# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH)
+# are available when security/Makefile computes external-policy.
+-include include/config/auto.conf
+
+kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src))
+include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile)
+
+__subdir-y	:= $(patsubst %/,%,$(filter %/, $(obj-y)))
+subdir-y	+= $(__subdir-y)
+__subdir-m	:= $(patsubst %/,%,$(filter %/, $(obj-m)))
+subdir-m	+= $(__subdir-m)
+
+subdir-ym	:= $(sort $(subdir-y) $(subdir-m))
+subdir-ym	:= $(addprefix $(obj)/,$(subdir-ym))
+
+real-policy-y	:= $(addprefix $(obj)/,$(policy-y))
+
+# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH
+real-external-policy := $(addprefix $(obj)/,$(external-policy))
+all-policy	:= $(real-policy-y) $(real-external-policy)
+
+quiet_cmd_collect = COLLECT $(obj)
+      cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list
+
+__collect: $(subdir-ym)
+ifneq ($(strip $(all-policy)),)
+	$(Q)mkdir -p $(obj)
+	$(call cmd,collect)
+endif
+	@:
+
+PHONY += $(subdir-ym)
+$(subdir-ym):
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@
+
+.PHONY: $(PHONY)
+
+else
+# Included from Makefile.build — provide build-time rules
+
 real-policy-y   := $(addprefix $(obj)/, $(policy-y))
 
 targets         += $(addsuffix .tmp, $(real-policy-y))
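Review bot: in the standalone branch, `include scripts/Kbuild.include` uses a path relative to the current directory while the recursion in the same hunk uses `$(srctree)/scripts/Makefile.policy`; the relative form only resolves in an out-of-tree build because the top-level Makefile passes `--include-dir=$(srctree)` in MAKEFLAGS, so for consistency (and for anyone invoking `make -f Makefile.policy obj=dir` by hand, as the comment suggests) please use `$(srctree)/scripts/Kbuild.include`. Also, the subdirectory scan is built only from `obj-y`/`obj-m` (`__subdir-y`, `__subdir-m`); please confirm that Makefile.build does not descend into directories listed elsewhere (barebox's `pbl-y` comes to mind), since any such directory would be skipped by the collector and its policy files silently omitted from `policy-list`.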
@@ -36,3 +92,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE
 # ---------------------------------------------------------------------------
 
 targets += $(always-y)
+
+endif # build

-- 
2.47.3





* [PATCH v2 2/2] kbuild: policy: support out-of-tree builds for external policy files
From: Sascha Hauer @ 2026-02-26  8:49 UTC (permalink / raw)
  To: BAREBOX; +Cc: Claude Opus 4.6

So far the sconfig files were required to be in the source tree which
was a deliberate decision because we wanted the sconfig files to be
committed. With barebox integrated into build systems the sconfig files
are most of the time stored in the build system anyway, so having
them in the source tree is unnecessary and just prevents sharing the
barebox source tree between different builds.

Change this by:
- Using resolve-external instead of resolve-srctree when copying
  .sconfig.tmp files back after security_%config
- Adding a .sconfig.tmp rule in Makefile.policy analogous to the
  existing .config.tmp rule
- Searching both srctree and objtree for external policy files in
  security/Makefile and resolving the correct path for dependencies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Link: https://lore.barebox.org/20260225153057.3199724-2-s.hauer@pengutronix.de
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 Makefile                | 2 +-
 scripts/Makefile.policy | 7 +++++++
 security/Makefile       | 9 ++++++---
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 4bf77896b6..a5b2543900 100644
--- a/Makefile
+++ b/Makefile
@@ -1258,7 +1258,7 @@ security_%config: collect-policies FORCE
 		$(@:security_%=%),$p.tmp))
 ifeq ($(KPOLICY_TMPUPDATE),)
 	+$(Q)$(foreach p, $(KPOLICY), \
-		cp 2>/dev/null $p.tmp $(call resolve-srctree,$p) || true;)
+		cp 2>/dev/null $p.tmp $(call resolve-external,$p) || true;)
 endif
 
 quiet_cmd_sconfigpost = SCONFPP $@
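Review bot: `resolve-external` is not defined anywhere in this series (the diffstat touches only Makefile, scripts/Makefile.policy and security/Makefile, and none of the hunks add it), so either it already exists in the tree or this hunk is missing its definition. Because the copy is wrapped in `cp 2>/dev/null ... || true`, an undefined function would expand to an empty destination and the resulting `cp` usage error would be swallowed, leaving the edited `.sconfig` silently unsaved. Please point at the definition in the commit message, and make sure it applies the same srctree-first lookup as `external-policy-src` in security/Makefile so the `.tmp` is written back to the copy the build actually consumed.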
diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
index f2c6b204d5..12aa920c04 100644
--- a/scripts/Makefile.policy
+++ b/scripts/Makefile.policy
@@ -80,6 +80,13 @@ else
 	$(call if_changed,shipped)
 endif
 
+$(obj)/%.sconfig.tmp: $(obj)/%.sconfig FORCE
+ifeq ($(KPOLICY_TMPUPDATE),)
+	$(call filechk,cat)
+else
+	$(call if_changed,shipped)
+endif
+
 quiet_cmd_sconfigpost_c = SCONFPP $@
       cmd_sconfigpost_c = $(SCONFIGPOST) -o $@ -D$(depfile) $(2)
 
diff --git a/security/Makefile b/security/Makefile
index 1096cbfb9b..510fe5af65 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -52,12 +52,15 @@ $(foreach p, $(external-policy), \
 	CONFIG_SECURITY_POLICY_PATH contains path separators.\
 	$(newline)"$p" must start with security/)))
 $(foreach p, $(external-policy), \
-	$(if $(wildcard $(srctree)/$(src)/$p),,$(error \
+	$(if $(or $(wildcard $(srctree)/$(src)/$p),$(wildcard $(objtree)/$(src)/$p)),,$(error \
 	CONFIG_SECURITY_POLICY_PATH contains non-existent files.\
-	$(newline)"$p" does not exist in $$(srctree)/security)))
+	$(newline)"$p" does not exist in $$(srctree)/security or $$(objtree)/security)))
 endif
 
-$(obj)/policy-list: $(addprefix $(src)/,$(external-policy)) FORCE
+external-policy-src = $(foreach p,$(external-policy),\
+    $(if $(wildcard $(srctree)/$(src)/$p),$(src)/$p,$(obj)/$p))
+
+$(obj)/policy-list: $(external-policy-src) FORCE
 	$(call if_changed,gen_order_src)
 
 targets += $(external-policy-tmp)
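Review bot: the two branches of `external-policy-src` most likely expand to the same string. The standalone mode added in patch 1 sets `src := $(obj)`, and Makefile.build does the same, so `$(src)/$p` and `$(obj)/$p` are both the relative `security/$p`, and the actual srctree-vs-objtree choice is left to make's VPATH rather than to this conditional. If the intent is to pin the `policy-list` dependency to the copy that was found, the first branch should be `$(srctree)/$(src)/$p`; otherwise the `$(if $(wildcard ...))` can be dropped. Related: the relaxed existence check now accepts a file present in either tree, but nothing warns when both trees contain the same policy file; since these files define the security configuration that gets compiled in, consider an `$(error ...)` (or at least a warning) for that case so a stale copy in one tree cannot silently shadow the other.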

-- 
2.47.3





* Re: [PATCH v2 1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
From: Sascha Hauer @ 2026-02-26  9:21 UTC (permalink / raw)
  To: BAREBOX; +Cc: Claude

On Thu, Feb 26, 2026 at 09:49:17AM +0100, Sascha Hauer wrote:
> From: Claude <noreply@anthropic.com>

Should be me.

From: Sascha Hauer <s.hauer@pengutronix.de>

Sascha

> 
> collect-policies previously depended on $(barebox-dirs), which requires
> `prepare scripts` and triggers unnecessary rebuilds. Repurpose
> Makefile.policy to support dual-mode operation: when invoked standalone
> it bootstraps kbuild infrastructure and recurses through subdirectories
> (like Makefile.clean), and when included from Makefile.build it provides
> the existing build-time .sconfig rules.
> 
> Replace the collect-policies target to use lightweight _policy_collect_
> prefixed dirs with no build prerequisites.
> 
> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
>  Makefile                | 24 +++++++++++++-------
>  scripts/Makefile.policy | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 74 insertions(+), 8 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index 4296c97ef0..4bf77896b6 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1133,7 +1133,6 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) $(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
>  
>  PHONY += $(barebox-dirs)
>  $(barebox-dirs): prepare scripts
> -	@find $(objtree)/$@ -name policy-list -exec rm -f {} \; 2>/dev/null || true
>  	$(Q)$(MAKE) $(build)=$@
>  
>  # Store (new) KERNELRELASE string in include/config/kernel.release
> @@ -1228,12 +1227,17 @@ targets += include/generated/security_autoconf.h
>  targets += include/generated/sconfig_names.h
>  
>  KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
> -KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
>  
> -PHONY += collect-policies
> -collect-policies: KBUILD_MODULES :=
> -collect-policies: KBUILD_BUILTIN :=
> -collect-policies: $(barebox-dirs) FORCE
> +collect-dirs    := $(addprefix _policy_collect_,$(barebox-alldirs))
> +
> +PHONY += _policy_collect_clean $(collect-dirs) collect-policies
> +_policy_collect_clean:
> +	$(Q)find $(objtree)/ -name policy-list -delete 2>/dev/null || true
> +
> +$(collect-policy-dirs): | _policy_collect_clean
> +	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$(patsubst _policy_collect_%,%,$@)
> +
> +collect-policies: $(collect-policy-dirs)
>  
>  PHONY += security_listconfigs
>  security_listconfigs: collect-policies FORCE
> @@ -1241,11 +1245,15 @@ security_listconfigs: collect-policies FORCE
>  	@$(foreach p, $(KPOLICY), echo $p ;)
>  
>  PHONY += security_checkconfigs
> -security_checkconfigs: collect-policies $(KPOLICY.tmp) FORCE
> +security_checkconfigs: collect-policies FORCE
> +	+$(Q)$(foreach p, $(KPOLICY), \
> +		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
>  	+$(Q)$(foreach p, $(KPOLICY), \
>  		$(call loop_cmd,security_checkconfig,$p.tmp))
>  
> -security_%config: collect-policies $(KPOLICY.tmp) FORCE
> +security_%config: collect-policies FORCE
> +	+$(Q)$(foreach p, $(KPOLICY), \
> +		$(MAKE) $(build)=$(patsubst %/,%,$(dir $p)) $p.tmp ;)
>  	+$(Q)$(foreach p, $(KPOLICY), $(call loop_cmd,sconfig, \
>  		$(@:security_%=%),$p.tmp))
>  ifeq ($(KPOLICY_TMPUPDATE),)
> diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
> index e517feb56e..f2c6b204d5 100644
> --- a/scripts/Makefile.policy
> +++ b/scripts/Makefile.policy
> @@ -1,5 +1,61 @@
>  # SPDX-License-Identifier: GPL-2.0-only
>  
> +# When invoked standalone (make -f Makefile.policy obj=dir), bootstrap
> +# the kbuild infrastructure and handle recursion. When included from
> +# Makefile.build, skip straight to the rules.
> +
> +ifndef build
> +# Standalone mode — collect policies without building
> +
> +src := $(obj)
> +
> +PHONY := __collect
> +__collect:
> +
> +policy-y :=
> +
> +include scripts/Kbuild.include
> +
> +# Include Kconfig output so CONFIG_* symbols (e.g. CONFIG_SECURITY_POLICY_PATH)
> +# are available when security/Makefile computes external-policy.
> +-include include/config/auto.conf
> +
> +kbuild-dir := $(if $(filter /%,$(src)),$(src),$(srctree)/$(src))
> +include $(if $(wildcard $(kbuild-dir)/Kbuild), $(kbuild-dir)/Kbuild, $(kbuild-dir)/Makefile)
> +
> +__subdir-y	:= $(patsubst %/,%,$(filter %/, $(obj-y)))
> +subdir-y	+= $(__subdir-y)
> +__subdir-m	:= $(patsubst %/,%,$(filter %/, $(obj-m)))
> +subdir-m	+= $(__subdir-m)
> +
> +subdir-ym	:= $(sort $(subdir-y) $(subdir-m))
> +subdir-ym	:= $(addprefix $(obj)/,$(subdir-ym))
> +
> +real-policy-y	:= $(addprefix $(obj)/,$(policy-y))
> +
> +# external-policy is set by security/Makefile from CONFIG_SECURITY_POLICY_PATH
> +real-external-policy := $(addprefix $(obj)/,$(external-policy))
> +all-policy	:= $(real-policy-y) $(real-external-policy)
> +
> +quiet_cmd_collect = COLLECT $(obj)
> +      cmd_collect = { $(foreach p,$(all-policy),echo $(p);) :; } > $(obj)/policy-list
> +
> +__collect: $(subdir-ym)
> +ifneq ($(strip $(all-policy)),)
> +	$(Q)mkdir -p $(obj)
> +	$(call cmd,collect)
> +endif
> +	@:
> +
> +PHONY += $(subdir-ym)
> +$(subdir-ym):
> +	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.policy obj=$@
> +
> +.PHONY: $(PHONY)
> +
> +else
> +# Included from Makefile.build — provide build-time rules
> +
>  real-policy-y   := $(addprefix $(obj)/, $(policy-y))
>  
>  targets         += $(addsuffix .tmp, $(real-policy-y))
> @@ -36,3 +92,5 @@ $(obj)/%.sconfig.c: $(obj)/%.sconfig.tmp FORCE
>  # ---------------------------------------------------------------------------
>  
>  targets += $(always-y)
> +
> +endif # build
> 
> -- 
> 2.47.3
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




* Re: [PATCH v2 0/2] Security policies
From: Sascha Hauer @ 2026-03-04  7:38 UTC (permalink / raw)
  To: BAREBOX, Sascha Hauer; +Cc: Claude


On Thu, 26 Feb 2026 09:49:16 +0100, Sascha Hauer wrote:
> Two small patches for security policies. The first one makes it so that we do not
> compile all the host tools in scripts/ to do a security_*config; the second
> is for better integration into build systems.
> 
> 

Applied, thanks!

[1/2] kbuild: make collect-policies lightweight with standalone Makefile.policy
      https://git.pengutronix.de/cgit/barebox/commit/?id=2d871c52ddc7 (link may not be stable)
[2/2] kbuild: policy: support out-of-tree builds for external policy files
      https://git.pengutronix.de/cgit/barebox/commit/?id=c6d2e69c3e5a (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>



