[PATCH] ipe: Search for the boot policy file in the source tree

Fan Wu wufan at kernel.org
Wed Jan 22 18:41:07 UTC 2025


Thanks for the fix.

My only concern here is the use of wildcard. I'm not sure but if
$(CONFIG_IPE_BOOT_POLICY) is a glob pattern it could match multiple
files?

Other than that I think the doc of security/ipe/Kconfig needs to be
updated as well to reflect the makefile change.

-Fan

On Tue, Jan 21, 2025 at 10:58 PM Tyler Hicks <code at tyhicks.com> wrote:
>
> Resolve CONFIG_IPE_BOOT_POLICY relative file paths in the source tree if
> the file was not found within the object tree and is not an absolute path.
>
> This fixes an IPE build failure that occurs when using an output directory,
> such as with the `O=/tmp/build` make option, during a build with the
> CONFIG_IPE_BOOT_POLICY option set to a path that's relative to the kernel
> source tree. For example,
>
>   $ grep CONFIG_IPE_BOOT_POLICY /tmp/build/.config
>   CONFIG_IPE_BOOT_POLICY="ipe-boot-policy"
>   $ touch ipe-boot-policy
>   $ make O=/tmp/build
>   make[1]: Entering directory '/tmp/build'
>     GEN     Makefile
>     UPD     include/config/kernel.release
>     UPD     include/generated/utsrelease.h
>     CALL    scripts/checksyscalls.sh
>     CC      init/version.o
>     AR      init/built-in.a
>     CC      kernel/sys.o
>     AR      kernel/built-in.a
>     IPE_POL ipe-boot-policy
>   An error occurred during policy conversion: : No such file or directory
>   make[5]: *** [security/ipe/Makefile:14: security/ipe/boot_policy.c] Error 2
>   make[4]: *** [scripts/Makefile.build:440: security/ipe] Error 2
>   make[3]: *** [scripts/Makefile.build:440: security] Error 2
>   make[2]: *** [Makefile:1989: .] Error 2
>   make[1]: *** [Makefile:251: __sub-make] Error 2
>   make[1]: Leaving directory '/tmp/build'
>   make: *** [Makefile:251: __sub-make] Error 2
>
> Fixes: ba199dc909a2 ("scripts: add boot policy generation program")
> Cc: stable at vger.kernel.org
> Signed-off-by: Tyler Hicks <code at tyhicks.com>
> ---
>  security/ipe/Makefile | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> index 2ffabfa63fe9..b54d7b7c9e6d 100644
> --- a/security/ipe/Makefile
> +++ b/security/ipe/Makefile
> @@ -10,8 +10,10 @@ quiet_cmd_polgen = IPE_POL $(2)
>
>  targets += boot_policy.c
>
> -$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE
> -       $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY))
> +boot-pol := $(if $(wildcard $(CONFIG_IPE_BOOT_POLICY)),,$(srctree)/)$(CONFIG_IPE_BOOT_POLICY)
> +
> +$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(boot-pol) FORCE
> +       $(call if_changed,polgen,$(boot-pol))
>
>  obj-$(CONFIG_SECURITY_IPE) += \
>         boot_policy.o \
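Review bot: The new boot-pol assignment prepends $(srctree)/ whenever $(wildcard $(CONFIG_IPE_BOOT_POLICY)) expands to nothing, and it has no test for the "is not an absolute path" condition that the commit message describes. An absolute path that does not exist is therefore rewritten to $(srctree)/ followed by that absolute path, and the build error then names a file the user never configured. Consider adding an explicit absolute-path test, for example $(filter /%,$(CONFIG_IPE_BOOT_POLICY)), alongside the existence check, so that only relative paths are ever re-rooted in the source tree. Also, if the option can be left empty, boot-pol becomes just $(srctree)/ and is passed both as a prerequisite and as the polgen argument, where the removed lines passed nothing. A guard for the empty value would preserve the old behaviour.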
> --
> 2.34.1
>


