scripts: add boot policy generation program

Enables an IPE policy to be enforced from kernel start, enabling access control based on trust from kernel startup. This is accomplished by transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a c-string literal that is parsed at kernel startup as an unsigned policy. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Deven Bowers <deven.desai@linux.microsoft.com> 2024-08-02 23:08:31 -0700
committer: Paul Moore <paul@paul-moore.com> 2024-08-20 14:03:39 -0400
commit: ba199dc909a20fe62270ae4e93f263987bb9d119 (patch)
tree: 497a4893e9b186438a37fbcab53cb1900480065f /scripts/Makefile
parent: 31f8c8682f30720be25e9b1021caa43c64e8d9ce (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/scripts/Makefile b/scripts/Makefile
index dccef663ca82..6bcda4b9d054 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -55,6 +55,7 @@ targets += module.lds
 subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
 subdir-$(CONFIG_MODVERSIONS) += genksyms
 subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+subdir-$(CONFIG_SECURITY_IPE) += ipe
 
 # Let clean descend into subdirs
 subdir-	+= basic dtc gdb kconfig mod
author	Deven Bowers <deven.desai@linux.microsoft.com>	2024-08-02 23:08:31 -0700
committer	Paul Moore <paul@paul-moore.com>	2024-08-20 14:03:39 -0400
commit	ba199dc909a20fe62270ae4e93f263987bb9d119 (patch)
tree	497a4893e9b186438a37fbcab53cb1900480065f /scripts/Makefile
parent	31f8c8682f30720be25e9b1021caa43c64e8d9ce (diff)