Re: [PATCH] fixup! Add security policy support

Mon, 25 Aug 2025 01:55:02 -0700 

On Fri, Aug 22, 2025 at 05:59:19PM +0200, Ahmad Fatoum wrote:
> Hello Sascha,
> 
> On 8/22/25 12:37, Sascha Hauer wrote:
> > Remove policy-list files before recreating them, otherwise we can get stale
> > security configs when changing the build configuration or branch.
> > 
> > Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
> > ---
> >  Makefile | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Makefile b/Makefile
> > index 49658e5fe2..be87fbbc7a 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -1195,10 +1195,14 @@ targets += include/generated/sconfig_names.h
> >  KPOLICY = $(shell find $(objtree)/ -name policy-list -exec cat {} \;)
> >  KPOLICY.tmp = $(addsuffix .tmp,$(KPOLICY))
> >  
> > +PHONY += remove-policies
> > +remove-policies: FORCE
> > +   find -name "policy-list" | xargs rm
> > +
> >  PHONY += collect-policies
> >  collect-policies: KBUILD_MODULES :=
> >  collect-policies: KBUILD_BUILTIN :=
> > -collect-policies: $(barebox-dirs) FORCE
> > +collect-policies: remove-policies $(barebox-dirs) FORCE
> 
> Wouldn't this race with the descend into barebox-dirs?

Indeed it does.

> I think we need
> to enforce a strict order between these two.

How about this?

----------------------------------8<-------------------------------

>From 9e50b650e81b1630dfa677f2d49f30dcb9feb36b Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.ha...@pengutronix.de>
Date: Fri, 22 Aug 2025 12:35:06 +0200
Subject: [PATCH] fixup! Add security policy support

Remove policy-list files before recreating them, otherwise we can get stale
security configs when changing the build configuration or branch.

Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index 49658e5fe2..0b1e059091 100644
--- a/Makefile
+++ b/Makefile
@@ -1084,6 +1084,7 @@ $(sort $(BAREBOX_OBJS)) $(BAREBOX_LDS) 
$(BAREBOX_PBL_OBJS): $(barebox-dirs) ;
 
 PHONY += $(barebox-dirs)
 $(barebox-dirs): prepare scripts
+       @find $@ -name policy-list | xargs rm -f
        $(Q)$(MAKE) $(build)=$@
 
 # Store (new) KERNELRELASE string in include/config/kernel.release
-- 
2.47.2


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Reply via email to