40c2db9d67
Our long-standing policy for EFI platforms is that we support invoking binary executables only via the LoadImage() and StartImage() boot services calls, so that all security policy decisions are delegated to the platform firmware. Most binary executable formats that we support are BIOS-only and cannot in any case be linked in to an EFI executable. The only cross-platform format is the generic Linux kernel image format as used for RISC-V (and potentially also for AArch64). Mark all files associated with direct loading of a kernel binary as explicitly forbidden for UEFI Secure Boot. Signed-off-by: Michael Brown <mcb30@ipxe.org>