From 894bcc876da9390a02789dba31ab5ec5ec90bc33 Mon Sep 17 00:00:00 2001
From: "Stephen J. Kiernan" <stevek@FreeBSD.org>
Date: Sun, 16 Apr 2023 19:36:07 -0400
Subject: [PATCH] sys/modules/Makefile: conditionally add MAC/veriexec modules

Only build MAC/veriexec modules when MK_VERIEXEC is yes or we
are building all modules.

Add VERIEXEC knob to kernel __DEFAULT_NO_OPTIONS

Reviewed by:	sjg
Obtained from:	Juniper Networks, Inc.
---
 sys/conf/kern.opts.mk | 3 ++-
 sys/modules/Makefile  | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk
index 35ce97fae63..53992a31d07 100644
--- a/sys/conf/kern.opts.mk
+++ b/sys/conf/kern.opts.mk
@@ -62,7 +62,8 @@ __DEFAULT_NO_OPTIONS = \
     INIT_ALL_ZERO \
     KERNEL_RETPOLINE \
     RATELIMIT \
-    REPRODUCIBLE_BUILD
+    REPRODUCIBLE_BUILD \
+    VERIEXEC
 
 # Some options are totally broken on some architectures. We disable
 # them. If you need to enable them on an experimental basis, you
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index 71e0be4cce2..df47f5bf465 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -588,12 +588,14 @@ _mac_priority=	mac_priority
 _mac_seeotheruids= mac_seeotheruids
 _mac_stub=	mac_stub
 _mac_test=	mac_test
+.if ${MK_VERIEXEC} != "no" || defined(ALL_MODULES)
 _mac_veriexec=	mac_veriexec
 _mac_veriexec_sha1= mac_veriexec_sha1
 _mac_veriexec_sha256= mac_veriexec_sha256
 _mac_veriexec_sha384= mac_veriexec_sha384
 _mac_veriexec_sha512= mac_veriexec_sha512
 .endif
+.endif
 
 .if ${MK_NETGRAPH} != "no" || defined(ALL_MODULES)
 _netgraph=	netgraph