authorPeter Jones <pjones@redhat.com>2013-10-01 13:55:27 -0400
committerPeter Jones <pjones@redhat.com>2013-10-01 14:03:16 -0400
commitf330528786fb02f1771c76818ffc8f1793f5d2f7 (patch)
tree048d338958abf211b5e4148f77b8630f9cadea4e
parent4537217422a4e1bf145e135d89284cf7887ad826 (diff)
downloadefi-boot-shim-f330528786fb02f1771c76818ffc8f1793f5d2f7.tar.gz
efi-boot-shim-f330528786fb02f1771c76818ffc8f1793f5d2f7.zip
Conditionalize overriding the security policy.
Make OVERRIDE_SECURITY_POLICY a build option. Signed-off-by: Peter Jones <pjones@redhat.com>
-rw-r--r--Makefile4
-rw-r--r--include/security_policy.h7
-rw-r--r--lib/security_policy.c2
-rw-r--r--shim.c4
4 files changed, 17 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 581be0ac..311a2c9b 100644
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,10 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
+
+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ CFLAGS += -DOVERRIDE_SECURITY_POLICY
+endif
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
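Review bot: The `ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)` test enables the override for any definition at all, so `make OVERRIDE_SECURITY_POLICY=0`, an empty assignment, or a variable of that name left in the build environment all add `-DOVERRIDE_SECURITY_POLICY`. Because this switch decides whether shim hooks the firmware's image-verification path, the build should require an explicit value, for example `ifeq ($(OVERRIDE_SECURITY_POLICY),1)`. A short comment above the conditional stating the accepted value and what the option changes would also help packagers audit which variant they ship.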
diff --git a/include/security_policy.h b/include/security_policy.h
index b0109ce0..7854db11 100644
--- a/include/security_policy.h
+++ b/include/security_policy.h
@@ -1,3 +1,7 @@
+#ifndef _SHIM_LIB_SECURITY_POLICY_H
+#define _SHIM_LIB_SECURITY_POLICY_H 1
+
+#if defined(OVERRIDE_SECURITY_POLICY)
typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len);
EFI_STATUS
@@ -6,3 +10,6 @@ EFI_STATUS
security_policy_uninstall(void);
void
security_protocol_set_hashes(unsigned char *esl, int len);
+#endif /* OVERRIDE_SECURITY_POLICY */
+
+#endif /* SHIM_LIB_SECURITY_POLICY_H */
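Review bot: The include guard added at the top of this header is spelled `_SHIM_LIB_SECURITY_POLICY_H`, but the closing comment here names `SHIM_LIB_SECURITY_POLICY_H`, and an identifier starting with an underscore and an uppercase letter is reserved for the implementation. Using `SHIM_LIB_SECURITY_POLICY_H` in the `#ifndef`/`#define` pair in the first hunk makes both ends agree and avoids the reserved name. A one-line comment next to `#if defined(OVERRIDE_SECURITY_POLICY)` saying that the header declares nothing when the option is off would warn callers that they must guard their own uses.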
diff --git a/lib/security_policy.c b/lib/security_policy.c
index f1b08420..9af3a107 100644
--- a/lib/security_policy.c
+++ b/lib/security_policy.c
@@ -14,6 +14,7 @@
#include <simple_file.h>
#include <errors.h>
+#if defined(OVERRIDE_SECURITY_POLICY)
#include <security_policy.h>
/*
@@ -348,3 +349,4 @@ security_protocol_set_hashes(unsigned char *esl, int len)
security_policy_esl = esl;
security_policy_esl_len = len;
}
+#endif /* OVERRIDE_SECURITY_POLICY */
diff --git a/shim.c b/shim.c
index 3c55a5a4..b7256291 100644
--- a/shim.c
+++ b/shim.c
@@ -1629,10 +1629,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
&shim_lock_guid, EFI_NATIVE_INTERFACE,
&shim_lock_interface);
+#if defined(OVERRIDE_SECURITY_POLICY)
/*
* Install the security protocol hook
*/
security_policy_install(shim_verify);
+#endif
/*
* Enter MokManager if necessary
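Review bot: The now-optional `security_policy_install(shim_verify);` call discards its result, and the same holds for `security_policy_uninstall();` in the later hunk of this file, which the header appears to declare as returning `EFI_STATUS`. If the uninstall fails, the firmware may keep a hook pointing at shim's verifier after efi_main has returned, and a failed install silently leaves the build without the behaviour it was configured for. Consider capturing and reporting both, e.g. `EFI_STATUS rc = security_policy_uninstall();` followed by `if (EFI_ERROR(rc)) Print(L"Failed to uninstall security policy hook: %r\n", rc);`. efi_main begins and ends outside both hunks, so the right recovery action needs checking against the rest of the function.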
@@ -1657,10 +1659,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle,
&shim_lock_guid, &shim_lock_interface);
+#if defined(OVERRIDE_SECURITY_POLICY)
/*
* Clean up the security protocol hook
*/
security_policy_uninstall();
+#endif
/*
* Free the space allocated for the alternative 2nd stage loader