From eb02afc6f822576b73b7added3966ad7e72fd342 Mon Sep 17 00:00:00 2001 From: Dennis Tseng Date: Wed, 5 Jun 2024 22:33:06 +0800 Subject: Optionally enabling codesign EKU check in compiling time. This commit also supersedes PR#232 which was closed on Jul 1, 2021. So that original codesign EKU codes cannot be bothered. To enable the codesign check, ENABLE_CODESIGN_EKU can be set to 1. To disable the codesign check, ENABLE_CODESIGN_EKU can be set to 0 or just omit this flag. For example: make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi Signed-off-by: Dennis Tseng --- Cryptlib/Library/BaseCryptLib.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Cryptlib/Library/BaseCryptLib.h') diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h index ed482d3f..439f0516 100644 --- a/Cryptlib/Library/BaseCryptLib.h +++ b/Cryptlib/Library/BaseCryptLib.h @@ -2403,6 +2403,7 @@ Pkcs7Verify ( IN UINTN DataLength ); +#if defined(ENABLE_CODESIGN_EKU) /** This function receives a PKCS#7 formatted signature blob, looks for the EKU SEQUENCE blob, and if found then looks @@ -2442,6 +2443,7 @@ VerifyEKUsInPkcs7Signature ( IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent ); +#endif /** Extracts the attached content from a PKCS#7 signed data if existed. The input signed -- cgit v1.2.3
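Review bot: The guard `#if defined(ENABLE_CODESIGN_EKU)` added above the `VerifyEKUsInPkcs7Signature` declaration is true for any definition of the macro, including `ENABLE_CODESIGN_EKU=0`, while the commit message says a value of 0 disables the check. Whether this matters depends on how the Makefile turns the make variable into a `-D` flag, which this single-file view does not show. If the value is ever passed through as-is, a build configured with 0 would still take the EKU-enabled path, and a Secure Boot verification option should not depend on that detail. Testing the value keeps the header in line with the documented contract either way: `#if defined(ENABLE_CODESIGN_EKU) && ENABLE_CODESIGN_EKU`, with the same condition at the definition and call sites. The `#endif` in the second hunk sits about forty lines below its opener, so I would write it as `#endif /* ENABLE_CODESIGN_EKU */` and add a one-line comment above the guard noting that the codesign EKU check is a build-time option that is compiled out when the flag is omitted.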