From dd3a5d71252a1f94e37f1a4c8841d253630b305a Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 23 Jul 2020 12:36:56 -0400
Subject: Add support for vendor_db built-in shim authorized list.
Potential new signing strategies ( for example signing grub, fwupdate and vmlinuz with separate certificates ) require shim to support a vendor provided bundle of trusted certificates and hashes, which allows shim to trust EFI binaries matching either certificate by signature or hash in the vendor_db. Functionality is similar to vendor_dbx. This also improves the mirroring quite a bit. Upstream: pr#206
---
 shim.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'shim.h')
diff --git a/shim.h b/shim.h
index 555498c6..c1d7e7c7 100644
--- a/shim.h
+++ b/shim.h
@@ -97,7 +97,11 @@
 #define FALLBACK L"\\fb" EFI_ARCH L".efi"
 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
 
-#if defined(VENDOR_CERT_FILE)
+#if defined(VENDOR_DB_FILE)
+# define vendor_authorized vendor_db
+# define vendor_authorized_size vendor_db_size
+# define vendor_authorized_category VENDOR_ADDEND_DB
+#elif defined(VENDOR_CERT_FILE)
 # define vendor_authorized vendor_cert
 # define vendor_authorized_size vendor_cert_size
 # define vendor_authorized_category VENDOR_ADDEND_X509
@@ -116,6 +120,7 @@
 #endif
 
 #include "include/asm.h"
+#include "include/compiler.h"
 #include "include/configtable.h"
 #include "include/console.h"
 #include "include/crypt_blowfish.h"
-- 
cgit v1.2.3
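Review bot: The new `#if defined(VENDOR_DB_FILE)` branch in the first hunk wins over `#elif defined(VENDOR_CERT_FILE)` without saying so, so a build that sets both macros would map `vendor_authorized` to `vendor_db` and the single certificate would silently stop being the built-in authorized list. Because this chain selects shim's compiled-in trust anchor, the precedence should be explicit: either a comment such as `/* VENDOR_DB_FILE takes precedence over VENDOR_CERT_FILE when both are set */`, or a guard ahead of the chain, `#if defined(VENDOR_DB_FILE) && defined(VENDOR_CERT_FILE)` / `# error "VENDOR_DB_FILE and VENDOR_CERT_FILE are both set"` / `#endif`, if the combination is not meant to be supported. Whether the build system already rejects that combination is not visible here, and the rest of the conditional chain lies outside the hunk.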