Add ENABLE_SHIM_CERT to make MokManager/fallback signing optional.

This makes shim not create its own keyring and sign MokManager and
fallback by default.

Signed-off-by: Peter Jones <pjones@redhat.com>

BUILDING

@@ -26,6 +26,11 @@ Variables you should set to customize the build:
   correct.
 
 Variables you could set to customize the build:
+- ENABLE_SHIM_CERT
+  if this variable is defined one the make command line, shim will
+  generate keys during the build and sign MokManager and fallback with
+  them, and the signed version will be what gets installed with the
+  install targets
 - ENABLE_HTTPBOOT
   build support for http booting
 - ARCH

Makefile

@@ -127,8 +127,12 @@ endif
 LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
 
 TARGETS	= $(SHIMNAME)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 TARGETS	+= $(MMNAME).signed $(FBNAME).signed
+CFLAGS += -DENABLE_SHIM_CERT
+else
 TARGETS += $(MMNAME) $(FBNAME)
+endif
 OBJS	= shim.o netboot.o cert.o replacements.o tpm.o version.o
 KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
 ORIG_SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h
@@ -171,7 +175,9 @@ certdb/secmod.db: shim.crt
 	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
 
 shim.o: $(SOURCES)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 shim.o: shim_cert.h
+endif
 shim.o: $(wildcard $(TOPDIR)/*.h)
 
 cert.o : $(TOPDIR)/cert.S
@@ -230,20 +236,26 @@ install : install-deps
 	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
 	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
 	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
 	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
 	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
+else
 	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
 	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
 	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
+endif
 
 install-as-data : install-deps
 	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
 	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
 	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+else
 	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
 	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+endif
 
 %.efi: %.so
 ifneq ($(OBJCOPY_GTE224),1)

shim.c

@@ -40,7 +40,6 @@
 #include "shim.h"
 #include "netboot.h"
 #include "httpboot.h"
-#include "shim_cert.h"
 #include "replacements.h"
 #include "tpm.h"
 #include "ucs2.h"
@@ -52,6 +51,10 @@
 #include "console.h"
 #include "version.h"
 
+#ifdef ENABLE_SHIM_CERT
+#include "shim_cert.h"
+#endif
+
 #include <stdarg.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -1026,6 +1029,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 		return status;
 
 	if (cert) {
+#if defined(ENABLE_SHIM_CERT)
 		/*
 		 * Check against the shim build key
 		 */
@@ -1039,6 +1043,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 			status = EFI_SUCCESS;
 			return status;
 		}
+#endif /* defined(ENABLE_SHIM_CERT) */
 
 		/*
 		 * And finally, check against shim's built-in key