diff --git a/BUILDING b/BUILDING
index 3609b5b..461b85c 100644
--- a/BUILDING
+++ b/BUILDING
@@ -26,6 +26,11 @@ Variables you should set to customize the build: correct. Variables you could set to customize the build: +- ENABLE_SHIM_CERT if this variable is defined one the make command line, shim will generate keys during the build and sign MokManager and fallback with them, and the signed version will be what gets installed with the install targets - ENABLE_HTTPBOOT build support for http booting - ARCH
diff --git a/Makefile b/Makefile
index 4226c2f..2137db2 100644
--- a/Makefile
+++ b/Makefile
@@ -127,8 +127,12 @@ endif
 LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
 TARGETS = $(SHIMNAME)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 TARGETS += $(MMNAME).signed $(FBNAME).signed
+CFLAGS += -DENABLE_SHIM_CERT
+else
 TARGETS += $(MMNAME) $(FBNAME)
+endif
 OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
 KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
 ORIG_SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h
@@ -171,7 +175,9 @@ certdb/secmod.db: shim.crt
 $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
 shim.o: $(SOURCES)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 shim.o: shim_cert.h
+endif
 shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
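Review bot: `CFLAGS += -DENABLE_SHIM_CERT` is a plain append, so a `CFLAGS=...` given on the make command line silently discards it while TARGETS still selects `$(MMNAME).signed` and `$(FBNAME).signed`; the result is a shim.efi compiled without the build-key check, installed next to a MokManager and fallback that BUILDING says are signed with exactly that key. Use `override CFLAGS += -DENABLE_SHIM_CERT`, or carry the define in a dedicated variable the compile rule adds unconditionally, so the preprocessor guard and the target selection cannot disagree. Note also that `$(origin ENABLE_SHIM_CERT)` is `environment` as well as `command line`, so an exported variable in the build environment turns on the build-host key even though BUILDING presents it as a command-line option; a one-line comment above the `ifneq` would make that explicit, e.g. `# Any definition (command line or environment) compiles in and trusts the build-time key.`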
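Review bot: The dependency `shim.o: shim_cert.h` only triggers when shim_cert.h is newer than shim.o, so flipping ENABLE_SHIM_CERT between two invocations without `make clean` links a stale object: after an enabled build, a disabled build leaves shim_cert.h in place (older than shim.o), keeps a shim.o that still embeds and trusts the build-host key, and installs unsigned MokManager/fallback beside it; the reverse can happen whenever shim_cert.h happens to pre-date shim.o. A trust toggle should force a rebuild when its value changes, which a stamp file that records the setting and that shim.o depends on achieves; the stamp should also be added to the clean list (KEYS or OBJS). For example:
```make
# … unchanged: shim.o: $(SOURCES) and the conditional shim.o: shim_cert.h dependency …
# Rebuild shim.o whenever ENABLE_SHIM_CERT changes, not only when shim_cert.h does.
shim_cert_enabled := $(if $(filter undefined,$(origin ENABLE_SHIM_CERT)),0,1)
.shim_cert.stamp: .FORCE
	@[ "$$(cat $@ 2>/dev/null)" = "$(shim_cert_enabled)" ] || echo "$(shim_cert_enabled)" > $@
.FORCE:
shim.o: .shim_cert.stamp
```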
@@ -230,20 +236,26 @@ install : install-deps
 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
 $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
+else
 $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
+endif
 install-as-data : install-deps
 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
 $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+else
 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
 $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+endif
 %.efi: %.so
 ifneq ($(OBJCOPY_GTE224),1)
diff --git a/shim.c b/shim.c
index a9be9ac..bd314b3 100644
--- a/shim.c
+++ b/shim.c
@@ -40,7 +40,6 @@
 #include "shim.h"
 #include "netboot.h"
 #include "httpboot.h"
-#include "shim_cert.h"
 #include "replacements.h"
 #include "tpm.h"
 #include "ucs2.h"
@@ -52,6 +51,10 @@
 #include "console.h"
 #include "version.h"
+#ifdef ENABLE_SHIM_CERT
+#include "shim_cert.h"
+#endif
+
 #include
 #include
 #include
@@ -1026,6 +1029,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 return status;
 if (cert) {
+#if defined(ENABLE_SHIM_CERT)
 /*
 * Check against the shim build key
 */
@@ -1039,6 +1043,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 status = EFI_SUCCESS;
 return status;
 }
+#endif /* defined(ENABLE_SHIM_CERT) */
 /*
 * And finally, check against shim's built-in key
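Review bot: The `$(origin ENABLE_SHIM_CERT)` test is now copied into four places (TARGETS, shim.o, install, install-as-data), each hand-listing which of `$(MMNAME)`/`$(MMNAME).signed` and `$(FBNAME)`/`$(FBNAME).signed` to copy, so the build list and the two install lists can drift apart in a later edit. Resolving the choice once into a pair of variables next to TARGETS and installing those keeps the installed files equal to what was built by construction, and the install recipes lose their conditionals; install-as-data would use the same two variables. For example:
```make
# Next to TARGETS: decide once which MokManager/fallback binaries are shipped.
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
MMINSTALL := $(MMNAME).signed
FBINSTALL := $(FBNAME).signed
else
MMINSTALL := $(MMNAME)
FBINSTALL := $(FBNAME)
endif
TARGETS += $(MMINSTALL) $(FBINSTALL)
# … unchanged: install-deps and the shim / BOOT.CSV copies …
	$(INSTALL) -m 0644 $(FBINSTALL) $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMINSTALL) $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMINSTALL) $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
```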
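Review bot: `#ifdef ENABLE_SHIM_CERT` around the include and `#if defined(ENABLE_SHIM_CERT)` around the verify_buffer block of the same change spell one test two ways, which makes a grep for every site the build key touches unreliable. Settling on the `#if defined(ENABLE_SHIM_CERT)` form here, closed with `#endif /* defined(ENABLE_SHIM_CERT) */`, matches the other site and carries the closing comment it already has.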
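Review bot: Nothing at the new `#if defined(ENABLE_SHIM_CERT)` says that the code it guards makes shim accept binaries signed with a key generated on the build host, or that the switch is the Makefile's ENABLE_SHIM_CERT variable; the guarded branch ends in `status = EFI_SUCCESS; return status;` in the following hunk, and verify_buffer itself starts and ends outside this hunk. A comment above the guard would stop a reader treating this as an always-on vendor check, e.g. `/* Compiled in only when the Makefile is given ENABLE_SHIM_CERT: trusts the key generated on the build host (shim_cert.h). Never enable for a distribution-signed shim. */`. It is also worth stating that ordering matters: the build-key check precedes the "built-in key" check that follows it, so with the option on a build-host signature returns success before the remaining checks run — confirm that is intended and say so at the guard.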