proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-13 19:48:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Conditionalize overriding the security policy.

Browse Source 
Make OVERRIDE_SECURITY_POLICY a build option.

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2013-10-01 13:55:27 -04:00
parent 4537217422
commit f330528786
4 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -21,6 +21,10 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif

7
include/security_policy.h
View File

@ -1,3 +1,7 @@
#ifndef _SHIM_LIB_SECURITY_POLICY_H
#define _SHIM_LIB_SECURITY_POLICY_H 1
#if defined(OVERRIDE_SECURITY_POLICY)
typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len);
EFI_STATUS
@ -6,3 +10,6 @@ EFI_STATUS
security_policy_uninstall(void);
void
security_protocol_set_hashes(unsigned char *esl, int len);
#endif /* OVERRIDE_SECURITY_POLICY */
#endif /* SHIM_LIB_SECURITY_POLICY_H */

2
lib/security_policy.c
View File

@ -14,6 +14,7 @@
#include <simple_file.h>
#include <errors.h>
#if defined(OVERRIDE_SECURITY_POLICY)
#include <security_policy.h>
/*
@ -348,3 +349,4 @@ security_protocol_set_hashes(unsigned char *esl, int len)
security_policy_esl = esl;
security_policy_esl_len = len;
}
#endif /* OVERRIDE_SECURITY_POLICY */

4
shim.c
View File

@ -1629,10 +1629,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
&shim_lock_guid, EFI_NATIVE_INTERFACE,
&shim_lock_interface);
#if defined(OVERRIDE_SECURITY_POLICY)
/*
* Install the security protocol hook
*/
security_policy_install(shim_verify);
#endif
/*
* Enter MokManager if necessary
@ -1657,10 +1659,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle,
&shim_lock_guid, &shim_lock_interface);
#if defined(OVERRIDE_SECURITY_POLICY)
/*
* Clean up the security protocol hook
*/
security_policy_uninstall();
#endif
/*
* Free the space allocated for the alternative 2nd stage loader