diff --git a/Makefile b/Makefile index 581be0a..311a2c9 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,10 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) + +ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) + CFLAGS += -DOVERRIDE_SECURITY_POLICY +endif ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif diff --git a/include/security_policy.h b/include/security_policy.h index b0109ce..7854db1 100644 --- a/include/security_policy.h +++ b/include/security_policy.h @@ -1,3 +1,7 @@ +#ifndef _SHIM_LIB_SECURITY_POLICY_H +#define _SHIM_LIB_SECURITY_POLICY_H 1 + +#if defined(OVERRIDE_SECURITY_POLICY) typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len); EFI_STATUS @@ -6,3 +10,6 @@ EFI_STATUS security_policy_uninstall(void); void security_protocol_set_hashes(unsigned char *esl, int len); +#endif /* OVERRIDE_SECURITY_POLICY */ + +#endif /* SHIM_LIB_SECURITY_POLICY_H */ diff --git a/lib/security_policy.c b/lib/security_policy.c index f1b0842..9af3a10 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -14,6 +14,7 @@ #include #include +#if defined(OVERRIDE_SECURITY_POLICY) #include /* @@ -348,3 +349,4 @@ security_protocol_set_hashes(unsigned char *esl, int len) security_policy_esl = esl; security_policy_esl_len = len; } +#endif /* OVERRIDE_SECURITY_POLICY */ diff --git a/shim.c b/shim.c index 3c55a5a..b725629 100644 --- a/shim.c +++ b/shim.c @@ -1629,10 +1629,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &shim_lock_guid, EFI_NATIVE_INTERFACE, &shim_lock_interface); +#if defined(OVERRIDE_SECURITY_POLICY) /* * Install the security protocol hook */ security_policy_install(shim_verify); +#endif /* * Enter MokManager if necessary 
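Review bot: The `ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)` test in the Makefile hunk turns the option on for any definition of the variable, including `OVERRIDE_SECURITY_POLICY=0`, an empty value, or a same-named variable inherited from the build environment, because `origin` reports all of those as defined. Since this flag decides whether shim installs its security protocol hook, I would key it on an explicit value, e.g. `ifeq ($(OVERRIDE_SECURITY_POLICY),1)`. A comment above the block should say what the option does and that it is off by default. Unless rules outside this hunk handle it, objects already built are not recompiled when the flag changes, so that comment could also mention a clean rebuild.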
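Review bot: The include guard added at the top of include/security_policy.h is spelled `_SHIM_LIB_SECURITY_POLICY_H`, which is a reserved identifier (underscore followed by an uppercase letter), while the closing comment in this file's second hunk names `SHIM_LIB_SECURITY_POLICY_H` without the underscore. Using `SHIM_LIB_SECURITY_POLICY_H` in the `#ifndef`/`#define` pair would make the guard and its comment agree. With the option unset the header now declares nothing, so any caller of `security_protocol_set_hashes()` outside the guarded code shown on this page would be left with an implicit declaration. A short comment next to the `#if`, such as `/* declarations exist only when built with OVERRIDE_SECURITY_POLICY */`, would make that visible to the next reader.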
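Review bot: The status returned by `security_policy_install(shim_verify);` in the first shim.c hunk is still discarded, and the same holds for `security_policy_uninstall();` in the second shim.c hunk, which the header declares as returning `EFI_STATUS`. Now that the hook is an explicit build-time choice, a failed install means the option silently has no effect. A failed uninstall would presumably leave the firmware holding a hook into an image that is about to exit, though that is inferred from the names rather than shown here. I would check both results and at least report the failure, e.g. `if (EFI_ERROR(security_policy_install(shim_verify))) Print(L"security policy hook not installed\n");`. It would also help to extend the existing comment to say that without `OVERRIDE_SECURITY_POLICY` only the shim lock protocol installed just above is available to later stages, if that is the intended contract. `efi_main` starts and ends outside both hunks.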
@@ -1657,10 +1659,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, &shim_lock_guid, &shim_lock_interface); +#if defined(OVERRIDE_SECURITY_POLICY) /* * Clean up the security protocol hook */ security_policy_uninstall(); +#endif /* * Free the space allocated for the alternative 2nd stage loader