[crypto] Allow for explicit control of external trust sources

We currently disable all external trust sources (such as the UEFI
TlsCaCertificate variable) if an explicit TRUST=... parameter is
provided on the build command line.

Define an explicit TRUST_EXT build parameter that can be used to
explicitly disable external trust sources even if no TRUST=...
parameter is provided, or to explicitly enable external trust sources
even if an explicit TRUST=... parameter is provided.  For example:

   # Default trusted root certificate, disable external sources
   make TRUST_EXT=0

   # Explicit trusted root certificate, enable external sources
   make TRUST=custom.crt TRUST_EXT=1

If no TRUST_EXT parameter is specified, then continue to default to
disabling external trust sources if an explicit TRUST=... parameter is
provided, to maintain backwards compatibility with existing build
command lines.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index d99a6fe6a7007a5c12181c103ffc00b8c02598af..11aab7a50dcd68e47d027ec22156b7f21816c661 100644 (file)
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -606,7 +606,7 @@ embedded_DEPS += $(EMBEDDED_FILES) $(EMBEDDED_LIST)
 
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
 
-# List of trusted root certificates
+# List of trusted root certificate configuration
 #
 TRUSTED_LIST   := $(BIN)/.trusted.list
 ifeq ($(wildcard $(TRUSTED_LIST)),)
@@ -614,8 +614,9 @@ TRUST_OLD := <invalid>
 else
 TRUST_OLD := $(shell cat $(TRUSTED_LIST))
 endif
-ifneq ($(TRUST_OLD),$(TRUST))
-$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
+TRUST_CFG := $(TRUST) $(TRUST_EXT)
+ifneq ($(TRUST_OLD),$(TRUST_CFG))
+$(shell $(ECHO) "$(TRUST_CFG)" > $(TRUSTED_LIST))
 endif
 
 $(TRUSTED_LIST) : $(MAKEDEPS)
@@ -632,7 +633,8 @@ TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\
 
 rootcert_DEPS += $(TRUSTED_FILES) $(TRUSTED_LIST)
 
-CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
+CFLAGS_rootcert += $(if $(TRUST_EXT),-DALLOW_TRUST_OVERRIDE=$(TRUST_EXT))
+CFLAGS_rootcert += $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
 
 # List of embedded certificates
 #

diff --git a/src/crypto/rootcert.c b/src/crypto/rootcert.c
index e2b817c57847b7e391114cb9b8e29aaad86a9761..b198c1d95c63e58d4f92431eb022bda32fa8d4df 100644 (file)
--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -42,10 +42,12 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define FINGERPRINT_LEN SHA256_DIGEST_SIZE
 
 /* Allow trusted certificates to be overridden if not explicitly specified */
-#ifdef TRUSTED
-#define ALLOW_TRUST_OVERRIDE 0
-#else
-#define ALLOW_TRUST_OVERRIDE 1
+#ifndef ALLOW_TRUST_OVERRIDE
+ #ifdef TRUSTED
+  #define ALLOW_TRUST_OVERRIDE 0
+ #else
+  #define ALLOW_TRUST_OVERRIDE 1
+ #endif
 #endif
 
 /* Use iPXE root CA if no trusted certificates are explicitly specified */