[crypto] Allow for explicit control of external trust sources

We currently disable all external trust sources (such as the UEFI
TlsCaCertificate variable) if an explicit TRUST=... parameter is
provided on the build command line.

Define an explicit TRUST_EXT build parameter that can be used to
explicitly disable external trust sources even if no TRUST=...
parameter is provided, or to explicitly enable external trust sources
even if an explicit TRUST=... parameter is provided.  For example:

   # Default trusted root certificate, disable external sources
   make TRUST_EXT=0

   # Explicit trusted root certificate, enable external sources
   make TRUST=custom.crt TRUST_EXT=1

If no TRUST_EXT parameter is specified, then continue to default to
disabling external trust sources if an explicit TRUST=... parameter is
provided, to maintain backwards compatibility with existing build
command lines.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2025-04-15 13:11:48 +01:00
parent 37e9f785ba
commit 424839c58a
2 changed files with 12 additions and 8 deletions


@@ -606,7 +606,7 @@ embedded_DEPS += $(EMBEDDED_FILES) $(EMBEDDED_LIST)
CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
# List of trusted root certificates
# List of trusted root certificate configuration
#
TRUSTED_LIST := $(BIN)/.trusted.list
ifeq ($(wildcard $(TRUSTED_LIST)),)
@@ -614,8 +614,9 @@ TRUST_OLD := <invalid>
else
TRUST_OLD := $(shell cat $(TRUSTED_LIST))
endif
ifneq ($(TRUST_OLD),$(TRUST))
$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
TRUST_CFG := $(TRUST) $(TRUST_EXT)
ifneq ($(TRUST_OLD),$(TRUST_CFG))
$(shell $(ECHO) "$(TRUST_CFG)" > $(TRUSTED_LIST))
endif
$(TRUSTED_LIST) : $(MAKEDEPS)
@@ -632,7 +633,8 @@ TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\
rootcert_DEPS += $(TRUSTED_FILES) $(TRUSTED_LIST)
CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
CFLAGS_rootcert += $(if $(TRUST_EXT),-DALLOW_TRUST_OVERRIDE=$(TRUST_EXT))
CFLAGS_rootcert += $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
# List of embedded certificates
#
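Review bot: TRUST_EXT is used without validation: `$(if $(TRUST_EXT),-DALLOW_TRUST_OVERRIDE=$(TRUST_EXT))` forwards any non-empty value, so a typo such as `TRUST_EXT=no` or `TRUST_EXT=true` reaches the compiler as the macro's value, and how that evaluates depends on code outside this hunk. Because this parameter decides whether external trust sources are honoured, the build should fail on anything other than 0 or 1, ahead of the `TRUST_CFG :=` line: `ifneq ($(filter-out 0 1,$(TRUST_EXT)),)`, `$(error TRUST_EXT must be 0 or 1)`, `endif`. A short comment beside `TRUST_CFG` saying that TRUST_EXT is recorded in the list file so that changing it triggers a rebuild of the root certificate object would also help the next reader.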


@@ -42,10 +42,12 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#define FINGERPRINT_LEN SHA256_DIGEST_SIZE
/* Allow trusted certificates to be overridden if not explicitly specified */
#ifdef TRUSTED
#define ALLOW_TRUST_OVERRIDE 0
#else
#define ALLOW_TRUST_OVERRIDE 1
#ifndef ALLOW_TRUST_OVERRIDE
#ifdef TRUSTED
#define ALLOW_TRUST_OVERRIDE 0
#else
#define ALLOW_TRUST_OVERRIDE 1
#endif
#endif
/* Use iPXE root CA if no trusted certificates are explicitly specified */
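Review bot: The comment above the `#ifndef ALLOW_TRUST_OVERRIDE` block still reads "if not explicitly specified", which no longer describes the behaviour. A build that defines both TRUSTED and ALLOW_TRUST_OVERRIDE=1 keeps the override enabled even though the roots were given explicitly. I would reword it along the lines of `/* Allow external trust sources to override the trusted certificates; defaults to off when TRUSTED is defined, unless the build sets ALLOW_TRUST_OVERRIDE */`, so that a reader does not assume TRUSTED alone pins the root set. The code that consumes ALLOW_TRUST_OVERRIDE is outside this hunk.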