From 424839c58ab75afe483455f42a1e3345ca878eca Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Tue, 15 Apr 2025 13:11:48 +0100
Subject: [PATCH] [crypto] Allow for explicit control of external trust sources
We currently disable all external trust sources (such as the UEFI TlsCaCertificate variable) if an explicit TRUST=... parameter is provided on the build command line.
Define an explicit TRUST_EXT build parameter that can be used to explicitly disable external trust sources even if no TRUST=... parameter is provided, or to explicitly enable external trust sources even if an explicit TRUST=... parameter is provided.
For example:
# Default trusted root certificate, disable external sources
make TRUST_EXT=0
# Explicit trusted root certificate, enable external sources
make TRUST=custom.crt TRUST_EXT=1
If no TRUST_EXT parameter is specified, then continue to default to disabling external trust sources if an explicit TRUST=... parameter is provided, to maintain backwards compatibility with existing build command lines.
Signed-off-by: Michael Brown
---
 src/Makefile.housekeeping | 10 ++++++----
 src/crypto/rootcert.c | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index d99a6fe6a..11aab7a50 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -606,7 +606,7 @@ embedded_DEPS += $(EMBEDDED_FILES) $(EMBEDDED_LIST)
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
-# List of trusted root certificates
+# List of trusted root certificate configuration
 #
 TRUSTED_LIST := $(BIN)/.trusted.list
 ifeq ($(wildcard $(TRUSTED_LIST)),)
@@ -614,8 +614,9 @@ TRUST_OLD :=
 else
 TRUST_OLD := $(shell cat $(TRUSTED_LIST))
 endif
-ifneq ($(TRUST_OLD),$(TRUST))
-$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
+TRUST_CFG := $(TRUST) $(TRUST_EXT)
+ifneq ($(TRUST_OLD),$(TRUST_CFG))
+$(shell $(ECHO) "$(TRUST_CFG)" > $(TRUSTED_LIST))
 endif
 $(TRUSTED_LIST) : $(MAKEDEPS)
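Review bot: `TRUST_CFG := $(TRUST) $(TRUST_EXT)` in the second hunk builds the change-detection key with a bare space as the only separator, so the value written to `$(TRUSTED_LIST)` is not self-describing, and if `TRUST` can itself contain whitespace two different configurations may produce keys that differ only in trailing whitespace, leaving the rebuild decision resting on `ifneq` and `$(shell cat ...)` preserving that whitespace exactly. A labelled key removes the ambiguity and is easier to inspect when debugging a stale `.trusted.list`: `TRUST_CFG := TRUST=$(TRUST) TRUST_EXT=$(TRUST_EXT)`. The format change also means one extra rebuild of rootcert on the first build after this commit, which appears intended. The recipe of the `$(TRUSTED_LIST) : $(MAKEDEPS)` rule lies outside the hunk.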
@@ -632,7 +633,8 @@ TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\
 rootcert_DEPS += $(TRUSTED_FILES) $(TRUSTED_LIST)
-CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
+CFLAGS_rootcert += $(if $(TRUST_EXT),-DALLOW_TRUST_OVERRIDE=$(TRUST_EXT))
+CFLAGS_rootcert += $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
 # List of embedded certificates
 #
diff --git a/src/crypto/rootcert.c b/src/crypto/rootcert.c
index e2b817c57..b198c1d95 100644
--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -42,10 +42,12 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define FINGERPRINT_LEN SHA256_DIGEST_SIZE
 /* Allow trusted certificates to be overridden if not explicitly specified */
-#ifdef TRUSTED
-#define ALLOW_TRUST_OVERRIDE 0
-#else
-#define ALLOW_TRUST_OVERRIDE 1
+#ifndef ALLOW_TRUST_OVERRIDE
+ #ifdef TRUSTED
+ #define ALLOW_TRUST_OVERRIDE 0
+ #else
+ #define ALLOW_TRUST_OVERRIDE 1
+ #endif
 #endif
 /* Use iPXE root CA if no trusted certificates are explicitly specified */
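Review bot: `-DALLOW_TRUST_OVERRIDE=$(TRUST_EXT)` hands the raw `TRUST_EXT` value to the preprocessor without checking it, so anything other than `0` or `1` (for instance `TRUST_EXT=no`, or a stray value inherited from the environment) becomes a C token in rootcert.c; from what is visible here a non-numeric value would presumably fail the compile with an unrelated-looking error, while a numeric value other than 0 or 1 is accepted silently. Since this flag decides whether the built-in trusted root set may be altered by external sources at runtime, a clear failure at make time is preferable; a guard before the new `CFLAGS_rootcert +=` line does it: `ifneq ($(filter-out 0 1,$(TRUST_EXT)),)` / `$(error TRUST_EXT must be 0 or 1)` / `endif`. A one-line comment above that line saying `# TRUST_EXT=0|1 forces external trust sources off/on; default derives from TRUST` would also help, as the parameter is otherwise documented only in the commit message.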
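Review bot: The comment `/* Allow trusted certificates to be overridden if not explicitly specified */` above the new `#ifndef ALLOW_TRUST_OVERRIDE` block now describes only the fallback branch; the outer guard exists so the build can predefine the value (the commit message introduces `TRUST_EXT` for exactly this), and that is the first thing a reader of the block needs to know. Suggest replacing it with `/* Allow trusted certificates to be overridden by external sources: may be predefined by the build (TRUST_EXT=0|1); otherwise 0 if certificates were explicitly specified (TRUSTED), else 1 */`. The consumers of `ALLOW_TRUST_OVERRIDE` are outside the hunk, so it is not visible here whether values other than 0 and 1 are treated as plain booleans; the comment should state whichever contract applies.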