[ipxe-devel] [PATCH 5/5] [crypto] Allow ALLOW_TRUST_OVERRIDE to be overriden by config

Ladi Prosek lprosek at redhat.com
Mon Jul 25 16:14:33 UTC 2016


Building iPXE with an empty TRUSTED macro and the intention of having
certificate fingerprints set at runtime is currently not possible because
even an empty TRUSTED macro will prevent runtime modification of the
setting. This commit fixes it by making it possible to override
ALLOW_TRUST_OVERRIDE in build-time config, independently of TRUSTED.

Signed-off-by: Ladi Prosek <lprosek at redhat.com>
---
 src/crypto/rootcert.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crypto/rootcert.c b/src/crypto/rootcert.c
index 40a5271..b1af2ab 100644
--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -32,6 +32,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/init.h>
 #include <ipxe/rootcert.h>
 #include <ipxe/image.h>
+#include <config/general.h>
 
 /** @file
  *
@@ -43,11 +44,13 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define FINGERPRINT_LEN SHA256_DIGEST_SIZE
 
 /* Allow trusted certificates to be overridden if not explicitly specified */
+#ifndef ALLOW_TRUST_OVERRIDE
 #ifdef TRUSTED
 #define ALLOW_TRUST_OVERRIDE 0
 #else
 #define ALLOW_TRUST_OVERRIDE 1
 #endif
+#endif /* ALLOW_TRUST_OVERRIDE */
 
 /* Use iPXE root CA if no trusted certificates are explicitly specified */
 #ifndef TRUSTED
-- 
2.5.5




More information about the ipxe-devel mailing list