From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
From: root <root@yow-cgts4-lx.wrs.com>
Date: Mon, 15 Jan 2018 13:25:04 -0500
Subject: [PATCH] Use Titanium certificate

---
 Makefile | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 6ece282..bb4f7f9 100644
--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,12 @@ FBNAME		= fallback
 
 COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
 
+# We compile a certificate into shim.  Usually this is a one-time generated
+# certificate (make-certs script) however we want to include a custom
+# certificate for which we have the key.  We use the key to sign the kernel and
+# grub down the road
+INTERNAL_CERT = tis-shim
+
 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
 	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
 endif
@@ -90,7 +96,7 @@ LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
 
 TARGET	= $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
 OBJS	= shim.o netboot.o cert.o replacements.o tpm.o version.o
-KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+KEYS    = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
 SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
 MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
@@ -104,13 +110,17 @@ endif
 
 all: $(TARGET)
 
-shim.crt:
-	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+# certificate is now provided in source.  To generate a random certificate,
+# uncomment this rule
+#$(INTERNAL_CERT).crt:
+#	./make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
 
-shim.cer: shim.crt
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
 	openssl x509 -outform der -in $< -out $@
 
-shim_cert.h: shim.cer
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
+# use a fixed name for #include
+shim_cert.h: $(INTERNAL_CERT).cer
 	echo "static UINT8 shim_cert[] = {" > $@
 	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
 	echo "};" >> $@
@@ -121,10 +131,10 @@ version.c : version.c.in
 		-e "s,@@COMMIT@@,$(COMMITID)," \
 		< version.c.in > version.c
 
-certdb/secmod.db: shim.crt
+certdb/secmod.db: $(INTERNAL_CERT).crt
 	-mkdir certdb
-	pk12util -d certdb/ -i shim.p12 -W "" -K ""
-	certutil -d certdb/ -A -i shim.crt -n shim -t u
+	pk12util -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
+	certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
 
 shim.o: $(SOURCES) shim_cert.h
 shim.o: $(wildcard *.h)
-- 
1.8.3.1