245592c60e
Test: Pass build and multi-node deploy test Depends-On: https://review.openstack.org/627922 Story: 2004522 Task: 28438 Change-Id: I838e71c0334515ad2e34cbad968188b81f908d6a Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
81 lines
3.1 KiB
Diff
81 lines
3.1 KiB
Diff
From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
|
|
From: root <root@yow-cgts4-lx.wrs.com>
|
|
Date: Mon, 15 Jan 2018 13:25:04 -0500
|
|
Subject: [PATCH] Use Titanium certificate
|
|
|
|
---
|
|
Make.defaults | 6 ++++++
|
|
Makefile | 20 ++++++++++++--------
|
|
2 files changed, 18 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/Make.defaults b/Make.defaults
|
|
index 3cec82d..d7606db 100644
|
|
--- a/Make.defaults
|
|
+++ b/Make.defaults
|
|
@@ -51,6 +51,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
|
|
|
|
COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
|
|
|
|
+# We compile a certificate into shim. Usually this is a one-time generated
|
|
+# certificate (make-certs script) however we want to include a custom
|
|
+# certificate for which we have the key. We use the key to sign the kernel and
|
|
+# grub down the road
|
|
+INTERNAL_CERT = tis-shim
|
|
+
|
|
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
|
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
|
endif
|
|
diff --git a/Makefile b/Makefile
|
|
index 115e7f0..8964a97 100644
|
|
--- a/Makefile
|
|
+++ b/Makefile
|
|
@@ -34,7 +34,7 @@ else
|
|
TARGETS += $(MMNAME) $(FBNAME)
|
|
endif
|
|
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
|
|
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
|
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
|
|
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
|
|
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
|
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
|
|
@@ -52,14 +52,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
|
|
|
|
all: $(TARGETS)
|
|
|
|
-shim.crt:
|
|
- $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
|
+# certificate is now provided in source. To generate a random certificate,
|
|
+# uncomment this rule
|
|
+#$(INTERNAL_CERT).crt:
|
|
+# $(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
|
|
|
-shim.cer: shim.crt
|
|
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
|
|
$(OPENSSL) x509 -outform der -in $< -out $@
|
|
|
|
.NOTPARALLEL: shim_cert.h
|
|
-shim_cert.h: shim.cer
|
|
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
|
|
+# use a fixed name for #include
|
|
+shim_cert.h: $(INTERNAL_CERT).cer
|
|
echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
|
|
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
|
|
echo "};" >> $@
|
|
@@ -70,10 +74,10 @@ version.c : $(TOPDIR)/version.c.in
|
|
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
|
|
< $< > $@
|
|
|
|
-certdb/secmod.db: shim.crt
|
|
+certdb/secmod.db: $(INTERNAL_CERT).crt
|
|
-mkdir certdb
|
|
- $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
|
|
- $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
|
|
+ $(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
|
|
+ $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
|
|
|
shim.o: $(SOURCES)
|
|
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
|
|
--
|
|
1.8.3.1
|
|
|