Building iPXE with an empty TRUSTED macro and the intention of having certificate fingerprints set at runtime is currently not possible because even an empty TRUSTED macro will prevent runtime modification of the setting. This commit fixes it by making it possible to override ALLOW_TRUST_OVERRIDE in build-time config, independently of TRUSTED.
Signed-off-by: Ladi Prosek <lpro...@redhat.com>
---
 src/crypto/rootcert.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/crypto/rootcert.c b/src/crypto/rootcert.c
index 40a5271..b1af2ab 100644
--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -32,6 +32,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/init.h>
 #include <ipxe/rootcert.h>
 #include <ipxe/image.h>
+#include <config/general.h>
 /** @file
 *
@@ -43,11 +44,13 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define FINGERPRINT_LEN SHA256_DIGEST_SIZE
 /* Allow trusted certificates to be overridden if not explicitly specified */
+#ifndef ALLOW_TRUST_OVERRIDE
 #ifdef TRUSTED
 #define ALLOW_TRUST_OVERRIDE 0
 #else
 #define ALLOW_TRUST_OVERRIDE 1
 #endif
+#endif /* ALLOW_TRUST_OVERRIDE */
 /* Use iPXE root CA if no trusted certificates are explicitly specified */
 #ifndef TRUSTED
--
2.5.5
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
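Review bot: The comment above the new `#ifndef ALLOW_TRUST_OVERRIDE` guard in the second hunk still says the override is allowed only "if not explicitly specified", which is no longer the whole rule. A build config that sets `ALLOW_TRUST_OVERRIDE` to 1 alongside a non-empty `TRUSTED` now lets the runtime setting replace the fingerprints pinned at build time, so the root of trust then depends on whatever supplies that setting. I would reword the comment to something like `/* Runtime override of trusted certificates: enabled by default only when TRUSTED is undefined; config may force either value */` and say there that forcing it to 1 gives up the build-time pin. The diffstat shows only rootcert.c changed, so config/general.h apparently gains no documented entry for the option; a commented-out default there would make it discoverable. The code that consumes the macro lies outside the hunk, so whether an empty `#define ALLOW_TRUST_OVERRIDE` (which passes the guard) still compiles and behaves as intended should be checked.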