
[crypto] Allow trusted certificates to be stored in non-volatile options

The intention of the existing code (as documented in its own comments)
is that it should be possible to override the list of trusted root
certificates using a "trust" setting held in non-volatile stored
options.  However, the rootcert_init() function currently executes
before any devices have been probed, and so will not be able to
retrieve any such non-volatile stored options.

Fix by executing rootcert_init() only after devices have been probed.
Since startup functions may be executed multiple times (unlike
initialisation functions), add an explicit flag to preserve the
property that rootcert_init() should run only once.

As before, if an explicit root of trust is specified at build time,
then any runtime "trust" setting will be ignored.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8 years ago
parent
commit
0141ea3a77
1 changed files with 7 additions and 3 deletions
  1. 7
    3
      src/crypto/rootcert.c

+ 7
- 3
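--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -93,13 +93,14 @@
  * a rebuild.
  */
 static void rootcert_init ( void ) {
+	static int initialised;
 	void *external = NULL;
 	int len;
 
 	/* Allow trusted root certificates to be overridden only if
 	 * not explicitly specified at build time.
 	 */
-	if ( ALLOW_TRUST_OVERRIDE ) {
+	if ( ALLOW_TRUST_OVERRIDE && ( ! initialised ) ) {
 
 		/* Fetch copy of "trust" setting, if it exists.  This
 		 * memory will never be freed.
@@ -109,6 +110,9 @@
 			root_certificates.fingerprints = external;
 			root_certificates.count = ( len / FINGERPRINT_LEN );
 		}
+
+		/* Prevent subsequent modifications */
+		initialised = 1;
 	}
 
 	DBGC ( &root_certificates, "ROOTCERT using %d %s certificate(s):\n",
@@ -118,6 +122,6 @@
 }
 
 /** Root certificate initialiser */
-struct init_fn rootcert_init_fn __init_fn ( INIT_LATE ) = {
-	.initialise = rootcert_init,
+struct startup_fn rootcert_startup_fn __startup_fn ( STARTUP_LATE ) = {
+	.startup = rootcert_init,
 };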
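Review bot: The `initialised` flag in rootcert_init() carries an undocumented security invariant: it is the only thing that fixes the trusted root list after the first startup pass, and `/* Prevent subsequent modifications */` does not say why that matters. The commit message notes that startup functions may run more than once, and settings acquired after the first pass could presumably include a "trust" value, so I would state the invariant at the declaration, e.g. `/* Set on first startup: "trust" is read exactly once, so settings acquired later cannot replace the trusted root list */`. The assignment sits after the inner block closes, so the flag appears to latch even when no "trust" setting was found; the fetch itself lies between the hunks and is not visible, so that reading should be confirmed and then spelled out in the comment. The `/** Root certificate initialiser */` comment above `rootcert_startup_fn` is now stale and could read `/** Root certificate startup function */`; the function's own doc comment starts above the first hunk and may need the same update.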
