[crypto] Allow certificates to be marked as having been added explicitly

Allow certificates to be marked as having been added explicitly at run
time.  Such certificates will not be discarded via the certificate
store cache discarder.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/certstore.c

@@ -152,6 +152,10 @@ void certstore_add ( struct x509_certificate *cert ) {
  */
 void certstore_del ( struct x509_certificate *cert ) {
 
+	/* Ignore attempts to remove permanent certificates */
+	if ( cert->flags & X509_FL_PERMANENT )
+		return;
+
 	/* Remove certificate from store */
 	DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
 	       x509_name ( cert ) );
@@ -171,11 +175,22 @@ static unsigned int certstore_discard ( void ) {
 	 * only reference is held by the store itself.
 	 */
 	list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
-		if ( cert->refcnt.count == 0 ) {
-			certstore_del ( cert );
-			return 1;
-		}
+
+		/* Skip certificates for which another reference is held */
+		if ( cert->refcnt.count > 0 )
+			continue;
+
+		/* Skip certificates that were added at build time or
+		 * added explicitly at run time.
+		 */
+		if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
+			continue;
+
+		/* Discard certificate */
+		certstore_del ( cert );
+		return 1;
 	}
+
 	return 0;
 }
 

src/include/ipxe/x509.h

@@ -220,6 +220,10 @@ struct x509_certificate {
 enum x509_flags {
 	/** Certificate has been validated */
 	X509_FL_VALIDATED = 0x0001,
+	/** Certificate was added at build time */
+	X509_FL_PERMANENT = 0x0002,
+	/** Certificate was added explicitly at run time */
+	X509_FL_EXPLICIT = 0x0004,
 };
 
 /**