[crypto] Allow certificates to be marked as having been added explicitly

Allow certificates to be marked as having been added explicitly at run
time.  Such certificates will not be discarded via the certificate
store cache discarder.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/certstore.c

  */
 void certstore_del ( struct x509_certificate *cert ) {
 
+	/* Ignore attempts to remove permanent certificates */
+	if ( cert->flags & X509_FL_PERMANENT )
+		return;
+
 	/* Remove certificate from store */
 	DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
 	       x509_name ( cert ) );
 	 * only reference is held by the store itself.
 	 */
 	list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
-		if ( cert->refcnt.count == 0 ) {
-			certstore_del ( cert );
-			return 1;
-		}
+
+		/* Skip certificates for which another reference is held */
+		if ( cert->refcnt.count > 0 )
+			continue;
+
+		/* Skip certificates that were added at build time or
+		 * added explicitly at run time.
+		 */
+		if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
+			continue;
+
+		/* Discard certificate */
+		certstore_del ( cert );
+		return 1;
 	}
+
 	return 0;
 }
 

src/include/ipxe/x509.h

 enum x509_flags {
 	/** Certificate has been validated */
 	X509_FL_VALIDATED = 0x0001,
+	/** Certificate was added at build time */
+	X509_FL_PERMANENT = 0x0002,
+	/** Certificate was added explicitly at run time */
+	X509_FL_EXPLICIT = 0x0004,
 };
 
 /**