Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Process OVERRIDE_SECURITY_POLICY in lib/Makefile #613

Closed
wants to merge 1 commit into from

Conversation

mikebeaton
Copy link
Contributor

Without this make OVERRIDE_SECURITY_POLICY=1 fails with

ld: shim.o: in function `install_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1354: undefined reference to `security_policy_install'
ld: shim.o: in function `uninstall_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1376: undefined reference to `security_policy_uninstall'

Fixes issue #596 and is an alternative to PR #600.

Without this `make OVERRIDE_SECURITY_POLICY=1` fails with

ld: shim.o: in function `install_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1354: undefined reference to `security_policy_install'
ld: shim.o: in function `uninstall_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1376: undefined reference to `security_policy_uninstall'

Signed-off-by: Mike Beaton <[email protected]>
@dennis-tseng99
Copy link
Contributor

dennis-tseng99 commented Sep 16, 2023

To consider the code expanding in the near future, I still suggest we should make use of "export DEFINES" in Make.defaults to pass down variable(s) to sub-make. Please refer our original discussion #600

@mikebeaton
Copy link
Contributor Author

mikebeaton commented Sep 17, 2023

Just export DEFINES anywhere inside Make.defaults but not inside a conditional also sounds fine to me. Tyvm.

Am intrigued what the changes are in the near future.

As mentioned in the related issue, it'd be very appreciated if anyone (cc @jejb @vathpela @bluca - if I may) can point to any public discussion (or provide any info here) of the status of OVERRIDE_SECURITY_POLICY (&/or any issues with using it). As far as I can make out, it dates back to the original Linux Foundation Preloader.efi, and pretty soon after being added to Shim was made conditional (apparently with the issue being addressed here always present, although I may be misunderstanding something). However it seems like it would be an essential feature for any third-party second stage bootloader (for instance a BLSpec compliant one) which wants to:

  • Defer to distro certificates (rather than requiring user-signing of everything)
  • Use SBAT revocations
  • Not implement its own PE loader

Since, AFAICT, a user-build of Shim* is the only way to achieve this at the moment (e.g. a tentative approach to exactly this is here).

*With OVERRIDE_SECURITY_POLICY enabled, and including @bluca's recent commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants