lib/security: hard_lockdown flag to stop runtime disable of signed boot

Currently if signed-boot is enabled in configure the presence of the
LOCKDOWN_FILE is used as a runtime determination to perform the actual
verification.  In some environments this may be acceptable or even the
intended operation but in other environments could be a security hole
since the removal of the file will then cause boot task verification.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition to force the system to always do a signed boot
verification for each boot task, which in the case of a missing file the
boot will fail.

Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index 9eb0855..ed2ea82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -239,6 +239,14 @@ AC_ARG_VAR(
 AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
 AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
 
+AC_ARG_ENABLE([hard-lockdown],
+	      [AS_HELP_STRING([--enable-hard-lockdown],
+			      [if signed boot configured, the absence of the
+			       LOCKDOWN_FILE does not disable signed boot at
+			       runtime @<:@default=no@:>@])],
+	      [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])],
+	      [])
+
 AC_ARG_ENABLE(
 	[busybox],
 	[AS_HELP_STRING(