Entries marked as "no_hash" in the manifest will generate this "error"
code. It should be treated as success.
Why did these definitions need to be moved to verify_file.h?
libsecureboot-priv.h already includes libsecureboot.h, so the definitions should have been available to those files where you added #include "verify_file.h". I suppose leaving them here would have required an #include "libsecureboot.h" in those files where you added #include "verify_file.h"?
Maybe the amount of change would have been a wash either way. It just sort of "feels right" to me to have the definitions in libsecureboot.h.
I know I didn't make this comment before, but I _thought_ about doing so. And so here we are. :-)
Neither libsecureboot.h nor libsecureboot-priv.h is included in any stand/ code (despite the presence of #ifdef _STANDALONE in the former). Only verify_file.h is included in stand/, so that file seemed most appropriate for definitions needed in stand/. Furthermore, all other VE_* definitions are already in verify_file.h.
That being said, I'm honestly not sure of the best approach, and I'm not really sure of the distinction between these two header files. Maybe @sjg can comment on the design here.
There should be no need for anything outside libsecureboot to grok VE_FINGERPRINT_IGNORE, vectx should not return an error status in such a case.
But we (I) do not expect vectx to be used for anything which does not require a valid fingerprint.
Why would you want no_hash on mfsroot ? That opens a big vulnerability window.