Index: lib/libsecureboot/h/libsecureboot.h =================================================================== --- lib/libsecureboot/h/libsecureboot.h +++ lib/libsecureboot/h/libsecureboot.h @@ -87,11 +87,4 @@ /* flags for verify_{asc,sig,signed} */ #define VEF_VERBOSE 1 -#define VE_FINGERPRINT_OK 1 -#define VE_FINGERPRINT_IGNORE 2 -/* errors from verify_fd */ -#define VE_FINGERPRINT_NONE -2 -#define VE_FINGERPRINT_WRONG -3 -#define VE_FINGERPRINT_UNKNOWN -4 /* may not be an error */ - #endif /* _LIBSECUREBOOT_H_ */ Index: lib/libsecureboot/h/verify_file.h =================================================================== --- lib/libsecureboot/h/verify_file.h +++ lib/libsecureboot/h/verify_file.h @@ -37,6 +37,13 @@ #define VE_UNVERIFIED_OK 0 /* not verified but that's ok */ #define VE_NOT_VERIFYING 2 /* we are not verifying */ +#define VE_FINGERPRINT_OK 1 +#define VE_FINGERPRINT_IGNORE 2 +/* errors from verify_fd and vectx_open */ +#define VE_FINGERPRINT_NONE -2 +#define VE_FINGERPRINT_WRONG -3 +#define VE_FINGERPRINT_UNKNOWN -4 /* may not be an error */ + struct stat; int verify_prep(int, const char *, off_t, struct stat *, const char *); Index: lib/libsecureboot/veopen.c =================================================================== --- lib/libsecureboot/veopen.c +++ lib/libsecureboot/veopen.c @@ -27,7 +27,7 @@ #include #include "libsecureboot-priv.h" - +#include struct fingerprint_info { char *fi_prefix; /**< manifest entries relative to */ Index: lib/libsecureboot/vets.c =================================================================== --- lib/libsecureboot/vets.c +++ lib/libsecureboot/vets.c @@ -36,6 +36,7 @@ #include #define NEED_BRSSL_H #include "libsecureboot-priv.h" +#include #include #include Index: stand/common/load_elf.c =================================================================== --- stand/common/load_elf.c +++ stand/common/load_elf.c @@ -231,7 +231,7 @@ int verror; ef->vctx = vectx_open(ef->fd, filename, 0L, NULL, &verror, __func__); - if (verror) { + if (verror != 0 && verror != VE_FINGERPRINT_IGNORE) { printf("Unverified %s: %s\n", filename, ve_error_get()); close(ef->fd); free(ef->vctx); Index: stand/common/load_elf_obj.c =================================================================== --- stand/common/load_elf_obj.c +++ stand/common/load_elf_obj.c @@ -114,7 +114,7 @@ int verror; ef.vctx = vectx_open(ef.fd, filename, 0L, NULL, &verror, __func__); - if (verror) { + if (verror != 0 && verror != VE_FINGERPRINT_IGNORE) { printf("Unverified %s: %s\n", filename, ve_error_get()); close(ef.fd); free(ef.vctx); Index: stand/common/module.c =================================================================== --- stand/common/module.c +++ stand/common/module.c @@ -752,7 +752,7 @@ #ifdef LOADER_VERIEXEC_VECTX vctx = vectx_open(fd, name, 0L, NULL, &verror, __func__); - if (verror) { + if (verror != 0 && verror != VE_FINGERPRINT_IGNORE) { sprintf(command_errbuf, "can't verify '%s': %s", name, ve_error_get()); free(name); Index: stand/common/readin.h =================================================================== --- stand/common/readin.h +++ stand/common/readin.h @@ -27,7 +27,7 @@ #ifndef _READIN_H_ #define _READIN_H_ -#ifdef LOADER_VERIEXEC +#if defined(LOADER_VERIEXEC) || defined(LOADER_VERIEXEC_VECTX) #include #endif #ifdef LOADER_VERIEXEC_VECTX Index: stand/i386/loader/chain.c =================================================================== --- stand/i386/loader/chain.c +++ stand/i386/loader/chain.c @@ -87,7 +87,7 @@ #ifdef LOADER_VERIEXEC_VECTX vctx = vectx_open(fd, argv[1], 0L, NULL, &verror, __func__); - if (verror) { + if (verror != 0 && verror != VE_FINGERPRINT_IGNORE) { sprintf(command_errbuf, "can't verify: %s", argv[1]); close(fd); free(vctx);