authorSimon J. Gerraty <sjg@FreeBSD.org>2019-05-09 22:25:12 +0000
committerSimon J. Gerraty <sjg@FreeBSD.org>2019-05-09 22:25:12 +0000
commit9bee6a6083228d0e6abfb991fdbb4edf020fd438 (patch)
tree20d58eed2a4fb4eba8dbb6d7c7db439d4077fec1 /lib/libsecureboot/openpgp
parentb5a154d8e3efec60114ef08746d4fb07fd3d9fdb (diff)
Diffstat (limited to 'lib/libsecureboot/openpgp')
-rw-r--r--lib/libsecureboot/openpgp/Makefile.inc15
-rw-r--r--lib/libsecureboot/openpgp/opgp_key.c67
2 files changed, 51 insertions, 31 deletions
diff --git a/lib/libsecureboot/openpgp/Makefile.inc b/lib/libsecureboot/openpgp/Makefile.inc
index a1b234271852..5e8777c1221f 100644
--- a/lib/libsecureboot/openpgp/Makefile.inc
+++ b/lib/libsecureboot/openpgp/Makefile.inc
@@ -23,26 +23,29 @@ opgp_key.o opgp_key.po opgp_key.pico: ta_asc.h
# It is assumed that these v*.asc files are named similarly to
# the appropriate t*.asc so that the relative order of vc_ASC
# entries matches ta_ASC.
-#
-ta_asc.h: ${.ALLTARGETS:M[tv]*.asc:O:u}
+#
+TA_ASC_LIST ?= ${.ALLSRC:Mt*.asc}
+VC_ASC_LIST ?= ${.ALLSRC:Mv*.asc}
+
+ta_asc.h:
.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
echo "#define HAVE_TA_ASC 1"; \
- set -- ${.ALLSRC:Mt*.asc:@f@$f ${f:T:R}@}; \
+ set -- ${TA_ASC_LIST:@f@$f ${f:T:R}@}; \
while test $$# -ge 2; do \
file2c -sx "static const char $$2[] = {" ', 0x00 };' < $$1; \
shift 2; \
done; \
- echo 'static const char *ta_ASC[] = { ${.ALLSRC:Mt*.asc:T:R:ts,}, NULL };'; \
+ echo 'static const char *ta_ASC[] = { ${TA_ASC_LIST:T:R:ts,}, NULL };'; \
echo; ) > ${.TARGET}
.if ${VE_SELF_TESTS} != "no"
@( echo "#define HAVE_VC_ASC 1"; \
- set -- ${.ALLSRC:Mv*.asc:@f@$f ${f:T:R}@}; \
+ set -- ${VC_ASC_LIST:@f@$f ${f:T:R}@}; \
while test $$# -ge 2; do \
file2c -sx "static const char $$2[] = {" ', 0x00 };' < $$1; \
shift 2; \
done; \
- echo 'static const char *vc_ASC[] = { ${.ALLSRC:Mv*.asc:T:R:ts,}, NULL };'; \
+ echo 'static const char *vc_ASC[] = { ${VC_ASC_LIST:T:R:ts,}, NULL };'; \
echo; ) >> ${.TARGET}
.endif
.endif
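Review bot: The new `ta_asc.h:` rule has no prerequisites, whereas the removed line depended on `${.ALLTARGETS:M[tv]*.asc:O:u}`, so make will no longer regenerate the header when a t*.asc or v*.asc file changes and an already-built tree can keep linking a stale embedded trust-anchor set. The default `TA_ASC_LIST ?= ${.ALLSRC:Mt*.asc}` / `VC_ASC_LIST ?= ${.ALLSRC:Mv*.asc}` also depend on the target having sources, since `.ALLSRC` is the target's own source list and is empty when nothing is listed. Unless a parent makefile adds the prerequisites (not visible in this diff), either restore the old `ta_asc.h: ${.ALLTARGETS:M[tv]*.asc:O:u}` dependency line or have callers set TA_ASC_LIST/VC_ASC_LIST to explicit paths and list those as prerequisites, and say so in the comment above the rule.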
diff --git a/lib/libsecureboot/openpgp/opgp_key.c b/lib/libsecureboot/openpgp/opgp_key.c
index 1a8e06b1d677..0a064b5a008e 100644
--- a/lib/libsecureboot/openpgp/opgp_key.c
+++ b/lib/libsecureboot/openpgp/opgp_key.c
@@ -289,32 +289,47 @@ load_trusted_key_id(const char *keyID)
OpenPGP_key *
load_key_id(const char *keyID)
{
- static int once = 0;
OpenPGP_key *key;
- if (!once) {
+ key = openpgp_trust_get(keyID);
+#ifndef _STANDALONE
+ if (!key)
+ key = load_trusted_key_id(keyID);
+#endif
+ return (key);
+}
+
+/**
+ * @brief initialize our internal trust store if any
+ */
+int
+openpgp_trust_init(void)
+{
+ static int once = -1;
#ifdef HAVE_TA_ASC
- const char **tp;
- char *cp;
- size_t n;
+ OpenPGP_key *key;
+ const char **tp;
+ char *cp;
+ size_t n;
+#endif
+ if (once < 0) {
+ once = 0;
+#ifdef HAVE_TA_ASC
for (tp = ta_ASC; *tp; tp++) {
if ((cp = strdup(*tp))) {
n = strlen(cp);
key = load_key_buf((unsigned char *)cp, n);
free(cp);
- openpgp_trust_add(key);
+ if (key) {
+ openpgp_trust_add(key);
+ once++;
+ }
}
}
-#endif
- once = 1;
}
- key = openpgp_trust_get(keyID);
-#ifndef _STANDALONE
- if (!key)
- key = load_trusted_key_id(keyID);
#endif
- return (key);
+ return (once);
}
/**
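Review bot: load_key_id() no longer populates the trust store before `key = openpgp_trust_get(keyID);` — the embedded ta_ASC anchors are now loaded only by the new openpgp_trust_init(), and the only caller of it visible in this commit is the self-test. Unless every consumer is updated to call it first (not visible here), a lookup in a fresh process finds an empty store and, in the non-_STANDALONE build, falls through to load_trusted_key_id(), while in _STANDALONE the key is simply not found. Because openpgp_trust_init() is idempotent through its static `once`, the cheap guard is to call it at the top of load_key_id(), `openpgp_trust_init();` before the `openpgp_trust_get(keyID)` line. At minimum the new @brief should state the ordering contract, e.g. `Must be called before openpgp_trust_get()/load_key_id(); returns the number of embedded anchors loaded, 0 if none.`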
@@ -333,19 +348,21 @@ openpgp_self_tests(void)
char *fdata, *sdata = NULL;
size_t fbytes, sbytes;
- for (tp = ta_ASC, vp = vc_ASC; *tp && *vp && rc; tp++, vp++) {
- if ((fdata = strdup(*tp)) &&
- (sdata = strdup(*vp))) {
- fbytes = strlen(fdata);
- sbytes = strlen(sdata);
- rc = openpgp_verify("ta_ASC",
- (unsigned char *)fdata, fbytes,
- (unsigned char *)sdata, sbytes, 0);
- printf("Testing verify OpenPGP signature:\t\t%s\n",
- rc ? "Failed" : "Passed");
+ if (openpgp_trust_init() > 0) {
+ for (tp = ta_ASC, vp = vc_ASC; *tp && *vp && rc; tp++, vp++) {
+ if ((fdata = strdup(*tp)) &&
+ (sdata = strdup(*vp))) {
+ fbytes = strlen(fdata);
+ sbytes = strlen(sdata);
+ rc = openpgp_verify("ta_ASC",
+ (unsigned char *)fdata, fbytes,
+ (unsigned char *)sdata, sbytes, 0);
+ printf("Testing verify OpenPGP signature:\t\t%s\n",
+ rc ? "Failed" : "Passed");
+ }
+ free(fdata);
+ free(sdata);
}
- free(fdata);
- free(sdata);
}
#endif
return (rc);
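Review bot: The re-indented loop body can double-free `sdata`: it is set to NULL only once at the declaration on line 120, and when `strdup(*tp)` fails the `&&` short-circuit skips its reassignment, so the `free(sdata)` that follows frees the pointer released on the previous iteration. This is only reachable when an earlier verify returned non-zero (the loop continues on `rc`) and a later strdup fails, but it is undefined behaviour in the self-test path. Resetting the pointer after the free, `free(sdata); sdata = NULL;` (or initialising both pointers at the top of each iteration), closes it. The declaration and initial value of `rc` are outside the hunk, so what a skipped self-test (openpgp_trust_init() returning 0) reports cannot be confirmed here; it is worth checking that it does not read as a pass.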