rhboot / shim

UEFI shim loader

Process OVERRIDE_SECURITY_POLICY in lib/Makefile #613

Closed mikebeaton closed 1 year ago

mikebeaton commented 1 year ago

Without this, make OVERRIDE_SECURITY_POLICY=1 fails with:

ld: shim.o: in function `install_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1354: undefined reference to `security_policy_install'
ld: shim.o: in function `uninstall_shim_protocols':
/home/mjsbeaton/shim_source/shim.c:1376: undefined reference to `security_policy_uninstall'

Fixes issue #596 and is an alternative to PR #600.

dennis-tseng99 commented 1 year ago

To consider the code expanding in the near future, I still suggest we should make use of "export DEFINES" in Make.defaults to pass down variable(s) to sub-make. Please refer to our original discussion: https://github.com/rhboot/shim/pull/600

mikebeaton commented 1 year ago

Just export DEFINES anywhere inside Make.defaults but not inside a conditional also sounds fine to me. Tyvm.

Am intrigued what the changes are in the near future.

As mentioned in the related issue, it'd be very appreciated if anyone (cc @jejb @vathpela @bluca - if I may) can point to any public discussion (or provide any info here) of the status of OVERRIDE_SECURITY_POLICY (&/or any issues with using it). As far as I can make out, it dates back to the original Linux Foundation Preloader.efi, and pretty soon after being added to Shim was made conditional (apparently with the issue being addressed here always present, although I may be misunderstanding something). However it seems like it would be an essential feature for any third-party second stage bootloader (for instance a BLSpec compliant one) which wants to:

Since, AFAICT, a user-build of Shim* is the only way to achieve this at the moment (e.g. a tentative approach to exactly this is here).

*With OVERRIDE_SECURITY_POLICY enabled, and including @bluca's recent commit.