Enable build of libbearssl

Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: D16337
2019-02-26 06:11:01 +00:00 · 2019-02-26 06:11:01 +00:00 · a92958df34
commit a92958df34
parent 5fff9558a4
6 changed files with 47 additions and 0 deletions
--- a/lib/Makefile
+++ b/lib/Makefile
@ -133,6 +133,7 @@ SUBDIR_DEPEND_libpcap= ofed
 # NB: keep these sorted by MK_* knobs

 SUBDIR.${MK_ATM}+=	libngatm
+SUBDIR.${MK_BEARSSL}+=	libbearssl libsecureboot
 SUBDIR.${MK_BLACKLIST}+=libblacklist
 SUBDIR.${MK_BLUETOOTH}+=libbluetooth libsdp
 SUBDIR.${MK_BSNMP}+=	libbsnmp
@ -204,6 +205,7 @@ SUBDIR.${MK_TESTS}+=	tests
 SUBDIR.${MK_UNBOUND}+=	libunbound
 SUBDIR.${MK_USB}+=	libusbhid libusb
 SUBDIR.${MK_OFED}+=	ofed
+SUBDIR.${MK_VERIEXEC}+=	libveriexec
 SUBDIR.${MK_ZFS}+=	libbe

 .if !make(install)
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@ -210,6 +210,21 @@ _LIBRARIES+= \
 		osmvendor
 .endif

+.if ${MK_BEARSSL} == "yes"
+_INTERNALLIBS+= \
+		bearssl \
+		secureboot \
+
+LIBBEARSSL?=	${LIBBEARSSLDIR}/libbearssl${PIE_SUFFIX}.a
+LIBSECUREBOOT?=	${LIBSECUREBOOTDIR}/libsecureboot${PIE_SUFFIX}.a
+.endif
+
+.if ${MK_VERIEXEC} == "yes"
+_INTERNALLIBS+= veriexec
+
+LIBVERIEXEC?=	${LIBVERIEXECDIR}/libveriexec${PIE_SUFFIX}.a
+.endif
+
 # Each library's LIBADD needs to be duplicated here for static linkage of
 # 2nd+ order consumers.  Auto-generating this would be better.
 _DP_80211=	sbuf bsdxml
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@ -194,6 +194,7 @@ __DEFAULT_YES_OPTIONS = \
    ZONEINFO

 __DEFAULT_NO_OPTIONS = \
+    BEARSSL \
    BSD_GREP \
    CLANG_EXTRAS \
    DTRACE_TESTS \
@ -219,6 +220,8 @@ __DEFAULT_NO_OPTIONS = \
 __DEFAULT_DEPENDENT_OPTIONS= \
 	CLANG_FULL/CLANG \
 	LLVM_TARGET_ALL/CLANG \
+	LOADER_VERIEXEC/BEARSSL \
+	VERIEXEC/BEARSSL \

 # MK_*_SUPPORT options which default to "yes" unless their corresponding
 # MK_* variable is set to "no".
--- a/tools/build/options/WITH_BEARSSL
+++ b/tools/build/options/WITH_BEARSSL
@ -0,0 +1,11 @@
+.\" $FreeBSD$
+Build the BearSSL library.
+.Pp
+BearSSL is a tiny SSL library suitable for embedded environments.
+For details see
+.Lk http://www.BearSSL.org/
+.Pp
+This library is currently only used to perform
+signature verification and related operations
+for Verified Exec and
+.Xr loader 8 .
--- a/tools/build/options/WITH_LOADER_VERIEXEC
+++ b/tools/build/options/WITH_LOADER_VERIEXEC
@ -0,0 +1,7 @@
+.\" $FreeBSD$
+Enable building
+.Xr loader 8
+with support for verifcation similar to Verified Exec.
+.Pp
+It depends on
+.Va WITH_BEARSSL
--- a/tools/build/options/WITH_VERIEXEC
+++ b/tools/build/options/WITH_VERIEXEC
@ -0,0 +1,9 @@
+.\" $FreeBSD$
+Enable building
+.Xr veriexec 8
+which loads the contents of verified manifests into the kernel
+for use by
+.Xr mac_veriexec 4
+.Pp
+It depends on
+.Va WITH_BEARSSL