freebsd-skq/lib/libsecureboot/local.trust.mk
sjg 10c90a3b2a libsecureboot: allow OpenPGP support to be dormant
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.

Reviewed by:	stevek
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D20700
2019-06-26 23:33:32 +00:00

126 lines
2.8 KiB
Makefile

# $FreeBSD$
# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
# force these for Junos
#MANIFEST_SKIP_ALWAYS= boot
VE_HASH_LIST= \
SHA1 \
SHA256 \
SHA384 \
SHA512
VE_SIGNATURE_LIST= \
ECDSA \
RSA
VE_SIGNATURE_EXT_LIST= \
esig \
rsig
VE_SELF_TESTS= yes
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
VE_SIGNATURE_LIST+= \
DEPRECATED_RSA_SHA1
VE_SIGNATURE_EXT_LIST+= \
sig
.endif
# add OpenPGP support - possibly dormant
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
.if exists(${SIGNER})
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
ECDSA_PORT:= ${133%y:L:gmtime}
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
# deal with quirk of our .esig format
XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
.if !empty(OPENPGP_SIGN_URL)
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
ta_openpgp.asc:
${SIGN_OPENPGP} -C ${.TARGET}
ta_asc.h: ta_openpgp.asc
.if ${VE_SELF_TESTS} != "no"
# for self test
vc_openpgp.asc: ta_openpgp.asc
${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
mv ta_openpgp.asc.asc ${.TARGET}
ta_asc.h: vc_openpgp.asc
.endif
.endif
rcerts.pem:
${SIGN_RSA2} -C ${.TARGET}
ecerts.pem:
${SIGN_ECDSA} -C ${.TARGET}
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
ta_ec.pem: ecerts.pem _LAST_PEM_USE
ta.h: ta_ec.pem
.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
ta.h: vc_ec.pem
.endif
.endif
.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
ta.h: ta_rsa.pem
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
ta.h: vc_rsa.pem
.endif
.endif
# we take the mtime of this as our baseline time
#BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1
.else
# you need to provide t*.pem or t*.asc files for each trust anchor
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif