10c90a3b2a
Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available. Ensure we do not add duplicate keys to trust store. Also allow reporting names of trust anchors added/revoked We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D20700
126 lines
2.8 KiB
Makefile
126 lines
2.8 KiB
Makefile
# $FreeBSD$
|
|
|
|
# Consider this file an example.
|
|
#
|
|
# For Junos this is how we obtain trust anchor .pems
|
|
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
|
|
# for each key will provide the appropriate certificate chain on request
|
|
|
|
# force these for Junos
|
|
#MANIFEST_SKIP_ALWAYS= boot
|
|
VE_HASH_LIST= \
|
|
SHA1 \
|
|
SHA256 \
|
|
SHA384 \
|
|
SHA512
|
|
|
|
VE_SIGNATURE_LIST= \
|
|
ECDSA \
|
|
RSA
|
|
|
|
VE_SIGNATURE_EXT_LIST= \
|
|
esig \
|
|
rsig
|
|
|
|
VE_SELF_TESTS= yes
|
|
|
|
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
|
|
|
|
VE_SIGNATURE_LIST+= \
|
|
DEPRECATED_RSA_SHA1
|
|
|
|
VE_SIGNATURE_EXT_LIST+= \
|
|
sig
|
|
.endif
|
|
|
|
# add OpenPGP support - possibly dormant
|
|
VE_SIGNATURE_LIST+= OPENPGP
|
|
VE_SIGNATURE_EXT_LIST+= asc
|
|
|
|
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
|
|
|
|
.if exists(${SIGNER})
|
|
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
|
|
ECDSA_PORT:= ${133%y:L:gmtime}
|
|
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
|
|
RSA2_PORT:= ${163%y:L:gmtime}
|
|
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
|
|
|
|
# deal with quirk of our .esig format
|
|
XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
|
|
|
|
.if !empty(OPENPGP_SIGN_URL)
|
|
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
|
|
|
|
VE_SIGNATURE_LIST+= OPENPGP
|
|
VE_SIGNATURE_EXT_LIST+= asc
|
|
|
|
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
|
|
|
|
ta_openpgp.asc:
|
|
${SIGN_OPENPGP} -C ${.TARGET}
|
|
|
|
ta_asc.h: ta_openpgp.asc
|
|
|
|
.if ${VE_SELF_TESTS} != "no"
|
|
# for self test
|
|
vc_openpgp.asc: ta_openpgp.asc
|
|
${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
|
|
mv ta_openpgp.asc.asc ${.TARGET}
|
|
|
|
ta_asc.h: vc_openpgp.asc
|
|
.endif
|
|
.endif
|
|
|
|
rcerts.pem:
|
|
${SIGN_RSA2} -C ${.TARGET}
|
|
|
|
ecerts.pem:
|
|
${SIGN_ECDSA} -C ${.TARGET}
|
|
|
|
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
|
|
# the last cert in the chain is the one we want
|
|
ta_ec.pem: ecerts.pem _LAST_PEM_USE
|
|
ta.h: ta_ec.pem
|
|
.if ${VE_SELF_TESTS} != "no"
|
|
# these are for verification self test
|
|
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
|
|
ta.h: vc_ec.pem
|
|
.endif
|
|
.endif
|
|
|
|
.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
|
|
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
|
|
ta.h: ta_rsa.pem
|
|
.if ${VE_SELF_TESTS} != "no"
|
|
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
|
|
ta.h: vc_rsa.pem
|
|
.endif
|
|
.endif
|
|
|
|
# we take the mtime of this as our baseline time
|
|
#BUILD_UTC_FILE= ecerts.pem
|
|
#VE_DEBUG_LEVEL=3
|
|
#VE_VERBOSE_DEFAULT=1
|
|
|
|
.else
|
|
# you need to provide t*.pem or t*.asc files for each trust anchor
|
|
.if empty(TRUST_ANCHORS)
|
|
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
|
|
.endif
|
|
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
|
|
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
|
|
.endif
|
|
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
|
|
ta.h: ${TRUST_ANCHORS:M*.pem}
|
|
.endif
|
|
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
|
|
VE_SIGNATURE_LIST+= OPENPGP
|
|
VE_SIGNATURE_EXT_LIST+= asc
|
|
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
|
|
.endif
|
|
# we take the mtime of this as our baseline time
|
|
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
|
|
.endif
|
|
|