d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
freebsd-skq/lib/libsecureboot/Makefile.libsa.inc
mw 330f749452 Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation 
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision:	https://reviews.freebsd.org/D19093
2019-03-06 06:39:42 +00:00

54 lines
1.4 KiB
PHP
Raw Blame History

# $FreeBSD$
BRSSL_CFLAGS+= -DNO_STDIO
.include "Makefile.inc"
# for "measured boot"
# loader puts the equivalent of TPM's PCR register into kenv
# this is not as good but *way* simpler than talking to TPM
CFLAGS+= -DVE_PCR_SUPPORT
# sources that only apply to libsa
SRCS+= \
vectx.c \
veopen.c \
vepcr.c \
verify_file.c \
# Build library with support for the UEFI based authentication
.if ${MK_LOADER_EFI_SECUREBOOT} == "yes"
SRCS+= \
efi/efi_variables.c \
efi/efi_init.c
# Add includes required by efi part
CFLAGS+= \
-I${SRCTOP}/stand/efi/include \
-I${SRCTOP}/lib/libsecureboot/efi/include \
-I${SRCTOP}/stand/efi/include/${MACHINE}
.endif
# this is the list of paths (relative to a file
# that we need to verify) used to find a signed manifest.
# the signature extensions in VE_SIGNATURE_EXT_LIST
# will be applied to each.
VE_MANIFEST_LIST?= manifest ../manifest
verify_file.o: manifests.h
manifests.h:
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
echo "static const char *manifest_names[] = {"; \
echo '${VE_MANIFEST_LIST:@m@"$m",${.newline}@}'; \
echo 'NULL };' ) > ${.TARGET}
XCFLAGS.verify_file+= \
-DVE_DEBUG_LEVEL=${VE_DEBUG_LEVEL:U0} \
-DVE_VERBOSE_DEFAULT=${VE_VERBOSE_DEFAULT:U0} \
.if !empty(MANIFEST_SKIP_ALWAYS)
XCFLAGS.verify_file+= -DMANIFEST_SKIP_ALWAYS=\"${MANIFEST_SKIP_ALWAYS}\"
.elif !empty(MANIFEST_SKIP)
XCFLAGS.verify_file+= -DMANIFEST_SKIP=\"${MANIFEST_SKIP}\"
.endif
Reference in New Issue View Git Blame Copy Permalink