diff options
author | Marcin Wojtas <mw@FreeBSD.org> | 2019-03-06 06:39:42 +0000 |
---|---|---|
committer | Marcin Wojtas <mw@FreeBSD.org> | 2019-03-06 06:39:42 +0000 |
commit | 13ea0450a9c8742119d36f3bf8f47accdce46e54 (patch) | |
tree | 08c5058c1b3a1cde3be3dd1e7d12a25058e72d5f /lib/libsecureboot/Makefile.inc | |
parent | ce37b71e6809fe5074be54230da9cf09543d3cdd (diff) | |
download | src-13ea0450a9c8742119d36f3bf8f47accdce46e54.tar.gz src-13ea0450a9c8742119d36f3bf8f47accdce46e54.zip |
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
Notes
Notes:
svn path=/head/; revision=344840
Diffstat (limited to 'lib/libsecureboot/Makefile.inc')
-rw-r--r-- | lib/libsecureboot/Makefile.inc | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc index e7564b7bb7cb..93eaee04989e 100644 --- a/lib/libsecureboot/Makefile.inc +++ b/lib/libsecureboot/Makefile.inc @@ -31,6 +31,17 @@ BRSSL_SRCS+= \ ${BEARSSL}/tools/xmem.c \ ${BEARSSL}/tools/vector.c +BRSSL_DEPS= \ + brf.c \ + vets.c \ + veta.c + +.if ${MK_LOADER_EFI_SECUREBOOT} != "no" +BRSSL_DEPS+= \ + efi_init.c \ + efi_variables.c +.endif + # we do not need/want nested objdirs OBJS_SRCS_FILTER = T R @@ -134,7 +145,7 @@ vse.h: echo 'NULL };' ) > ${.TARGET} -.for s in ${BRSSL_SRCS} brf.c vets.c veta.c +.for s in ${BRSSL_SRCS} ${BRSSL_DEPS} .ifdef BRSSL_SED $s: brssl.h .endif |