author: Marcin Wojtas <mw@FreeBSD.org> 2019-03-06 06:39:42 +0000
committer: Marcin Wojtas <mw@FreeBSD.org> 2019-03-06 06:39:42 +0000
commit: 13ea0450a9c8742119d36f3bf8f47accdce46e54
tree: 08c5058c1b3a1cde3be3dd1e7d12a25058e72d5f /lib/libsecureboot/Makefile.inc
parent: ce37b71e6809fe5074be54230da9cf09543d3cdd
Extend libsecureboot (old libve) to obtain trusted certificates from UEFI and implement revocation

UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI.

Certificate revocation support is also introduced. The forbidden certificates are loaded from the dbx variable. Verification fails in two cases:
- There is a direct match between a cert in dbx and one in the chain.
- The CA used to sign the chain is found in dbx.

One can also insert a hash of the TBS section of a certificate into dbx. In this case verification fails only if a direct match with a certificate in the chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
Notes: svn path=/head/; revision=344840
Diffstat (limited to 'lib/libsecureboot/Makefile.inc')
-rw-r--r-- lib/libsecureboot/Makefile.inc | 13
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
index e7564b7bb7cb..93eaee04989e 100644
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -31,6 +31,17 @@ BRSSL_SRCS+= \
${BEARSSL}/tools/xmem.c \
${BEARSSL}/tools/vector.c
+BRSSL_DEPS= \
+ brf.c \
+ vets.c \
+ veta.c
+
+.if ${MK_LOADER_EFI_SECUREBOOT} != "no"
+BRSSL_DEPS+= \
+ efi_init.c \
+ efi_variables.c
+.endif
+
# we do not need/want nested objdirs
OBJS_SRCS_FILTER = T R
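Review bot: the new `.if ${MK_LOADER_EFI_SECUREBOOT} != "no"` conditional assumes the option is already defined when this Makefile.inc is parsed; nothing in the hunk shows an `.include <src.opts.mk>` (or equivalent) above it, and bmake reports a malformed conditional if the variable is undefined rather than treating it as "no". Either confirm the including Makefiles always pull in src.opts.mk first, or guard the test with `defined(MK_LOADER_EFI_SECUREBOOT) &&`. A one-line comment above `BRSSL_DEPS=` would also help: the name suggests BearSSL dependencies, but the list holds libsecureboot's own sources (brf.c, vets.c, veta.c, efi_*.c) that need the generated brssl.h, and the EFI pair only when the loader secure boot option is enabled.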
@@ -134,7 +145,7 @@ vse.h:
echo 'NULL };' ) > ${.TARGET}
-.for s in ${BRSSL_SRCS} brf.c vets.c veta.c
+.for s in ${BRSSL_SRCS} ${BRSSL_DEPS}
.ifdef BRSSL_SED
$s: brssl.h
.endif
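Review bot: `.for s in ${BRSSL_SRCS} ${BRSSL_DEPS}` is expanded at parse time, so any file appended to BRSSL_DEPS below this loop would silently miss the `$s: brssl.h` dependency and could be compiled before the header is generated. Since BRSSL_DEPS is now the single list that drives this rule, add a comment at its definition stating that all entries must be added before this `.for`, or move the definition directly above the loop so the ordering constraint is visible.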