diff options
| author | Simon J. Gerraty <sjg@FreeBSD.org> | 2019-05-09 22:25:12 +0000 |
|---|---|---|
| committer | Simon J. Gerraty <sjg@FreeBSD.org> | 2019-05-09 22:25:12 +0000 |
| commit | 9bee6a6083228d0e6abfb991fdbb4edf020fd438 (patch) | |
| tree | 20d58eed2a4fb4eba8dbb6d7c7db439d4077fec1 /lib/libsecureboot/Makefile.inc | |
| parent | b5a154d8e3efec60114ef08746d4fb07fd3d9fdb (diff) | |
| download | src-9bee6a6083228d0e6abfb991fdbb4edf020fd438.tar.gz src-9bee6a6083228d0e6abfb991fdbb4edf020fd438.zip | |
libsecureboot: make it easier to customize trust anchors
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208
Notes
Notes:
svn path=/head/; revision=347408
Diffstat (limited to 'lib/libsecureboot/Makefile.inc')
| -rw-r--r-- | lib/libsecureboot/Makefile.inc | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc index 93eaee04989e..e0faf287a245 100644 --- a/lib/libsecureboot/Makefile.inc +++ b/lib/libsecureboot/Makefile.inc @@ -98,10 +98,20 @@ CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \ .if ${VE_SELF_TESTS} != "no" # The input used for hash KATs +# we use a string by default so it is independent of any other test +VE_HASH_KAT_STRLEN?= strlen +.if ${VE_HASH_KAT_STRLEN} == "strlen" +VE_HASH_KAT_STR?= self-tests-are-good +VE_HASH_KAT_STR_INPUT= echo -n +XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\" +.else VE_HASH_KAT_STR?= vc_PEM - +VE_HASH_KAT_STR_INPUT= cat +VE_HASH_KAT_STRLEN= sizeof XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR} .endif +XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN} +.endif # this should be updated occassionally this is 2019-01-01Z SOURCE_DATE_EPOCH?= 1546329600 @@ -121,17 +131,20 @@ BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh} # If we are doing self-tests, we define another arrary vc_PEM # containing certificates that we can verify for each trust anchor. # This is typically a subordinate CA cert. -# Finally we generate a hash of vc_PEM using each supported hash method +# Finally we generate a hash of VE_HASH_KAT_STR +# using each supported hash method # to use as a Known Answer Test (needed for FIPS 140-2) # +TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem} +VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem} vets.o vets.po vets.pico: ta.h -ta.h: ${.ALLTARGETS:M[tv]*pem:O:u} +ta.h: @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ - cat ${.ALLSRC:N*crl*:Mt*.pem} /dev/null | \ + cat ${TA_PEM_LIST:O:u} /dev/null | \ file2c -sx 'static const char ta_PEM[] = {' '};'; \ - echo "${.newline}${VE_HASH_LIST:@H@static char vh_$H[] = \"`cat ${.ALLSRC:N*crl*:Mv*.pem} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} + echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} .if ${VE_SELF_TESTS} != "no" - ( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \ + ( cat ${VC_PEM_LIST:O:u} /dev/null | \ file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET} .endif echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP} @@ -141,7 +154,7 @@ vesigned.o vesigned.po vesigned.pico: vse.h vse.h: @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ echo "static const char *signature_exts[] = {"; \ - echo '${VE_SIGNATURE_EXT_LIST:@e@"$e",${.newline}@}'; \ + echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \ echo 'NULL };' ) > ${.TARGET} |