diff options
author | Simon J. Gerraty <sjg@FreeBSD.org> | 2019-02-26 06:09:10 +0000 |
---|---|---|
committer | Simon J. Gerraty <sjg@FreeBSD.org> | 2019-02-26 06:09:10 +0000 |
commit | 5fff9558a43aaac53da41dc23c250c4e84f6fb02 (patch) | |
tree | 3071b8bc4159c4fb11bac2d4ae7687322b260066 /lib/libsecureboot/local.trust.mk | |
parent | 0957b409a90fd597c1e9124cbaf3edd2b488f4ac (diff) | |
download | src-5fff9558a43aaac53da41dc23c250c4e84f6fb02.tar.gz src-5fff9558a43aaac53da41dc23c250c4e84f6fb02.zip |
Add libsecureboot
Used by loader and veriexec
Depends on libbearssl
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335
Notes
Notes:
svn path=/head/; revision=344565
Diffstat (limited to 'lib/libsecureboot/local.trust.mk')
-rw-r--r-- | lib/libsecureboot/local.trust.mk | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/lib/libsecureboot/local.trust.mk b/lib/libsecureboot/local.trust.mk new file mode 100644 index 000000000000..f26a4ec0a9be --- /dev/null +++ b/lib/libsecureboot/local.trust.mk @@ -0,0 +1,114 @@ +# $FreeBSD$ + +# Consider this file an example. +# +# For Junos this is how we obtain trust anchor .pems +# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm) +# for each key will provide the appropriate certificate chain on request + +# force these for Junos +MANIFEST_SKIP_ALWAYS= boot +VE_HASH_LIST= \ + SHA1 \ + SHA256 \ + SHA384 + +VE_SIGNATURE_LIST= \ + ECDSA + +VE_SIGNATURE_EXT_LIST= \ + esig + +VE_SELF_TESTS= yes + +.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests" +# for testing +VE_HASH_LIST+= \ + SHA512 + +VE_SIGNATURE_LIST+= \ + RSA \ + DEPRECATED_RSA_SHA1 + +VE_SIGNATURE_EXT_LIST+= \ + sig +.endif + +SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py + +.if exists(${SIGNER}) +SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net +ECDSA_PORT:= ${133%y:L:gmtime} +SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256 +RSA2_PORT:= ${163%y:L:gmtime} +SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256 + +.if !empty(OPENPGP_SIGN_URL) +VE_SIGNATURE_LIST+= OPENPGP +VE_SIGNATURE_EXT_LIST+= asc + +SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL} + +ta_openpgp.asc: + ${SIGN_OPENPGP} -C ${.TARGET} + +ta.h: ta_openpgp.asc + +.if ${VE_SELF_TESTS} != "no" +# for self test +vc_openpgp.asc: ta_openpgp.asc + ${SIGN_OPENPGP} ${.ALLSRC:M*.asc} + mv ta_openpgp.asc.asc ${.TARGET} + +ta.h: vc_openpgp.asc +.endif +.endif + +rcerts.pem: + ${SIGN_RSA2} -C ${.TARGET} + +ecerts.pem: + ${SIGN_ECDSA} -C ${.TARGET} + +.if ${VE_SIGNATURE_LIST:tu:MECDSA} != "" +# the last cert in the chain is the one we want +ta_ec.pem: ecerts.pem _LAST_PEM_USE + +.if ${VE_SELF_TESTS} != "no" +# these are for verification self test +vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE +.endif +.endif + +.if ${VE_SIGNATURE_LIST:tu:MRSA} != "" +ta_rsa.pem: rcerts.pem _LAST_PEM_USE +.if ${VE_SELF_TESTS} != "no" +vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE +.endif +.endif + +# we take the mtime of this as our baseline time +BUILD_UTC_FILE= ecerts.pem +#VE_DEBUG_LEVEL=3 +#VE_VERBOSE_DEFAULT=1 + +.else +# you need to provide t*.pem or t*.asc files for each trust anchor +.if empty(TRUST_ANCHORS) +TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null +.endif +.if empty(TRUST_ANCHORS) +.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst +.endif +.if ${TRUST_ANCHORS:T:Mt*.pem} != "" +ta.h: ${TRUST_ANCHORS:M*.pem} +.endif +.if ${TRUST_ANCHORS:T:Mt*.asc} != "" +VE_SIGNATURE_LIST+= OPENPGP +VE_SIGNATURE_EXT_LIST+= asc +ta_asc.h: ${TRUST_ANCHORS:M*.asc} +.endif +# we take the mtime of this as our baseline time +BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]} +.endif + |