Diffstat (limited to 'lib/libsecureboot/Makefile.inc')
-rw-r--r--lib/libsecureboot/Makefile.inc20
1 files changed, 13 insertions, 7 deletions
diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
index 921b5e7bc1d8..21ad019a0cb5 100644
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
.if empty(BEARSSL)
.include "../libbearssl/Makefile.inc"
.endif
@@ -59,6 +57,10 @@ _2ndLAST_PEM_USE: .USE
sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}
+# rules to populate the [tv]*.pem files we use to generate ta.h
+# and can add/alter VE_*_LIST as desired.
+.-include "local.trust.mk"
+
# list of hashes we support
VE_HASH_LIST?= SHA256
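Review bot: Including `local.trust.mk` above the `VE_*_LIST?=` defaults changes what an append in that file does. A line such as `VE_HASH_LIST+= SHA384` (constructed example) now defines the variable first, so the later `VE_HASH_LIST?= SHA256` no longer applies and the default entry drops out of the list. The moved comment still says the file can "add/alter VE_*_LIST", which reads as if appending keeps the defaults. Since these lists decide which hashes and signature types the verifier accepts, I would extend the comment, e.g. `# NOTE: included before the ?= defaults below; set each VE_*_LIST to the complete list you want`.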
@@ -75,16 +77,16 @@ VE_SIGNATURE_EXT_LIST?= sig
# needs to be yes for FIPS 140-2 compliance
VE_SELF_TESTS?= no
-# rules to populate the [tv]*.pem files we use to generate ta.h
-# and can add/alter VE_*_LIST as desired.
-.-include "local.trust.mk"
+CFLAGS+= -I.
+.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""
# this is what we use as our trust anchor
-CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
+CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM
.if ${VE_SELF_TESTS} != "no"
XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
.endif
+.endif
# clean these up
VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
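Review bot: The new `.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""` guard also encloses the `VE_SELF_TESTS` block, so with `VE_SELF_TESTS=yes` and a list that has no `*sig` entry, `-DVERIFY_CERTS_STR=vc_PEM` is dropped without any message. The context line above says self-tests must be enabled for FIPS 140-2 compliance, so a quiet omission is easy to miss. Whether other self-tests still run in that configuration is not visible in this hunk. I would replace the remaining comment with one that explains the condition, e.g. `# X.509 trust anchor and cert self-test data are only compiled in when a *sig signature extension is enabled`.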
@@ -126,7 +128,11 @@ BUILD_UTC?= ${SOURCE_DATE_EPOCH}
BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
.endif
# you can of course set BUILD_UTC to any value you like
-BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
+.if ${MAKE_VERSION} > 20230509
+BUILD_UTC?= ${BUILD_UTC_FILE:mtime}
+.else
+BUILD_UTC?= ${${STAT:Ustat} -L -f %m ${BUILD_UTC_FILE}:L:sh}
+.endif
# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
#
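Review bot: The two branches of the new `MAKE_VERSION` test behave differently when `BUILD_UTC_FILE` cannot be stat'ed. As far as I know, bmake's `:mtime` substitutes the current time on failure, whereas the `stat ... :sh` branch yields no timestamp. That would make `BUILD_UTC` silently non-reproducible, and if the value is used as a time baseline for certificate validity checks (not visible in this hunk) it would also drift with every build. If the bmake in use supports it, I would make the failure explicit with `BUILD_UTC?= ${BUILD_UTC_FILE:mtime=error}`. A one-line comment that `-L` was added so both branches follow symlinks would also help.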