Diffstat (limited to 'lib/libsecureboot/local.trust.mk')
-rw-r--r-- | lib/libsecureboot/local.trust.mk | 145 |
1 files changed, 63 insertions, 82 deletions
diff --git a/lib/libsecureboot/local.trust.mk b/lib/libsecureboot/local.trust.mk
index 7b1e5f7ee97b..f2da3d3ac452 100644
--- a/lib/libsecureboot/local.trust.mk
+++ b/lib/libsecureboot/local.trust.mk
@@ -5,65 +5,69 @@
 # the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
 # for each key will provide the appropriate certificate chain on request
 
-# force these for Junos
-#MANIFEST_SKIP_ALWAYS= boot
-VE_HASH_LIST= \
-	SHA1 \
-	SHA256 \
-	SHA384 \
-	SHA512
-
-VE_SIGNATURE_LIST= \
-	ECDSA \
-	RSA
-
-VE_SIGNATURE_EXT_LIST= \
-	esig \
-	rsig
-
-VE_SELF_TESTS= yes
-
-.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
-
-VE_SIGNATURE_LIST+= \
-	DEPRECATED_RSA_SHA1
+# allow site control
+.-include "site.trust.mk"
 
-VE_SIGNATURE_EXT_LIST+= \
-	sig
-.endif
+#VE_DEBUG_LEVEL?=3
+#VE_VERBOSE_DEFAULT?=2
 
-# add OpenPGP support - possibly dormant
-VE_SIGNATURE_LIST+= OPENPGP
-VE_SIGNATURE_EXT_LIST+= asc
+VE_HASH_LIST?= \
+	SHA256 \
+	SHA384 \
 
-# allow site override of all the above
-.-include "site.trust.mk"
+VE_SELF_TESTS?= yes
 
-SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
+# client for the signing server above
+SIGNER?= /opt/sigs/sign.py
 
 .if exists(${SIGNER})
-SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
-ECDSA_PORT:= ${133%y:L:gmtime}
-SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
-RSA2_PORT:= ${163%y:L:gmtime}
-SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
+OPENPGP_SIGNER?= ${SIGNER:H}/openpgp-sign.py
+OPENPGP_SIGN_FLAGS= -a
+OPENPGP_SIGN_HOST?= localhost
+SIGN_HOST ?= localhost
+
+# A list of name/ext/url tuples.
+# name should be one of ECDSA, OPENPGP or RSA, they can be repeated
+# Order of ext list implies runtime preference so do not sort!
+VE_SIGN_URL_LIST?= \
+	ECDSA/esig/${SIGN_HOST}:${133%y:L:localtime} \
+	RSA/rsig/${SIGN_HOST}:${163%y:L:localtime} \
+	OPENPGP/asc/${OPENPGP_SIGN_HOST}:1234 \
+
+.for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}
+SIGN_${sig}:= ${PYTHON} ${${sig}_SIGNER:U${SIGNER}} -u ${url} ${${sig}_SIGN_FLAGS:U-h sha256}
+
+VE_SIGNATURE_LIST+= ${sig}
+VE_SIGNATURE_EXT_LIST+= ${ext}
+
+_SIGN_${sig}_USE: .USE
+	${SIGN_${sig}} ${.ALLSRC}
+
+_TA_${sig}_USE: .USE
+	${SIGN_${sig}} -C ${.TARGET}
+
+.if ${sig} == "OPENPGP"
+ta_${sig:tl}.${ext}: _TA_${sig}_USE
+ta_${ext}.h: ta_${sig:tl}.${ext}
+.else
+${ext:S/sig/certs/}.pem: _TA_${sig}_USE
+# the last cert in the chain is the one we want
+ta_${ext}.pem: ${ext:S/sig/certs/}.pem _LAST_PEM_USE
+ta.h: ta_${ext}.pem
+.if ${VE_SELF_TESTS} != "no"
+# we use the 2nd last cert to test verification
+vc_${ext}.pem: ${ext:S/sig/certs/}.pem _2ndLAST_PEM_USE
+ta.h: vc_${ext}.pem
+.endif
+.endif
+.endfor
 
-# deal with quirk of our .esig format
-XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
+# cleanup duplicates
+VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:O:u}
 
-.if !empty(OPENPGP_SIGN_URL)
+.if target(ta_asc.h)
 XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
 
-VE_SIGNATURE_LIST+= OPENPGP
-VE_SIGNATURE_EXT_LIST+= asc
-
-SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
-
-ta_openpgp.asc:
-	${SIGN_OPENPGP} -C ${.TARGET}
-
-ta_asc.h: ta_openpgp.asc
-
 .if ${VE_SELF_TESTS} != "no"
 # for self test
 vc_openpgp.asc: ta_openpgp.asc
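Review bot: The `.for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}` loop splits each tuple on `/`, so the url field can only ever be a bare `host:port` — an entry carrying a scheme or path would be mis-split into the name and ext fields and silently define the wrong `SIGN_*` command — and the tuple comment above `VE_SIGN_URL_LIST` should say so, e.g. `# url must be host:port (no scheme or path): each tuple is split on /`. The two `${...%y:L:localtime}` ports are now derived from the builder's local year instead of UTC, so a build straddling a year boundary presumably contacts a different port than a server keyed on UTC; a one-line comment stating which convention the signing server follows would make that deliberate. `XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN` is removed with nothing supplying it on the new side, which changes how `.esig` signatures are verified; confirm the default signer's output no longer needs the quirk, or move the define into `site.trust.mk` for sites whose signer still does. As style points, `VE_HASH_LIST?=` and `VE_SIGN_URL_LIST?=` both end on a dangling `\` before a blank line, and `OPENPGP_SIGN_FLAGS= -a` is the one knob in this block that `site.trust.mk` cannot override because it uses `=` rather than `?=`. The `.if exists(${SIGNER})` branch opened here continues past the end of this hunk.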
@@ -74,48 +78,26 @@ ta_asc.h: vc_openpgp.asc
 .endif
 .endif
 
-rcerts.pem:
-	${SIGN_RSA2} -C ${.TARGET}
-
-ecerts.pem:
-	${SIGN_ECDSA} -C ${.TARGET}
-
-.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
-# the last cert in the chain is the one we want
-ta_ec.pem: ecerts.pem _LAST_PEM_USE
-ta.h: ta_ec.pem
-.if ${VE_SELF_TESTS} != "no"
-# these are for verification self test
-vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
-ta.h: vc_ec.pem
-.endif
-.endif
-
-.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
-ta_rsa.pem: rcerts.pem _LAST_PEM_USE
-ta.h: ta_rsa.pem
-.if ${VE_SELF_TESTS} != "no"
-vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
-ta.h: vc_rsa.pem
-.endif
-.endif
-
-# we take the mtime of this as our baseline time
-#BUILD_UTC_FILE= ecerts.pem
-#VE_DEBUG_LEVEL=3
-#VE_VERBOSE_DEFAULT=1
-
 .else
+VE_SIGNATURE_LIST?= RSA
+
 # you need to provide t*.pem or t*.asc files for each trust anchor
+# below assumes they are named ta_${ext}.pem eg ta_esig.pem for ECDSA
 .if empty(TRUST_ANCHORS)
-TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
+TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null || echo
 .endif
 .if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
 .error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
 .endif
+
 .if ${TRUST_ANCHORS:T:Mt*.pem} != ""
 ta.h: ${TRUST_ANCHORS:M*.pem}
+VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}
+.if ${VE_SIGNATURE_EXT_LIST:Mesig} != ""
+VE_SIGNATURE_LIST+= ECDSA
+.endif
 .endif
+
 .if ${TRUST_ANCHORS:T:Mt*.asc} != ""
 VE_SIGNATURE_LIST+= OPENPGP
 VE_SIGNATURE_EXT_LIST+= asc
@@ -124,4 +106,3 @@ ta_asc.h: ${TRUST_ANCHORS:M*.asc}
 # we take the mtime of this as our baseline time
 BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
 .endif
-
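Review bot: In the `.else` branch, the auto-discovery line `TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null || echo` together with the context rule `ta.h: ${TRUST_ANCHORS:M*.pem}` embeds every `.pem` in the directory as a trust anchor, while the comment above it and the new `VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}` derivation only consider `t*.pem`, so a stray or test certificate left in this directory would be compiled into the trust store without contributing a signature type. If nothing else legitimately relies on the wider glob, narrowing the discovery to `'ls' -1 t*.pem t*.asc` makes the embedded anchors match what the comment promises; a reader checking `ls` output against `ta.h` cannot otherwise tell which is authoritative. The appended `|| echo` presumably exists so that an empty directory does not surface as a failed `!=` command, leaving the `.error` below to decide; a comment such as `# || echo: no anchors is not a shell error here, the .error below decides` would record that. `VE_SIGNATURE_LIST?= RSA` is assumed in this branch even when only `ta_esig.pem` anchors are present; if that default is intentional, the comment should say so.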