4 .include "../libbearssl/Makefile.inc"
7 .if !target(_${__this}_)
10 libsecureboot_src:= ${.PARSEDIR}
12 CFLAGS+= -I${libsecureboot_src}/h
22 .if ${.CURDIR:M*libsecureboot*} != ""
26 CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}
28 # we use a couple of files from ${BEARSSL}/tools
29 BRSSL_CFLAGS+= -I${BEARSSL}/tools
31 ${BEARSSL}/tools/xmem.c \
32 ${BEARSSL}/tools/vector.c
39 .if ${MK_LOADER_EFI_SECUREBOOT} != "no"
45 # we do not need/want nested objdirs
46 OBJS_SRCS_FILTER = T R
51 # extract the last cert from a chain (should be rootCA)
53 sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}
55 # extract 2nd last cert from chain - we use this for self-test
56 _2ndLAST_PEM_USE: .USE
57 sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
58 sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}
60 # list of hashes we support
63 # list of signatures we support
64 # some people don't trust ECDSA
65 VE_SIGNATURE_LIST?= RSA
67 # this list controls our search for signatures so will not be sorted
68 # note: for X509 signatures we assume we can replace the trailing
69 # "sig" with "certs" to find the certificate chain
70 # eg. for manifest.esig we use manifest.ecerts
71 VE_SIGNATURE_EXT_LIST?= sig
73 # needs to be yes for FIPS 140-2 compliance
76 # rules to populate the [tv]*.pem files we use to generate ta.h
77 # and can add/alter VE_*_LIST as desired.
78 .-include "local.trust.mk"
80 # this is what we use as our trust anchor
81 CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
83 .if ${VE_SELF_TESTS} != "no"
84 XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
88 VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
89 VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}
91 # define what we are supporting
92 CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
93 ${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}
95 .if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
96 .include "openpgp/Makefile.inc"
99 .if ${VE_SELF_TESTS} != "no"
100 # The input used for hash KATs
101 # we use a string by default so it is independent of any other test
102 VE_HASH_KAT_STRLEN?= strlen
103 .if ${VE_HASH_KAT_STRLEN} == "strlen"
104 VE_HASH_KAT_STR?= self-tests-are-good
105 VE_HASH_KAT_STR_INPUT= echo -n
106 XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\"
108 VE_HASH_KAT_STR?= vc_PEM
109 VE_HASH_KAT_STR_INPUT= cat
110 VE_HASH_KAT_STRLEN= sizeof
111 XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
113 XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN}
116 # this should be updated occassionally this is 2019-01-01Z
117 SOURCE_DATE_EPOCH?= 1546329600
118 .if ${MK_REPRODUCIBLE_BUILD} == "yes"
119 BUILD_UTC?= ${SOURCE_DATE_EPOCH}
121 # BUILD_UTC provides a basis for the loader's notion of time
122 # By default we use the mtime of BUILD_UTC_FILE
123 .if empty(BUILD_UTC_FILE)
124 BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
126 # you can of course set BUILD_UTC to any value you like
127 BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
129 # Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
131 # If we are doing self-tests, we define another arrary vc_PEM
132 # containing certificates that we can verify for each trust anchor.
133 # This is typically a subordinate CA cert.
134 # Finally we generate a hash of VE_HASH_KAT_STR
135 # using each supported hash method
136 # to use as a Known Answer Test (needed for FIPS 140-2)
138 TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem}
139 VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem}
140 vets.o vets.po vets.pico: ta.h
142 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
143 cat ${TA_PEM_LIST:O:u} /dev/null | \
144 file2c -sx 'static const char ta_PEM[] = {' '};'; \
145 echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
146 .if ${VE_SELF_TESTS} != "no"
147 ( cat ${VC_PEM_LIST:O:u} /dev/null | \
148 file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
150 echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
152 # This header records our preference for signature extensions.
153 vesigned.o vesigned.po vesigned.pico: vse.h
155 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
156 echo "static const char *signature_exts[] = {"; \
157 echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \
158 echo 'NULL };' ) > ${.TARGET}
161 .for s in ${BRSSL_SRCS} ${BRSSL_DEPS}
165 XCFLAGS.${s:R}+= ${BRSSL_CFLAGS}