# $FreeBSD$

# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
#
# This is a bmake (BSD make) fragment, not GNU make: .if/.else/.endif,
# the ${VAR:modifier} syntax, "!=" (shell assignment) and .TARGET/.ALLSRC
# are all bmake.  It decides which digest and signature algorithms the
# verifier is built with (VE_HASH_LIST, VE_SIGNATURE_LIST,
# VE_SIGNATURE_EXT_LIST) and where the trust anchors that ta.h / ta_asc.h
# are generated from come from.  The rules that actually build ta.h,
# ta_asc.h and the _*_PEM_USE helpers are not in this file; presumably
# they live in the including Makefile.
#
# Two modes are selected by whether the signing client ${SIGNER} exists:
#   - signing-server mode: certificate chains are fetched from
#     ${SIGN_HOST} and the trust anchors are cut out of those chains;
#   - local mode: t*.pem / t*.asc files in ${.CURDIR} are the anchors.

# force these for Junos
# NOTE(review): how MANIFEST_SKIP_ALWAYS is consumed is not visible here;
# by its name it excludes "boot" from manifest verification — confirm in
# the consumer.
MANIFEST_SKIP_ALWAYS= boot
# Digest algorithms compiled into the verifier.
# NOTE(review): SHA1 stays in the production list; confirm it is needed
# only for legacy digests and that nothing here lets it validate a
# signature (signature algorithms are listed separately below).
VE_HASH_LIST= \
	SHA1 \
	SHA256 \
	SHA384

# Signature algorithms compiled in; production is ECDSA only.
VE_SIGNATURE_LIST= \
	ECDSA

# File extension the verifier looks for next to each signed file.
VE_SIGNATURE_EXT_LIST= \
	esig

# Forced on here; the VE_SELF_TESTS checks below are therefore only
# skipped when it is overridden (e.g. on the command line).
VE_SELF_TESTS= yes

# Only for the unit tests built on the host (.CURDIR:T is the last path
# component): widen the algorithm set so the extra code paths get
# exercised.  RSA and DEPRECATED_RSA_SHA1 are deliberately confined to
# this block and do not reach the production lists above.
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
# for testing
VE_HASH_LIST+= \
	SHA512

VE_SIGNATURE_LIST+= \
	RSA \
	DEPRECATED_RSA_SHA1

VE_SIGNATURE_EXT_LIST+= \
	sig
.endif

# Signing client.  :U supplies a default when SB_TOOLS_PATH is unset;
# "?=" lets both SB_TOOLS_PATH and SIGNER be overridden by the caller
# or the environment.
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

.if exists(${SIGNER})
# Signing-server mode.  SB_SITE (default "svl") selects the site-local
# signing server; ${PYTHON} is expected to be set by the includer.
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# Service ports are derived from the two-digit year: :L makes the
# variable's name its value and :gmtime formats that with strftime(3),
# so ECDSA_PORT is 133YY and RSA2_PORT is 163YY.  Evaluated once (":=").
ECDSA_PORT:= ${133%y:L:gmtime}
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2=   ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# OpenPGP anchors are only produced when a signing URL is configured.
.if !empty(OPENPGP_SIGN_URL)
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py is expected beside sign.py (:H drops the last path
# component of SIGNER).
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# -C presumably asks the server for the certificate/key rather than a
# signature — confirm against openpgp-sign.py.
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

ta.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test
# Sign the OpenPGP anchor itself (.ALLSRC:M*.asc = the .asc sources).
# The mv assumes openpgp-sign.py writes its output as <input>.asc;
# if that changes, the rename fails and the self-test input is missing.
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta.h: vc_openpgp.asc
.endif
.endif

# Certificate chains for the RSA and ECDSA keys, fetched from the
# signing server (-C as above).
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

# :tu upper-cases the list and :M keeps the matching words, so this is
# "ECDSA is in VE_SIGNATURE_LIST" (always true with the list above).
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
# _LAST_PEM_USE / _2ndLAST_PEM_USE are not defined here; by their names
# they are .USE targets from the including Makefile that copy the last /
# second-to-last certificate of the chain into ${.TARGET} — confirm.
ta_ec.pem: ecerts.pem _LAST_PEM_USE

.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
.endif
.endif

# :MRSA matches the word "RSA" only (not DEPRECATED_RSA_SHA1), so this
# block is reached only when the host-test block above added RSA.
.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
.endif
.endif

# we take the mtime of this as our baseline time
# NOTE(review): presumably the consumer uses this mtime as a time floor
# for certificate validity checks where no trusted clock exists — confirm.
BUILD_UTC_FILE= ecerts.pem
# Debugging knobs, left off by default.
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

.else
# you need to provide t*.pem or t*.asc files for each trust anchor
# Local mode.  TRUST_ANCHORS may be preset by the caller; otherwise it
# is collected from this directory ('ls' is quoted to bypass any alias,
# and stderr is discarded so an unmatched glob does not print).
# NOTE(review): the .pem glob is "*.pem" (every .pem file) while the
# .asc glob is restricted to "t*.asc"; any stray non-anchor .pem in
# ${.CURDIR} becomes a prerequisite of ta.h below — confirm that is
# intended, or tighten it to t*.pem.
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
.if empty(TRUST_ANCHORS)
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
# :T keeps only the basename of each word, so these checks look at
# file names regardless of any directory prefix in TRUST_ANCHORS.
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
# OpenPGP support is enabled automatically when .asc anchors are present.
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
# :[1] selects the first word; "?=" lets the caller pick another file.
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif
