lib/libsecureboot/local.trust.mk

   1
   2 # Consider this file an example.
   3 #
   4 # For Junos this is how we obtain trust anchor .pems
   5 # the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
   6 # for each key will provide the appropriate certificate chain on request
   7
   8 # allow site control
   9 .-include "site.trust.mk"
  10
  11 #VE_DEBUG_LEVEL?=3
  12 #VE_VERBOSE_DEFAULT?=2
  13
  14 VE_HASH_LIST?= \
  15         SHA256 \
  16         SHA384 \
  17
  18 VE_SELF_TESTS?= yes
  19
  20 # client for the signing server above
  21 SIGNER?= /opt/sigs/sign.py
  22
  23 .if exists(${SIGNER})
  24 OPENPGP_SIGNER?= ${SIGNER:H}/openpgp-sign.py
  25 OPENPGP_SIGN_FLAGS= -a
  26 OPENPGP_SIGN_HOST?= localhost
  27 SIGN_HOST ?= localhost
  28
  29 # A list of name/ext/url tuples.
  30 # name should be one of ECDSA, OPENPGP or RSA, they can be repeated
  31 # Order of ext list implies runtime preference so do not sort!
  32 VE_SIGN_URL_LIST?= \
  33         ECDSA/esig/${SIGN_HOST}:${133%y:L:localtime} \
  34         RSA/rsig/${SIGN_HOST}:${163%y:L:localtime} \
  35         OPENPGP/asc/${OPENPGP_SIGN_HOST}:1234 \
  36
  37 .for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}
  38 SIGN_${sig}:= ${PYTHON} ${${sig}_SIGNER:U${SIGNER}} -u ${url} ${${sig}_SIGN_FLAGS:U-h sha256}
  39
  40 VE_SIGNATURE_LIST+= ${sig}
  41 VE_SIGNATURE_EXT_LIST+= ${ext}
  42
  43 _SIGN_${sig}_USE:       .USE
  44         ${SIGN_${sig}} ${.ALLSRC}
  45
  46 _TA_${sig}_USE:       .USE
  47         ${SIGN_${sig}} -C ${.TARGET}
  48
  49 .if ${sig} == "OPENPGP"
  50 ta_${sig:tl}.${ext}: _TA_${sig}_USE
  51 ta_${ext}.h: ta_${sig:tl}.${ext}
  52 .else
  53 ${ext:S/sig/certs/}.pem: _TA_${sig}_USE
  54 # the last cert in the chain is the one we want
  55 ta_${ext}.pem: ${ext:S/sig/certs/}.pem _LAST_PEM_USE
  56 ta.h: ta_${ext}.pem
  57 .if ${VE_SELF_TESTS} != "no"
  58 # we use the 2nd last cert to test verification
  59 vc_${ext}.pem: ${ext:S/sig/certs/}.pem _2ndLAST_PEM_USE
  60 ta.h: vc_${ext}.pem
  61 .endif
  62 .endif
  63 .endfor
  64
  65 # cleanup duplicates
  66 VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:O:u}
  67
  68 .if target(ta_asc.h)
  69 XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
  70
  71 .if ${VE_SELF_TESTS} != "no"
  72 # for self test
  73 vc_openpgp.asc: ta_openpgp.asc
  74         ${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
  75         mv ta_openpgp.asc.asc ${.TARGET}
  76
  77 ta_asc.h: vc_openpgp.asc
  78 .endif
  79 .endif
  80
  81 .else
  82 VE_SIGNATURE_LIST?= RSA
  83
  84 # you need to provide t*.pem or t*.asc files for each trust anchor
  85 # below assumes they are named ta_${ext}.pem eg ta_esig.pem for ECDSA
  86 .if empty(TRUST_ANCHORS)
  87 TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
  88 .endif
  89 .if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
  90 .error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
  91 .endif
  92
  93 .if ${TRUST_ANCHORS:T:Mt*.pem} != ""
  94 ta.h: ${TRUST_ANCHORS:M*.pem}
  95 VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}
  96 .if ${VE_SIGNATURE_EXT_LIST:Mesig} != ""
  97 VE_SIGNATURE_LIST+= ECDSA
  98 .endif
  99 .endif
 100
 101 .if ${TRUST_ANCHORS:T:Mt*.asc} != ""
 102 VE_SIGNATURE_LIST+= OPENPGP
 103 VE_SIGNATURE_EXT_LIST+= asc
 104 ta_asc.h: ${TRUST_ANCHORS:M*.asc}
 105 .endif
 106 # we take the mtime of this as our baseline time
 107 BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
 108 .endif