1.if empty(BEARSSL) 2.include "../libbearssl/Makefile.inc" 3.endif 4 5.if !target(_${__this}_) 6_${__this}_: 7 8libsecureboot_src:= ${.PARSEDIR} 9 10CFLAGS+= -I${libsecureboot_src}/h 11 12CFLAGS+= -DHAVE_BR_X509_TIME_CHECK 13 14.PATH: ${.PARSEDIR} 15 16SRCS+= \ 17 readfile.c \ 18 brf.c \ 19 vesigned.c \ 20 vets.c 21 22.if ${.CURDIR:M*libsecureboot*} != "" 23SRCS+= veta.c 24.endif 25 26CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U} 27 28# we use a couple of files from ${BEARSSL}/tools 29BRSSL_CFLAGS+= -I${BEARSSL}/tools 30BRSSL_SRCS+= \ 31 ${BEARSSL}/tools/xmem.c \ 32 ${BEARSSL}/tools/vector.c 33 34BRSSL_DEPS= \ 35 brf.c \ 36 vets.c \ 37 veta.c 38 39.if ${MK_LOADER_EFI_SECUREBOOT} != "no" 40BRSSL_DEPS+= \ 41 efi_init.c \ 42 efi_variables.c 43.endif 44 45# we do not need/want nested objdirs 46OBJS_SRCS_FILTER = T R 47 48SRCS+= ${BRSSL_SRCS} 49 50 51# extract the last cert from a chain (should be rootCA) 52_LAST_PEM_USE: .USE 53 sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET} 54 55# extract 2nd last cert from chain - we use this for self-test 56_2ndLAST_PEM_USE: .USE 57 sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \ 58 sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET} 59 60# rules to populate the [tv]*.pem files we use to generate ta.h 61# and can add/alter VE_*_LIST as desired. 62.-include "local.trust.mk" 63 64# list of hashes we support 65VE_HASH_LIST?= SHA256 66 67# list of signatures we support 68# some people don't trust ECDSA 69VE_SIGNATURE_LIST?= RSA 70 71# this list controls our search for signatures so will not be sorted 72# note: for X509 signatures we assume we can replace the trailing 73# "sig" with "certs" to find the certificate chain 74# eg. for manifest.esig we use manifest.ecerts 75VE_SIGNATURE_EXT_LIST?= sig 76 77# needs to be yes for FIPS 140-2 compliance 78VE_SELF_TESTS?= no 79 80CFLAGS+= -I. 81 82.if ${VE_SIGNATURE_EXT_LIST:M*sig} != "" 83# this is what we use as our trust anchor 84CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM 85 86.if ${VE_SELF_TESTS} != "no" 87XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM 88.endif 89.endif 90 91# clean these up 92VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u} 93VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u} 94 95# define what we are supporting 96CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \ 97 ${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@} 98 99.if ${VE_SIGNATURE_LIST:MOPENPGP} != "" 100.include "openpgp/Makefile.inc" 101.endif 102 103.if ${VE_SELF_TESTS} != "no" 104# The input used for hash KATs 105# we use a string by default so it is independent of any other test 106VE_HASH_KAT_STRLEN?= strlen 107.if ${VE_HASH_KAT_STRLEN} == "strlen" 108VE_HASH_KAT_STR?= self-tests-are-good 109VE_HASH_KAT_STR_INPUT= echo -n 110XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\" 111.else 112VE_HASH_KAT_STR?= vc_PEM 113VE_HASH_KAT_STR_INPUT= cat 114VE_HASH_KAT_STRLEN= sizeof 115XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR} 116.endif 117XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN} 118.endif 119 120# this should be updated occassionally this is 2019-01-01Z 121SOURCE_DATE_EPOCH?= 1546329600 122.if ${MK_REPRODUCIBLE_BUILD} == "yes" 123BUILD_UTC?= ${SOURCE_DATE_EPOCH} 124.endif 125# BUILD_UTC provides a basis for the loader's notion of time 126# By default we use the mtime of BUILD_UTC_FILE 127.if empty(BUILD_UTC_FILE) 128BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE} 129.endif 130# you can of course set BUILD_UTC to any value you like 131.if ${MAKE_VERSION} > 20230509 132BUILD_UTC?= ${BUILD_UTC_FILE:mtime} 133.else 134BUILD_UTC?= ${${STAT:Ustat} -L -f %m ${BUILD_UTC_FILE}:L:sh} 135.endif 136 137# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM. 138# 139# If we are doing self-tests, we define another arrary vc_PEM 140# containing certificates that we can verify for each trust anchor. 141# This is typically a subordinate CA cert. 142# Finally we generate a hash of VE_HASH_KAT_STR 143# using each supported hash method 144# to use as a Known Answer Test (needed for FIPS 140-2) 145# 146TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem} 147VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem} 148vets.o vets.po vets.pico: ta.h 149ta.h: 150 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ 151 cat ${TA_PEM_LIST:O:u} /dev/null | \ 152 file2c -sx 'static const char ta_PEM[] = {' '};'; \ 153 echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} 154.if ${VE_SELF_TESTS} != "no" 155 ( cat ${VC_PEM_LIST:O:u} /dev/null | \ 156 file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET} 157.endif 158 echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP} 159 160# This header records our preference for signature extensions. 161vesigned.o vesigned.po vesigned.pico: vse.h 162vse.h: 163 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ 164 echo "static const char *signature_exts[] = {"; \ 165 echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \ 166 echo 'NULL };' ) > ${.TARGET} 167 168 169.for s in ${BRSSL_SRCS} ${BRSSL_DEPS} 170.ifdef BRSSL_SED 171$s: brssl.h 172.endif 173XCFLAGS.${s:R}+= ${BRSSL_CFLAGS} 174.endfor 175 176.endif 177