# $FreeBSD$

# Pull in the BearSSL build glue when the including Makefile has not
# already set BEARSSL (the BearSSL source directory; the tools paths
# further down are built from it).  ../libbearssl/Makefile.inc is
# presumably what sets it — confirm there.
.if empty(BEARSSL)
.include "../libbearssl/Makefile.inc"
.endif

# Include-once guard: this fragment can be reached from more than one
# Makefile, so a marker target keyed on ${__this} (presumably set by the
# including file) records that it has already been processed.  The
# matching .endif is the last line of this file.
.if !target(_${__this}_)
_${__this}_:

# Remember where this fragment lives so its headers (h/) and sources are
# found regardless of which directory's Makefile included it.
libsecureboot_src:=	${.PARSEDIR}
.PATH:			${libsecureboot_src}
CFLAGS+=		-I${libsecureboot_src}/h

# Core verification sources.  veta.c is only added when the current
# directory is itself a libsecureboot directory, not when this fragment
# is pulled into some other build.
SRCS+=	readfile.c brf.c vesigned.c vets.c
.if !empty(.CURDIR:M*libsecureboot*)
SRCS+=	veta.c
.endif

# Per-object extra flags: XCFLAGS.<basename> is selected by the object
# being built (.TARGET with directory and suffix stripped).  Since this
# is a '+=' of a reference to .TARGET it is resolved when each recipe
# runs, not here.  The self-test switches below and the .for loop at the
# end of this file populate XCFLAGS.* entries.
CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}

# we use a couple of files from ${BEARSSL}/tools
BRSSL_CFLAGS+= -I${BEARSSL}/tools
BRSSL_SRCS+= \
	${BEARSSL}/tools/xmem.c \
	${BEARSSL}/tools/vector.c

# we do not need/want nested objdirs
# (T = tail, R = root; presumably applied by the shared bsd.*.mk rules so
# that ${BEARSSL}/tools/xmem.c yields a plain xmem.o — confirm there)
OBJS_SRCS_FILTER = T R

SRCS+= ${BRSSL_SRCS}


# extract the last cert from a chain (should be rootCA)
#
# .USE rule for a target whose sources contain one .pem chain.  Deletes
# lines 1..<second-to-last END marker>, so only the final PEM block is
# written to the target.  Two things to keep in mind:
#  - it assumes at least two blocks: with a single cert the range covers
#    the whole file and the output is empty;
#  - grep -n over more than one .pem would prefix matches with the file
#    name and the line-number parsing would break, so exactly one .pem
#    is expected in .ALLSRC.
# Whether the last block really is the intended root is a property of
# the input chain, not something this rule checks — inspect the result.
_LAST_PEM_USE: .USE
	sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}

# extract 2nd last cert from chain - we use this for self-test
#
# Prints from the second-to-last BEGIN line up to the line before the
# last BEGIN line (i.e. the second-to-last PEM block).  Same
# single-cert and single-file caveats as _LAST_PEM_USE.
_2ndLAST_PEM_USE: .USE
	sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
	sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}

# Build-time policy knobs.  All use ?= so the including Makefile,
# local.trust.mk or the command line can override them.

# Hash algorithms compiled into the verifier; each becomes a
# -DVE_<NAME>_SUPPORT define below.  Adding an algorithm here widens
# what the verifier will accept.
VE_HASH_LIST ?=		SHA256

# Signature algorithms compiled in.  ECDSA is deliberately not on by
# default: some people don't trust it.
VE_SIGNATURE_LIST ?=	RSA

# Set to yes for FIPS 140-2 compliance: adds the vc_PEM array to ta.h
# and enables the known-answer-test defines for vets.c.
VE_SELF_TESTS ?=	no

# Signature file extensions in search order (hence this list is never
# sorted).  For X509 signatures the trailing "sig" is assumed to be
# replaceable by "certs" to find the chain: manifest.esig -> manifest.ecerts.
VE_SIGNATURE_EXT_LIST ?= sig

# rules to populate the [tv]*.pem files we use to generate ta.h
# and can add/alter VE_*_LIST as desired.
#
# This optional, site-specific file is the hook that decides which trust
# anchors get compiled in, and it may also widen the algorithm lists
# above; whatever it sets becomes part of the verifier's policy.  The
# leading '-' makes a missing file non-fatal, so a typo in its name
# silently yields a build with only the defaults above.
.-include "local.trust.mk"

# this is what we use as our trust anchor
# ta_PEM is the array emitted into the generated ta.h (hence -I.).
CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM

# With self-tests on, vets.c is also told the name of the verify-certs
# array (vc_PEM), which the ta.h rule only emits in that case.
.if ${VE_SELF_TESTS} != "no"
XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
.endif

# clean these up
# normalise: upper-case (:tu), sort (:O) and de-duplicate (:u) so the
# -D names below are stable whatever case or order the user supplied.
VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}

# define what we are supporting
# one -DVE_<NAME>_SUPPORT per entry, e.g. -DVE_SHA256_SUPPORT -DVE_RSA_SUPPORT
# with the defaults above.
CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
	${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}

# OpenPGP support is only compiled in when OPENPGP appears in
# VE_SIGNATURE_LIST (already upper-cased above, so "openpgp" also counts).
.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
.include "openpgp/Makefile.inc"
.endif

.if ${VE_SELF_TESTS} != "no"
# The input used for hash KATs
# Defaults to the vc_PEM array.  The expected digests (vh_<HASH>) are
# computed by the ta.h rule at build time with the host hash tool;
# presumably vets.c hashes this input at run time and compares — confirm
# in vets.c.
VE_HASH_KAT_STR?= vc_PEM

XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
.endif

# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
#
# If we are doing self-tests, we define another array vc_PEM
# containing certificates that we can verify for each trust anchor.
# This is typically a subordinate CA cert.
# Finally we generate a hash of vc_PEM using each supported hash method
# to use as a Known Answer Test (needed for FIPS 140-2)
#
# Details worth knowing before touching this rule:
#  - Sources are all targets matching [tv]*pem (t* = trust anchors,
#    v* = verify certs), typically declared by local.trust.mk; anything
#    matching *crl* is filtered out of both arrays.
#  - The trailing /dev/null keeps cat from reading stdin when no t*.pem
#    or v*.pem matched, so a build with no trust anchors does not fail
#    here — it presumably yields an empty ta_PEM.  If verification
#    unexpectedly fails, inspect the generated ta.h first.
#  - vh_<HASH> is the digest of the concatenated v*.pem files, computed
#    with ${<HASH>} if that variable is set, else the lower-cased tool
#    name (e.g. sha256) from the host.  It is emitted whether or not
#    self-tests are on, and that cat has no /dev/null fallback, so with
#    no v*.pem it reads the recipe's stdin.
#  - BUILD_UTC, when BUILD_UTC_FILE is set, is that file's mtime taken at
#    make time via ${STAT:Ustat} -f %m (:L:sh runs the text as a command).
#    The ${.OODATE:MNOMETA_CMP} tail looks like a meta-mode marker so the
#    changing timestamp is not treated as a changed command — confirm.
#
vets.o vets.po vets.pico: ta.h
ta.h: ${.ALLTARGETS:M[tv]*pem:O:u}
	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
	cat ${.ALLSRC:N*crl*:Mt*.pem} /dev/null | \
	file2c -sx 'static const char ta_PEM[] = {' '};'; \
	echo "${.newline}${VE_HASH_LIST:@H@static char vh_$H[] = \"`cat ${.ALLSRC:N*crl*:Mv*.pem} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
.if ${VE_SELF_TESTS} != "no"
	( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \
	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
.endif
.if !empty(BUILD_UTC_FILE)
	echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
.endif

# This header records our preference for signature extensions.
#
# Each entry of VE_SIGNATURE_EXT_LIST becomes a quoted string in
# signature_exts[], in list order, terminated by NULL.  vse.h has no
# sources, so once it exists it is considered up to date: outside meta
# mode a change to VE_SIGNATURE_EXT_LIST is not picked up until the
# file is removed (or a clean build).
vesigned.o vesigned.po vesigned.pico: vse.h
vse.h:
	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
	echo "static const char *signature_exts[] = {"; \
	echo '${VE_SIGNATURE_EXT_LIST:@e@"$e",${.newline}@}'; \
	echo 'NULL };' ) > ${.TARGET}


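# Every source that uses BearSSL headers gets BRSSL_CFLAGS through its
# XCFLAGS.<basename> entry, which the CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}
# line above looks up by the object's basename without suffix.  :T:R is
# used here (not just :R) so the ${BEARSSL}/tools/*.c entries produce
# the same key form (XCFLAGS.xmem) as that lookup instead of a key that
# still carries the directory and is never consulted; for the bare
# file names the two are identical.
# When BRSSL_SED is defined these sources also depend on brssl.h; how
# brssl.h is produced is not shown in this file — presumably a
# BRSSL_SED-driven rule elsewhere.
.for s in ${BRSSL_SRCS} brf.c vets.c veta.c
.ifdef BRSSL_SED
$s: brssl.h
.endif
XCFLAGS.${s:T:R}+= ${BRSSL_CFLAGS}
.endfor
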
.endif	# !target(_${__this}_) include-once guard from the top of this file
