xref: /freebsd/lib/libsecureboot/Makefile.inc (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1# $FreeBSD$
2
3.if empty(BEARSSL)
4.include "../libbearssl/Makefile.inc"
5.endif
6
7.if !target(_${__this}_)
8_${__this}_:
9
10libsecureboot_src:= ${.PARSEDIR}
11
12CFLAGS+= -I${libsecureboot_src}/h
13
14CFLAGS+= -DHAVE_BR_X509_TIME_CHECK
15
16.PATH: ${.PARSEDIR}
17
18SRCS+= \
19	readfile.c \
20	brf.c \
21	vesigned.c \
22	vets.c
23
24.if ${.CURDIR:M*libsecureboot*} != ""
25SRCS+= veta.c
26.endif
27
28CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}
29
30# we use a couple of files from ${BEARSSL}/tools
31BRSSL_CFLAGS+= -I${BEARSSL}/tools
32BRSSL_SRCS+= \
33	${BEARSSL}/tools/xmem.c \
34	${BEARSSL}/tools/vector.c
35
36BRSSL_DEPS= \
37	brf.c \
38	vets.c \
39	veta.c
40
41.if ${MK_LOADER_EFI_SECUREBOOT} != "no"
42BRSSL_DEPS+= \
43	efi_init.c \
44	efi_variables.c
45.endif
46
47# we do not need/want nested objdirs
48OBJS_SRCS_FILTER = T R
49
50SRCS+= ${BRSSL_SRCS}
51
52
53# extract the last cert from a chain (should be rootCA)
54_LAST_PEM_USE: .USE
55	sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}
56
57# extract 2nd last cert from chain - we use this for self-test
58_2ndLAST_PEM_USE: .USE
59	sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
60	sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}
61
62# list of hashes we support
63VE_HASH_LIST?= SHA256
64
65# list of signatures we support
66# some people don't trust ECDSA
67VE_SIGNATURE_LIST?= RSA
68
69# this list controls our search for signatures so will not be sorted
70# note: for X509 signatures we assume we can replace the trailing
71# "sig" with "certs" to find the certificate chain
72# eg. for manifest.esig we use manifest.ecerts
73VE_SIGNATURE_EXT_LIST?= sig
74
75# needs to be yes for FIPS 140-2 compliance
76VE_SELF_TESTS?= no
77
78# rules to populate the [tv]*.pem files we use to generate ta.h
79# and can add/alter VE_*_LIST as desired.
80.-include "local.trust.mk"
81
82# this is what we use as our trust anchor
83CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
84
85.if ${VE_SELF_TESTS} != "no"
86XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
87.endif
88
89# clean these up
90VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
91VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}
92
93# define what we are supporting
94CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
95	${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}
96
97.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
98.include "openpgp/Makefile.inc"
99.endif
100
101.if ${VE_SELF_TESTS} != "no"
102# The input used for hash KATs
103# we use a string by default so it is independent of any other test
104VE_HASH_KAT_STRLEN?= strlen
105.if ${VE_HASH_KAT_STRLEN} == "strlen"
106VE_HASH_KAT_STR?= self-tests-are-good
107VE_HASH_KAT_STR_INPUT= echo -n
108XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\"
109.else
110VE_HASH_KAT_STR?= vc_PEM
111VE_HASH_KAT_STR_INPUT= cat
112VE_HASH_KAT_STRLEN= sizeof
113XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
114.endif
115XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN}
116.endif
117
118# this should be updated occassionally this is 2019-01-01Z
119SOURCE_DATE_EPOCH?= 1546329600
120.if ${MK_REPRODUCIBLE_BUILD} == "yes"
121BUILD_UTC?= ${SOURCE_DATE_EPOCH}
122.endif
123# BUILD_UTC provides a basis for the loader's notion of time
124# By default we use the mtime of BUILD_UTC_FILE
125.if empty(BUILD_UTC_FILE)
126BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
127.endif
128# you can of course set BUILD_UTC to any value you like
129BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
130
131# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
132#
133# If we are doing self-tests, we define another arrary vc_PEM
134# containing certificates that we can verify for each trust anchor.
135# This is typically a subordinate CA cert.
136# Finally we generate a hash of VE_HASH_KAT_STR
137# using each supported hash method
138# to use as a Known Answer Test (needed for FIPS 140-2)
139#
140TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem}
141VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem}
142vets.o vets.po vets.pico: ta.h
143ta.h:
144	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
145	cat ${TA_PEM_LIST:O:u} /dev/null | \
146	file2c -sx 'static const char ta_PEM[] = {' '};'; \
147	echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
148.if ${VE_SELF_TESTS} != "no"
149	( cat ${VC_PEM_LIST:O:u} /dev/null | \
150	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
151.endif
152	echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
153
154# This header records our preference for signature extensions.
155vesigned.o vesigned.po vesigned.pico: vse.h
156vse.h:
157	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
158	echo "static const char *signature_exts[] = {"; \
159	echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \
160	echo 'NULL };' ) > ${.TARGET}
161
162
163.for s in ${BRSSL_SRCS} ${BRSSL_DEPS}
164.ifdef BRSSL_SED
165$s: brssl.h
166.endif
167XCFLAGS.${s:R}+= ${BRSSL_CFLAGS}
168.endfor
169
170.endif
171