1# $FreeBSD$ 2 3.if empty(BEARSSL) 4.include "../libbearssl/Makefile.inc" 5.endif 6 7.if !target(_${__this}_) 8_${__this}_: 9 10libsecureboot_src:= ${.PARSEDIR} 11 12CFLAGS+= -I${libsecureboot_src}/h 13 14CFLAGS+= -DHAVE_BR_X509_TIME_CHECK 15 16.PATH: ${.PARSEDIR} 17 18SRCS+= \ 19 readfile.c \ 20 brf.c \ 21 vesigned.c \ 22 vets.c 23 24.if ${.CURDIR:M*libsecureboot*} != "" 25SRCS+= veta.c 26.endif 27 28CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U} 29 30# we use a couple of files from ${BEARSSL}/tools 31BRSSL_CFLAGS+= -I${BEARSSL}/tools 32BRSSL_SRCS+= \ 33 ${BEARSSL}/tools/xmem.c \ 34 ${BEARSSL}/tools/vector.c 35 36BRSSL_DEPS= \ 37 brf.c \ 38 vets.c \ 39 veta.c 40 41.if ${MK_LOADER_EFI_SECUREBOOT} != "no" 42BRSSL_DEPS+= \ 43 efi_init.c \ 44 efi_variables.c 45.endif 46 47# we do not need/want nested objdirs 48OBJS_SRCS_FILTER = T R 49 50SRCS+= ${BRSSL_SRCS} 51 52 53# extract the last cert from a chain (should be rootCA) 54_LAST_PEM_USE: .USE 55 sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET} 56 57# extract 2nd last cert from chain - we use this for self-test 58_2ndLAST_PEM_USE: .USE 59 sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \ 60 sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET} 61 62# list of hashes we support 63VE_HASH_LIST?= SHA256 64 65# list of signatures we support 66# some people don't trust ECDSA 67VE_SIGNATURE_LIST?= RSA 68 69# this list controls our search for signatures so will not be sorted 70# note: for X509 signatures we assume we can replace the trailing 71# "sig" with "certs" to find the certificate chain 72# eg. for manifest.esig we use manifest.ecerts 73VE_SIGNATURE_EXT_LIST?= sig 74 75# needs to be yes for FIPS 140-2 compliance 76VE_SELF_TESTS?= no 77 78# rules to populate the [tv]*.pem files we use to generate ta.h 79# and can add/alter VE_*_LIST as desired. 80.-include "local.trust.mk" 81 82# this is what we use as our trust anchor 83CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM 84 85.if ${VE_SELF_TESTS} != "no" 86XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM 87.endif 88 89# clean these up 90VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u} 91VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u} 92 93# define what we are supporting 94CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \ 95 ${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@} 96 97.if ${VE_SIGNATURE_LIST:MOPENPGP} != "" 98.include "openpgp/Makefile.inc" 99.endif 100 101.if ${VE_SELF_TESTS} != "no" 102# The input used for hash KATs 103# we use a string by default so it is independent of any other test 104VE_HASH_KAT_STRLEN?= strlen 105.if ${VE_HASH_KAT_STRLEN} == "strlen" 106VE_HASH_KAT_STR?= self-tests-are-good 107VE_HASH_KAT_STR_INPUT= echo -n 108XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\" 109.else 110VE_HASH_KAT_STR?= vc_PEM 111VE_HASH_KAT_STR_INPUT= cat 112VE_HASH_KAT_STRLEN= sizeof 113XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR} 114.endif 115XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN} 116.endif 117 118# this should be updated occassionally this is 2019-01-01Z 119SOURCE_DATE_EPOCH?= 1546329600 120.if ${MK_REPRODUCIBLE_BUILD} == "yes" 121BUILD_UTC?= ${SOURCE_DATE_EPOCH} 122.endif 123# BUILD_UTC provides a basis for the loader's notion of time 124# By default we use the mtime of BUILD_UTC_FILE 125.if empty(BUILD_UTC_FILE) 126BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE} 127.endif 128# you can of course set BUILD_UTC to any value you like 129.if ${MAKE_VERSION} > 20230509 130BUILD_UTC?= ${BUILD_UTC_FILE:mtime} 131.else 132BUILD_UTC?= ${${STAT:Ustat} -L -f %m ${BUILD_UTC_FILE}:L:sh} 133.endif 134 135# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM. 136# 137# If we are doing self-tests, we define another arrary vc_PEM 138# containing certificates that we can verify for each trust anchor. 139# This is typically a subordinate CA cert. 140# Finally we generate a hash of VE_HASH_KAT_STR 141# using each supported hash method 142# to use as a Known Answer Test (needed for FIPS 140-2) 143# 144TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem} 145VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem} 146vets.o vets.po vets.pico: ta.h 147ta.h: 148 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ 149 cat ${TA_PEM_LIST:O:u} /dev/null | \ 150 file2c -sx 'static const char ta_PEM[] = {' '};'; \ 151 echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} 152.if ${VE_SELF_TESTS} != "no" 153 ( cat ${VC_PEM_LIST:O:u} /dev/null | \ 154 file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET} 155.endif 156 echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP} 157 158# This header records our preference for signature extensions. 159vesigned.o vesigned.po vesigned.pico: vse.h 160vse.h: 161 @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ 162 echo "static const char *signature_exts[] = {"; \ 163 echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \ 164 echo 'NULL };' ) > ${.TARGET} 165 166 167.for s in ${BRSSL_SRCS} ${BRSSL_DEPS} 168.ifdef BRSSL_SED 169$s: brssl.h 170.endif 171XCFLAGS.${s:R}+= ${BRSSL_CFLAGS} 172.endfor 173 174.endif 175