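# $FreeBSD$
#
# Build glue for libsecureboot: pulls in BearSSL, selects the supported
# hash/signature algorithms, and generates the ta.h (trust anchors) and
# vse.h (signature extension list) headers that vets.c / vesigned.c use.

.if empty(BEARSSL)
.include "../libbearssl/Makefile.inc"
.endif

# include-once guard: everything below is parsed a single time per __this
.if !target(_${__this}_)
_${__this}_:

libsecureboot_src:= ${.PARSEDIR}

CFLAGS+= -I${libsecureboot_src}/h

.PATH: ${.PARSEDIR}

SRCS+= \
	readfile.c \
	brf.c \
	vesigned.c \
	vets.c

# veta.c is only wanted when building the library itself
.if ${.CURDIR:M*libsecureboot*} != ""
SRCS+= veta.c
.endif

# per-object flags: XCFLAGS.<basename> is appended for that object only
CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}

# we use a couple of files from ${BEARSSL}/tools
BRSSL_CFLAGS+= -I${BEARSSL}/tools
BRSSL_SRCS+= \
	${BEARSSL}/tools/xmem.c \
	${BEARSSL}/tools/vector.c

# we do not need/want nested objdirs
OBJS_SRCS_FILTER = T R

SRCS+= ${BRSSL_SRCS}


# extract the last cert from a chain (should be rootCA)
# .USE rules are attached to the [tv]*.pem targets by local.trust.mk;
# the chain file is the *.pem member of ${.ALLSRC}
_LAST_PEM_USE: .USE
	sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}

# extract 2nd last cert from chain - we use this for self-test
# (the line range runs from the 2nd last BEGIN marker up to the line
# before the last BEGIN marker)
_2ndLAST_PEM_USE: .USE
	sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
	sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}

# list of hashes we support
# each entry H becomes -DVE_H_SUPPORT below and also names the host
# tool (lowercased, or ${H} if set) used to hash the v*.pem input
VE_HASH_LIST?= SHA256

# list of signatures we support
# some people don't trust ECDSA
VE_SIGNATURE_LIST?= RSA

# this list controls our search for signatures so will not be sorted
# note: for X509 signatures we assume we can replace the trailing
# "sig" with "certs" to find the certificate chain
# e.g. for manifest.esig we use manifest.ecerts
VE_SIGNATURE_EXT_LIST?= sig

# needs to be yes for FIPS 140-2 compliance
VE_SELF_TESTS?= no

# rules to populate the [tv]*.pem files we use to generate ta.h
# and can add/alter VE_*_LIST as desired.
# .-include is silent if the file is missing; since this file decides
# which trust anchors get compiled in, its provenance matters as much
# as the sources here.
.-include "local.trust.mk"

# this is what we use as our trust anchor
CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM

.if ${VE_SELF_TESTS} != "no"
XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
.endif

# clean these up: uppercase, sort, dedup
VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}

# define what we are supporting
CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
	${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}

.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
.include "openpgp/Makefile.inc"
.endif

.if ${VE_SELF_TESTS} != "no"
# The input used for hash KATs
VE_HASH_KAT_STR?= vc_PEM

XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
.endif

# this should be updated occasionally; this is 2019-01-01Z
SOURCE_DATE_EPOCH?= 1546329600
.if ${MK_REPRODUCIBLE_BUILD} == "yes"
BUILD_UTC?= ${SOURCE_DATE_EPOCH}
.endif
# BUILD_UTC provides a basis for the loader's notion of time
# (presumably consulted for certificate validity periods - confirm in vets.c)
# By default we use the mtime of BUILD_UTC_FILE
.if empty(BUILD_UTC_FILE)
BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
.endif
# you can of course set BUILD_UTC to any value you like
BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}

# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
#
# If we are doing self-tests, we define another array vc_PEM
# containing certificates that we can verify for each trust anchor.
# This is typically a subordinate CA cert.
# Finally we generate a hash of vc_PEM using each supported hash method
# to use as a Known Answer Test (needed for FIPS 140-2)
#
# Inputs are the [tv]*.pem targets; *crl* files are excluded from both
# ta_PEM and the vh_* hashes.  Every cat gets /dev/null appended so an
# empty match list never leaves cat reading make's stdin.
#
vets.o vets.po vets.pico: ta.h
ta.h: ${.ALLTARGETS:M[tv]*pem:O:u}
	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
	cat ${.ALLSRC:N*crl*:Mt*.pem} /dev/null | \
	file2c -sx 'static const char ta_PEM[] = {' '};'; \
	echo "${.newline}${VE_HASH_LIST:@H@static char vh_$H[] = \"`cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
.if ${VE_SELF_TESTS} != "no"
	( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \
	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
.endif
	echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}

# This header records our preference for signature extensions.
vesigned.o vesigned.po vesigned.pico: vse.h
vse.h:
	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
	echo "static const char *signature_exts[] = {"; \
	echo '${VE_SIGNATURE_EXT_LIST:@e@"$e",${.newline}@}'; \
	echo 'NULL };' ) > ${.TARGET}


# everything that includes BearSSL headers gets BRSSL_CFLAGS; with
# BRSSL_SED set those objects also depend on the generated brssl.h
.for s in ${BRSSL_SRCS} brf.c vets.c veta.c
.ifdef BRSSL_SED
$s: brssl.h
.endif
XCFLAGS.${s:R}+= ${BRSSL_CFLAGS}
.endfor

.endif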