xref: /freebsd/lib/libsecureboot/Makefile.inc (revision e2340276fc734a1f0bd0d2cf16fcfba7936c9462)
1
2.if empty(BEARSSL)
3.include "../libbearssl/Makefile.inc"
4.endif
5
6.if !target(_${__this}_)
7_${__this}_:
8
9libsecureboot_src:= ${.PARSEDIR}
10
11CFLAGS+= -I${libsecureboot_src}/h
12
13CFLAGS+= -DHAVE_BR_X509_TIME_CHECK
14
15.PATH: ${.PARSEDIR}
16
17SRCS+= \
18	readfile.c \
19	brf.c \
20	vesigned.c \
21	vets.c
22
23.if ${.CURDIR:M*libsecureboot*} != ""
24SRCS+= veta.c
25.endif
26
27CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}
28
29# we use a couple of files from ${BEARSSL}/tools
30BRSSL_CFLAGS+= -I${BEARSSL}/tools
31BRSSL_SRCS+= \
32	${BEARSSL}/tools/xmem.c \
33	${BEARSSL}/tools/vector.c
34
35BRSSL_DEPS= \
36	brf.c \
37	vets.c \
38	veta.c
39
40.if ${MK_LOADER_EFI_SECUREBOOT} != "no"
41BRSSL_DEPS+= \
42	efi_init.c \
43	efi_variables.c
44.endif
45
46# we do not need/want nested objdirs
47OBJS_SRCS_FILTER = T R
48
49SRCS+= ${BRSSL_SRCS}
50
51
52# extract the last cert from a chain (should be rootCA)
53_LAST_PEM_USE: .USE
54	sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}
55
56# extract 2nd last cert from chain - we use this for self-test
57_2ndLAST_PEM_USE: .USE
58	sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
59	sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}
60
61# list of hashes we support
62VE_HASH_LIST?= SHA256
63
64# list of signatures we support
65# some people don't trust ECDSA
66VE_SIGNATURE_LIST?= RSA
67
68# this list controls our search for signatures so will not be sorted
69# note: for X509 signatures we assume we can replace the trailing
70# "sig" with "certs" to find the certificate chain
71# eg. for manifest.esig we use manifest.ecerts
72VE_SIGNATURE_EXT_LIST?= sig
73
74# needs to be yes for FIPS 140-2 compliance
75VE_SELF_TESTS?= no
76
77# rules to populate the [tv]*.pem files we use to generate ta.h
78# and can add/alter VE_*_LIST as desired.
79.-include "local.trust.mk"
80
81# this is what we use as our trust anchor
82CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
83
84.if ${VE_SELF_TESTS} != "no"
85XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
86.endif
87
88# clean these up
89VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
90VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}
91
92# define what we are supporting
93CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
94	${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}
95
96.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
97.include "openpgp/Makefile.inc"
98.endif
99
100.if ${VE_SELF_TESTS} != "no"
101# The input used for hash KATs
102# we use a string by default so it is independent of any other test
103VE_HASH_KAT_STRLEN?= strlen
104.if ${VE_HASH_KAT_STRLEN} == "strlen"
105VE_HASH_KAT_STR?= self-tests-are-good
106VE_HASH_KAT_STR_INPUT= echo -n
107XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\"
108.else
109VE_HASH_KAT_STR?= vc_PEM
110VE_HASH_KAT_STR_INPUT= cat
111VE_HASH_KAT_STRLEN= sizeof
112XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
113.endif
114XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN}
115.endif
116
117# this should be updated occassionally this is 2019-01-01Z
118SOURCE_DATE_EPOCH?= 1546329600
119.if ${MK_REPRODUCIBLE_BUILD} == "yes"
120BUILD_UTC?= ${SOURCE_DATE_EPOCH}
121.endif
122# BUILD_UTC provides a basis for the loader's notion of time
123# By default we use the mtime of BUILD_UTC_FILE
124.if empty(BUILD_UTC_FILE)
125BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
126.endif
127# you can of course set BUILD_UTC to any value you like
128.if ${MAKE_VERSION} > 20230509
129BUILD_UTC?= ${BUILD_UTC_FILE:mtime}
130.else
131BUILD_UTC?= ${${STAT:Ustat} -L -f %m ${BUILD_UTC_FILE}:L:sh}
132.endif
133
134# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
135#
136# If we are doing self-tests, we define another arrary vc_PEM
137# containing certificates that we can verify for each trust anchor.
138# This is typically a subordinate CA cert.
139# Finally we generate a hash of VE_HASH_KAT_STR
140# using each supported hash method
141# to use as a Known Answer Test (needed for FIPS 140-2)
142#
143TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem}
144VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem}
145vets.o vets.po vets.pico: ta.h
146ta.h:
147	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
148	cat ${TA_PEM_LIST:O:u} /dev/null | \
149	file2c -sx 'static const char ta_PEM[] = {' '};'; \
150	echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
151.if ${VE_SELF_TESTS} != "no"
152	( cat ${VC_PEM_LIST:O:u} /dev/null | \
153	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
154.endif
155	echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
156
157# This header records our preference for signature extensions.
158vesigned.o vesigned.po vesigned.pico: vse.h
159vse.h:
160	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
161	echo "static const char *signature_exts[] = {"; \
162	echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \
163	echo 'NULL };' ) > ${.TARGET}
164
165
166.for s in ${BRSSL_SRCS} ${BRSSL_DEPS}
167.ifdef BRSSL_SED
168$s: brssl.h
169.endif
170XCFLAGS.${s:R}+= ${BRSSL_CFLAGS}
171.endfor
172
173.endif
174