xref: /freebsd/lib/libsecureboot/local.trust.mk (revision 2e3f49888ec8851bafb22011533217487764fdb0)
1
2# Consider this file an example.
3#
4# For Junos this is how we obtain trust anchor .pems
5# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
6# for each key will provide the appropriate certificate chain on request
7
8# force these for Junos
9#MANIFEST_SKIP_ALWAYS= boot
10VE_HASH_LIST= \
11	SHA1 \
12	SHA256 \
13	SHA384 \
14	SHA512
15
16VE_SIGNATURE_LIST= \
17	ECDSA \
18	RSA
19
20VE_SIGNATURE_EXT_LIST= \
21	esig \
22	rsig
23
24VE_SELF_TESTS= yes
25
26.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
27
28VE_SIGNATURE_LIST+= \
29	DEPRECATED_RSA_SHA1
30
31VE_SIGNATURE_EXT_LIST+= \
32	sig
33.endif
34
35# add OpenPGP support - possibly dormant
36VE_SIGNATURE_LIST+= OPENPGP
37VE_SIGNATURE_EXT_LIST+= asc
38
39# allow site override of all the above
40.-include "site.trust.mk"
41
42SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
43
44.if exists(${SIGNER})
45SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
46ECDSA_PORT:= ${133%y:L:gmtime}
47SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
48RSA2_PORT:= ${163%y:L:gmtime}
49SIGN_RSA2=   ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
50
51# deal with quirk of our .esig format
52XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
53
54.if !empty(OPENPGP_SIGN_URL)
55XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
56
57VE_SIGNATURE_LIST+= OPENPGP
58VE_SIGNATURE_EXT_LIST+= asc
59
60SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
61
62ta_openpgp.asc:
63	${SIGN_OPENPGP} -C ${.TARGET}
64
65ta_asc.h: ta_openpgp.asc
66
67.if ${VE_SELF_TESTS} != "no"
68# for self test
69vc_openpgp.asc: ta_openpgp.asc
70	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
71	mv ta_openpgp.asc.asc ${.TARGET}
72
73ta_asc.h: vc_openpgp.asc
74.endif
75.endif
76
77rcerts.pem:
78	${SIGN_RSA2} -C ${.TARGET}
79
80ecerts.pem:
81	${SIGN_ECDSA} -C ${.TARGET}
82
83.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
84# the last cert in the chain is the one we want
85ta_ec.pem: ecerts.pem _LAST_PEM_USE
86ta.h: ta_ec.pem
87.if ${VE_SELF_TESTS} != "no"
88# these are for verification self test
89vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
90ta.h: vc_ec.pem
91.endif
92.endif
93
94.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
95ta_rsa.pem: rcerts.pem _LAST_PEM_USE
96ta.h: ta_rsa.pem
97.if ${VE_SELF_TESTS} != "no"
98vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
99ta.h: vc_rsa.pem
100.endif
101.endif
102
103# we take the mtime of this as our baseline time
104#BUILD_UTC_FILE= ecerts.pem
105#VE_DEBUG_LEVEL=3
106#VE_VERBOSE_DEFAULT=1
107
108.else
109# you need to provide t*.pem or t*.asc files for each trust anchor
110.if empty(TRUST_ANCHORS)
111TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
112.endif
113.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
114.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
115.endif
116.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
117ta.h: ${TRUST_ANCHORS:M*.pem}
118.endif
119.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
120VE_SIGNATURE_LIST+= OPENPGP
121VE_SIGNATURE_EXT_LIST+= asc
122ta_asc.h: ${TRUST_ANCHORS:M*.asc}
123.endif
124# we take the mtime of this as our baseline time
125BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
126.endif
127
128