# $FreeBSD$

# Consider this file an example.
#
# For Junos this is how we obtain the trust anchor .pem files:
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# provides the appropriate certificate chain for each key on request.

# force these for Junos
MANIFEST_SKIP_ALWAYS= boot
# NOTE(review): presumably the digest algorithms the verifier is built with;
# SHA1 is still in the default list -- confirm it is still required
VE_HASH_LIST= SHA1 SHA256 SHA384
# signature scheme(s) and the extension used for their detached signatures
VE_SIGNATURE_LIST= ECDSA
VE_SIGNATURE_EXT_LIST= esig
# anything other than "no" enables the verification self tests below
VE_SELF_TESTS= yes

.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
# only the host-side test build (MACHINE == host, built from the tests
# directory) widens the lists; this is where the deprecated RSA/SHA1 scheme
# is admitted, so it never reaches the Junos defaults above
VE_HASH_LIST+= SHA512
VE_SIGNATURE_LIST+= RSA DEPRECATED_RSA_SHA1
VE_SIGNATURE_EXT_LIST+= sig
.endif

# signing client used to talk to the signing server; ?= means an existing
# SIGNER (environment or command line) wins, and SB_TOOLS_PATH relocates the
# default
SIGNER?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

# With a signing client present the trust anchors are fetched from the signing
# server at build time; otherwise (the .else branch below) they have to be
# supplied as files in ${.CURDIR}.
# NOTE(review): whatever chain the server returns becomes a trust anchor, so
# the integrity of this fetch (SIGN_HOST, transport) matters -- confirm what
# sign.py itself verifies.
.if exists(${SIGNER})
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# the port is strftime(3) output: "133" followed by the two-digit year (%y),
# evaluated once at parse time because of :=, so it rolls over every year
ECDSA_PORT:= ${133%y:L:gmtime}
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2=   ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# OpenPGP anchors are only produced when a signing URL has been configured
.if !empty(OPENPGP_SIGN_URL)
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py is expected next to sign.py (${SIGNER:H} is its directory)
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# -C presumably asks the signer for its certificate rather than a signature
# (see the header comment) -- confirm against openpgp-sign.py
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

# ta.h's recipe is defined outside this file; here we only add prerequisites
ta.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test: sign the anchor itself to obtain a known-good signature to
# verify against. The signer apparently writes <input>.asc, hence the mv.
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta.h: vc_openpgp.asc
.endif
.endif

# certificate chains for the RSA and ECDSA signing keys
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

# _LAST_PEM_USE / _2ndLAST_PEM_USE are not defined in this file; presumably
# .USE targets that extract a single certificate from the chain
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
ta_ec.pem: ecerts.pem _LAST_PEM_USE

.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
.endif
.endif

.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
.endif
.endif

# we take the mtime of this as our baseline time
# (plain '=' here: unlike the ?= in the .else branch, any earlier setting is
# overridden)
BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

.else
# you need to provide t*.pem or t*.asc files for each trust anchor
# (the glob below picks up every *.pem, not only t*.pem)
.if empty(TRUST_ANCHORS)
# quoting 'ls' sidesteps any alias; a failed glob is silenced here and
# diagnosed by the .error below instead
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
.if empty(TRUST_ANCHORS)
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
# :T takes the basename; ta.h depends on all .pem anchors once at least one
# t*.pem is present
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
# OpenPGP anchors (t*.asc) enable the OPENPGP scheme and go into their own header
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time: the first anchor in ls order
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif