xref: /freebsd/lib/libsecureboot/local.trust.mk (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1# $FreeBSD$
2
3# Consider this file an example.
4#
5# For Junos this is how we obtain trust anchor .pems
6# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
7# for each key will provide the appropriate certificate chain on request
8
9# force these for Junos
10#MANIFEST_SKIP_ALWAYS= boot
11VE_HASH_LIST= \
12	SHA1 \
13	SHA256 \
14	SHA384 \
15	SHA512
16
17VE_SIGNATURE_LIST= \
18	ECDSA \
19	RSA
20
21VE_SIGNATURE_EXT_LIST= \
22	esig \
23	rsig
24
25VE_SELF_TESTS= yes
26
27.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
28
29VE_SIGNATURE_LIST+= \
30	DEPRECATED_RSA_SHA1
31
32VE_SIGNATURE_EXT_LIST+= \
33	sig
34.endif
35
36# add OpenPGP support - possibly dormant
37VE_SIGNATURE_LIST+= OPENPGP
38VE_SIGNATURE_EXT_LIST+= asc
39
40SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
41
42.if exists(${SIGNER})
43SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
44ECDSA_PORT:= ${133%y:L:gmtime}
45SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
46RSA2_PORT:= ${163%y:L:gmtime}
47SIGN_RSA2=   ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
48
49# deal with quirk of our .esig format
50XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
51
52.if !empty(OPENPGP_SIGN_URL)
53XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
54
55VE_SIGNATURE_LIST+= OPENPGP
56VE_SIGNATURE_EXT_LIST+= asc
57
58SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
59
60ta_openpgp.asc:
61	${SIGN_OPENPGP} -C ${.TARGET}
62
63ta_asc.h: ta_openpgp.asc
64
65.if ${VE_SELF_TESTS} != "no"
66# for self test
67vc_openpgp.asc: ta_openpgp.asc
68	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
69	mv ta_openpgp.asc.asc ${.TARGET}
70
71ta_asc.h: vc_openpgp.asc
72.endif
73.endif
74
75rcerts.pem:
76	${SIGN_RSA2} -C ${.TARGET}
77
78ecerts.pem:
79	${SIGN_ECDSA} -C ${.TARGET}
80
81.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
82# the last cert in the chain is the one we want
83ta_ec.pem: ecerts.pem _LAST_PEM_USE
84ta.h: ta_ec.pem
85.if ${VE_SELF_TESTS} != "no"
86# these are for verification self test
87vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
88ta.h: vc_ec.pem
89.endif
90.endif
91
92.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
93ta_rsa.pem: rcerts.pem _LAST_PEM_USE
94ta.h: ta_rsa.pem
95.if ${VE_SELF_TESTS} != "no"
96vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
97ta.h: vc_rsa.pem
98.endif
99.endif
100
101# we take the mtime of this as our baseline time
102#BUILD_UTC_FILE= ecerts.pem
103#VE_DEBUG_LEVEL=3
104#VE_VERBOSE_DEFAULT=1
105
106.else
107# you need to provide t*.pem or t*.asc files for each trust anchor
108.if empty(TRUST_ANCHORS)
109TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
110.endif
111.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
112.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
113.endif
114.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
115ta.h: ${TRUST_ANCHORS:M*.pem}
116.endif
117.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
118VE_SIGNATURE_LIST+= OPENPGP
119VE_SIGNATURE_EXT_LIST+= asc
120ta_asc.h: ${TRUST_ANCHORS:M*.asc}
121.endif
122# we take the mtime of this as our baseline time
123BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
124.endif
125
126