xref: /freebsd/lib/libsecureboot/local.trust.mk (revision a90b9d0159070121c221b966469c3e36d912bf82)
1
2# Consider this file an example.
3#
4# For Junos this is how we obtain trust anchor .pems
5# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
6# for each key will provide the appropriate certificate chain on request
7
8# allow site control
9.-include "site.trust.mk"
10
11#VE_DEBUG_LEVEL?=3
12#VE_VERBOSE_DEFAULT?=2
13
14VE_HASH_LIST?= \
15	SHA256 \
16	SHA384 \
17
18VE_SELF_TESTS?= yes
19
20# client for the signing server above
21SIGNER?= /opt/sigs/sign.py
22
23.if exists(${SIGNER})
24OPENPGP_SIGNER?= ${SIGNER:H}/openpgp-sign.py
25OPENPGP_SIGN_FLAGS= -a
26OPENPGP_SIGN_HOST?= localhost
27SIGN_HOST ?= localhost
28
29# A list of name/ext/url tuples.
30# name should be one of ECDSA, OPENPGP or RSA, they can be repeated
31# Order of ext list implies runtime preference so do not sort!
32VE_SIGN_URL_LIST?= \
33	ECDSA/esig/${SIGN_HOST}:${133%y:L:localtime} \
34	RSA/rsig/${SIGN_HOST}:${163%y:L:localtime} \
35	OPENPGP/asc/${OPENPGP_SIGN_HOST}:1234 \
36
37.for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}
38SIGN_${sig}:= ${PYTHON} ${${sig}_SIGNER:U${SIGNER}} -u ${url} ${${sig}_SIGN_FLAGS:U-h sha256}
39
40VE_SIGNATURE_LIST+= ${sig}
41VE_SIGNATURE_EXT_LIST+= ${ext}
42
43_SIGN_${sig}_USE:	.USE
44	${SIGN_${sig}} ${.ALLSRC}
45
46_TA_${sig}_USE:       .USE
47	${SIGN_${sig}} -C ${.TARGET}
48
49.if ${sig} == "OPENPGP"
50ta_${sig:tl}.${ext}: _TA_${sig}_USE
51ta_${ext}.h: ta_${sig:tl}.${ext}
52.else
53${ext:S/sig/certs/}.pem: _TA_${sig}_USE
54# the last cert in the chain is the one we want
55ta_${ext}.pem: ${ext:S/sig/certs/}.pem _LAST_PEM_USE
56ta.h: ta_${ext}.pem
57.if ${VE_SELF_TESTS} != "no"
58# we use the 2nd last cert to test verification
59vc_${ext}.pem: ${ext:S/sig/certs/}.pem _2ndLAST_PEM_USE
60ta.h: vc_${ext}.pem
61.endif
62.endif
63.endfor
64
65# cleanup duplicates
66VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:O:u}
67
68.if target(ta_asc.h)
69XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
70
71.if ${VE_SELF_TESTS} != "no"
72# for self test
73vc_openpgp.asc: ta_openpgp.asc
74	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
75	mv ta_openpgp.asc.asc ${.TARGET}
76
77ta_asc.h: vc_openpgp.asc
78.endif
79.endif
80
81.else
82VE_SIGNATURE_LIST?= RSA
83
84# you need to provide t*.pem or t*.asc files for each trust anchor
85# below assumes they are named ta_${ext}.pem eg ta_esig.pem for ECDSA
86.if empty(TRUST_ANCHORS)
87TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
88.endif
89.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
90.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
91.endif
92
93.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
94ta.h: ${TRUST_ANCHORS:M*.pem}
95VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}
96.if ${VE_SIGNATURE_EXT_LIST:Mesig} != ""
97VE_SIGNATURE_LIST+= ECDSA
98.endif
99.endif
100
101.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
102VE_SIGNATURE_LIST+= OPENPGP
103VE_SIGNATURE_EXT_LIST+= asc
104ta_asc.h: ${TRUST_ANCHORS:M*.asc}
105.endif
106# we take the mtime of this as our baseline time
107BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
108.endif
109