blob: f2da3d3ac4520fed084dada48e4e5e0580c45658 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
# allow site control
.-include "site.trust.mk"
#VE_DEBUG_LEVEL?=3
#VE_VERBOSE_DEFAULT?=2
VE_HASH_LIST?= \
SHA256 \
SHA384 \
VE_SELF_TESTS?= yes
# client for the signing server above
SIGNER?= /opt/sigs/sign.py
.if exists(${SIGNER})
OPENPGP_SIGNER?= ${SIGNER:H}/openpgp-sign.py
OPENPGP_SIGN_FLAGS= -a
OPENPGP_SIGN_HOST?= localhost
SIGN_HOST ?= localhost
# A list of name/ext/url tuples.
# name should be one of ECDSA, OPENPGP or RSA, they can be repeated
# Order of ext list implies runtime preference so do not sort!
VE_SIGN_URL_LIST?= \
ECDSA/esig/${SIGN_HOST}:${133%y:L:localtime} \
RSA/rsig/${SIGN_HOST}:${163%y:L:localtime} \
OPENPGP/asc/${OPENPGP_SIGN_HOST}:1234 \
.for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}
SIGN_${sig}:= ${PYTHON} ${${sig}_SIGNER:U${SIGNER}} -u ${url} ${${sig}_SIGN_FLAGS:U-h sha256}
VE_SIGNATURE_LIST+= ${sig}
VE_SIGNATURE_EXT_LIST+= ${ext}
_SIGN_${sig}_USE: .USE
${SIGN_${sig}} ${.ALLSRC}
_TA_${sig}_USE: .USE
${SIGN_${sig}} -C ${.TARGET}
.if ${sig} == "OPENPGP"
ta_${sig:tl}.${ext}: _TA_${sig}_USE
ta_${ext}.h: ta_${sig:tl}.${ext}
.else
${ext:S/sig/certs/}.pem: _TA_${sig}_USE
# the last cert in the chain is the one we want
ta_${ext}.pem: ${ext:S/sig/certs/}.pem _LAST_PEM_USE
ta.h: ta_${ext}.pem
.if ${VE_SELF_TESTS} != "no"
# we use the 2nd last cert to test verification
vc_${ext}.pem: ${ext:S/sig/certs/}.pem _2ndLAST_PEM_USE
ta.h: vc_${ext}.pem
.endif
.endif
.endfor
# cleanup duplicates
VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:O:u}
.if target(ta_asc.h)
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
.if ${VE_SELF_TESTS} != "no"
# for self test
vc_openpgp.asc: ta_openpgp.asc
${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
mv ta_openpgp.asc.asc ${.TARGET}
ta_asc.h: vc_openpgp.asc
.endif
.endif
.else
VE_SIGNATURE_LIST?= RSA
# you need to provide t*.pem or t*.asc files for each trust anchor
# below assumes they are named ta_${ext}.pem eg ta_esig.pem for ECDSA
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null || echo
.endif
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
.endif
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}
.if ${VE_SIGNATURE_EXT_LIST:Mesig} != ""
VE_SIGNATURE_LIST+= ECDSA
.endif
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif
|
