Changeset View
Standalone View
lib/libsecureboot/Makefile.inc
| Show First 20 Lines • Show All 98 Lines • ▼ Show 20 Lines | |||||
| # containing certificates that we can verify for each trust anchor. | # containing certificates that we can verify for each trust anchor. | ||||
| # This is typically a subordinate CA cert. | # This is typically a subordinate CA cert. | ||||
| # Finally we generate a hash of vc_PEM using each supported hash method | # Finally we generate a hash of vc_PEM using each supported hash method | ||||
| # to use as a Known Answer Test (needed for FIPS 140-2) | # to use as a Known Answer Test (needed for FIPS 140-2) | ||||
| # | # | ||||
| vets.o vets.po vets.pico: ta.h | vets.o vets.po vets.pico: ta.h | ||||
| ta.h: ${.ALLTARGETS:M[tv]*pem:O:u} | ta.h: ${.ALLTARGETS:M[tv]*pem:O:u} | ||||
| @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ | @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ | ||||
| cat ${.ALLSRC:N*crl*:Mt*.pem} /dev/null | \ | cat ${.ALLSRC:N*crl*:M*/t*.pem} /dev/null | \ | ||||
sjg: Why is this necessary? | |||||
kdAuthorUnsubmitted Done Inline ActionsI changed the cert paths to be absolute. Without it the "BUILD_UTC_FILE" looks for the certificate in the object dir. Also IMO using absolute paths when possible is a good idea in general. kd: I changed the cert paths to be absolute. Without it the "BUILD_UTC_FILE" looks for the… | |||||
sjgUnsubmitted Not Done Inline ActionsI think it would be preferable to specify BUILD_UTC_FILE as an absolute path if need be. sjg: I think it would be preferable to specify BUILD_UTC_FILE as an absolute path if need be.
Leave… | |||||
kdAuthorUnsubmitted Done Inline ActionsI removed these changes altogether. The BUILD_UTC can now be defined by calling "date +%s" when no BUILD_UTC_FILE is present instead. kd: I removed these changes altogether. The BUILD_UTC can now be defined by calling "date +%s" when… | |||||
| file2c -sx 'static const char ta_PEM[] = {' '};'; \ | file2c -sx 'static const char ta_PEM[] = {' '};'; \ | ||||
| echo "${.newline}${VE_HASH_LIST:@H@static char vh_$H[] = \"`cat ${.ALLSRC:N*crl*:Mv*.pem} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} | echo "${.newline}${VE_HASH_LIST:@H@static char vh_$H[] = \"`cat ${.ALLSRC:N*crl*:Mv*.pem} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET} | ||||
| .if ${VE_SELF_TESTS} != "no" | .if ${VE_SELF_TESTS} != "no" | ||||
| ( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \ | ( cat ${.ALLSRC:N*crl*:M*/v*.pem} /dev/null | \ | ||||
| file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET} | file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET} | ||||
| .endif | .endif | ||||
| .if !empty(BUILD_UTC_FILE) | .if !empty(BUILD_UTC_FILE) | ||||
| echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP} | echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP} | ||||
| .endif | .endif | ||||
Not Done Inline ActionsYou do not need to use date, ${%s:L:gmtime} will produce the same output sjg: You do not need to use `date`, `${%s:L:gmtime}` will produce the same output
btw bonus points… | |||||
Done Inline ActionsThanks. kd: Thanks. | |||||
Not Done Inline Actionsquotes should encompass the :gmtime} reference sjg: quotes should encompass the `:gmtime}` reference | |||||
Not Done Inline ActionsHi @sjg, I will commit this change, so to be sure, - is below correct? echo '#define BUILD_UTC ' ${%s:L:"gmtime"} >> ${.TARGET} ${.OODATE:MNOMETA_CMP}mw: Hi @sjg,
I will commit this change, so to be sure, - is below correct?
```
echo '#define… | |||||
Not Done Inline ActionsNo. Sorry for being too lazy to type ;-) sjg: No. Sorry for being too lazy to type ;-)
I was referring to the single quote:
`echo '#define… | |||||
Not Done Inline ActionsWait a moment, how does work with reproducible builds? emaste: Wait a moment, how does work with reproducible builds? | |||||
Not Done Inline ActionsIf you want reproducible you'd need to specify BUILD_UTC_FILE sjg: If you want reproducible you'd need to specify `BUILD_UTC_FILE`
and its `mtime` will be used | |||||
Not Done Inline ActionsWe need to make it reproducible in the default configuration emaste: We need to make it reproducible in the default configuration | |||||
Not Done Inline ActionsAll depends on what you call the default configuration. BUILD_UTC provides a starting point for the loader's notion of time (it lacks access to RTC), it will get updated with mtime of files it reads (if > current value), so BUILD_UTC=0 could work in most cases, but is not ideal since you cannot handle expired certs sjg: All depends on what you call the default configuration.
First off; none of this is enabled by… | |||||
Not Done Inline ActionsOk this part of the change is now mooted by commit from D19464 sjg: Ok this part of the change is now mooted by commit from D19464 | |||||
Done Inline ActionsThanks, the changes discussed above were removed. kd: Thanks, the changes discussed above were removed. | |||||
| # This header records our preference for signature extensions. | # This header records our preference for signature extensions. | ||||
| vesigned.o vesigned.po vesigned.pico: vse.h | vesigned.o vesigned.po vesigned.pico: vse.h | ||||
| vse.h: | vse.h: | ||||
| @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ | @( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \ | ||||
| echo "static const char *signature_exts[] = {"; \ | echo "static const char *signature_exts[] = {"; \ | ||||
| echo '${VE_SIGNATURE_EXT_LIST:@e@"$e",${.newline}@}'; \ | echo '${VE_SIGNATURE_EXT_LIST:@e@"$e",${.newline}@}'; \ | ||||
| echo 'NULL };' ) > ${.TARGET} | echo 'NULL };' ) > ${.TARGET} | ||||
| .for s in ${BRSSL_SRCS} brf.c vets.c veta.c | .for s in ${BRSSL_SRCS} brf.c vets.c veta.c | ||||
| $s: brssl.h | $s: brssl.h | ||||
| XCFLAGS.${s:R}+= ${BRSSL_CFLAGS} | XCFLAGS.${s:R}+= ${BRSSL_CFLAGS} | ||||
| .endfor | .endfor | ||||
Why is this necessary?