lib/libsecureboot/local.trust.mk
# $FreeBSD$ | # $FreeBSD$ | ||||
# Consider this file an example. | # Consider this file an example. | ||||
# | # | ||||
# For Junos this is how we obtain trust anchor .pems | # For Junos this is how we obtain trust anchor .pems | ||||
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm) | # the signing server (http://www.crufty.net/sjg/blog/signing-server.htm) | ||||
# for each key will provide the appropriate certificate chain on request | # for each key will provide the appropriate certificate chain on request | ||||
# force these for Junos | # force these for Junos | ||||
MANIFEST_SKIP_ALWAYS= boot | #MANIFEST_SKIP_ALWAYS= boot | ||||
VE_HASH_LIST= \ | VE_HASH_LIST= \ | ||||
SHA1 \ | SHA1 \ | ||||
SHA256 \ | SHA256 \ | ||||
SHA384 | SHA384 \ | ||||
SHA512 | |||||
VE_SIGNATURE_LIST= \ | VE_SIGNATURE_LIST= \ | ||||
ECDSA | ECDSA \ | ||||
RSA | |||||
VE_SIGNATURE_EXT_LIST= \ | VE_SIGNATURE_EXT_LIST= \ | ||||
esig | esig \ | ||||
rsig | |||||
VE_SELF_TESTS= yes | VE_SELF_TESTS= yes | ||||
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests" | .if ${MACHINE} == "host" && ${.CURDIR:T} == "tests" | ||||
# for testing | |||||
VE_HASH_LIST+= \ | |||||
SHA512 | |||||
VE_SIGNATURE_LIST+= \ | VE_SIGNATURE_LIST+= \ | ||||
RSA \ | |||||
DEPRECATED_RSA_SHA1 | DEPRECATED_RSA_SHA1 | ||||
VE_SIGNATURE_EXT_LIST+= \ | VE_SIGNATURE_EXT_LIST+= \ | ||||
sig | sig | ||||
.endif | .endif | ||||
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py | SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py | ||||
.if ${VE_SIGNATURE_LIST:tu:MRSA} != "" | .if ${VE_SIGNATURE_LIST:tu:MRSA} != "" | ||||
ta_rsa.pem: rcerts.pem _LAST_PEM_USE | ta_rsa.pem: rcerts.pem _LAST_PEM_USE | ||||
.if ${VE_SELF_TESTS} != "no" | .if ${VE_SELF_TESTS} != "no" | ||||
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE | vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE | ||||
.endif | .endif | ||||
.endif | .endif | ||||
# we take the mtime of this as our baseline time | # we take the mtime of this as our baseline time | ||||
BUILD_UTC_FILE= ecerts.pem | #BUILD_UTC_FILE= ecerts.pem | ||||
#VE_DEBUG_LEVEL=3 | #VE_DEBUG_LEVEL=3 | ||||
#VE_VERBOSE_DEFAULT=1 | #VE_VERBOSE_DEFAULT=1 | ||||
.else | .else | ||||
# you need to provide t*.pem or t*.asc files for each trust anchor | # you need to provide t*.pem or t*.asc files for each trust anchor | ||||
.if empty(TRUST_ANCHORS) | .if empty(TRUST_ANCHORS) | ||||
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null | TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null | ||||
.endif | .endif | ||||
.if empty(TRUST_ANCHORS) | .if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes" | ||||
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst | .error Need TRUST_ANCHORS see ${.CURDIR}/README.rst | ||||
.endif | .endif | ||||
.if ${TRUST_ANCHORS:T:Mt*.pem} != "" | .if ${TRUST_ANCHORS:T:Mt*.pem} != "" | ||||
ta.h: ${TRUST_ANCHORS:M*.pem} | ta.h: ${TRUST_ANCHORS:M*.pem} | ||||
.endif | .endif | ||||
.if ${TRUST_ANCHORS:T:Mt*.asc} != "" | .if ${TRUST_ANCHORS:T:Mt*.asc} != "" | ||||
VE_SIGNATURE_LIST+= OPENPGP | VE_SIGNATURE_LIST+= OPENPGP | ||||
VE_SIGNATURE_EXT_LIST+= asc | VE_SIGNATURE_EXT_LIST+= asc | ||||
ta_asc.h: ${TRUST_ANCHORS:M*.asc} | ta_asc.h: ${TRUST_ANCHORS:M*.asc} | ||||
.endif | .endif | ||||
# we take the mtime of this as our baseline time | # we take the mtime of this as our baseline time | ||||
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]} | BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]} | ||||
.endif | .endif | ||||
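Review bot: The relaxed guard `.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"` lets a build with no trust anchors proceed silently once secure boot is enabled, and `BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}` a few lines below then expands to an empty value; nothing visible here shows what consumes that variable, so the effect should be confirmed. A comment above the conditional stating why an empty anchor list is acceptable in that configuration, e.g. `# MK_LOADER_EFI_SECUREBOOT=yes: an empty TRUST_ANCHORS is tolerated here -- confirm BUILD_UTC_FILE is still set`, and an `.elif empty(TRUST_ANCHORS)` branch issuing a `.warning` instead of staying silent would keep the exemption auditable. `MK_LOADER_EFI_SECUREBOOT` is also referenced without the `:U` default this file already uses for `SB_TOOLS_PATH`; `${MK_LOADER_EFI_SECUREBOOT:Uno}` avoids a malformed-conditional failure if the file is parsed outside a tree that defines it. The `.else` branch this change lands in belongs to a conditional whose `.if` is in the collapsed lines above, so the Junos/non-Junos split is not visible in this view.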