From a92958df34df88e384374699c817f4a015c5b40d Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty"
Date: Tue, 26 Feb 2019 06:11:01 +0000
Subject: [PATCH] Enable build of libbearssl
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16337
---
 lib/Makefile | 2 ++
 share/mk/src.libnames.mk | 15 +++++++++++++++
 share/mk/src.opts.mk | 3 +++
 tools/build/options/WITH_BEARSSL | 11 +++++++++++
 tools/build/options/WITH_LOADER_VERIEXEC | 7 +++++++
 tools/build/options/WITH_VERIEXEC | 9 +++++++++
 6 files changed, 47 insertions(+)
 create mode 100644 tools/build/options/WITH_BEARSSL
 create mode 100644 tools/build/options/WITH_LOADER_VERIEXEC
 create mode 100644 tools/build/options/WITH_VERIEXEC
diff --git a/lib/Makefile b/lib/Makefile
index 9e3548774c9f..a7f52d0b7c36 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -133,6 +133,7 @@ SUBDIR_DEPEND_libpcap= ofed
 # NB: keep these sorted by MK_* knobs
 SUBDIR.${MK_ATM}+= libngatm
+SUBDIR.${MK_BEARSSL}+= libbearssl libsecureboot
 SUBDIR.${MK_BLACKLIST}+=libblacklist
 SUBDIR.${MK_BLUETOOTH}+=libbluetooth libsdp
 SUBDIR.${MK_BSNMP}+= libbsnmp
@@ -204,6 +205,7 @@ SUBDIR.${MK_TESTS}+= tests
 SUBDIR.${MK_UNBOUND}+= libunbound
 SUBDIR.${MK_USB}+= libusbhid libusb
 SUBDIR.${MK_OFED}+= ofed
+SUBDIR.${MK_VERIEXEC}+= libveriexec
 SUBDIR.${MK_ZFS}+= libbe
 .if !make(install)
diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
index 99ae9f7114e2..13159718d962 100644
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@@ -210,6 +210,21 @@ _LIBRARIES+= \
 osmvendor
 .endif
+.if ${MK_BEARSSL} == "yes"
+_INTERNALLIBS+= \
+ bearssl \
+ secureboot \
+
+LIBBEARSSL?= ${LIBBEARSSLDIR}/libbearssl${PIE_SUFFIX}.a
+LIBSECUREBOOT?= ${LIBSECUREBOOTDIR}/libsecureboot${PIE_SUFFIX}.a
+.endif
+
+.if ${MK_VERIEXEC} == "yes"
+_INTERNALLIBS+= veriexec
+
+LIBVERIEXEC?= ${LIBVERIEXECDIR}/libveriexec${PIE_SUFFIX}.a
+.endif
+
 # Each library's LIBADD needs to be duplicated here for static linkage of
 # 2nd+ order consumers. Auto-generating this would be better.
 _DP_80211= sbuf bsdxml
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
index 96d28b6cc521..3c3f34b6fb43 100644
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -194,6 +194,7 @@ __DEFAULT_YES_OPTIONS = \
 ZONEINFO
 __DEFAULT_NO_OPTIONS = \
+ BEARSSL \
 BSD_GREP \
 CLANG_EXTRAS \
 DTRACE_TESTS \
@@ -219,6 +220,8 @@ __DEFAULT_NO_OPTIONS = \
 __DEFAULT_DEPENDENT_OPTIONS= \
 CLANG_FULL/CLANG \
 LLVM_TARGET_ALL/CLANG \
+ LOADER_VERIEXEC/BEARSSL \
+ VERIEXEC/BEARSSL \
 # MK_*_SUPPORT options which default to "yes" unless their corresponding
 # MK_* variable is set to "no".
diff --git a/tools/build/options/WITH_BEARSSL b/tools/build/options/WITH_BEARSSL
new file mode 100644
index 000000000000..e89ab8570c17
--- /dev/null
+++ b/tools/build/options/WITH_BEARSSL
@@ -0,0 +1,11 @@
+.\" $FreeBSD$
+Build the BearSSL library.
+.Pp
+BearSSL is a tiny SSL library suitable for embedded environments.
+For details see
+.Lk http://www.BearSSL.org/
+.Pp
+This library is currently only used to perform
+signature verification and related operations
+for Verified Exec and
+.Xr loader 8 .
diff --git a/tools/build/options/WITH_LOADER_VERIEXEC b/tools/build/options/WITH_LOADER_VERIEXEC
new file mode 100644
index 000000000000..72dbbb12fd46
--- /dev/null
+++ b/tools/build/options/WITH_LOADER_VERIEXEC
@@ -0,0 +1,7 @@
+.\" $FreeBSD$
+Enable building
+.Xr loader 8
+with support for verifcation similar to Verified Exec.
+.Pp
+It depends on
+.Va WITH_BEARSSL
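Review bot: In the `MK_BEARSSL` block added to share/mk/src.libnames.mk the list ends with `secureboot \`, so the continuation runs into the empty line that follows, and only that blank line keeps `LIBBEARSSL?=` out of `_INTERNALLIBS`. The `_LIBRARIES` block visible in the context just above ends its last entry (`osmvendor`) without a backslash, and ending the new entry as plain `secureboot` would match it and survive later edits. Separately, the comment directly below the added lines says each library's LIBADD has to be duplicated in a `_DP_*` entry for static consumers, and the hunk adds none for the three new internal libraries. If libsecureboot links against libbearssl (not visible here), an entry such as `_DP_secureboot= bearssl` would be needed. The `_DP_` list continues outside the hunk.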
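Review bot: Listing `LOADER_VERIEXEC/BEARSSL` and `VERIEXEC/BEARSSL` under `__DEFAULT_DEPENDENT_OPTIONS` (second hunk of share/mk/src.opts.mk) only makes the two knobs default to the value of `MK_BEARSSL`; as far as I know it does not reject a build that sets `WITH_VERIEXEC` or `WITH_LOADER_VERIEXEC` while BEARSSL stays at its new default of no. In that configuration lib/Makefile still adds libveriexec and src.libnames.mk registers `veriexec` without `bearssl` or `secureboot`, so the result is presumably either a link failure or a loader/veriexec built without the signature-verification code, and the option pages only say "It depends on WITH_BEARSSL". For a verification feature it is safer to fail loudly once the options are evaluated: `.if ${MK_BEARSSL} == "no" && (${MK_VERIEXEC} == "yes" || ${MK_LOADER_VERIEXEC} == "yes")`, `.error WITH_VERIEXEC and WITH_LOADER_VERIEXEC require WITH_BEARSSL`, `.endif`. The part of the file where dependent knobs would be checked is outside the hunk.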
diff --git a/tools/build/options/WITH_VERIEXEC b/tools/build/options/WITH_VERIEXEC
new file mode 100644
index 000000000000..e46fab7addf2
--- /dev/null
+++ b/tools/build/options/WITH_VERIEXEC
@@ -0,0 +1,9 @@
+.\" $FreeBSD$
+Enable building
+.Xr veriexec 8
+which loads the contents of verified manifests into the kernel
+for use by
+.Xr mac_veriexec 4
+.Pp
+It depends on
+.Va WITH_BEARSSL