author | tpearson@raptorengineering.com <tpearson@raptorengineering.com> | 2016-08-18 04:45:47 -0500 |
---|---|---|
committer | Samuel Mendoza-Jonas <sam@mendozajonas.com> | 2016-08-26 13:23:01 +1000 |
commit | 86c9d34380b0074dab1ba89a569a94280d6999c4 (patch) | |
tree | 22cf0cccbd4022d150e231adcb360b3bcf528cda /configure.ac | |
parent | 5496eee36f70631ae45403f90ed7b4dc143f27c0 (diff) | |
Add support for GPG signature enforcement on booted
kernels and related blobs
This can be used to implement a form of organization-controlled secure boot,
whereby kernels may be loaded from a variety of sources but they will only
boot if a valid signature file is found for each component, and only if the
signature is listed in the /etc/pb-lockdown file.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
(Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 00a6113..41560d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -170,6 +170,69 @@ AS_IF(
 ]
 )
 
+AC_ARG_WITH(
+ [signed-boot],
+ [AS_HELP_STRING([--with-signed-boot],
+ [build kernel signature checking support [default=no]]
+ )],
+ [],
+ [with_signed_boot=no]
+)
+
+AM_CONDITIONAL(
+ [WITH_SIGNED_BOOT],
+ [test "x$with_signed_boot" = "xyes"])
+
+AS_IF(
+ [test "x$with_signed_boot" = "xyes"],
+ [PKG_CHECK_MODULES(
+ [GPGME],
+ [gpgme >= 1.0.0],
+ [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
+ AC_CHECK_LIB(
+ [gpgme],
+ [gpgme_op_verify],
+ [],
+ [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
+ )
+ LIBS="$SAVE_LIBS"
+ ],
+ [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
+ AC_CHECK_LIB(
+ [gpgme],
+ [gpgme_op_verify],
+ [],
+ [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
+ )
+ LIBS="$SAVE_LIBS"],
+ [AC_MSG_RESULT([$gpgme_PKG_ERRORS])
+ AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable])
+ ])
+ ]
+ )]
+)
+
+AS_IF(
+ [test "x$with_signed_boot" = "xyes"],
+ [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS"
+ AC_CHECK_HEADERS(
+ [gpgme.h],
+ [],
+ [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])]
+ )
+ CPPFLAGS="$SAVE_CPPFLAGS"
+ ]
+)
+
+AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"])
+
+AC_ARG_VAR(
+ [lockdown_file],
+ [Location of authorized signature file [default = "/etc/pb-lockdown"]]
+)
+AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
+AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+
 AC_ARG_ENABLE(
 [busybox],
 [AS_HELP_STRING( |
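Review bot: The probes read `$gpgme_LIBS`, `$gpgme_CFLAGS` and `$gpgme_PKG_ERRORS`, but `PKG_CHECK_MODULES([GPGME], ...)` sets the upper-case `GPGME_*` names (as, to my knowledge, does `AM_PATH_GPGME`), so these expand to nothing and the `AC_CHECK_LIB` / `AC_CHECK_HEADERS` tests run against the default search paths only. The gpgme that configure validates may then differ from the one pkg-config located and the build presumably links, which matters for the library doing signature verification; use `LIBS="$LIBS $GPGME_LIBS"`, `CPPFLAGS="$CPPFLAGS $GPGME_CFLAGS"` and `AC_MSG_RESULT([$GPGME_PKG_ERRORS])`. `WITH_GPGME` repeats the `WITH_SIGNED_BOOT` test verbatim, so the two could be merged, or a comment could say why both exist. Since `LOCKDOWN_FILE` names the list of accepted signatures, it would also be worth rejecting a `lockdown_file` that is not an absolute path before the `AC_DEFINE_UNQUOTED`.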