summaryrefslogtreecommitdiffstats
path: root/configure.ac
diff options
context:
space:
mode:
authortpearson@raptorengineering.com <tpearson@raptorengineering.com>2016-08-18 04:45:47 -0500
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2016-08-26 13:23:01 +1000
commit86c9d34380b0074dab1ba89a569a94280d6999c4 (patch)
tree22cf0cccbd4022d150e231adcb360b3bcf528cda /configure.ac
parent5496eee36f70631ae45403f90ed7b4dc143f27c0 (diff)
downloadtalos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.tar.gz
talos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.zip
Add support for GPG signature enforcement on booted
kernels and related blobs This can be used to implement a form of organization-controlled secure boot, whereby kernels may be loaded from a variety of sources but they will only boot if a valid signature file is found for each component, and only if the signature is listed in the /etc/pb-lockdown file. Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> (Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac63
1 files changed, 63 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 00a6113..41560d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -170,6 +170,69 @@ AS_IF(
]
)
+AC_ARG_WITH(
+ [signed-boot],
+ [AS_HELP_STRING([--with-signed-boot],
+ [build kernel signature checking support [default=no]]
+ )],
+ [],
+ [with_signed_boot=no]
+)
+
+AM_CONDITIONAL(
+ [WITH_SIGNED_BOOT],
+ [test "x$with_signed_boot" = "xyes"])
+
+AS_IF(
+ [test "x$with_signed_boot" = "xyes"],
+ [PKG_CHECK_MODULES(
+ [GPGME],
+ [gpgme >= 1.0.0],
+ [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
+ AC_CHECK_LIB(
+ [gpgme],
+ [gpgme_op_verify],
+ [],
+ [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
+ )
+ LIBS="$SAVE_LIBS"
+ ],
+ [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
+ AC_CHECK_LIB(
+ [gpgme],
+ [gpgme_op_verify],
+ [],
+ [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
+ )
+ LIBS="$SAVE_LIBS"],
+ [AC_MSG_RESULT([$gpgme_PKG_ERRORS])
+ AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable])
+ ])
+ ]
+ )]
+)
+
+AS_IF(
+ [test "x$with_signed_boot" = "xyes"],
+ [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS"
+ AC_CHECK_HEADERS(
+ [gpgme.h],
+ [],
+ [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])]
+ )
+ CPPFLAGS="$SAVE_CPPFLAGS"
+ ]
+)
+
+AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"])
+
+AC_ARG_VAR(
+ [lockdown_file],
+ [Location of authorized signature file [default = "/etc/pb-lockdown"]]
+)
+AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
+AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
OpenPOWER on IntegriCloud