authorBrett Grandbois <brett.grandbois@opengear.com>2018-05-15 10:55:48 +1000
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2018-05-30 14:23:35 +1000
commitb1234ac9dd09c9ceaf929c9d4d738fd556525291 (patch)
treec39931b577bb473f327b7f543711c49147bd557f /configure.ac
parent8cda0a3c85878e30706d90d25c560d6e31cd9f5e (diff)
configure: Add signed-boot openssl configuration support
Change the with-signed-boot option to take the following values:
  no - disable signed boot (as before)
  gpgme - configure for gpgme, fail if not found
  openssl - configure for openssl, fail if not found
  yes - look first for gpgme then openssl, using the first found; fail on none. This should behave as before if gpgme has been installed.
Fail on any other invalid options.
Add in the ax_check_openssl.m4 macro to facilitate openssl probing.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac95
1 files changed, 46 insertions, 49 deletions
diff --git a/configure.ac b/configure.ac
index 564cb5d..bdd7f70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -181,59 +181,42 @@ AS_IF(
AC_ARG_WITH(
[signed-boot],
- [AS_HELP_STRING([--with-signed-boot],
- [build kernel signature checking support [default=no]]
+ [AS_HELP_STRING([--with-signed-boot=@<:@no|yes|gpgme|openssl@:>@],
+ [Build kernel signature checking support with specified
+ crypto pacakge. A @<:@yes@:>@ value will first check
+ for gpgme then openssl and use the first found.
+ @<:@default=no@:>@]
+ )],
+ [AS_IF([test "x$with_signed_boot" = xno],[],
+ [test "x$with_signed_boot" = xyes],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=yes specified but gpgme or openssl not found])]
+ )]
+ )],
+ [test "x$with_signed_boot" = xgpgme],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AC_MSG_FAILURE([--with-signed-boot=gpgme specified but gpgme not found])]
+ )],
+ [test "x$with_signed_boot" = xopenssl],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=openssl specified but openssl not found])]
+ )],
+ [AC_MSG_FAILURE([--with-signed-boot given invalid option: $with_signed_boot])]
)],
- [],
[with_signed_boot=no]
)
-AM_CONDITIONAL(
- [WITH_SIGNED_BOOT],
- [test "x$with_signed_boot" = "xyes"])
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [PKG_CHECK_MODULES(
- [GPGME],
- [gpgme >= 1.0.0],
- [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"
- ],
- [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"],
- [AC_MSG_RESULT([$gpgme_PKG_ERRORS])
- AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable])
- ])
- ]
- )]
-)
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS"
- AC_CHECK_HEADERS(
- [gpgme.h],
- [],
- [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])]
- )
- CPPFLAGS="$SAVE_CPPFLAGS"
- ]
-)
-
-AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"])
+AM_CONDITIONAL([WITH_GPGME], [test "x$sboot" = xgpgme])
+AM_CONDITIONAL([WITH_OPENSSL], [test "x$sboot" = xopenssl])
+AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" != xno])
+AM_COND_IF([WITH_SIGNED_BOOT],
+ [AC_DEFINE([SIGNED_BOOT], 1, [Define if you have signed boot enabled])],
+ [])
AC_ARG_VAR(
[lockdown_file],
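Review bot: With `--with-signed-boot=yes` the backend is whichever probe succeeds first in the nested `AM_PATH_GPGME` / `AX_CHECK_OPENSSL` calls, and nothing in the hunk reports the choice, so the same configure line can produce a gpgme-verifying or an openssl-verifying image depending on what the build host has installed. The two backends presumably accept different key and signature material, so I would print the result after the `AC_ARG_WITH` block, e.g. `AS_IF([test "x$sboot" != x], [AC_MSG_NOTICE([signed boot backend: $sboot])])`, and have release builds name the backend explicitly instead of using `yes`. `WITH_SIGNED_BOOT` is derived from `$with_signed_boot` while `WITH_GPGME` and `WITH_OPENSSL` are derived from `$sboot`; testing `"x$sboot" != x` there would guarantee `SIGNED_BOOT` is never defined without a verifier selected. The help string also has a typo, `pacakge`. The `AC_ARG_VAR([lockdown_file]` call at the end of the hunk continues outside it.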
@@ -242,6 +225,20 @@ AC_ARG_VAR(
AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+AC_ARG_VAR(
+ [KEYRING_PATH],
+ [Path to keyring (gpgme home dir) @<:@default="/etc/gpg"@:>@]
+)
+AS_IF([test "x$KEYRING_PATH" = x], [KEYRING_PATH="/etc/gpg"])
+AC_DEFINE_UNQUOTED(KEYRING_PATH, "$KEYRING_PATH", [gpgme home dir])
+
+AC_ARG_VAR(
+ [VERIFY_DIGEST],
+ [Signed boot signature verification digest algorithm to use (only valid in openssl) @<:@default="sha256"@:>@]
+)
+AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
+AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
+
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
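Review bot: `VERIFY_DIGEST` is copied into config.h by `AC_DEFINE_UNQUOTED` with no validation, so a misspelled or weak digest name such as `md5` or `sha1` configures cleanly and would only surface, if at all, when the openssl backend resolves the name at run time. Since this value sets the strength of the signature check, I would reject anything outside an allowlist right after the default is applied: `AS_CASE([$VERIFY_DIGEST], [sha256|sha384|sha512], [], [AC_MSG_FAILURE([unsupported VERIFY_DIGEST: $VERIFY_DIGEST])])`, with the list adjusted to what the verifier actually supports. `KEYRING_PATH` likewise accepts a relative path; a check that it begins with `/` would keep the keyring location from depending on the working directory. Both variables would also benefit from a comment stating that they are baked in at build time and only consulted by the gpgme and openssl backends respectively. The `AC_ARG_ENABLE([busybox]` call at the end of the hunk continues outside it.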