Add support for GPG signature enforcement on booted

kernels and related blobs

This can be used to implement a form of organization-controlled secure boot,
whereby kernels may be loaded from a variety of sources but they will only
boot if a valid signature file is found for each component, and only if the
signature is listed in the /etc/pb-lockdown file.

Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
(Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)

1 files changed, 9 insertions, 1 deletions

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 09bc1aa..bb7dfe4 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -20,6 +20,13 @@ lib_libpbcore_la_CPPFLAGS = \
 	$(AM_CPPFLAGS) \
 	-DPREFIX='"$(prefix)"'
 
+if WITH_GPGME
+gpg_int_SOURCES = lib/security/gpg..h \
+	lib/security/gpg.c
+else
+gpg_int_SOURCES =
+endif
+
 lib_libpbcore_la_SOURCES = \
 	lib/file/file.h \
 	lib/file/file.c \
@@ -50,7 +57,8 @@ lib_libpbcore_la_SOURCES = \
 	lib/util/util.c \
 	lib/util/util.h \
 	lib/flash/config.h \
-	lib/flash/flash.h
+	lib/flash/flash.h \
+	$(gpg_int_SOURCES)
 
 if ENABLE_MTD
 lib_libpbcore_la_SOURCES += \