-rw-r--r--configure.ac95
-rw-r--r--m4/ax_check_openssl.m4124
2 files changed, 170 insertions, 49 deletions
diff --git a/configure.ac b/configure.ac
index 564cb5d..bdd7f70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -181,59 +181,42 @@ AS_IF(
AC_ARG_WITH(
[signed-boot],
- [AS_HELP_STRING([--with-signed-boot],
- [build kernel signature checking support [default=no]]
+ [AS_HELP_STRING([--with-signed-boot=@<:@no|yes|gpgme|openssl@:>@],
+ [Build kernel signature checking support with specified
+ crypto pacakge. A @<:@yes@:>@ value will first check
+ for gpgme then openssl and use the first found.
+ @<:@default=no@:>@]
+ )],
+ [AS_IF([test "x$with_signed_boot" = xno],[],
+ [test "x$with_signed_boot" = xyes],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=yes specified but gpgme or openssl not found])]
+ )]
+ )],
+ [test "x$with_signed_boot" = xgpgme],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AC_MSG_FAILURE([--with-signed-boot=gpgme specified but gpgme not found])]
+ )],
+ [test "x$with_signed_boot" = xopenssl],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=openssl specified but openssl not found])]
+ )],
+ [AC_MSG_FAILURE([--with-signed-boot given invalid option: $with_signed_boot])]
)],
- [],
[with_signed_boot=no]
)
-AM_CONDITIONAL(
- [WITH_SIGNED_BOOT],
- [test "x$with_signed_boot" = "xyes"])
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [PKG_CHECK_MODULES(
- [GPGME],
- [gpgme >= 1.0.0],
- [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"
- ],
- [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"],
- [AC_MSG_RESULT([$gpgme_PKG_ERRORS])
- AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable])
- ])
- ]
- )]
-)
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS"
- AC_CHECK_HEADERS(
- [gpgme.h],
- [],
- [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])]
- )
- CPPFLAGS="$SAVE_CPPFLAGS"
- ]
-)
-
-AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"])
+AM_CONDITIONAL([WITH_GPGME], [test "x$sboot" = xgpgme])
+AM_CONDITIONAL([WITH_OPENSSL], [test "x$sboot" = xopenssl])
+AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" != xno])
+AM_COND_IF([WITH_SIGNED_BOOT],
+ [AC_DEFINE([SIGNED_BOOT], 1, [Define if you have signed boot enabled])],
+ [])
AC_ARG_VAR(
[lockdown_file],
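Review bot: With `--with-signed-boot=yes` the library that ends up verifying kernel signatures is decided by whatever is installed on the build host, and nothing after the `AC_ARG_WITH` block reports which backend was chosen. Because the two backends are configured differently (a gpgme home directory versus an openssl digest setting), a builder should see the result in the configure output, for example `AS_IF([test "x$with_signed_boot" != xno], [AC_MSG_NOTICE([signed-boot backend: $sboot])])` placed before the `AM_CONDITIONAL` lines. The removed code also link-tested `gpgme_op_verify` and checked for `gpgme.h`; the new gpgme branches rely on `AM_PATH_GPGME` alone, which presumably does not perform those checks, so a broken gpgme install may now surface only at compile time. The help string also misspells "package" as `pacakge`.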
@@ -242,6 +225,20 @@ AC_ARG_VAR(
AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+AC_ARG_VAR(
+ [KEYRING_PATH],
+ [Path to keyring (gpgme home dir) @<:@default="/etc/gpg"@:>@]
+)
+AS_IF([test "x$KEYRING_PATH" = x], [KEYRING_PATH="/etc/gpg"])
+AC_DEFINE_UNQUOTED(KEYRING_PATH, "$KEYRING_PATH", [gpgme home dir])
+
+AC_ARG_VAR(
+ [VERIFY_DIGEST],
+ [Signed boot signature verification digest algorithm to use (only valid in openssl) @<:@default="sha256"@:>@]
+)
+AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
+AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
+
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
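Review bot: `VERIFY_DIGEST` is taken as free-form text and baked into the binary by `AC_DEFINE_UNQUOTED` without any validation, so a typo or a weak algorithm name is accepted at configure time and only shows up when signature verification runs. Rejecting anything outside an allowlist right after the default is applied would close that gap, e.g. `AS_CASE([$VERIFY_DIGEST], [sha256|sha384|sha512], [], [AC_MSG_ERROR([unsupported VERIFY_DIGEST: $VERIFY_DIGEST])])`; the exact list is illustrative, since the digests the openssl backend accepts are not visible in this diff. The `KEYRING_PATH` description mentions only the gpgme home dir, so a one-line comment saying whether the openssl backend also reads keys from that path would help whoever provisions the keys.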
diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
new file mode 100644
index 0000000..28e48cb
--- /dev/null
+++ b/m4/ax_check_openssl.m4
@@ -0,0 +1,124 @@
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+# Look for OpenSSL in a number of default spots, or in a user-selected
+# spot (via --with-openssl). Sets
+#
+# OPENSSL_INCLUDES to the include directives required
+# OPENSSL_LIBS to the -l directives required
+# OPENSSL_LDFLAGS to the -L or -R flags required
+#
+# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+# This macro sets OPENSSL_INCLUDES such that source files should use the
+# openssl/ directory in include directives:
+#
+# #include <openssl/hmac.h>
+#
+# LICENSE
+#
+# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
+# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 10
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
+AC_DEFUN([AX_CHECK_OPENSSL], [
+ found=false
+ AC_ARG_WITH([openssl],
+ [AS_HELP_STRING([--with-openssl=DIR],
+ [root of the OpenSSL directory])],
+ [
+ case "$withval" in
+ "" | y | ye | yes | n | no)
+ AC_MSG_ERROR([Invalid --with-openssl value])
+ ;;
+ *) ssldirs="$withval"
+ ;;
+ esac
+ ], [
+ # if pkg-config is installed and openssl has installed a .pc file,
+ # then use that information and don't search ssldirs
+ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+ if test x"$PKG_CONFIG" != x""; then
+ OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
+ if test $? = 0; then
+ OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
+ OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
+ found=true
+ fi
+ fi
+
+ # no such luck; use some default ssldirs
+ if ! $found; then
+ ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
+ fi
+ ]
+ )
+
+
+ # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+ # an 'openssl' subdirectory
+
+ if ! $found; then
+ OPENSSL_INCLUDES=
+ for ssldir in $ssldirs; do
+ AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
+ if test -f "$ssldir/include/openssl/ssl.h"; then
+ OPENSSL_INCLUDES="-I$ssldir/include"
+ OPENSSL_LDFLAGS="-L$ssldir/lib"
+ OPENSSL_LIBS="-lssl -lcrypto"
+ found=true
+ AC_MSG_RESULT([yes])
+ break
+ else
+ AC_MSG_RESULT([no])
+ fi
+ done
+
+ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+ # it will just work!
+ fi
+
+ # try the preprocessor and linker with our new flags,
+ # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+ AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
+ echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
+ "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
+
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
+ [
+ AC_MSG_RESULT([yes])
+ $1
+ ], [
+ AC_MSG_RESULT([no])
+ $2
+ ])
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+
+ AC_SUBST([OPENSSL_INCLUDES])
+ AC_SUBST([OPENSSL_LIBS])
+ AC_SUBST([OPENSSL_LDFLAGS])
+])