diff options
-rw-r--r-- | configure.ac | 95 | ||||
-rw-r--r-- | m4/ax_check_openssl.m4 | 124 |
2 files changed, 170 insertions, 49 deletions
diff --git a/configure.ac b/configure.ac index 564cb5d..bdd7f70 100644 --- a/configure.ac +++ b/configure.ac @@ -181,59 +181,42 @@ AS_IF( AC_ARG_WITH( [signed-boot], - [AS_HELP_STRING([--with-signed-boot], - [build kernel signature checking support [default=no]] + [AS_HELP_STRING([--with-signed-boot=@<:@no|yes|gpgme|openssl@:>@], + [Build kernel signature checking support with specified + crypto pacakge. A @<:@yes@:>@ value will first check + for gpgme then openssl and use the first found. + @<:@default=no@:>@] + )], + [AS_IF([test "x$with_signed_boot" = xno],[], + [test "x$with_signed_boot" = xyes], + [AM_PATH_GPGME([1.0.0], + [sboot=gpgme], + [AX_CHECK_OPENSSL( + [sboot=openssl], + [AC_MSG_FAILURE([--with-signed-boot=yes specified but gpgme or openssl not found])] + )] + )], + [test "x$with_signed_boot" = xgpgme], + [AM_PATH_GPGME([1.0.0], + [sboot=gpgme], + [AC_MSG_FAILURE([--with-signed-boot=gpgme specified but gpgme not found])] + )], + [test "x$with_signed_boot" = xopenssl], + [AX_CHECK_OPENSSL( + [sboot=openssl], + [AC_MSG_FAILURE([--with-signed-boot=openssl specified but openssl not found])] + )], + [AC_MSG_FAILURE([--with-signed-boot given invalid option: $with_signed_boot])] )], - [], [with_signed_boot=no] ) -AM_CONDITIONAL( - [WITH_SIGNED_BOOT], - [test "x$with_signed_boot" = "xyes"]) - -AS_IF( - [test "x$with_signed_boot" = "xyes"], - [PKG_CHECK_MODULES( - [GPGME], - [gpgme >= 1.0.0], - [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS" - AC_CHECK_LIB( - [gpgme], - [gpgme_op_verify], - [], - [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])] - ) - LIBS="$SAVE_LIBS" - ], - [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS" - AC_CHECK_LIB( - [gpgme], - [gpgme_op_verify], - [], - [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])] - ) - LIBS="$SAVE_LIBS"], - [AC_MSG_RESULT([$gpgme_PKG_ERRORS]) - AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable]) - ]) - ] - )] -) - -AS_IF( - [test "x$with_signed_boot" = "xyes"], - [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS" - AC_CHECK_HEADERS( - [gpgme.h], - [], - [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])] - ) - CPPFLAGS="$SAVE_CPPFLAGS" - ] -) - -AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"]) +AM_CONDITIONAL([WITH_GPGME], [test "x$sboot" = xgpgme]) +AM_CONDITIONAL([WITH_OPENSSL], [test "x$sboot" = xopenssl]) +AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" != xno]) +AM_COND_IF([WITH_SIGNED_BOOT], + [AC_DEFINE([SIGNED_BOOT], 1, [Define if you have signed boot enabled])], + []) AC_ARG_VAR( [lockdown_file], @@ -242,6 +225,20 @@ AC_ARG_VAR( AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"]) AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location]) +AC_ARG_VAR( + [KEYRING_PATH], + [Path to keyring (gpgme home dir) @<:@default="/etc/gpg"@:>@] +) +AS_IF([test "x$KEYRING_PATH" = x], [KEYRING_PATH="/etc/gpg"]) +AC_DEFINE_UNQUOTED(KEYRING_PATH, "$KEYRING_PATH", [gpgme home dir]) + +AC_ARG_VAR( + [VERIFY_DIGEST], + [Signed boot signature verification digest algorithm to use (only valid in openssl) @<:@default="sha256"@:>@] +) +AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"]) +AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst]) + AC_ARG_ENABLE( [busybox], [AS_HELP_STRING( diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4 new file mode 100644 index 0000000..28e48cb --- /dev/null +++ b/m4/ax_check_openssl.m4 @@ -0,0 +1,124 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]]) +# +# DESCRIPTION +# +# Look for OpenSSL in a number of default spots, or in a user-selected +# spot (via --with-openssl). Sets +# +# OPENSSL_INCLUDES to the include directives required +# OPENSSL_LIBS to the -l directives required +# OPENSSL_LDFLAGS to the -L or -R flags required +# +# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately +# +# This macro sets OPENSSL_INCLUDES such that source files should use the +# openssl/ directory in include directives: +# +# #include <openssl/hmac.h> +# +# LICENSE +# +# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/> +# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com> +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 10 + +AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL]) +AC_DEFUN([AX_CHECK_OPENSSL], [ + found=false + AC_ARG_WITH([openssl], + [AS_HELP_STRING([--with-openssl=DIR], + [root of the OpenSSL directory])], + [ + case "$withval" in + "" | y | ye | yes | n | no) + AC_MSG_ERROR([Invalid --with-openssl value]) + ;; + *) ssldirs="$withval" + ;; + esac + ], [ + # if pkg-config is installed and openssl has installed a .pc file, + # then use that information and don't search ssldirs + AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) + if test x"$PKG_CONFIG" != x""; then + OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null` + if test $? = 0; then + OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null` + OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null` + found=true + fi + fi + + # no such luck; use some default ssldirs + if ! $found; then + ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr" + fi + ] + ) + + + # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in + # an 'openssl' subdirectory + + if ! $found; then + OPENSSL_INCLUDES= + for ssldir in $ssldirs; do + AC_MSG_CHECKING([for openssl/ssl.h in $ssldir]) + if test -f "$ssldir/include/openssl/ssl.h"; then + OPENSSL_INCLUDES="-I$ssldir/include" + OPENSSL_LDFLAGS="-L$ssldir/lib" + OPENSSL_LIBS="-lssl -lcrypto" + found=true + AC_MSG_RESULT([yes]) + break + else + AC_MSG_RESULT([no]) + fi + done + + # if the file wasn't found, well, go ahead and try the link anyway -- maybe + # it will just work! + fi + + # try the preprocessor and linker with our new flags, + # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS + + AC_MSG_CHECKING([whether compiling and linking against OpenSSL works]) + echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \ + "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD + + save_LIBS="$LIBS" + save_LDFLAGS="$LDFLAGS" + save_CPPFLAGS="$CPPFLAGS" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + LIBS="$OPENSSL_LIBS $LIBS" + CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS" + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])], + [ + AC_MSG_RESULT([yes]) + $1 + ], [ + AC_MSG_RESULT([no]) + $2 + ]) + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + + AC_SUBST([OPENSSL_INCLUDES]) + AC_SUBST([OPENSSL_LIBS]) + AC_SUBST([OPENSSL_LDFLAGS]) +]) |