瀏覽代碼

[build] Allow trusted root certificates to be specified at build time

Allow trusted root certificates to be specified at build time using
the syntax

  make TRUST=/path/to/certificate1,/path/to/certificate2,...

The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c.  The certificates can be in any format understood
by openssl.

The certificates may be server certificates or (more usefully) CA
certificates.

If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 13 年之前
父節點
當前提交
aee3a064f2
共有 2 個文件被更改,包括 29 次插入0 次删除
  1. 1
    0
      src/Makefile
  2. 28
    0
      src/Makefile.housekeeping

+ 1
- 0
src/Makefile 查看文件

@@ -32,6 +32,7 @@ RANLIB		:= $(CROSS_COMPILE)ranlib
32 32
 OBJCOPY		:= $(CROSS_COMPILE)objcopy
33 33
 NM		:= $(CROSS_COMPILE)nm
34 34
 OBJDUMP		:= $(CROSS_COMPILE)objdump
35
+OPENSSL		:= openssl
35 36
 PARSEROM	:= ./util/parserom.pl
36 37
 FIXROM		:= ./util/fixrom.pl
37 38
 SYMCHECK	:= ./util/symcheck.pl

+ 28
- 0
src/Makefile.housekeeping 查看文件

@@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC)
637 637
 
638 638
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
639 639
 
640
+# List of trusted root certificates
641
+#
642
+TRUSTED_LIST	:= $(BIN)/.trusted.list
643
+ifeq ($(wildcard $(TRUSTED_LIST)),)
644
+TRUST_OLD := <invalid>
645
+else
646
+TRUST_OLD := $(shell cat $(TRUSTED_LIST))
647
+endif
648
+ifneq ($(TRUST_OLD),$(TRUST))
649
+$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
650
+endif
651
+
652
+$(TRUSTED_LIST) :
653
+
654
+VERYCLEANUP	+= $(TRUSTED_LIST)
655
+
656
+# Trusted root certificate fingerprints
657
+#
658
+TRUSTED_CERTS	:= $(subst $(COMMA), ,$(TRUST))
659
+TRUSTED_FPS	:= $(foreach CERT,$(TRUSTED_CERTS),\
660
+		     0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\
661
+			 $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \
662
+				 -fingerprint))))$(COMMA))
663
+
664
+$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST)
665
+
666
+CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
667
+
640 668
 # Generate error usage information
641 669
 #
642 670
 $(BIN)/%.einfo : $(BIN)/%.o

Loading…
取消
儲存