[PATCH 1/5] configure: Add signed-boot openssl configuration support
Brett Grandbois
brett.grandbois at opengear.com
Fri May 4 11:40:56 AEST 2018
Change the with-signed-boot option to take the following values:
no - disable signed boot (as before)
gpgme - configure for gpgme, fail if not found
openssl - configure for openssl, fail if not found
yes - look first for gpgme then openssl using first found, fail on none
this should behave as before if gpgme has been installed
fail on any other invalid options
add in the ax_check_openssl.m4 macro to facilitate openssl probing
Signed-off-by: Brett Grandbois <brett.grandbois at opengear.com>
---
configure.ac | 95 ++++++++++++++++++-------------------
m4/ax_check_openssl.m4 | 124 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 170 insertions(+), 49 deletions(-)
create mode 100644 m4/ax_check_openssl.m4
diff --git a/configure.ac b/configure.ac
index 566742c..6cae48f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -178,59 +178,42 @@ AS_IF(
AC_ARG_WITH(
[signed-boot],
- [AS_HELP_STRING([--with-signed-boot],
- [build kernel signature checking support [default=no]]
+ [AS_HELP_STRING([--with-signed-boot=@<:@no|yes|gpgme|openssl@:>@],
+ [Build kernel signature checking support with specified
+ crypto pacakge. A @<:@yes@:>@ value will first check
+ for gpgme then openssl and use the first found.
+ @<:@default=no@:>@]
+ )],
+ [AS_IF([test "x$with_signed_boot" = xno],[],
+ [test "x$with_signed_boot" = xyes],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=yes specified but gpgme or openssl not found])]
+ )]
+ )],
+ [test "x$with_signed_boot" = xgpgme],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AC_MSG_FAILURE([--with-signed-boot=gpgme specified but gpgme not found])]
+ )],
+ [test "x$with_signed_boot" = xopenssl],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=openssl specified but openssl not found])]
+ )],
+ [AC_MSG_FAILURE([--with-signed-boot given invalid option: $with_signed_boot])]
)],
- [],
[with_signed_boot=no]
)
-AM_CONDITIONAL(
- [WITH_SIGNED_BOOT],
- [test "x$with_signed_boot" = "xyes"])
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [PKG_CHECK_MODULES(
- [GPGME],
- [gpgme >= 1.0.0],
- [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"
- ],
- [AM_PATH_GPGME([1.0.0], [SAVE_LIBS="$LIBS" LIBS="$LIBS $gpgme_LIBS"
- AC_CHECK_LIB(
- [gpgme],
- [gpgme_op_verify],
- [],
- [AC_MSG_FAILURE([--with-signed-boot was given but the test for gpgme failed.])]
- )
- LIBS="$SAVE_LIBS"],
- [AC_MSG_RESULT([$gpgme_PKG_ERRORS])
- AC_MSG_FAILURE([ Consider adjusting PKG_CONFIG_PATH environment variable])
- ])
- ]
- )]
-)
-
-AS_IF(
- [test "x$with_signed_boot" = "xyes"],
- [SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $gpgme_CFLAGS"
- AC_CHECK_HEADERS(
- [gpgme.h],
- [],
- [AC_MSG_FAILURE([ --with-signed-boot given but gpgme.h not found])]
- )
- CPPFLAGS="$SAVE_CPPFLAGS"
- ]
-)
-
-AM_CONDITIONAL([WITH_GPGME], [test "x$with_signed_boot" = "xyes"])
+AM_CONDITIONAL([WITH_GPGME], [test "x$sboot" = xgpgme])
+AM_CONDITIONAL([WITH_OPENSSL], [test "x$sboot" = xopenssl])
+AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" != xno])
+AM_COND_IF([WITH_SIGNED_BOOT],
+ [AC_DEFINE([SIGNED_BOOT], 1, [Define if you have signed boot enabled])],
+ [])
AC_ARG_VAR(
[lockdown_file],
@@ -239,6 +222,20 @@ AC_ARG_VAR(
AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+AC_ARG_VAR(
+ [KEYRING_PATH],
+ [Path to keyring (gpgme home dir) @<:@default="/etc/gpg"@:>@]
+)
+AS_IF([test "x$KEYRING_PATH" = x], [KEYRING_PATH="/etc/gpg"])
+AC_DEFINE_UNQUOTED(KEYRING_PATH, "$KEYRING_PATH", [gpgme home dir])
+
+AC_ARG_VAR(
+ [VERIFY_DIGEST],
+ [Signed boot signature verification digest algorithm to use (only valid in openssl) @<:@default="sha256"@:>@]
+)
+AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
+AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
+
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
new file mode 100644
index 0000000..28e48cb
--- /dev/null
+++ b/m4/ax_check_openssl.m4
@@ -0,0 +1,124 @@
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+# Look for OpenSSL in a number of default spots, or in a user-selected
+# spot (via --with-openssl). Sets
+#
+# OPENSSL_INCLUDES to the include directives required
+# OPENSSL_LIBS to the -l directives required
+# OPENSSL_LDFLAGS to the -L or -R flags required
+#
+# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+# This macro sets OPENSSL_INCLUDES such that source files should use the
+# openssl/ directory in include directives:
+#
+# #include <openssl/hmac.h>
+#
+# LICENSE
+#
+# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
+# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin at zmanda.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 10
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
+AC_DEFUN([AX_CHECK_OPENSSL], [
+ found=false
+ AC_ARG_WITH([openssl],
+ [AS_HELP_STRING([--with-openssl=DIR],
+ [root of the OpenSSL directory])],
+ [
+ case "$withval" in
+ "" | y | ye | yes | n | no)
+ AC_MSG_ERROR([Invalid --with-openssl value])
+ ;;
+ *) ssldirs="$withval"
+ ;;
+ esac
+ ], [
+ # if pkg-config is installed and openssl has installed a .pc file,
+ # then use that information and don't search ssldirs
+ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+ if test x"$PKG_CONFIG" != x""; then
+ OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
+ if test $? = 0; then
+ OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
+ OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
+ found=true
+ fi
+ fi
+
+ # no such luck; use some default ssldirs
+ if ! $found; then
+ ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
+ fi
+ ]
+ )
+
+
+ # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+ # an 'openssl' subdirectory
+
+ if ! $found; then
+ OPENSSL_INCLUDES=
+ for ssldir in $ssldirs; do
+ AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
+ if test -f "$ssldir/include/openssl/ssl.h"; then
+ OPENSSL_INCLUDES="-I$ssldir/include"
+ OPENSSL_LDFLAGS="-L$ssldir/lib"
+ OPENSSL_LIBS="-lssl -lcrypto"
+ found=true
+ AC_MSG_RESULT([yes])
+ break
+ else
+ AC_MSG_RESULT([no])
+ fi
+ done
+
+ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+ # it will just work!
+ fi
+
+ # try the preprocessor and linker with our new flags,
+ # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+ AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
+ echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
+ "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
+
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
+ [
+ AC_MSG_RESULT([yes])
+ $1
+ ], [
+ AC_MSG_RESULT([no])
+ $2
+ ])
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+
+ AC_SUBST([OPENSSL_INCLUDES])
+ AC_SUBST([OPENSSL_LIBS])
+ AC_SUBST([OPENSSL_LDFLAGS])
+])
--
2.7.4
More information about the Petitboot
mailing list