[build] Allow trusted root certificates to be specified at build time

Allow trusted root certificates to be specified at build time using
the syntax

  make TRUST=/path/to/certificate1,/path/to/certificate2,...

The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c.  The certificates can be in any format understood
by openssl.

The certificates may be server certificates or (more usefully) CA
certificates.

If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/Makefile b/src/Makefile
index c30dc5c9728ef43c0596ccdcd65f21064d558c35..0189a469dc2a617d5f8b22983a691d4d4314785f 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -32,6 +32,7 @@ RANLIB                := $(CROSS_COMPILE)ranlib
 OBJCOPY                := $(CROSS_COMPILE)objcopy
 NM             := $(CROSS_COMPILE)nm
 OBJDUMP                := $(CROSS_COMPILE)objdump
+OPENSSL                := openssl
 PARSEROM       := ./util/parserom.pl
 FIXROM         := ./util/fixrom.pl
 SYMCHECK       := ./util/symcheck.pl

diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index 41c59562863da8384a656275bd3df0e46a89e0c8..daac97b9fd330109899dd0057fcce5673ef8e21e 100644 (file)
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC)
 
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
 
+# List of trusted root certificates
+#
+TRUSTED_LIST   := $(BIN)/.trusted.list
+ifeq ($(wildcard $(TRUSTED_LIST)),)
+TRUST_OLD := <invalid>
+else
+TRUST_OLD := $(shell cat $(TRUSTED_LIST))
+endif
+ifneq ($(TRUST_OLD),$(TRUST))
+$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
+endif
+
+$(TRUSTED_LIST) :
+
+VERYCLEANUP    += $(TRUSTED_LIST)
+
+# Trusted root certificate fingerprints
+#
+TRUSTED_CERTS  := $(subst $(COMMA), ,$(TRUST))
+TRUSTED_FPS    := $(foreach CERT,$(TRUSTED_CERTS),\
+                    0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\
+                        $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \
+                                -fingerprint))))$(COMMA))
+
+$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST)
+
+CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
+
 # Generate error usage information
 #
 $(BIN)/%.einfo : $(BIN)/%.o