1 files changed, 40 insertions, 0 deletions

diff --git a/lib/libsecureboot/Makefile.libsa.inc b/lib/libsecureboot/Makefile.libsa.inc
new file mode 100644
index 0000000000000..2456484a89c7f
--- /dev/null
+++ b/lib/libsecureboot/Makefile.libsa.inc
@@ -0,0 +1,40 @@
+# $FreeBSD$
+
+BRSSL_CFLAGS+= -DNO_STDIO
+
+.include "Makefile.inc"
+
+# for "measured boot"
+# loader puts the equivalent of TPM's PCR register into kenv
+# this is not as good but *way* simpler than talking to TPM
+CFLAGS+= -DVE_PCR_SUPPORT
+
+# sources that only apply to libsa
+SRCS+= \
+	vectx.c \
+	veopen.c \
+	vepcr.c \
+	verify_file.c \
+
+# this is the list of paths (relative to a file
+# that we need to verify) used to find a signed manifest.
+# the signature extensions in VE_SIGNATURE_EXT_LIST
+# will be applied to each.
+VE_MANIFEST_LIST?= manifest ../manifest
+
+verify_file.o: manifests.h
+manifests.h:
+	@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
+	echo "static const char *manifest_names[] = {"; \
+	echo '${VE_MANIFEST_LIST:@m@"$m",${.newline}@}'; \
+	echo 'NULL };' ) > ${.TARGET}
+
+XCFLAGS.verify_file+= \
+	-DVE_DEBUG_LEVEL=${VE_DEBUG_LEVEL:U0} \
+	-DVE_VERBOSE_DEFAULT=${VE_VERBOSE_DEFAULT:U0} \
+
+.if !empty(MANIFEST_SKIP_ALWAYS)
+XCFLAGS.verify_file+= -DMANIFEST_SKIP_ALWAYS=\"${MANIFEST_SKIP_ALWAYS}\"
+.elif !empty(MANIFEST_SKIP)
+XCFLAGS.verify_file+= -DMANIFEST_SKIP=\"${MANIFEST_SKIP}\"
+.endif