+AC_ARG_WITH(
+ [signed-boot],
+ [AS_HELP_STRING([--with-signed-boot=@<:@no|yes|gpgme|openssl@:>@],
+ [Build kernel signature checking support with specified
+ crypto pacakge. A @<:@yes@:>@ value will first check
+ for gpgme then openssl and use the first found.
+ @<:@default=no@:>@]
+ )],
+ [AS_IF([test "x$with_signed_boot" = xno],[],
+ [test "x$with_signed_boot" = xyes],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=yes specified but gpgme or openssl not found])]
+ )]
+ )],
+ [test "x$with_signed_boot" = xgpgme],
+ [AM_PATH_GPGME([1.0.0],
+ [sboot=gpgme],
+ [AC_MSG_FAILURE([--with-signed-boot=gpgme specified but gpgme not found])]
+ )],
+ [test "x$with_signed_boot" = xopenssl],
+ [AX_CHECK_OPENSSL(
+ [sboot=openssl],
+ [AC_MSG_FAILURE([--with-signed-boot=openssl specified but openssl not found])]
+ )],
+ [AC_MSG_FAILURE([--with-signed-boot given invalid option: $with_signed_boot])]
+ )],
+ [with_signed_boot=no]
+)
+
+AM_CONDITIONAL([WITH_GPGME], [test "x$sboot" = xgpgme])
+AM_CONDITIONAL([WITH_OPENSSL], [test "x$sboot" = xopenssl])
+AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" != xno])
+AM_COND_IF([WITH_SIGNED_BOOT],
+ [AC_DEFINE([SIGNED_BOOT], 1, [Define if you have signed boot enabled])],
+ [])
+
+AC_ARG_VAR(
+ [lockdown_file],
+ [Location of authorized signature file [default = "/etc/pb-lockdown"]]
+)
+AS_IF([test "x$lockdown_file" = x], [lockdown_file="/etc/pb-lockdown"])
+AC_DEFINE_UNQUOTED(LOCKDOWN_FILE, "$lockdown_file", [Lockdown file location])
+
+AC_ARG_VAR(
+ [KEYRING_PATH],
+ [Path to keyring (gpgme home dir) @<:@default="/etc/gpg"@:>@]
+)
+AS_IF([test "x$KEYRING_PATH" = x], [KEYRING_PATH="/etc/gpg"])
+AC_DEFINE_UNQUOTED(KEYRING_PATH, "$KEYRING_PATH", [gpgme home dir])
+
+AC_ARG_VAR(
+ [VERIFY_DIGEST],
+ [Signed boot signature verification digest algorithm to use (only valid in openssl) @<:@default="sha256"@:>@]
+)
+AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
+AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
+
+AC_ARG_ENABLE([hard-lockdown],
+ [AS_HELP_STRING([--enable-hard-lockdown],
+ [if signed boot configured, the absence of the
+ LOCKDOWN_FILE does not disable signed boot at
+ runtime @<:@default=no@:>@])],
+ [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])],
+ [])
+