This document explains how to build the Mako Server from the Barracuda App Server (BAS) source tree. The Mako Server is the ready-to-run Lua application server built on BAS for high-level operating systems such as Linux, Windows, macOS, QNX, and VxWorks.
Use this page when you are compiling, porting, or customizing the Mako Server C code. Use Using the Mako Server for command-line options,
mako.conf, application loading, modules, and runtime APIs. For downloads, tutorials, and product-level documentation, see makoserver.net.
| Task | Where to Start |
|---|---|
| Use Mako Server without compiling it | Download a precompiled version from makoserver.net. |
| Build Mako Server from BAS | Use the make directory and its platform scripts, or include the required source files directly in your IDE or build system. |
| Build quickly on Linux with common optional modules | Use the Ansible build script. |
| Customize Lua resources | Build or provide mako.zip. Keep the embedded ZIP as a fallback unless your deployment always ships an external mako.zip. |
| Prepare a hardened build | Review the extension hooks, signed ZIP support, SharkTrustX settings, and softTPM configuration. |
The make directory contains the generic makefile and several ready-to-use build scripts that call it. See make/README.txt for the platform-specific details.
As an alternative to the makefile, include the required source files directly in your build system or IDE.
Quick Linux build with extended features:
If you are targeting embedded Linux or want to quickly test Mako Server on Linux, consider using the provided Ansible build script. It uses the amalgamated BAS library and compiles Mako with a set of optional plugins.
| File | Required | Purpose |
|---|---|---|
src/MakoMain.c | Yes | Mako Server startup code. It creates the configurable standalone server using BAS.c. |
../../amalgamation/BAS.c | Yes | The Barracuda App Server library. See ../../amalgamation/README.txt for details. |
src/SendError.c | Optional | Traps errors and optionally reports the errors, including asserts, if enabled. You may use another error handler or remove the call in MakoMain.c. |
obj/LspZip.c | Optional | Internal fallback ZIP converted to a C array by bin2c and assembled by running BuildInternalZip. Exclude by compiling with USE_EMBEDDED_ZIP=0. |
../../xrc/sql/ls_sqlite3.c | Optional | Lua SQLite Lua bindings. |
../../xrc/sql/luasql.c | Optional | Lua SQLite Lua bindings. |
../../xrc/sql/sqlite3.c | Optional | SQLite database. |
When compiling for Windows, include all C files in the src/Windows subdirectory. These files enable the server to be installed as a Windows service.
The Mako Server requires Lua and web resource files. The make directory includes two scripts for assembling these resources:
| Script | Output | Purpose |
|---|---|---|
BuildInternalZip | obj/LspZip.c | Builds the minimum internal fallback resources and converts them to C. You can exclude this file by compiling with USE_EMBEDDED_ZIP=0. |
BuildMakoZip | mako.zip | Builds the external resource file used by the Mako Server at startup. This script requires a copy of the BAS-Resources repository in BAROOT/../BAS-Resources. |
In most deployments, ship the external mako.zip file with the Mako executable. It includes resources used by components such as the TraceLogger and the File Manager. The internal ZIP is only a fallback if mako.zip is not found. If the server is compiled without the internal ZIP and cannot mount mako.zip, startup fails.
The default build includes SQLite. You can also compile the Mako Server without built-in SQL support or with ITTIA database bindings.
| Macro | Result |
|---|---|
USE_SQL=0 | No embedded database. |
USE_SQL=1 | Embedded SQLite. |
USE_SQL=2 | ITTIA database Lua bindings. You must also embed the ITTIA database. |
The Mako Server can be compiled directly on the command line without using the makefile. The following example compiles the Mako Server for POSIX/Linux without SQLite and without the internal ZIP file (obj/LspZip.c).
Start by setting the include path:
Set the required C compiler flags:
Add the following to CFLAGS when compiling for a 64-bit processor:
Compile and link:
See make/README.txt for details.
The Mako Server is designed to allow customization and extension without requiring changes to MakoMain.c. Extension files are included at defined points in the startup code and let you add platform logic, product-specific Lua bindings, and security settings.
| File | Purpose |
|---|---|
MakoExt1.ch | Empty extension point for custom macros, helper functions, or supporting logic. |
MakoExt2.ch | Platform and security extension point. It can enforce signed ZIP validation, set a global ZIP password, add Lua bindings through makoOpenAUX(), and initialize the softTPM. Search this file for USE_ZIPSIGNATURE and USE_ZIPBINPWD. See Signed and Encrypted ZIP Files. |
MakoExtM1.ch, MakoExtM2.ch, MakoExtM3.ch, MakoExtM4.ch | Empty extension points inserted into the main initialization function, runMako(). |
MakoWBC.ch | White-box cryptography logic used by the softTPM. |
Note: When signed ZIP files are enabled, the Mako Server will only mount deployed ZIP applications. This means all ZIP files, including mako.zip, must be signed. If mako.zip is not signed or is signed with an incorrect signature, the following error will occur at server startup:
Mounting path/2/mako.zip Fatal error: cannot mount mako.zip.
The generated C file tokengen.c includes SharkTrustX settings for the demo portal local.makoserver.net. If you're using your own SharkTrustX portal, replace tokengen.c with the version generated by your portal. To exclude this code, compile with the NO_SHARKTRUST macro. Do not include tokengen.c in your build, as MakoMain.c includes it as a header file.
The Mako Server includes a softTPM implementation that, when properly configured, provides reasonable security. See the TPM API and How the TPM Works for details and an introduction to initializing the softTPM from C code.
Mako TPM Details and Required Configuration
The src/EncryptionKey.h file contains a binary random number of variable length the product designer (you) set. This number is consistent across all firmware copies and supplemented with additional per-device-specific entropy (DDUI). Instead of modifying EncryptionKey.h, you may create a new file called NewEncryptionKey.h and compile with the NewEncryptionKey macro.
To exclude the TPM functionality, compile with the NO_ENCRYPTIONKEY macro.
Device-Derived Unique Identifier (DDUI)
The softTPM relies on a Device-Derived Unique Identifier (DDUI) to function correctly. This identifier ensures that each device is truly unique. Without a DDUI, all devices would generate identical private keys for a given name handle, making the softTPM less secure.
The file PushUniqueKey.ch, included by MakoExt2.ch, provides a helper function, pushUniqueKey(), with platform-specific implementations for pushing the MAC address onto the Lua stack. If this code cannot derive a DDUI, it will print a warning message.
For best results, the DDUI should be derived from hardware-based uniqueness (e.g., CPU serial number, MAC address, or another hardware fingerprint). This guarantees that the identifier is both deterministic and device-specific.
The Embedded TPM Lua Code
For security reasons, the Lua-based TPM implementation, which is loaded and initialized by the C code, is embedded in the Mako Server binary. The file MakoTPM.lua has been renamed to .config, zipped, converted to a C code, and included in the Mako Server as tpm.h. The file MakoMain.c includes this file and initializes the TPM during startup. The Lua TPM code calculates a pre-master secret based on the data provided by the C code. This pre-master secret forms the basis for generating multiple unique secrets, instrumental in creating TPM keys. These keys are not stored but are regenerated with each system restart, significantly reducing the risk of key leakage.
Suggested release compile time macros:
In addition to NDEBUG, the following settings are recommended to secure the softTPM: do not define USE_DBGMON, and compile with NO_LDEBUG to disable the Lua debug API.