git.proxmox.com Git - efi-boot-shim.git/blame - BUILDING
It's pretty straightforward:

cp $MY_DER_ENCODED_CERT pub.cer
make VENDOR_CERT_FILE=pub.cer
make EFIDIR=my_esp_dir_name install

There are a couple of ways to customize the build:

Install targets:
- install
  installs shim as if to a hard drive, including installing MokManager and
  fallback appropriately.
- install-as-data
  installs shim files to /usr/share/shim/$(EFI_ARCH)-$(VERSION)/

Variables you should set to customize the build:
- EFIDIR
  This is the name of the ESP directory. The install targets won't work
  without it.
- DESTDIR
  This will be prepended to any install targets, so you don't have to
  install to a live root directory.
- DEFAULT_LOADER
  defaults to \\\\grub$(EFI_ARCH).efi, but you could set it to whatever.
  Be careful with the leading backslashes, they can be hard to get
  correct.

Variables you could set to customize the build:
- ENABLE_SHIM_CERT
  If this variable is defined on the make command line, shim will
  generate keys during the build and sign MokManager and fallback with
  them, and the signed version will be what gets installed with the
  install targets.
- ENABLE_SHIM_DEVEL
  If this is set, we look for SHIM_DEVEL_DEBUG instead of SHIM_DEBUG in
  our debugger delay hook, thus meaning you can have it pause for a
  debugger only on the development branch and not the OS you need to boot
  to scp in a new development build.
- DISABLE_EBS_PROTECTION
  On systems where a second stage bootloader is not used, and the Linux
  Kernel is embedded in the same EFI image as shim and booted directly
  from shim, shim's ExitBootServices() hook can cause problems as the
  kernel never calls the shim's verification protocol. In this case
  calling the shim verification protocol is unnecessary and redundant as
  shim has already verified the kernel when shim loaded the kernel as the
  second stage loader. In such a case, and only in this case, you should
  use DISABLE_EBS_PROTECTION=y to build.
- DISABLE_REMOVABLE_LOAD_OPTIONS
  Do not parse load options when invoked as boot*.efi. This prevents boot
  failures because of unexpected data in boot entries automatically generated
  by firmware. It breaks loading non-default second-stage loaders when invoked
  via that path, and requires using a binary named shim*.efi (or really anything
  else).
- REQUIRE_TPM
  If TPM logging or extends return an error code, treat that as a fatal error.
- ARCH
  This allows you to do a build for a different arch that we support. For
  instance, on x86_64 you could do "setarch linux32 make ARCH=ia32" to get
  the ia32 build instead. (DEFAULT_LOADER will be automatically adjusted
  in that case.)
- TOPDIR
  You can use this along with make -f to build in a subdir. For instance,
  on an x86_64 machine you could do:

    mkdir build-ia32 build-x64 inst
    cd build-ia32
    setarch linux32 make TOPDIR=.. ARCH=ia32 -f ../Makefile
    setarch linux32 make TOPDIR=.. ARCH=ia32 \
                         DESTDIR=../inst EFIDIR=debian \
                         -f ../Makefile install
    cd ../build-x64
    make TOPDIR=.. -f ../Makefile
    make TOPDIR=.. DESTDIR=../inst EFIDIR=debian \
         -f ../Makefile install

  That would get you x86_64 and ia32 builds in the "inst" subdir.
- OSLABEL
  This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
  By default this is the same value as EFIDIR.

Vendor SBAT data:
Reviewers will sometimes request that a build include extra .sbat data.
The mechanism to do so is to add a CSV file in data/ with the name
sbat.FOO.csv, where FOO is your EFI subdirectory name. The build
system will automatically include any such files.
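
A pre-build check for the vendor SBAT file described above, as an added example that is not part of shim or its build system. It assumes the six-field SBAT row layout (component, generation, vendor name, package, version, URL) with a positive-integer generation; the function name check_vendor_sbat and the sample row are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of shim: pre-build check of data/sbat.<EFIDIR>.csv.
# Assumption: each row uses the six-field SBAT layout
#   component,generation,vendor name,package,version,url

# check_vendor_sbat DATA_DIR EFIDIR
# Prints one line per problem; returns 0 only when the file is clean.
check_vendor_sbat() {
    file="$1/sbat.$2.csv"
    if [ -z "$2" ]; then echo "EFIDIR is empty"; return 2; fi
    if [ ! -f "$file" ]; then echo "missing $file"; return 2; fi
    awk -F, '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[[:space:]]*$/ { next }          # ignore blank lines
        NF != 6 {
            printf "line %d: expected 6 fields, got %d\n", NR, NF
            bad = 1; next
        }
        $1 == "" { printf "line %d: empty component name\n", NR; bad = 1 }
        $2 !~ /^[1-9][0-9]*$/ {
            printf "line %d: generation \"%s\" is not a positive integer\n", NR, $2
            bad = 1
        }
        { rows++ }
        END {
            if (rows == 0) { print "no SBAT rows found"; bad = 1 }
            exit bad
        }
    ' "$file"
}

if [ "$#" -eq 2 ]; then
    check_vendor_sbat "$1" "$2"
else
    # Demo on a constructed row; "example" stands in for your EFIDIR.
    demo=$(mktemp -d)
    echo 'shim.example,1,Example Vendor,shim,15.8,https://example.com/security' \
        > "$demo/sbat.example.csv"
    check_vendor_sbat "$demo" example && echo "sbat.example.csv: ok"
    rm -rf "$demo"
fi
```

Run it as `sh check_sbat.sh data "$EFIDIR"` before `make`, using the same EFIDIR value you pass to the install target.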
86
# vim:filetype=mail:tw=74