Commit | Line | Data |
---|---|---|
ab881f03 MTL | 1 | It's pretty straightforward: |
2 | ||
3 | cp $MY_DER_ENCODED_CERT pub.cer | |
4 | make VENDOR_CERT_FILE=pub.cer | |
5 | make EFIDIR=my_esp_dir_name install | |
6 | ||
7 | There are a couple of ways to customize the build: | |
8 | ||
9 | Install targets: | |
10 | - install | |
11 | installs shim as if to a hard drive, including installing MokManager and | |
12 | fallback appropriately. | |
13 | - install-as-data | |
14 | installs shim files to /usr/share/shim/$(EFI_ARCH)-$(VERSION)/ | |
15 | ||
16 | Variables you should set to customize the build: | |
17 | - EFIDIR | |
18 | This is the name of the ESP directory. The install targets won't work | |
19 | without it. | |
20 | - DESTDIR | |
21 | This will be prepended to any install targets, so you don't have to | |
22 | install to a live root directory. | |
23 | - DEFAULT_LOADER | |
24 | Defaults to \\\\grub$(EFI_ARCH).efi, but you could set it to whatever. | |
25 | Be careful with the leading backslashes; they can be hard to get | |
26 | correct. | |
27 | ||
28 | Variables you could set to customize the build: | |
29 | - ENABLE_SHIM_CERT | |
f892ac66 | 30 | If this variable is defined on the make command line, shim will |
ab881f03 MTL | 31 | generate keys during the build and sign MokManager and fallback with |
32 | them, and the signed version will be what gets installed with the | |
33 | install targets. | |
031e5cce SM | 34 | - ENABLE_SHIM_DEVEL |
35 | If this is set, we look for SHIM_DEVEL_DEBUG instead of SHIM_DEBUG in | |
36 | our debugger delay hook, thus meaning you can have it pause for a | |
37 | debugger only on the development branch and not the OS you need to boot | |
38 | to scp in a new development build. | |
39 | - DISABLE_EBS_PROTECTION | |
40 | On systems where a second stage bootloader is not used, and the Linux | |
41 | Kernel is embedded in the same EFI image as shim and booted directly | |
42 | from shim, shim's ExitBootServices() hook can cause problems as the | |
43 | kernel never calls the shim's verification protocol. In this case | |
44 | calling the shim verification protocol is unnecessary and redundant as | |
45 | shim has already verified the kernel when shim loaded the kernel as the | |
46 | second stage loader. In such a case, and only in this case, you should | |
47 | use DISABLE_EBS_PROTECTION=y to build. | |
8529e0f7 SM | 48 | - DISABLE_REMOVABLE_LOAD_OPTIONS |
49 | Do not parse load options when invoked as boot*.efi. This prevents boot | |
50 | failures because of unexpected data in boot entries automatically generated | |
51 | by firmware. It breaks loading non-default second-stage loaders when invoked | |
52 | via that path, and requires using a binary named shim*.efi (or really anything | |
53 | else). | |
f892ac66 MTL | 54 | - REQUIRE_TPM |
55 | If TPM logging or extends return an error code, treat that as a fatal error. | |
ab881f03 MTL | 56 | - ARCH |
57 | This allows you to do a build for a different arch that we support. For | |
58 | instance, on x86_64 you could do "setarch linux32 make ARCH=ia32" to get | |
59 | the ia32 build instead. (DEFAULT_LOADER will be automatically adjusted | |
60 | in that case.) | |
61 | - TOPDIR | |
62 | You can use this along with make -f to build in a subdir. For instance, | |
63 | on an x86_64 machine you could do: | |
64 | ||
65 | mkdir build-ia32 build-x64 inst | |
66 | cd build-ia32 | |
67 | setarch linux32 make TOPDIR=.. ARCH=ia32 -f ../Makefile | |
68 | setarch linux32 make TOPDIR=.. ARCH=ia32 \ | |
69 | DESTDIR=../inst EFIDIR=debian \ | |
70 | -f ../Makefile install | |
71 | cd ../build-x64 | |
72 | make TOPDIR=.. -f ../Makefile | |
73 | make TOPDIR=.. DESTDIR=../inst EFIDIR=debian \ | |
74 | -f ../Makefile install | |
75 | ||
76 | That would get you x86_64 and ia32 builds in the "inst" subdir. | |
77 | - OSLABEL | |
78 | This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. | |
79 | By default this is the same value as EFIDIR . | |
80 | ||
031e5cce SM | 81 | Vendor SBAT data: |
82 | It will sometimes be requested by reviewers that a build includes extra | |
83 | .sbat data. The mechanism to do so is to add a CSV file in data/ with the | |
84 | name sbat.FOO.csv, where FOO is your EFI subdirectory name. The build | |
85 | system will automatically include any such files. | |
86 | ||
ab881f03 | 87 | # vim:filetype=mail:tw=74 |
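
A pre-build check for the inputs described above (VENDOR_CERT_FILE, EFIDIR and data/sbat.*.csv), as an added example that is not part of shim's build system. The function names are hypothetical, and the six-field row check comes from the SBAT CSV layout rather than from this file.

```shell
#!/bin/sh
# Added example: sanity checks to run before
#   make VENDOR_CERT_FILE=pub.cer && make EFIDIR=... install
# Function names are hypothetical; nothing here is part of shim's Makefile.

# A DER X.509 certificate starts with an ASN.1 SEQUENCE tag and a two-byte
# long-form length (30 82); a PEM file starts with "-----BEGIN" instead.
is_der_cert() {
    [ -f "$1" ] || return 1
    first=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$first" = "3082" ]
}

# Assumption (SBAT CSV layout, not stated on this page): every non-empty row
# has six comma-separated fields and the second (generation) is a number.
sbat_file_ok() {
    awk -F, 'NF == 0 { next }
             NF != 6 || $2 !~ /^[0-9]+$/ { bad = 1 }
             END { exit bad + 0 }' "$1"
}

# preflight CERT EFIDIR [TOPDIR]: returns 0 when the build inputs look sane.
preflight() {
    cert=$1; efidir=$2; top=${3:-.}
    rc=0
    if ! is_der_cert "$cert"; then
        echo "error: $cert is not DER; convert PEM with" \
             "'openssl x509 -in cert.pem -outform DER -out pub.cer'" >&2
        rc=1
    fi
    if [ -z "$efidir" ]; then
        echo "error: EFIDIR is empty; the install targets won't work" >&2
        rc=1
    fi
    # The build includes every data/sbat.*.csv, not only the one for EFIDIR.
    for f in "$top"/data/sbat.*.csv; do
        [ -e "$f" ] || continue      # glob matched nothing
        if ! sbat_file_ok "$f"; then
            echo "error: malformed SBAT row in $f" >&2
            rc=1
        fi
        [ "$f" = "$top/data/sbat.$efidir.csv" ] ||
            echo "warning: $f will also be included in this build" >&2
    done
    return $rc
}
```

Source the file and run `preflight pub.cer "$EFIDIR" .` from the top of the shim tree before invoking make.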