[efi-boot-shim.git] / Makefile

default : all

NAME		= shim
VERSION		= 15.5
ifneq ($(origin RELEASE),undefined)
DASHRELEASE	?= -$(RELEASE)
else
DASHRELEASE	?=
endif

ifeq ($(MAKELEVEL),0)
TOPDIR		?= $(shell pwd)
endif
ifeq ($(TOPDIR),)
override TOPDIR := $(shell pwd)
endif
override TOPDIR	:= $(abspath $(TOPDIR))
VPATH		= $(TOPDIR)
export TOPDIR

include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
include $(TOPDIR)/include/coverity.mk
include $(TOPDIR)/include/scan-build.mk
include $(TOPDIR)/include/fanalyzer.mk

TARGETS	= $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif
ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
CFLAGS += -DENABLE_SHIM_DEVEL
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS	+= $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
OBJS	= shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES	= shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o globals.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o
ORIG_FALLBACK_SRCS = fallback.c
SBATPATH = $(TOPDIR)/data/sbat.csv

ifeq ($(SOURCE_DATE_EPOCH),)
	UNAME=$(shell uname -s -m -p -i -o)
else
	UNAME=buildhost
endif

SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))

ifneq ($(origin FALLBACK_VERBOSE), undefined)
	CFLAGS += -DFALLBACK_VERBOSE
endif

ifneq ($(origin FALLBACK_NONINTERACTIVE), undefined)
	CFLAGS += -DFALLBACK_NONINTERACTIVE
endif

ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
endif

all: confcheck $(TARGETS)

confcheck:
ifneq ($(origin EFI_PATH),undefined)
	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
endif

update :
	git submodule update --init --recursive

shim.crt:
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

shim.cer: shim.crt
	$(OPENSSL) x509 -outform der -in $< -out $@

.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
	echo "};" >> $@

version.c : $(TOPDIR)/version.c.in
	sed	-e "s,@@VERSION@@,$(VERSION)," \
		-e "s,@@UNAME@@,$(UNAME)," \
		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
		< $< > $@

certdb/secmod.db: shim.crt
	-mkdir certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u

shim.o: $(SOURCES)
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
endif
shim.o: $(wildcard $(TOPDIR)/*.h)

cert.o : $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c -o $@ $<

sbat.%.csv : data/sbat.%.csv
	$(DOS2UNIX) $(D2UFLAGS) $< $@
	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline

VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))

sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
sbat_data.o : /dev/null
	$(CC) $(CFLAGS) -x c -c -o $@ $<
	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
		--set-section-flags .sbat=contents,alloc,load,readonly,data \
		$@
	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))

$(SHIMNAME) : $(SHIMSONAME) post-process-pe
$(MMNAME) : $(MMSONAME) post-process-pe
$(FBNAME) : $(FBSONAME) post-process-pe
$(SHIMNAME) $(MMNAME) $(FBNAME) : | post-process-pe

LIBS = Cryptlib/libcryptlib.a \
       Cryptlib/OpenSSL/libopenssl.a \
       lib/lib.a \
       gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
       gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a

$(SHIMSONAME): $(OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

fallback.o: $(FALLBACK_SRCS)

$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

MokManager.o: $(MOK_SOURCES)

$(MMSONAME): $(MOK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
	mkdir -p gnu-efi/lib gnu-efi/gnuefi
	$(MAKE) -C gnu-efi \
		COMPILER="$(COMPILER)" \
		CC="$(CC)" \
		ARCH=$(ARCH_GNUEFI) \
		TOPDIR=$(TOPDIR)/gnu-efi \
		-f $(TOPDIR)/gnu-efi/Makefile \
		lib gnuefi inc

Cryptlib/libcryptlib.a:
	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile

Cryptlib/OpenSSL/libopenssl.a:
	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile

lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	mkdir -p lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile

post-process-pe : $(TOPDIR)/post-process-pe.c
	$(HOSTCC) -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o $@ $<

buildid : $(TOPDIR)/buildid.c
	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf

$(BOOTCSVNAME) :
	@echo Making $@
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@

install-check :
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
endif
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
endif

install-deps : $(TARGETS)
install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
install-deps : $(BOOTCSVNAME)

install-debugsource : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
		outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	done

install-debuginfo : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
		first=$$(echo $${buildid} | cut -b -2) ; \
		rest=$$(echo $${buildid} | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
		ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
		ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	done

install : | install-check
install : install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
else
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
endif

install-as-data : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
else
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
endif

%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .dyn -j .reloc -j .eh_frame \
		-j .vendor_cert -j .sbat \
		$(FORMAT) $< $@
	./post-process-pe -vv $@

ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
	$(PESIGN) -i $< -P -h > $@
endif

%.efi.debug : %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id \
		$< $@

ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
	@$(SBSIGN) \
		--key shim.key \
		--cert shim.crt \
		--output $@ $<
else
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
endif

test test-clean test-coverage test-lto :
	@make -f $(TOPDIR)/include/test.mk \
		COMPILER="$(COMPILER)" \
		CROSS_COMPILE="$(CROSS_COMPILE)" \
		CLANG_WARNINGS="$(CLANG_WARNINGS)" \
		ARCH_DEFINES="$(ARCH_DEFINES)" \
		EFI_INCLUDES="$(EFI_INCLUDES)" \
		test-clean $@

$(patsubst %.c,%,$(wildcard test-*.c)) :
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@

.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test

clean-test-objs:
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean

clean-gnu-efi:
	@if [ -d gnu-efi ] ; then \
		$(MAKE) -C gnu-efi \
			CC="$(CC)" \
			HOSTCC="$(HOSTCC)" \
			COMPILER="$(COMPILER)" \
			ARCH=$(ARCH_GNUEFI) \
			TOPDIR=$(TOPDIR)/gnu-efi \
			-f $(TOPDIR)/gnu-efi/Makefile \
			clean ; \
	fi

clean-lib-objs:
	@if [ -d lib ] ; then \
		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
	fi

clean-shim-objs:
	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid post-process-pe
	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi

clean-openssl-objs:
	@if [ -d Cryptlib/OpenSSL ] ; then \
		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
	fi

clean-cryptlib-objs:
	@if [ -d Cryptlib ] ; then \
		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
	fi

clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs

GITTAG = $(VERSION)

test-archive:
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"

tag:
	git tag --sign $(GITTAG) refs/heads/main
	git tag -f latest-release $(GITTAG)

archive: tag
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"

.PHONY : install-deps shim.key

export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
export FEATUREFLAGS WARNFLAGS WERRFLAGS
Commit	Line	Data
f892ac66 MTL	1	default : all
	2
	3	NAME = shim
8529e0f7	4	VERSION = 15.5
b6f94dbe MTL	5	ifneq ($(origin RELEASE),undefined)
	6	DASHRELEASE ?= -$(RELEASE)
	7	else
	8	DASHRELEASE ?=
d3819813 MTL	9	endif
d3819813 MTL	10
f4173af1 MTL	11	ifeq ($(MAKELEVEL),0)
	12	TOPDIR ?= $(shell pwd)
	13	endif
f892ac66 MTL	14	ifeq ($(TOPDIR),)
	15	override TOPDIR := $(shell pwd)
	16	endif
f4173af1 MTL	17	override TOPDIR := $(abspath $(TOPDIR))
f4173af1 MTL	18	VPATH = $(TOPDIR)
031e5cce	19	export TOPDIR
f4173af1	20
f892ac66	21	include $(TOPDIR)/Make.rules
031e5cce SM	22	include $(TOPDIR)/Make.defaults
	23	include $(TOPDIR)/include/coverity.mk
	24	include $(TOPDIR)/include/scan-build.mk
	25	include $(TOPDIR)/include/fanalyzer.mk
43eeb538	26
b6f94dbe MTL	27	TARGETS = $(SHIMNAME)
	28	TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
	29	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	30	TARGETS += $(SHIMHASHNAME)
	31	endif
031e5cce SM	32	ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
	33	CFLAGS += -DENABLE_SHIM_DEVEL
	34	endif
b6f94dbe MTL	35	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	36	TARGETS += $(MMNAME).signed $(FBNAME).signed
	37	CFLAGS += -DENABLE_SHIM_CERT
	38	else
	39	TARGETS += $(MMNAME) $(FBNAME)
	40	endif
8529e0f7	41	OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
2892db7f	42	KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
8529e0f7 SM	43	ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
8529e0f7 SM	44	MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o globals.o
f892ac66	45	ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
8529e0f7	46	FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o
f4173af1	47	ORIG_FALLBACK_SRCS = fallback.c
8119f718	48	SBATPATH = $(TOPDIR)/data/sbat.csv
b2fe1780	49
031e5cce SM	50	ifeq ($(SOURCE_DATE_EPOCH),)
	51	UNAME=$(shell uname -s -m -p -i -o)
	52	else
	53	UNAME=buildhost
62f0afa2 MTL	54	endif
62f0afa2 MTL	55
f4173af1 MTL	56	SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
	57	MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
	58	FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
	59
031e5cce SM	60	ifneq ($(origin FALLBACK_VERBOSE), undefined)
	61	CFLAGS += -DFALLBACK_VERBOSE
	62	endif
	63
8529e0f7 SM	64	ifneq ($(origin FALLBACK_NONINTERACTIVE), undefined)
	65	CFLAGS += -DFALLBACK_NONINTERACTIVE
	66	endif
	67
031e5cce SM	68	ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
	69	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
	70	endif
	71
	72	all: confcheck $(TARGETS)
	73
	74	confcheck:
	75	ifneq ($(origin EFI_PATH),undefined)
	76	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
	77	endif
	78
	79	update :
	80	git submodule update --init --recursive
b2fe1780	81
ef8c9962	82	shim.crt:
f4173af1	83	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
ef8c9962 MG	84
ef8c9962 MG	85	shim.cer: shim.crt
f4173af1	86	$(OPENSSL) x509 -outform der -in $< -out $@
ef8c9962	87
51d5bbcb	88	.NOTPARALLEL: shim_cert.h
ef8c9962	89	shim_cert.h: shim.cer
6215e920	90	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
f4173af1	91	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
ef8c9962 MG	92	echo "};" >> $@
ef8c9962 MG	93
f4173af1	94	version.c : $(TOPDIR)/version.c.in
0fb089ee	95	sed -e "s,@@VERSION@@,$(VERSION)," \
031e5cce	96	-e "s,@@UNAME@@,$(UNAME)," \
f892ac66	97	-e "s,@@COMMIT@@,$(COMMIT_ID)," \
f4173af1	98	< $< > $@
0fb089ee	99
ef8c9962 MG	100	certdb/secmod.db: shim.crt
ef8c9962 MG	101	-mkdir certdb
f4173af1 MTL	102	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
f4173af1 MTL	103	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
ef8c9962	104
b6f94dbe MTL	105	shim.o: $(SOURCES)
	106	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	107	shim.o: shim_cert.h
	108	endif
	109	shim.o: $(wildcard $(TOPDIR)/*.h)
b2fe1780	110
f4173af1	111	cert.o : $(TOPDIR)/cert.S
8518b8cc PJ	112	$(CC) $(CFLAGS) -c -o $@ $<
8518b8cc PJ	113
031e5cce SM	114	sbat.%.csv : data/sbat.%.csv
	115	$(DOS2UNIX) $(D2UFLAGS) $< $@
	116	tail -c1 $@ \| read -r _ \|\| echo >> $@ # ensure a trailing newline
	117
8119f718	118	VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat..csv data/sbat..csv),$(notdir $(x))))
031e5cce SM	119
	120	sbat_data.o : \| $(SBATPATH) $(VENDOR_SBATS)
	121	sbat_data.o : /dev/null
	122	$(CC) $(CFLAGS) -x c -c -o $@ $<
	123	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
	124	--set-section-flags .sbat=contents,alloc,load,readonly,data \
	125	$@
	126	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
	127
8529e0f7 SM	128	$(SHIMNAME) : $(SHIMSONAME) post-process-pe
	129	$(MMNAME) : $(MMSONAME) post-process-pe
	130	$(FBNAME) : $(FBSONAME) post-process-pe
	131	$(SHIMNAME) $(MMNAME) $(FBNAME) : \| post-process-pe
b6f94dbe	132
031e5cce SM	133	LIBS = Cryptlib/libcryptlib.a \
	134	Cryptlib/OpenSSL/libopenssl.a \
	135	lib/lib.a \
	136	gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
	137	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
	138
	139	$(SHIMSONAME): $(OBJS) $(LIBS)
	140	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
7f055335	141
eb9f7f1c PJ	142	fallback.o: $(FALLBACK_SRCS)
eb9f7f1c PJ	143
031e5cce SM	144	$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
031e5cce SM	145	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
eb9f7f1c	146
3a838b14	147	MokManager.o: $(MOK_SOURCES)
333bd977	148
031e5cce	149	$(MMSONAME): $(MOK_OBJS) $(LIBS)
17857eb8	150	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
333bd977	151
031e5cce SM	152	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
031e5cce SM	153	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
8119f718	154	mkdir -p gnu-efi/lib gnu-efi/gnuefi
031e5cce	155	$(MAKE) -C gnu-efi \
8529e0f7 SM	156	COMPILER="$(COMPILER)" \
	157	CC="$(CC)" \
	158	ARCH=$(ARCH_GNUEFI) \
	159	TOPDIR=$(TOPDIR)/gnu-efi \
8119f718	160	-f $(TOPDIR)/gnu-efi/Makefile \
031e5cce SM	161	lib gnuefi inc
031e5cce SM	162
b2d0e06f	163	Cryptlib/libcryptlib.a:
031e5cce	164	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
8119f718	165	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
b2d0e06f MG	166
b2d0e06f MG	167	Cryptlib/OpenSSL/libopenssl.a:
031e5cce	168	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
8119f718	169	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
b2d0e06f	170
f892ac66	171	lib/lib.a: \| $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
8119f718 SM	172	mkdir -p lib
8119f718 SM	173	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
f7a18215	174
8529e0f7 SM	175	post-process-pe : $(TOPDIR)/post-process-pe.c
	176	$(HOSTCC) -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o $@ $<
	177
b6f94dbe	178	buildid : $(TOPDIR)/buildid.c
031e5cce	179	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
b6f94dbe MTL	180
	181	$(BOOTCSVNAME) :
	182	@echo Making $@
ecc29226	183	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" \| iconv -t UCS-2LE > $@
b6f94dbe MTL	184
	185	install-check :
	186	ifeq ($(origin LIBDIR),undefined)
	187	$(error Architecture $(ARCH) is not a supported build target.)
	188	endif
	189	ifeq ($(origin EFIDIR),undefined)
	190	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
9196c7cf AB	191	endif
9196c7cf AB	192
b6f94dbe MTL	193	install-deps : $(TARGETS)
	194	install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
	195	install-deps : $(BOOTCSVNAME)
	196
	197	install-debugsource : install-deps
	198	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	199	find $(TOPDIR) -type f -a '(' -iname '.c' -o -iname '.h' -o -iname '*.S' ')' \| while read file ; do \
	200	outfile=$$(echo $${file} \| sed -e "s,^$(TOPDIR),,") ; \
	201	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
	202	$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	203	done
	204
	205	install-debuginfo : install-deps
	206	$(INSTALL) -d -m 0755 $(DESTDIR)/
	207	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	208	@./buildid $(wildcard *.efi.debug) \| while read file buildid ; do \
	209	first=$$(echo $${buildid} \| cut -b -2) ; \
	210	rest=$$(echo $${buildid} \| cut -b 3-) ; \
	211	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
	212	$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
	213	ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
	214	ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	215	done
	216
	217	install : \| install-check
	218	install : install-deps install-debuginfo install-debugsource
	219	$(INSTALL) -d -m 0755 $(DESTDIR)/
	220	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	221	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	222	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	223	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	224	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	225	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
	226	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	227	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	228	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	229	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
	230	else
	231	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	232	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	233	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
221faac5 AB	234	endif
221faac5 AB	235
b6f94dbe MTL	236	install-as-data : install-deps
	237	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	238	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
8119f718	239	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
b6f94dbe MTL	240	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	241	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
	242	endif
	243	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	244	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	245	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
	246	else
	247	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	248	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
	249	endif
17857eb8	250
b2d0e06f	251	%.efi: %.so
d3819813 MTL	252	ifneq ($(OBJCOPY_GTE224),1)
	253	$(error objcopy >= 2.24 is required)
	254	endif
031e5cce	255	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
8119f718	256	-j .dynamic -j .rodata -j .rel* \
8529e0f7	257	-j .rela* -j .dyn -j .reloc -j .eh_frame \
031e5cce SM	258	-j .vendor_cert -j .sbat \
031e5cce SM	259	$(FORMAT) $< $@
8529e0f7	260	./post-process-pe -vv $@
b6f94dbe MTL	261
	262	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	263	%.hash : %.efi
	264	$(PESIGN) -i $< -P -h > $@
	265	endif
	266
	267	%.efi.debug : %.so
	268	ifneq ($(OBJCOPY_GTE224),1)
	269	$(error objcopy >= 2.24 is required)
	270	endif
031e5cce	271	$(OBJCOPY) -D -j .text -j .sdata -j .data \
8119f718	272	-j .dynamic -j .rodata -j .rel* \
8529e0f7	273	-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
5b1bf558 MG	274	-j .debug_info -j .debug_abbrev -j .debug_aranges \
5b1bf558 MG	275	-j .debug_line -j .debug_str -j .debug_ranges \
d3819813	276	-j .note.gnu.build-id \
031e5cce	277	$< $@
b2fe1780	278
b6f94dbe MTL	279	ifneq ($(origin ENABLE_SBSIGN),undefined)
b6f94dbe MTL	280	%.efi.signed: %.efi shim.key shim.crt
031e5cce SM	281	@$(SBSIGN) \
	282	--key shim.key \
	283	--cert shim.crt \
	284	--output $@ $<
b6f94dbe	285	else
ef8c9962	286	%.efi.signed: %.efi certdb/secmod.db
f4173af1	287	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
b6f94dbe	288	endif
ef8c9962	289
8529e0f7 SM	290	test test-clean test-coverage test-lto :
	291	@make -f $(TOPDIR)/include/test.mk \
	292	COMPILER="$(COMPILER)" \
	293	CROSS_COMPILE="$(CROSS_COMPILE)" \
	294	CLANG_WARNINGS="$(CLANG_WARNINGS)" \
	295	ARCH_DEFINES="$(ARCH_DEFINES)" \
	296	EFI_INCLUDES="$(EFI_INCLUDES)" \
	297	test-clean $@
031e5cce SM	298
031e5cce SM	299	$(patsubst %.c,%,$(wildcard test-*.c)) :
8119f718	300	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
031e5cce SM	301
	302	.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
	303
	304	clean-test-objs:
8119f718	305	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
031e5cce SM	306
031e5cce SM	307	clean-gnu-efi:
8119f718 SM	308	@if [ -d gnu-efi ] ; then \
8119f718 SM	309	$(MAKE) -C gnu-efi \
8529e0f7 SM	310	CC="$(CC)" \
	311	HOSTCC="$(HOSTCC)" \
	312	COMPILER="$(COMPILER)" \
	313	ARCH=$(ARCH_GNUEFI) \
	314	TOPDIR=$(TOPDIR)/gnu-efi \
8119f718 SM	315	-f $(TOPDIR)/gnu-efi/Makefile \
	316	clean ; \
	317	fi
	318
	319	clean-lib-objs:
	320	@if [ -d lib ] ; then \
	321	$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
	322	fi
031e5cce	323
f892ac66	324	clean-shim-objs:
f892ac66	325	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
8529e0f7	326	@rm -vf .debug .so .efi .efi.* .tar. version.c buildid post-process-pe
f892ac66	327	@rm -vf Cryptlib/.[oa] Cryptlib//*.[oa]
031e5cce	328	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
f892ac66	329
031e5cce	330	clean-openssl-objs:
8119f718 SM	331	@if [ -d Cryptlib/OpenSSL ] ; then \
	332	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
	333	fi
43eeb538	334
031e5cce	335	clean-cryptlib-objs:
8119f718 SM	336	@if [ -d Cryptlib ] ; then \
	337	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
	338	fi
031e5cce	339
8119f718	340	clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
031e5cce	341
43eeb538 PJ	342	GITTAG = $(VERSION)
	343
	344	test-archive:
031e5cce	345	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"
43eeb538	346
acac3380	347	tag:
031e5cce	348	git tag --sign $(GITTAG) refs/heads/main
f4173af1	349	git tag -f latest-release $(GITTAG)
acac3380 PJ	350
acac3380 PJ	351	archive: tag
031e5cce	352	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
f7a18215	353
b6f94dbe MTL	354	.PHONY : install-deps shim.key
b6f94dbe MTL	355
031e5cce SM	356	export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
031e5cce SM	357	export FEATUREFLAGS WARNFLAGS WERRFLAGS