[efi-boot-shim.git] / Makefile

ARCH		= $(shell uname -m | sed s,i[3456789]86,ia32,)

SUBDIRS		= Cryptlib

LIB_PATH	= /usr/lib64

EFI_INCLUDE	= /usr/include/efi
EFI_INCLUDES	= -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
EFI_PATH	= /usr/lib64/gnuefi

LIB_GCC		= $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 

EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS		= elf_$(ARCH)_efi.lds

CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
		  -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
		  -mno-mmx -mno-sse \
		  $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
	CFLAGS	+= -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
ifneq ($(origin VENDOR_CERT_FILE), undefined)
	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
ifneq ($(origin VENDOR_DBX_FILE), undefined)
	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif

LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)

VERSION		= 0.4

TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
OBJS	= shim.o netboot.o cert.o dbx.o
KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
SOURCES	= shim.c shim.h netboot.c signature.h PeImage.h
MOK_OBJS = MokManager.o
MOK_SOURCES = MokManager.c shim.h console_control.h
FALLBACK_OBJS = fallback.o
FALLBACK_SRCS = fallback.c

all: $(TARGET)

shim.crt:
	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

shim.cer: shim.crt
	openssl x509 -outform der -in $< -out $@

shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] = {" > $@
	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
	echo "};" >> $@

certdb/secmod.db: shim.crt
	-mkdir certdb
	certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
	pk12util -d certdb/ -i shim.p12 -W "" -K ""
	certutil -d certdb/ -A -i shim.crt -n shim -t u

shim.o: $(SOURCES) shim_cert.h

cert.o : cert.S
	$(CC) $(CFLAGS) -c -o $@ $<

dbx.o : dbx.S
	$(CC) $(CFLAGS) -c -o $@ $<

shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

fallback.o: $(FALLBACK_SRCS)

fallback.so: $(FALLBACK_OBJS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

MokManager.o: $(SOURCES)

MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

Cryptlib/libcryptlib.a:
	$(MAKE) -C Cryptlib

Cryptlib/OpenSSL/libopenssl.a:
	$(MAKE) -C Cryptlib/OpenSSL

%.efi: %.so
	objcopy -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym  -j .rel \
		-j .rela -j .reloc -j .eh_frame \
		-j .vendor_cert \
		--target=efi-app-$(ARCH) $^ $@
	objcopy -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym  -j .rel \
		-j .rela -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		--target=efi-app-$(ARCH) $^ $@.debug

%.efi.signed: %.efi certdb/secmod.db
	pesign -n certdb -i $< -c "shim" -s -o $@ -f

clean:
	$(MAKE) -C Cryptlib clean
	$(MAKE) -C Cryptlib/OpenSSL clean
	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
	rm -f *.debug *.so *.efi

GITTAG = $(VERSION)

test-archive:
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"

archive:
	git tag $(GITTAG) refs/heads/master
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"
Commit	Line	Data
b2fe1780 MG	1	ARCH = $(shell uname -m \| sed s,i[3456789]86,ia32,)
b2fe1780 MG	2
b2d0e06f MG	3	SUBDIRS = Cryptlib
b2d0e06f MG	4
b2fe1780 MG	5	LIB_PATH = /usr/lib64
	6
	7	EFI_INCLUDE = /usr/include/efi
acf2e8ed	8	EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
b2fe1780 MG	9	EFI_PATH = /usr/lib64/gnuefi
	10
	11	LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
b2d0e06f	12	EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
b2fe1780 MG	13
b2fe1780 MG	14	EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
c682b514	15	EFI_LDS = elf_$(ARCH)_efi.lds
b2fe1780	16
632503aa	17	CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
2d8cfca2	18	-fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
acf2e8ed	19	-mno-mmx -mno-sse \
b2fe1780 MG	20	$(EFI_INCLUDES)
b2fe1780 MG	21	ifeq ($(ARCH),x86_64)
aa55fcf1	22	CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
b2fe1780	23	endif
8518b8cc PJ	24	ifneq ($(origin VENDOR_CERT_FILE), undefined)
	25	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
	26	endif
ff1409c3 PJ	27	ifneq ($(origin VENDOR_DBX_FILE), undefined)
	28	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
	29	endif
8518b8cc	30
b2d0e06f	31	LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
b2fe1780	32
d141608b	33	VERSION = 0.4
43eeb538	34
eb9f7f1c	35	TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
28a3e57c	36	OBJS = shim.o netboot.o cert.o dbx.o
ef8c9962	37	KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
1c595706	38	SOURCES = shim.c shim.h netboot.c signature.h PeImage.h
333bd977	39	MOK_OBJS = MokManager.o
a869915a	40	MOK_SOURCES = MokManager.c shim.h console_control.h
eb9f7f1c PJ	41	FALLBACK_OBJS = fallback.o
eb9f7f1c PJ	42	FALLBACK_SRCS = fallback.c
b2fe1780	43
37e456be	44	all: $(TARGET)
b2fe1780	45
ef8c9962 MG	46	shim.crt:
	47	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
	48
	49	shim.cer: shim.crt
	50	openssl x509 -outform der -in $< -out $@
	51
	52	shim_cert.h: shim.cer
	53	echo "static UINT8 shim_cert[] = {" > $@
	54	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
	55	echo "};" >> $@
	56
	57	certdb/secmod.db: shim.crt
	58	-mkdir certdb
	59	certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
	60	pk12util -d certdb/ -i shim.p12 -W "" -K ""
	61	certutil -d certdb/ -A -i shim.crt -n shim -t u
	62
	63	shim.o: $(SOURCES) shim_cert.h
b2fe1780	64
8518b8cc PJ	65	cert.o : cert.S
	66	$(CC) $(CFLAGS) -c -o $@ $<
	67
5f0a358b PJ	68	dbx.o : dbx.S
	69	$(CC) $(CFLAGS) -c -o $@ $<
	70
	71	shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
7f055335 MG	72	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
7f055335 MG	73
eb9f7f1c PJ	74	fallback.o: $(FALLBACK_SRCS)
	75
	76	fallback.so: $(FALLBACK_OBJS)
	77	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
	78
333bd977 GCPL	79	MokManager.o: $(SOURCES)
	80
	81	MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
	82	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
	83
b2d0e06f MG	84	Cryptlib/libcryptlib.a:
	85	$(MAKE) -C Cryptlib
	86
	87	Cryptlib/OpenSSL/libopenssl.a:
	88	$(MAKE) -C Cryptlib/OpenSSL
	89
	90	%.efi: %.so
b2fe1780 MG	91	objcopy -j .text -j .sdata -j .data \
b2fe1780 MG	92	-j .dynamic -j .dynsym -j .rel \
5b1bf558	93	-j .rela -j .reloc -j .eh_frame \
c682b514	94	-j .vendor_cert \
7f055335	95	--target=efi-app-$(ARCH) $^ $@
5b1bf558 MG	96	objcopy -j .text -j .sdata -j .data \
	97	-j .dynamic -j .dynsym -j .rel \
	98	-j .rela -j .reloc -j .eh_frame \
	99	-j .debug_info -j .debug_abbrev -j .debug_aranges \
	100	-j .debug_line -j .debug_str -j .debug_ranges \
e676d64a	101	--target=efi-app-$(ARCH) $^ $@.debug
b2fe1780	102
ef8c9962 MG	103	%.efi.signed: %.efi certdb/secmod.db
	104	pesign -n certdb -i $< -c "shim" -s -o $@ -f
	105
b2fe1780	106	clean:
b2d0e06f MG	107	$(MAKE) -C Cryptlib clean
b2d0e06f MG	108	$(MAKE) -C Cryptlib/OpenSSL clean
1de10962 PJ	109	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
1de10962 PJ	110	rm -f .debug .so *.efi
43eeb538 PJ	111
	112	GITTAG = $(VERSION)
	113
	114	test-archive:
	115	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	116	@mkdir -p /tmp/shim-$(VERSION)-tmp
	117	@git archive --format=tar $(shell git branch \| awk '/^*/ { print $$2 }') \| ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	118	@git diff \| ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
	119	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	120	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	121	@rm -rf /tmp/shim-$(VERSION)
	122	@echo "The archive is in shim-$(VERSION).tar.bz2"
	123
	124	archive:
	125	git tag $(GITTAG) refs/heads/master
	126	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	127	@mkdir -p /tmp/shim-$(VERSION)-tmp
	128	@git archive --format=tar $(GITTAG) \| ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	129	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	130	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	131	@rm -rf /tmp/shim-$(VERSION)
	132	@echo "The archive is in shim-$(VERSION).tar.bz2"