[efi-boot-shim.git] / Makefile

default : all

NAME		= shim
VERSION		= 15.4
ifneq ($(origin RELEASE),undefined)
DASHRELEASE	?= -$(RELEASE)
else
DASHRELEASE	?=
endif

ifeq ($(MAKELEVEL),0)
TOPDIR		?= $(shell pwd)
endif
ifeq ($(TOPDIR),)
override TOPDIR := $(shell pwd)
endif
override TOPDIR	:= $(abspath $(TOPDIR))
VPATH		= $(TOPDIR)
export TOPDIR

include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
include $(TOPDIR)/include/coverity.mk
include $(TOPDIR)/include/scan-build.mk
include $(TOPDIR)/include/fanalyzer.mk

TARGETS	= $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif
ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
CFLAGS += -DENABLE_SHIM_DEVEL
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS	+= $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
ORIG_FALLBACK_SRCS = fallback.c
SBATPATH = $(TOPDIR)/data/sbat.csv

ifeq ($(SOURCE_DATE_EPOCH),)
	UNAME=$(shell uname -s -m -p -i -o)
else
	UNAME=buildhost
endif

SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))

ifneq ($(origin FALLBACK_VERBOSE), undefined)
	CFLAGS += -DFALLBACK_VERBOSE
endif

ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
endif

all: confcheck $(TARGETS)

confcheck:
ifneq ($(origin EFI_PATH),undefined)
	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
endif

update :
	git submodule update --init --recursive

shim.crt:
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

shim.cer: shim.crt
	$(OPENSSL) x509 -outform der -in $< -out $@

.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
	echo "};" >> $@

version.c : $(TOPDIR)/version.c.in
	sed	-e "s,@@VERSION@@,$(VERSION)," \
		-e "s,@@UNAME@@,$(UNAME)," \
		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
		< $< > $@

certdb/secmod.db: shim.crt
	-mkdir certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u

shim.o: $(SOURCES)
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
endif
shim.o: $(wildcard $(TOPDIR)/*.h)

cert.o : $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c -o $@ $<

sbat.%.csv : data/sbat.%.csv
	$(DOS2UNIX) $(D2UFLAGS) $< $@
	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline

VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))

sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
sbat_data.o : /dev/null
	$(CC) $(CFLAGS) -x c -c -o $@ $<
	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
		--set-section-flags .sbat=contents,alloc,load,readonly,data \
		$@
	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))

$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME) : $(MMSONAME)
$(FBNAME) : $(FBSONAME)

LIBS = Cryptlib/libcryptlib.a \
       Cryptlib/OpenSSL/libopenssl.a \
       lib/lib.a \
       gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
       gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a

$(SHIMSONAME): $(OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

fallback.o: $(FALLBACK_SRCS)

$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

MokManager.o: $(MOK_SOURCES)

$(MMSONAME): $(MOK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
	mkdir -p gnu-efi/lib gnu-efi/gnuefi
	$(MAKE) -C gnu-efi \
		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
		-f $(TOPDIR)/gnu-efi/Makefile \
		lib gnuefi inc

Cryptlib/libcryptlib.a:
	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile

Cryptlib/OpenSSL/libopenssl.a:
	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile

lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	mkdir -p lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile

buildid : $(TOPDIR)/buildid.c
	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf

$(BOOTCSVNAME) :
	@echo Making $@
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@

install-check :
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
endif
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
endif

install-deps : $(TARGETS)
install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
install-deps : $(BOOTCSVNAME)

install-debugsource : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
		outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	done

install-debuginfo : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
		first=$$(echo $${buildid} | cut -b -2) ; \
		rest=$$(echo $${buildid} | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
		ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
		ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	done

install : | install-check
install : install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
else
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
endif

install-as-data : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
else
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
endif

%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .vendor_cert -j .sbat \
		$(FORMAT) $< $@
	# I am tired of wasting my time fighting binutils timestamp code.
	dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@

ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
	$(PESIGN) -i $< -P -h > $@
endif

%.efi.debug : %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .reloc -j .eh_frame -j .sbat \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id \
		$< $@

ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
	@$(SBSIGN) \
		--key shim.key \
		--cert shim.crt \
		--output $@ $<
else
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
endif

test :
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all

$(patsubst %.c,%,$(wildcard test-*.c)) :
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@

.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test

clean-test-objs:
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean

clean-gnu-efi:
	@if [ -d gnu-efi ] ; then \
		$(MAKE) -C gnu-efi \
			ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
			-f $(TOPDIR)/gnu-efi/Makefile \
			clean ; \
	fi

clean-lib-objs:
	@if [ -d lib ] ; then \
		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
	fi

clean-shim-objs:
	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi

clean-openssl-objs:
	@if [ -d Cryptlib/OpenSSL ] ; then \
		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
	fi

clean-cryptlib-objs:
	@if [ -d Cryptlib ] ; then \
		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
	fi

clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs

GITTAG = $(VERSION)

test-archive:
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"

tag:
	git tag --sign $(GITTAG) refs/heads/main
	git tag -f latest-release $(GITTAG)

archive: tag
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"

.PHONY : install-deps shim.key

export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
export FEATUREFLAGS WARNFLAGS WERRFLAGS
Commit	Line	Data
f892ac66 MTL	1	default : all
	2
	3	NAME = shim
8119f718	4	VERSION = 15.4
b6f94dbe MTL	5	ifneq ($(origin RELEASE),undefined)
	6	DASHRELEASE ?= -$(RELEASE)
	7	else
	8	DASHRELEASE ?=
d3819813 MTL	9	endif
d3819813 MTL	10
f4173af1 MTL	11	ifeq ($(MAKELEVEL),0)
	12	TOPDIR ?= $(shell pwd)
	13	endif
f892ac66 MTL	14	ifeq ($(TOPDIR),)
	15	override TOPDIR := $(shell pwd)
	16	endif
f4173af1 MTL	17	override TOPDIR := $(abspath $(TOPDIR))
f4173af1 MTL	18	VPATH = $(TOPDIR)
031e5cce	19	export TOPDIR
f4173af1	20
f892ac66	21	include $(TOPDIR)/Make.rules
031e5cce SM	22	include $(TOPDIR)/Make.defaults
	23	include $(TOPDIR)/include/coverity.mk
	24	include $(TOPDIR)/include/scan-build.mk
	25	include $(TOPDIR)/include/fanalyzer.mk
43eeb538	26
b6f94dbe MTL	27	TARGETS = $(SHIMNAME)
	28	TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
	29	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	30	TARGETS += $(SHIMHASHNAME)
	31	endif
031e5cce SM	32	ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
	33	CFLAGS += -DENABLE_SHIM_DEVEL
	34	endif
b6f94dbe MTL	35	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	36	TARGETS += $(MMNAME).signed $(FBNAME).signed
	37	CFLAGS += -DENABLE_SHIM_CERT
	38	else
	39	TARGETS += $(MMNAME) $(FBNAME)
	40	endif
031e5cce	41	OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
2892db7f	42	KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
031e5cce SM	43	ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
031e5cce SM	44	MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
f892ac66	45	ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
031e5cce	46	FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
f4173af1	47	ORIG_FALLBACK_SRCS = fallback.c
8119f718	48	SBATPATH = $(TOPDIR)/data/sbat.csv
b2fe1780	49
031e5cce SM	50	ifeq ($(SOURCE_DATE_EPOCH),)
	51	UNAME=$(shell uname -s -m -p -i -o)
	52	else
	53	UNAME=buildhost
62f0afa2 MTL	54	endif
62f0afa2 MTL	55
f4173af1 MTL	56	SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
	57	MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
	58	FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
	59
031e5cce SM	60	ifneq ($(origin FALLBACK_VERBOSE), undefined)
	61	CFLAGS += -DFALLBACK_VERBOSE
	62	endif
	63
	64	ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
	65	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
	66	endif
	67
	68	all: confcheck $(TARGETS)
	69
	70	confcheck:
	71	ifneq ($(origin EFI_PATH),undefined)
	72	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
	73	endif
	74
	75	update :
	76	git submodule update --init --recursive
b2fe1780	77
ef8c9962	78	shim.crt:
f4173af1	79	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
ef8c9962 MG	80
ef8c9962 MG	81	shim.cer: shim.crt
f4173af1	82	$(OPENSSL) x509 -outform der -in $< -out $@
ef8c9962	83
51d5bbcb	84	.NOTPARALLEL: shim_cert.h
ef8c9962	85	shim_cert.h: shim.cer
6215e920	86	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
f4173af1	87	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
ef8c9962 MG	88	echo "};" >> $@
ef8c9962 MG	89
f4173af1	90	version.c : $(TOPDIR)/version.c.in
0fb089ee	91	sed -e "s,@@VERSION@@,$(VERSION)," \
031e5cce	92	-e "s,@@UNAME@@,$(UNAME)," \
f892ac66	93	-e "s,@@COMMIT@@,$(COMMIT_ID)," \
f4173af1	94	< $< > $@
0fb089ee	95
ef8c9962 MG	96	certdb/secmod.db: shim.crt
ef8c9962 MG	97	-mkdir certdb
f4173af1 MTL	98	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
f4173af1 MTL	99	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
ef8c9962	100
b6f94dbe MTL	101	shim.o: $(SOURCES)
	102	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	103	shim.o: shim_cert.h
	104	endif
	105	shim.o: $(wildcard $(TOPDIR)/*.h)
b2fe1780	106
f4173af1	107	cert.o : $(TOPDIR)/cert.S
8518b8cc PJ	108	$(CC) $(CFLAGS) -c -o $@ $<
8518b8cc PJ	109
031e5cce SM	110	sbat.%.csv : data/sbat.%.csv
	111	$(DOS2UNIX) $(D2UFLAGS) $< $@
	112	tail -c1 $@ \| read -r _ \|\| echo >> $@ # ensure a trailing newline
	113
8119f718	114	VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat..csv data/sbat..csv),$(notdir $(x))))
031e5cce SM	115
	116	sbat_data.o : \| $(SBATPATH) $(VENDOR_SBATS)
	117	sbat_data.o : /dev/null
	118	$(CC) $(CFLAGS) -x c -c -o $@ $<
	119	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
	120	--set-section-flags .sbat=contents,alloc,load,readonly,data \
	121	$@
	122	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
	123
b6f94dbe MTL	124	$(SHIMNAME) : $(SHIMSONAME)
	125	$(MMNAME) : $(MMSONAME)
	126	$(FBNAME) : $(FBSONAME)
	127
031e5cce SM	128	LIBS = Cryptlib/libcryptlib.a \
	129	Cryptlib/OpenSSL/libopenssl.a \
	130	lib/lib.a \
	131	gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
	132	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
	133
	134	$(SHIMSONAME): $(OBJS) $(LIBS)
	135	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
7f055335	136
eb9f7f1c PJ	137	fallback.o: $(FALLBACK_SRCS)
eb9f7f1c PJ	138
031e5cce SM	139	$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
031e5cce SM	140	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
eb9f7f1c	141
3a838b14	142	MokManager.o: $(MOK_SOURCES)
333bd977	143
031e5cce	144	$(MMSONAME): $(MOK_OBJS) $(LIBS)
17857eb8	145	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
333bd977	146
031e5cce SM	147	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
031e5cce SM	148	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
8119f718	149	mkdir -p gnu-efi/lib gnu-efi/gnuefi
031e5cce SM	150	$(MAKE) -C gnu-efi \
031e5cce SM	151	ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
8119f718	152	-f $(TOPDIR)/gnu-efi/Makefile \
031e5cce SM	153	lib gnuefi inc
031e5cce SM	154
b2d0e06f	155	Cryptlib/libcryptlib.a:
031e5cce	156	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
8119f718	157	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
b2d0e06f MG	158
b2d0e06f MG	159	Cryptlib/OpenSSL/libopenssl.a:
031e5cce	160	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
8119f718	161	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
b2d0e06f	162
f892ac66	163	lib/lib.a: \| $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
8119f718 SM	164	mkdir -p lib
8119f718 SM	165	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
f7a18215	166
b6f94dbe	167	buildid : $(TOPDIR)/buildid.c
031e5cce	168	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
b6f94dbe MTL	169
	170	$(BOOTCSVNAME) :
	171	@echo Making $@
ecc29226	172	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" \| iconv -t UCS-2LE > $@
b6f94dbe MTL	173
	174	install-check :
	175	ifeq ($(origin LIBDIR),undefined)
	176	$(error Architecture $(ARCH) is not a supported build target.)
	177	endif
	178	ifeq ($(origin EFIDIR),undefined)
	179	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
9196c7cf AB	180	endif
9196c7cf AB	181
b6f94dbe MTL	182	install-deps : $(TARGETS)
	183	install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
	184	install-deps : $(BOOTCSVNAME)
	185
	186	install-debugsource : install-deps
	187	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	188	find $(TOPDIR) -type f -a '(' -iname '.c' -o -iname '.h' -o -iname '*.S' ')' \| while read file ; do \
	189	outfile=$$(echo $${file} \| sed -e "s,^$(TOPDIR),,") ; \
	190	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
	191	$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	192	done
	193
	194	install-debuginfo : install-deps
	195	$(INSTALL) -d -m 0755 $(DESTDIR)/
	196	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	197	@./buildid $(wildcard *.efi.debug) \| while read file buildid ; do \
	198	first=$$(echo $${buildid} \| cut -b -2) ; \
	199	rest=$$(echo $${buildid} \| cut -b 3-) ; \
	200	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
	201	$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
	202	ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
	203	ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	204	done
	205
	206	install : \| install-check
	207	install : install-deps install-debuginfo install-debugsource
	208	$(INSTALL) -d -m 0755 $(DESTDIR)/
	209	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	210	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	211	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	212	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	213	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	214	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
	215	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	216	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	217	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	218	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
	219	else
	220	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	221	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	222	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
221faac5 AB	223	endif
221faac5 AB	224
b6f94dbe MTL	225	install-as-data : install-deps
	226	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	227	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
8119f718	228	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
b6f94dbe MTL	229	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	230	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
	231	endif
	232	ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	233	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	234	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
	235	else
	236	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	237	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
	238	endif
17857eb8	239
b2d0e06f	240	%.efi: %.so
d3819813 MTL	241	ifneq ($(OBJCOPY_GTE224),1)
	242	$(error objcopy >= 2.24 is required)
	243	endif
031e5cce	244	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
8119f718	245	-j .dynamic -j .rodata -j .rel* \
f7a18215	246	-j .rela* -j .reloc -j .eh_frame \
031e5cce SM	247	-j .vendor_cert -j .sbat \
	248	$(FORMAT) $< $@
	249	# I am tired of wasting my time fighting binutils timestamp code.
	250	dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
b6f94dbe MTL	251
	252	ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	253	%.hash : %.efi
	254	$(PESIGN) -i $< -P -h > $@
	255	endif
	256
	257	%.efi.debug : %.so
	258	ifneq ($(OBJCOPY_GTE224),1)
	259	$(error objcopy >= 2.24 is required)
	260	endif
031e5cce	261	$(OBJCOPY) -D -j .text -j .sdata -j .data \
8119f718	262	-j .dynamic -j .rodata -j .rel* \
031e5cce	263	-j .rela* -j .reloc -j .eh_frame -j .sbat \
5b1bf558 MG	264	-j .debug_info -j .debug_abbrev -j .debug_aranges \
5b1bf558 MG	265	-j .debug_line -j .debug_str -j .debug_ranges \
d3819813	266	-j .note.gnu.build-id \
031e5cce	267	$< $@
b2fe1780	268
b6f94dbe MTL	269	ifneq ($(origin ENABLE_SBSIGN),undefined)
b6f94dbe MTL	270	%.efi.signed: %.efi shim.key shim.crt
031e5cce SM	271	@$(SBSIGN) \
	272	--key shim.key \
	273	--cert shim.crt \
	274	--output $@ $<
b6f94dbe	275	else
ef8c9962	276	%.efi.signed: %.efi certdb/secmod.db
f4173af1	277	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
b6f94dbe	278	endif
ef8c9962	279
031e5cce	280	test :
8119f718	281	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
031e5cce SM	282
031e5cce SM	283	$(patsubst %.c,%,$(wildcard test-*.c)) :
8119f718	284	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
031e5cce SM	285
	286	.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
	287
	288	clean-test-objs:
8119f718	289	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
031e5cce SM	290
031e5cce SM	291	clean-gnu-efi:
8119f718 SM	292	@if [ -d gnu-efi ] ; then \
	293	$(MAKE) -C gnu-efi \
	294	ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
	295	-f $(TOPDIR)/gnu-efi/Makefile \
	296	clean ; \
	297	fi
	298
	299	clean-lib-objs:
	300	@if [ -d lib ] ; then \
	301	$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
	302	fi
031e5cce	303
f892ac66	304	clean-shim-objs:
f892ac66 MTL	305	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	306	@rm -vf .debug .so .efi .efi.* .tar. version.c buildid
	307	@rm -vf Cryptlib/.[oa] Cryptlib//*.[oa]
031e5cce	308	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
f892ac66	309
031e5cce	310	clean-openssl-objs:
8119f718 SM	311	@if [ -d Cryptlib/OpenSSL ] ; then \
	312	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
	313	fi
43eeb538	314
031e5cce	315	clean-cryptlib-objs:
8119f718 SM	316	@if [ -d Cryptlib ] ; then \
	317	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
	318	fi
031e5cce	319
8119f718	320	clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
031e5cce	321
43eeb538 PJ	322	GITTAG = $(VERSION)
	323
	324	test-archive:
031e5cce	325	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"
43eeb538	326
acac3380	327	tag:
031e5cce	328	git tag --sign $(GITTAG) refs/heads/main
f4173af1	329	git tag -f latest-release $(GITTAG)
acac3380 PJ	330
acac3380 PJ	331	archive: tag
031e5cce	332	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
f7a18215	333
b6f94dbe MTL	334	.PHONY : install-deps shim.key
b6f94dbe MTL	335
031e5cce SM	336	export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
031e5cce SM	337	export FEATUREFLAGS WARNFLAGS WERRFLAGS