[efi-boot-shim.git] / Makefile

CC		= $(CROSS_COMPILE)gcc
LD		= $(CROSS_COMPILE)ld
OBJCOPY		= $(CROSS_COMPILE)objcopy

ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)

SUBDIRS		= Cryptlib lib

LIB_PATH	= /usr/lib64

EFI_INCLUDE	:= /usr/include/efi
EFI_INCLUDES	= -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
EFI_PATH	:= /usr/lib64/gnuefi

LIB_GCC		= $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 

EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS		= elf_$(ARCH)_efi.lds

DEFAULT_LOADER	:= \\\\grub.efi
CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
		  $(EFI_INCLUDES)

ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
endif

ifeq ($(ARCH),x86_64)
	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
		-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
ifeq ($(ARCH),ia32)
	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
endif

ifeq ($(ARCH),aarch64)
	CFLAGS	+= -ffreestanding -I$(shell $(CC) -print-file-name=include)
endif

ifneq ($(origin VENDOR_CERT_FILE), undefined)
	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
ifneq ($(origin VENDOR_DBX_FILE), undefined)
	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif

LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)

VERSION		= 0.7

TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
OBJS	= shim.o netboot.o cert.o replacements.o version.o
KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
FALLBACK_OBJS = fallback.o
FALLBACK_SRCS = fallback.c

all: $(TARGET)

shim.crt:
	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

shim.cer: shim.crt
	openssl x509 -outform der -in $< -out $@

shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] = {" > $@
	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
	echo "};" >> $@

version.c : version.c.in
	sed	-e "s,@@VERSION@@,$(VERSION)," \
		-e "s,@@UNAME@@,$(shell uname -a)," \
		-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
		< version.c.in > version.c

certdb/secmod.db: shim.crt
	-mkdir certdb
	pk12util -d certdb/ -i shim.p12 -W "" -K ""
	certutil -d certdb/ -A -i shim.crt -n shim -t u

shim.o: $(SOURCES) shim_cert.h

cert.o : cert.S
	$(CC) $(CFLAGS) -c -o $@ $<

shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

fallback.o: $(FALLBACK_SRCS)

fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

MokManager.o: $(MOK_SOURCES)

MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

Cryptlib/libcryptlib.a:
	$(MAKE) -C Cryptlib

Cryptlib/OpenSSL/libopenssl.a:
	$(MAKE) -C Cryptlib/OpenSSL

lib/lib.a:
	$(MAKE) -C lib

ifeq ($(ARCH),aarch64)
FORMAT		:= -O binary
SUBSYSTEM	:= 0xa
LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
endif

FORMAT		?= --target efi-app-$(ARCH)

%.efi: %.so
	$(OBJCOPY) -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym  -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .vendor_cert \
		$(FORMAT)  $^ $@
	$(OBJCOPY) -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym  -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		$(FORMAT) $^ $@.debug

%.efi.signed: %.efi certdb/secmod.db
	pesign -n certdb -i $< -c "shim" -s -o $@ -f

clean:
	$(MAKE) -C Cryptlib clean
	$(MAKE) -C Cryptlib/OpenSSL clean
	$(MAKE) -C lib clean
	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
	rm -f *.debug *.so *.efi *.tar.* version.c

GITTAG = $(VERSION)

test-archive:
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"

tag:
	git tag --sign $(GITTAG) refs/heads/master

archive: tag
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"

export ARCH CC LD OBJCOPY EFI_INCLUDE
Commit	Line	Data
f7a18215 AB	1	CC = $(CROSS_COMPILE)gcc
	2	LD = $(CROSS_COMPILE)ld
	3	OBJCOPY = $(CROSS_COMPILE)objcopy
	4
	5	ARCH = $(shell $(CC) -dumpmachine \| cut -f1 -d- \| sed s,i[3456789]86,ia32,)
b2fe1780	6
17857eb8	7	SUBDIRS = Cryptlib lib
b2d0e06f	8
b2fe1780 MG	9	LIB_PATH = /usr/lib64
b2fe1780 MG	10
f7a18215	11	EFI_INCLUDE := /usr/include/efi
40375a8b	12	EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
5e9fee21	13	EFI_PATH := /usr/lib64/gnuefi
b2fe1780 MG	14
b2fe1780 MG	15	LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
b2d0e06f	16	EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
b2fe1780 MG	17
b2fe1780 MG	18	EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
c682b514	19	EFI_LDS = elf_$(ARCH)_efi.lds
b2fe1780	20
e053c227	21	DEFAULT_LOADER := \\\\grub.efi
632503aa	22	CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
f7a18215	23	-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
e053c227 PJ	24	"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
e053c227 PJ	25	"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
b2fe1780	26	$(EFI_INCLUDES)
bb2fe4cf PJ	27
	28	ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
	29	CFLAGS += -DOVERRIDE_SECURITY_POLICY
	30	endif
f7a18215	31
b2fe1780	32	ifeq ($(ARCH),x86_64)
f7a18215 AB	33	CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
f7a18215 AB	34	-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
b2fe1780	35	endif
6caa9bad	36	ifeq ($(ARCH),ia32)
f7a18215	37	CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
6caa9bad	38	endif
f7a18215	39
9196c7cf AB	40	ifeq ($(ARCH),aarch64)
	41	CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
	42	endif
	43
8518b8cc PJ	44	ifneq ($(origin VENDOR_CERT_FILE), undefined)
	45	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
	46	endif
ff1409c3 PJ	47	ifneq ($(origin VENDOR_DBX_FILE), undefined)
	48	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
	49	endif
8518b8cc	50
b2d0e06f	51	LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
b2fe1780	52
6ae4e4f9	53	VERSION = 0.7
43eeb538	54
eb9f7f1c	55	TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
0fb089ee	56	OBJS = shim.o netboot.o cert.o replacements.o version.o
2892db7f	57	KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
0fb089ee	58	SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
114dad49	59	MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
417077f8	60	MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
eb9f7f1c PJ	61	FALLBACK_OBJS = fallback.o
eb9f7f1c PJ	62	FALLBACK_SRCS = fallback.c
b2fe1780	63
37e456be	64	all: $(TARGET)
b2fe1780	65
ef8c9962 MG	66	shim.crt:
	67	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
	68
	69	shim.cer: shim.crt
	70	openssl x509 -outform der -in $< -out $@
	71
	72	shim_cert.h: shim.cer
	73	echo "static UINT8 shim_cert[] = {" > $@
	74	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
	75	echo "};" >> $@
	76
0fb089ee PJ	77	version.c : version.c.in
	78	sed -e "s,@@VERSION@@,$(VERSION)," \
	79	-e "s,@@UNAME@@,$(shell uname -a)," \
	80	-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
	81	< version.c.in > version.c
	82
ef8c9962 MG	83	certdb/secmod.db: shim.crt
ef8c9962 MG	84	-mkdir certdb
ef8c9962 MG	85	pk12util -d certdb/ -i shim.p12 -W "" -K ""
	86	certutil -d certdb/ -A -i shim.crt -n shim -t u
	87
	88	shim.o: $(SOURCES) shim_cert.h
b2fe1780	89
8518b8cc PJ	90	cert.o : cert.S
	91	$(CC) $(CFLAGS) -c -o $@ $<
	92
53862dda	93	shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
7f055335 MG	94	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
7f055335 MG	95
eb9f7f1c PJ	96	fallback.o: $(FALLBACK_SRCS)
eb9f7f1c PJ	97
663b2b93	98	fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
eb9f7f1c PJ	99	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
eb9f7f1c PJ	100
3a838b14	101	MokManager.o: $(MOK_SOURCES)
333bd977	102
17857eb8 MG	103	MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
17857eb8 MG	104	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
333bd977	105
b2d0e06f	106	Cryptlib/libcryptlib.a:
f7a18215	107	$(MAKE) -C Cryptlib
b2d0e06f MG	108
b2d0e06f MG	109	Cryptlib/OpenSSL/libopenssl.a:
f7a18215	110	$(MAKE) -C Cryptlib/OpenSSL
b2d0e06f	111
17857eb8	112	lib/lib.a:
f7a18215 AB	113	$(MAKE) -C lib
f7a18215 AB	114
9196c7cf AB	115	ifeq ($(ARCH),aarch64)
	116	FORMAT := -O binary
	117	SUBSYSTEM := 0xa
	118	LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
	119	endif
	120
f7a18215	121	FORMAT ?= --target efi-app-$(ARCH)
17857eb8	122
b2d0e06f	123	%.efi: %.so
f7a18215 AB	124	$(OBJCOPY) -j .text -j .sdata -j .data \
	125	-j .dynamic -j .dynsym -j .rel* \
	126	-j .rela* -j .reloc -j .eh_frame \
c682b514	127	-j .vendor_cert \
f7a18215 AB	128	$(FORMAT) $^ $@
	129	$(OBJCOPY) -j .text -j .sdata -j .data \
	130	-j .dynamic -j .dynsym -j .rel* \
	131	-j .rela* -j .reloc -j .eh_frame \
5b1bf558 MG	132	-j .debug_info -j .debug_abbrev -j .debug_aranges \
5b1bf558 MG	133	-j .debug_line -j .debug_str -j .debug_ranges \
f7a18215	134	$(FORMAT) $^ $@.debug
b2fe1780	135
ef8c9962 MG	136	%.efi.signed: %.efi certdb/secmod.db
	137	pesign -n certdb -i $< -c "shim" -s -o $@ -f
	138
b2fe1780	139	clean:
b2d0e06f MG	140	$(MAKE) -C Cryptlib clean
b2d0e06f MG	141	$(MAKE) -C Cryptlib/OpenSSL clean
cdd2dc91	142	$(MAKE) -C lib clean
1de10962	143	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
0fb089ee	144	rm -f .debug .so .efi .tar.* version.c
43eeb538 PJ	145
	146	GITTAG = $(VERSION)
	147
	148	test-archive:
	149	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	150	@mkdir -p /tmp/shim-$(VERSION)-tmp
	151	@git archive --format=tar $(shell git branch \| awk '/^*/ { print $$2 }') \| ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	152	@git diff \| ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
	153	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
0fb089ee	154	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
43eeb538 PJ	155	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	156	@rm -rf /tmp/shim-$(VERSION)
	157	@echo "The archive is in shim-$(VERSION).tar.bz2"
	158
acac3380 PJ	159	tag:
	160	git tag --sign $(GITTAG) refs/heads/master
	161
	162	archive: tag
43eeb538 PJ	163	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	164	@mkdir -p /tmp/shim-$(VERSION)-tmp
	165	@git archive --format=tar $(GITTAG) \| ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	166	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
0fb089ee	167	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
43eeb538 PJ	168	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	169	@rm -rf /tmp/shim-$(VERSION)
	170	@echo "The archive is in shim-$(VERSION).tar.bz2"
f7a18215 AB	171
f7a18215 AB	172	export ARCH CC LD OBJCOPY EFI_INCLUDE