]>
Commit | Line | Data |
---|---|---|
c86d9dac SL |
1 | #!/usr/bin/make -f |
2 | ||
aa19fc4d HG |
3 | include /usr/share/dpkg/architecture.mk |
4 | ||
21ebe035 SL |
5 | # Other vendors, add your certs here. No sense in using |
6 | # dpkg-vendor --derives-from, because only Canonical-generated binaries will | |
7 | # be signed with this key; so if you are building your own shim binary you | |
8 | # should be building the other binaries also. | |
9 | ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes) | |
10 | cert=debian/canonical-uefi-ca.der | |
c3fa7299 | 11 | distributor=ubuntu |
e914483c | 12 | COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1 |
21ebe035 SL |
13 | else |
14 | cert=debian/debian-uefi-ca.der | |
c3fa7299 | 15 | distributor=debian |
21ebe035 SL |
16 | endif |
17 | ||
9b014236 SM |
18 | deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p") |
19 | upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//") | |
20 | plain_upstream_version := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//") | |
2e0a83e1 | 21 | |
55d55457 | 22 | DBX_LIST = dbx.esl |
23 | DBX_HASHES = debian/$(distributor)-dbx.hashes | |
2e0a83e1 SM |
24 | SBAT_IN = debian/sbat.$(distributor).csv.in |
25 | SBAT_DATA = data/sbat.$(distributor).csv | |
6cf246a5 | 26 | |
9bfbee89 | 27 | include /usr/share/dpkg/architecture.mk |
1d945f76 | 28 | |
5d42729f MTL |
29 | ifeq ($(DEB_HOST_ARCH),amd64) |
30 | export EFI_ARCH := x64 | |
cebae05a SL |
31 | endif |
32 | ifeq ($(DEB_HOST_ARCH),arm64) | |
3802e1ad | 33 | export EFI_ARCH := aa64 |
5d42729f | 34 | endif |
21efb35c SL |
35 | ifeq ($(DEB_HOST_ARCH),i386) |
36 | export EFI_ARCH := ia32 | |
37 | endif | |
5d42729f | 38 | |
e914483c | 39 | COMMON_OPTIONS += \ |
ae8c2e79 | 40 | RELEASE=$(plain_upstream_version) \ |
b82b07b8 | 41 | COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \ |
c3fa7299 | 42 | MAKELEVEL=0 \ |
f42b58fc | 43 | ENABLE_HTTPBOOT=true \ |
c3fa7299 | 44 | VENDOR_CERT_FILE=$(cert) \ |
6cf246a5 | 45 | VENDOR_DBX_FILE=$(DBX_LIST) \ |
c3fa7299 | 46 | EFIDIR=$(distributor) \ |
aa19fc4d | 47 | CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \ |
65f161ee | 48 | CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \ |
c3fa7299 MTL |
49 | $(NULL) |
50 | ||
bd9f3bf3 SM |
51 | # Force shim to use the latest revocations by default to block some |
52 | # older grub / peimage issues. This is: | |
53 | # "shim,4\ngrub,4\ngrub.peimage,2\n" | |
54 | COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900 | |
55 | ||
a4273971 | 56 | $(DBX_LIST): $(DBX_HASHES) |
de3def7f | 57 | ./debian/generate_dbx_list $(EFI_ARCH) $< $@ |
6cf246a5 | 58 | |
2e0a83e1 SM |
59 | $(SBAT_DATA): $(SBAT_IN) |
60 | rm -f $@ | |
61 | set -e; \ | |
62 | sed -e "s/@DEB_VERSION@/$(deb_version)/g" \ | |
63 | -e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \ | |
64 | < $(SBAT_IN) > $(SBAT_DATA) | |
65 | # If we have an empty $(SBAT_DATA), delete | |
66 | if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi | |
67 | ||
c86d9dac | 68 | %: |
f320bcac | 69 | dh $@ |
693c3089 | 70 | |
62a4fa2d MTL |
71 | override_dh_auto_clean: |
72 | dh_auto_clean -- MAKELEVEL=0 | |
b6990a9d SM |
73 | rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV |
74 | rm -f test-csv test-sbat test-str test-load-options | |
75 | rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util | |
ee22d425 | 76 | |
2e0a83e1 | 77 | override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA) |
d6b0fa52 | 78 | dh_auto_build -- INSTALL=install $(COMMON_OPTIONS) |
21ebe035 | 79 | |
b947ca6a SM |
80 | override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA) |
81 | dh_auto_test -- INSTALL=install $(COMMON_OPTIONS) | |
82 | ||
f841331c | 83 | override_dh_auto_install: |
d6b0fa52 | 84 | dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS) |
bcc26d6d SM |
85 | # Remove the copy of the source that's installed - we have git |
86 | # already... | |
87 | rm -rf debian/tmp/usr | |
88 | # And remove the extra removable-media copy of shim too, it's | |
89 | # not needed for our build and causes debhelper to complain | |
90 | rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI | |
2c85966c | 91 | |
9b91206a SM |
92 | install -m 644 $(cert) debian/shim-unsigned/usr/share/shim |
93 | ||
2c85966c | 94 | # Generate the template packages that we'll use for SB signing later |
f7add225 | 95 | ./debian/signing-template.generate |
2c85966c SM |
96 | |
97 | # Log some useful things about the build here | |
98 | ./debian/check_nx shim*.efi | |
a42e843a | 99 | sha256sum *.efi |
9b014236 SM |
100 | |
101 | generate-gnu-efi: | |
102 | git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \ | |
3139bb35 | 103 | > ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz |