[efi-boot-shim.git] / debian / rules

#!/usr/bin/make -f

include /usr/share/dpkg/architecture.mk

# Other vendors, add your certs here.  No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
	cert=debian/canonical-uefi-ca.der
	distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
	cert=debian/debian-uefi-ca.der
	distributor=debian
endif

deb_version             := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
upstream_version        := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
plain_upstream_version  := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")

DBX_LIST = dbx.esl
DBX_HASHES = debian/$(distributor)-dbx.hashes
SBAT_IN = debian/sbat.$(distributor).csv.in
SBAT_DATA = data/sbat.$(distributor).csv

include /usr/share/dpkg/architecture.mk

ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
endif
ifeq ($(DEB_HOST_ARCH),arm64)
export EFI_ARCH := aa64
endif
ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif

COMMON_OPTIONS += \
	RELEASE=$(plain_upstream_version) \
	COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
	MAKELEVEL=0 \
	ENABLE_HTTPBOOT=true \
	VENDOR_CERT_FILE=$(cert) \
	VENDOR_DBX_FILE=$(DBX_LIST) \
	EFIDIR=$(distributor) \
	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
	CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
	$(NULL)

# Force shim to use the latest revocations by default to block some
# older grub / peimage issues. This is:
# "shim,4\ngrub,4\ngrub.peimage,2\n"
COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900

$(DBX_LIST): $(DBX_HASHES)
	./debian/generate_dbx_list $(EFI_ARCH) $< $@

$(SBAT_DATA): $(SBAT_IN)
	rm -f $@
	set -e; \
	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
		-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
		< $(SBAT_IN) > $(SBAT_DATA)
	# If we have an empty $(SBAT_DATA), delete
	if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi

%:
	dh $@

override_dh_auto_clean:
	dh_auto_clean -- MAKELEVEL=0
	rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV
	rm -f test-csv test-sbat test-str test-load-options
	rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util

override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
	dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)

override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
	dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)

override_dh_auto_install:
	dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
	# Remove the copy of the source that's installed - we have git
	# already...
	rm -rf debian/tmp/usr
	# And remove the extra removable-media copy of shim too, it's
	# not needed for our build and causes debhelper to complain
	rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI

	install -m 644 $(cert) debian/shim-unsigned/usr/share/shim

	# Generate the template packages that we'll use for SB signing later
	./debian/signing-template.generate

	# Log some useful things about the build here
	./debian/check_nx shim*.efi
	sha256sum *.efi

generate-gnu-efi:
	git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
		> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz
Commit	Line	Data
c86d9dac SL	1	#!/usr/bin/make -f
c86d9dac SL	2
aa19fc4d HG	3	include /usr/share/dpkg/architecture.mk
aa19fc4d HG	4
21ebe035 SL	5	# Other vendors, add your certs here. No sense in using
	6	# dpkg-vendor --derives-from, because only Canonical-generated binaries will
	7	# be signed with this key; so if you are building your own shim binary you
	8	# should be building the other binaries also.
	9	ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
	10	cert=debian/canonical-uefi-ca.der
c3fa7299	11	distributor=ubuntu
e914483c	12	COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
21ebe035 SL	13	else
21ebe035 SL	14	cert=debian/debian-uefi-ca.der
c3fa7299	15	distributor=debian
21ebe035 SL	16	endif
21ebe035 SL	17
9b014236 SM	18	deb_version := $(shell dpkg-parsechangelog \| sed -ne "s/^Version: \(.*\)/\1/p")
	19	upstream_version := $(shell echo $(deb_version) \| sed -e "s/-[^-]*$$//")
	20	plain_upstream_version := $(shell echo $(upstream_version) \| sed -e "s/+dfsg.*//")
2e0a83e1	21
55d55457	22	DBX_LIST = dbx.esl
55d55457	23	DBX_HASHES = debian/$(distributor)-dbx.hashes
2e0a83e1 SM	24	SBAT_IN = debian/sbat.$(distributor).csv.in
2e0a83e1 SM	25	SBAT_DATA = data/sbat.$(distributor).csv
6cf246a5	26
9bfbee89	27	include /usr/share/dpkg/architecture.mk
1d945f76	28
5d42729f MTL	29	ifeq ($(DEB_HOST_ARCH),amd64)
5d42729f MTL	30	export EFI_ARCH := x64
cebae05a SL	31	endif
cebae05a SL	32	ifeq ($(DEB_HOST_ARCH),arm64)
3802e1ad	33	export EFI_ARCH := aa64
5d42729f	34	endif
21efb35c SL	35	ifeq ($(DEB_HOST_ARCH),i386)
	36	export EFI_ARCH := ia32
	37	endif
5d42729f	38
e914483c	39	COMMON_OPTIONS += \
ae8c2e79	40	RELEASE=$(plain_upstream_version) \
b82b07b8	41	COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
c3fa7299	42	MAKELEVEL=0 \
f42b58fc	43	ENABLE_HTTPBOOT=true \
c3fa7299	44	VENDOR_CERT_FILE=$(cert) \
6cf246a5	45	VENDOR_DBX_FILE=$(DBX_LIST) \
c3fa7299	46	EFIDIR=$(distributor) \
aa19fc4d	47	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
65f161ee	48	CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
c3fa7299 MTL	49	$(NULL)
c3fa7299 MTL	50
bd9f3bf3 SM	51	# Force shim to use the latest revocations by default to block some
	52	# older grub / peimage issues. This is:
	53	# "shim,4\ngrub,4\ngrub.peimage,2\n"
	54	COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
	55
a4273971	56	$(DBX_LIST): $(DBX_HASHES)
de3def7f	57	./debian/generate_dbx_list $(EFI_ARCH) $< $@
6cf246a5	58
2e0a83e1 SM	59	$(SBAT_DATA): $(SBAT_IN)
	60	rm -f $@
	61	set -e; \
	62	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
	63	-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
	64	< $(SBAT_IN) > $(SBAT_DATA)
	65	# If we have an empty $(SBAT_DATA), delete
	66	if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi
	67
c86d9dac	68	%:
f320bcac	69	dh $@
693c3089	70
62a4fa2d MTL	71	override_dh_auto_clean:
62a4fa2d MTL	72	dh_auto_clean -- MAKELEVEL=0
b6990a9d SM	73	rm -f $(DBX_LIST) $(SBAT_DATA) sbat..csv BOOT.CSV
	74	rm -f test-csv test-sbat test-str test-load-options
	75	rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util
ee22d425	76
2e0a83e1	77	override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
d6b0fa52	78	dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)
21ebe035	79
b947ca6a SM	80	override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
	81	dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)
	82
f841331c	83	override_dh_auto_install:
d6b0fa52	84	dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
bcc26d6d SM	85	# Remove the copy of the source that's installed - we have git
	86	# already...
	87	rm -rf debian/tmp/usr
	88	# And remove the extra removable-media copy of shim too, it's
	89	# not needed for our build and causes debhelper to complain
	90	rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
2c85966c	91
9b91206a SM	92	install -m 644 $(cert) debian/shim-unsigned/usr/share/shim
9b91206a SM	93
2c85966c	94	# Generate the template packages that we'll use for SB signing later
f7add225	95	./debian/signing-template.generate
2c85966c SM	96
	97	# Log some useful things about the build here
	98	./debian/check_nx shim*.efi
a42e843a	99	sha256sum *.efi
9b014236 SM	100
	101	generate-gnu-efi:
	102	git -C gnu-efi archive --prefix=gnu-efi/ HEAD \| xz -9 \
3139bb35	103	> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz