5 ifneq ($(origin RELEASE
),undefined
)
6 DASHRELEASE ?
= -$(RELEASE
)
12 TOPDIR ?
= $(shell pwd
)
15 override TOPDIR
:= $(shell pwd
)
17 override TOPDIR
:= $(abspath
$(TOPDIR
))
# Shared build configuration and the static-analysis helper makefiles.
# All four are read from $(TOPDIR), in this order, not from the current directory.
include $(addprefix $(TOPDIR)/Make.,defaults rules coverity scan-build)
26 TARGETS
+= $(SHIMNAME
).debug
$(MMNAME
).debug
$(FBNAME
).debug
27 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
28 TARGETS
+= $(SHIMHASHNAME
)
30 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
31 TARGETS
+= $(MMNAME
).signed
$(FBNAME
).signed
32 CFLAGS
+= -DENABLE_SHIM_CERT
34 TARGETS
+= $(MMNAME
) $(FBNAME
)
# Objects linked into the shim loader.
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o \
       errlog.o sbat.o sbat_data.o pe.o httpboot.o

# Generated certificate and key artefacts. The list includes private key
# material (shim.key, shim.p12, shim.pem); the clean recipe deletes $(KEYS).
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem \
       shim.key shim.cer

# Source and header lists, relative to the source tree. SOURCES, MOK_SOURCES
# and FALLBACK_SRCS prefix them with $(TOPDIR).
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c \
               pe.c httpboot.c shim.h version.h $(wildcard include/*.h)

# Objects and sources for MokManager.
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h \
                   $(wildcard include/*.h)

# Objects and sources for the fallback loader.
FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
ORIG_FALLBACK_SRCS = fallback.c

# SBAT metadata file that the sbat_data.o rule embeds as the .sbat section.
SBATPATH = data/sbat.csv
45 ifeq ($(SOURCE_DATE_EPOCH
),)
46 UNAME
=$(shell uname
-s
-m
-p
-i
-o
)
# Absolute-path versions of the ORIG_* lists. version.c is generated in the
# build directory, so it is appended without the $(TOPDIR) prefix.
SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_SOURCES)) version.c
MOK_SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_MOK_SOURCES))
FALLBACK_SRCS = $(addprefix $(TOPDIR)/,$(ORIG_FALLBACK_SRCS))
58 $(TOPDIR
)/make-certs shim shim@xn--u4h.net
all codesign
1.3.6.1.4.1.311.10.3.1 </dev
/null
61 $(OPENSSL
) x509
-outform der
-in
$< -out
$@
63 .NOTPARALLEL
: shim_cert.h
65 echo
"static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
66 $(HEXDUMP
) -v
-e
'1/1 "0x%02x, "' $< >> $@
69 version.c
: $(TOPDIR
)/version.c.in
70 sed
-e
"s,@@VERSION@@,$(VERSION)," \
71 -e
"s,@@UNAME@@,$(UNAME)," \
72 -e
"s,@@COMMIT@@,$(COMMIT_ID)," \
75 certdb
/secmod.db
: shim.crt
77 $(PK12UTIL
) -d certdb
/ -i shim.p12
-W
"" -K
""
78 $(CERTUTIL
) -d certdb
/ -A
-i shim.crt
-n shim
-t u
81 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
84 shim.o
: $(wildcard $(TOPDIR
)/*.h
)
# Assemble cert.S from the source tree with the same $(CFLAGS) as the C code.
# NOTE(review): cert.S presumably supplies the .vendor_cert section that the
# objcopy step keeps; confirm against cert.S.
cert.o: $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c -o $@ $<
# Copy a vendor SBAT file from data/ into the build directory, converting it
# with $(DOS2UNIX). The second command appends a newline when the last byte
# read by `tail -c1` is not one.
sbat.%.csv: data/sbat.%.csv
	$(DOS2UNIX) $(D2UFLAGS) $< $@
	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
# Base names of every data/sbat.*.csv file found when the makefile is parsed.
# Each name matches the sbat.%.csv pattern rule.
VENDOR_SBATS := $(notdir $(wildcard data/sbat.*.csv))
# sbat_data.o carries no code. An empty translation unit is compiled from
# /dev/null, then objcopy attaches the contents of $(SBATPATH) as a .sbat
# section aligned to 512 bytes. add-vendor-sbat (defined outside this excerpt)
# is then invoked once per vendor SBAT file.
#
# NOTE(review): $(SBATPATH) and $(VENDOR_SBATS) are order-only prerequisites
# (after `|`), so editing an SBAT CSV does not by itself cause sbat_data.o to
# be rebuilt. SBAT entries feed revocation decisions, so check that an
# incremental build cannot ship stale SBAT data.
sbat_data.o: | $(SBATPATH) $(VENDOR_SBATS)
sbat_data.o: /dev/null
	$(CC) $(CFLAGS) -x c -c -o $@ $<
	$(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=$(SBATPATH) $@
	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
# Each final image depends on its intermediate shared object. The recipes that
# convert the shared object into the image are not part of these three lines.
$(SHIMNAME): $(SHIMSONAME)
$(MMNAME): $(MMSONAME)
$(FBNAME): $(FBSONAME)
# Link the shim shared object from its objects and the three static archives.
$(SHIMSONAME): $(OBJS) \
               Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# fallback.o is rebuilt whenever any fallback source changes.
fallback.o: $(FALLBACK_SRCS)

# Link the fallback loader shared object.
$(FBSONAME): $(FALLBACK_OBJS) \
             Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# MokManager.o is rebuilt whenever any MokManager source or header changes.
MokManager.o: $(MOK_SOURCES)

# Link the MokManager shared object. lib/lib.a is named again after
# $(EFI_LIBS), so it appears twice on the link line ($^ already contains it).
# NOTE(review): presumably needed for static-archive symbol resolution order.
$(MMSONAME): $(MOK_OBJS) \
             Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
# Build the Cryptlib archive with a sub-make. The output sub-directories are
# created first; VPATH and TOPDIR point the sub-make at the Cryptlib sources.
# The rule lists no prerequisites, so make runs it only while the archive
# does not exist.
Cryptlib/libcryptlib.a:
	for d in Hash Hmac Cipher Rand Pk Pem SysCall ; do mkdir -p Cryptlib/$$d; done
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
# Build the bundled OpenSSL archive with a sub-make, after creating the
# crypto/ output sub-directories. The rule lists no prerequisites, so make
# runs it only while the archive does not exist.
# NOTE(review): a change to the bundled OpenSSL sources therefore needs a
# clean build to be picked up. Confirm that release builds start clean.
Cryptlib/OpenSSL/libopenssl.a:
	for d in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes ; do mkdir -p Cryptlib/OpenSSL/crypto/$$d; done
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
# Build lib/lib.a with a sub-make, passing the parent's $(CFLAGS) through.
# The lib Makefile and the include/ sources are order-only prerequisites:
# they must exist, but their timestamps do not trigger a rebuild here.
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	[ -d lib ] || mkdir lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a
# Helper program that install-debuginfo runs as ./buildid over the
# *.efi.debug files. It is compiled with its own fixed flags (warnings are
# errors) instead of $(CFLAGS), and links against libelf.
buildid: $(TOPDIR)/buildid.c
	$(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
135 @echo
"$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv
-t UCS-2LE
> $@
138 ifeq ($(origin LIBDIR
),undefined
)
139 $(error Architecture
$(ARCH
) is not a supported build target.
)
141 ifeq ($(origin EFIDIR
),undefined
)
142 $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name
)
# Everything that must be built before any install-* target runs: the build
# targets, the three .debug files, the buildid helper and the boot CSV file.
install-deps: $(TARGETS) \
              $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid \
              $(BOOTCSVNAME)
149 install-debugsource
: install-deps
150 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)
151 find
$(TOPDIR
) -type f
-a
'(' -iname
'*.c' -o
-iname
'*.h' -o
-iname
'*.S' ')' | while read file
; do \
152 outfile
=$$(echo
$${file} | sed
-e
"s,^$(TOPDIR),,") ; \
153 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$$(dirname
$${outfile}) ; \
154 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$${outfile} ; \
157 install-debuginfo
: install-deps
158 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
159 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
)/
160 @.
/buildid
$(wildcard *.efi.debug
) | while read file buildid
; do \
161 first
=$$(echo
$${buildid} | cut
-b
-2) ; \
162 rest
=$$(echo
$${buildid} | cut
-b
3-) ; \
163 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/ ;\
164 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
) ; \
165 ln
-s ..
/..
/..
/..
/..
$(DEBUGINFO
)$(TARGETDIR
)$${file} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest}.debug
;\
166 ln
-s ..
/..
/..
/.build-id
/$${first}/$${rest} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest} ;\
169 install : | install-check
170 install : install-deps install-debuginfo install-debugsource
171 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
172 $(INSTALL
) -d
-m
0700 $(DESTDIR
)/$(ESPROOTDIR
)
173 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(EFIBOOTDIR
)
174 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(TARGETDIR
)
175 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/$(BOOTEFINAME
)
176 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
177 $(INSTALL
) -m
0644 $(BOOTCSVNAME
) $(DESTDIR
)/$(TARGETDIR
)/
178 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
179 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(FBNAME
)
180 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(MMNAME
)
181 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(TARGETDIR
)/$(MMNAME
)
183 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
184 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
185 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
188 install-as-data
: install-deps
189 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DATATARGETDIR
)
190 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
191 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
192 $(INSTALL
) -m
0644 $(SHIMHASHNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
194 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
195 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
196 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
198 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
199 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
203 ifneq ($(OBJCOPY_GTE224
),1)
204 $(error objcopy
>= 2.24 is required
)
206 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data
-j .data.ident \
207 -j .dynamic
-j .dynsym
-j .rel
* \
208 -j .rela
* -j .reloc
-j .eh_frame \
209 -j .vendor_cert
-j .sbat \
211 # I am tired of wasting my time fighting binutils timestamp code.
212 dd conv
=notrunc bs
=1 count
=4 seek
=$(TIMESTAMP_LOCATION
) if
=/dev
/zero of
=$@
214 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
216 $(PESIGN
) -i
$< -P
-h
> $@
220 ifneq ($(OBJCOPY_GTE224
),1)
221 $(error objcopy
>= 2.24 is required
)
223 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data \
224 -j .dynamic
-j .dynsym
-j .rel
* \
225 -j .rela
* -j .reloc
-j .eh_frame
-j .sbat \
226 -j .debug_info
-j .debug_abbrev
-j .debug_aranges \
227 -j .debug_line
-j .debug_str
-j .debug_ranges \
228 -j .note.gnu.build-id \
231 ifneq ($(origin ENABLE_SBSIGN
),undefined
)
232 %.efi.signed
: %.efi shim.key shim.crt
# Sign an EFI binary with pesign, using the certificate nicknamed "shim" from
# the NSS database in certdb/.
#
# The certdb/secmod.db rule imports shim.p12 with empty passwords
# (-W "" -K ""), so the signing key in certdb has no passphrase protection.
# NOTE(review): treat binaries signed here as build-local artefacts. Confirm
# that release signing uses a separately protected key.
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
# Recipe that removes shim's own build products (the rule header is not part
# of this excerpt). Besides objects and images it deletes $(KEYS) and the
# certdb directory, i.e. the generated certificates and private key material.
#
# NOTE(review): $(TARGET) and $(SHIM_OBJS) are not assigned anywhere in the
# visible part of this file (TARGETS and OBJS are). If they are not set in an
# included makefile they expand to nothing, and the *.o / *.efi globs do the
# work instead.
	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
# In a git checkout this also deletes every untracked file and directory
# except those under Cryptlib/OpenSSL/, not only files the build created.
	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
# Full clean: shim's own products first (clean-shim-objs), then the `clean`
# goal of the Cryptlib and bundled OpenSSL sub-makes.
clean: clean-shim-objs
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
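# Recipe that packs the current branch plus uncommitted changes into
# shim-$(VERSION).tar.bz2 (the rule header is not part of this excerpt).
#
# Staging uses a private directory created by mktemp(1) instead of the fixed
# paths /tmp/shim-$(VERSION) and /tmp/shim-$(VERSION)-tmp. A predictable name
# in a world-writable directory can be pre-created or replaced by another
# local user, which puts both the tarball contents and the target of `rm -rf`
# outside the builder's control. mktemp creates the directory with a random
# suffix, accessible only to the invoking user.
#
# All steps run in one shell so that the staging path and the EXIT trap
# persist; `set -e` stops at the first failing step, as separate recipe lines
# would, and the trap removes the staging directory on success or failure.
	@set -e; \
	stage=$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX"); \
	trap 'rm -rf "$$stage"' EXIT; \
	mkdir "$$stage/shim-$(VERSION)"; \
	git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | tar -x -C "$$stage/shim-$(VERSION)"; \
	git diff | ( cd "$$stage/shim-$(VERSION)" && patch -s -p1 -b -z .gitdiff ); \
	git log -1 --pretty=format:%H > "$$stage/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$PWD/shim-$(VERSION).tar.bz2" -C "$$stage" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"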
# Recipe for tagging a release (the rule header is not part of this excerpt):
# create a signed tag $(GITTAG) at refs/heads/master, then force-move the
# lightweight tag latest-release so that it points at $(GITTAG).
	git tag --sign $(GITTAG) refs/heads/master
	git tag -f latest-release $(GITTAG)
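# Recipe that packs the tree at $(GITTAG) into shim-$(VERSION).tar.bz2 (the
# rule header is not part of this excerpt).
#
# Staging uses a private directory created by mktemp(1) instead of the fixed
# paths /tmp/shim-$(VERSION) and /tmp/shim-$(VERSION)-tmp. A predictable name
# in a world-writable directory can be pre-created or replaced by another
# local user, which puts both the release tarball contents and the target of
# `rm -rf` outside the builder's control. mktemp creates the directory with a
# random suffix, accessible only to the invoking user.
#
# All steps run in one shell so that the staging path and the EXIT trap
# persist; `set -e` stops at the first failing step, as separate recipe lines
# would, and the trap removes the staging directory on success or failure.
	@set -e; \
	stage=$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX"); \
	trap 'rm -rf "$$stage"' EXIT; \
	mkdir "$$stage/shim-$(VERSION)"; \
	git archive --format=tar $(GITTAG) | tar -x -C "$$stage/shim-$(VERSION)"; \
	git log -1 --pretty=format:%H > "$$stage/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$PWD/shim-$(VERSION).tar.bz2" -C "$$stage" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"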
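# Targets that name actions, not files. Declaring them phony keeps a stray
# file called e.g. `clean` or `install` in the build directory from making
# the target look up to date.
#
# shim.key is also phony, so make always considers it out of date and anything
# that lists it as a prerequisite (the %.efi.signed rule that depends on
# shim.key and shim.crt) is remade on every run.
# NOTE(review): confirm this forced refresh of the signing key is intended.
.PHONY : install-deps shim.key
.PHONY : install install-as-data install-debuginfo install-debugsource clean

# Toolchain settings passed to the sub-makes through the environment.
export ARCH CC LD OBJCOPY EFI_INCLUDE OPTIMIZATIONS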