# Plain `make` builds everything: `default` is the first target in the file
# and only forwards to `all`.
default: all

NAME = shim
VERSION = 15.7

# DASHRELEASE is the "-<release>" suffix that follows VERSION in the
# debug-source install path. It stays empty unless RELEASE is defined.
ifeq ($(origin RELEASE),undefined)
DASHRELEASE ?=
else
DASHRELEASE ?= -$(RELEASE)
endif
# TOPDIR is the root of the source tree. At the top-level invocation it
# defaults to the current directory; an empty value is replaced, and the
# result is always normalised to an absolute path before use.
#
# TOPDIR is pasted unquoted into recipes and sub-make command lines further
# down, so a checkout path containing whitespace or shell metacharacters is
# not handled. Build from a path you control.
ifeq ($(MAKELEVEL),0)
TOPDIR ?= $(shell pwd)
endif
ifeq ($(TOPDIR),)
override TOPDIR := $(shell pwd)
endif
override TOPDIR := $(abspath $(TOPDIR))
export TOPDIR
VPATH = $(TOPDIR)

# Shared rules and defaults, then the static-analysis helper fragments.
# Everything included here is evaluated as part of this makefile, so it has
# the same authority over the build as this file does.
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
include $(TOPDIR)/include/coverity.mk
include $(TOPDIR)/include/scan-build.mk
include $(TOPDIR)/include/fanalyzer.mk
# Artefacts built by `all`: the shim binary plus the split debug files for
# shim, MokManager and fallback.
TARGETS = $(SHIMNAME) $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug

# Optional: also emit the hash file for the shim binary.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif

# Optional: compile with -DENABLE_SHIM_DEVEL. What the define enables is
# decided in the C sources, not here -- NOTE(review): confirm it is never set
# for a binary that will be submitted for signing.
ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
CFLAGS += -DENABLE_SHIM_DEVEL
endif

# With ENABLE_SHIM_CERT, MokManager and fallback are built as *.signed
# artefacts (signed with the certificate generated by the shim.crt rule) and
# shim.o additionally depends on shim_cert.h. Without it they are built
# unsigned.
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS += $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
# Objects linked into the shim binary.
OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o \
	version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o httpboot.o \
	csv.o load-options.o

# Generated certificate and key material. These files land in the build
# directory; shim.key, shim.pem and shim.p12 look like private-key material,
# so treat the build directory accordingly. clean-shim-objs removes them.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem \
	shim.key shim.cer

# Source lists, relative to TOPDIR. They are used as prerequisites of
# shim.o / MokManager.o / fallback.o so that editing any of them forces a
# rebuild.
ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c \
	errlog.c sbat.c pe.c httpboot.c shim.h version.h \
	$(wildcard include/*.h) cert.S sbat_var.S

MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o \
	sbat_data.o globals.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h \
	$(wildcard include/*.h)

FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o
ORIG_FALLBACK_SRCS = fallback.c

# The SBAT CSV that is embedded as the .sbat section of sbat_data.o.
SBATPATH = $(TOPDIR)/data/sbat.csv
# UNAME is substituted into version.c. When SOURCE_DATE_EPOCH is set the
# fixed string "buildhost" is used instead of the real `uname` output, so the
# generated file does not vary with the build machine (and host details are
# not embedded in the binary).
ifneq ($(SOURCE_DATE_EPOCH),)
UNAME=buildhost
else
UNAME=$(shell uname -s -m -p -i -o)
endif
# Absolute-path versions of the source lists. version.c is generated in the
# build directory, so it is appended without the TOPDIR prefix.
SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_SOURCES)) version.c
MOK_SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_MOK_SOURCES))
FALLBACK_SRCS = $(addprefix $(TOPDIR)/,$(ORIG_FALLBACK_SRCS))
# Optional fallback behaviour switches. Each one is turned on merely by being
# defined (any origin other than "undefined"); only FALLBACK_VERBOSE_WAIT
# passes its value through to the compiler.
ifneq ($(origin FALLBACK_VERBOSE), undefined)
CFLAGS += -DFALLBACK_VERBOSE
endif

ifneq ($(origin FALLBACK_NONINTERACTIVE), undefined)
CFLAGS += -DFALLBACK_NONINTERACTIVE
endif

# The value is placed on the compiler command line unquoted.
ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
endif
# Build every artefact in TARGETS, after the configuration sanity check.
all: confcheck $(TARGETS)

# Refuse to build against an external gnu-efi: the $(error) is evaluated as
# soon as this recipe is expanded, and only when EFI_PATH is defined.
confcheck:
ifneq ($(origin EFI_PATH),undefined)
	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
endif

# Fetch or refresh all git submodules, recursively. This pulls third-party
# code into the tree from whatever remotes the submodule configuration names.
update:
	git submodule update --init --recursive
# Generate a code-signing certificate at build time with the make-certs
# script; stdin comes from /dev/null so the script cannot prompt. KEYS lists
# shim.key, shim.pem and shim.p12 next to shim.crt, so the matching private
# key presumably ends up in the build directory as well -- anything signed
# with it is only as trustworthy as the build host and whoever can read that
# directory. Protecting or destroying the key afterwards is not handled here.
shim.crt:
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

# DER encoding of the same certificate.
shim.cer: shim.crt
	$(OPENSSL) x509 -outform der -in $< -out $@

# shim_cert.h: the DER certificate as a C byte array, written in three
# appending steps.
# NOTE(review): GNU Make releases before 4.4 ignore prerequisites on
# .NOTPARALLEL and serialise the whole build instead -- confirm which
# behaviour is intended.
.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
	echo "};" >> $@
# Fill the @@VERSION@@, @@UNAME@@ and @@COMMIT@@ placeholders of version.c.in.
# The values are inserted into the sed program as-is with "," as delimiter,
# so a comma, "&" or backslash in UNAME or COMMIT_ID would change the
# substitution. COMMIT_ID is not defined in this file.
version.c: $(TOPDIR)/version.c.in
	sed -e "s,@@VERSION@@,$(VERSION)," \
		-e "s,@@UNAME@@,$(UNAME)," \
		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
		< $< > $@
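# Import the build-time signing identity into an NSS database (certdb/) that
# the pesign-based %.efi.signed rule uses.
#
# Both the PKCS#12 import password (-W) and the database password (-K) are
# empty, so the private key in certdb/ is protected by file permissions only.
# That is tolerable for a throwaway key made during the build; do not reuse
# this rule for a long-lived signing key.
#
# `mkdir -p` replaces the former `-mkdir`: an already existing directory is
# still accepted, but a real failure (e.g. permission denied) now stops the
# recipe instead of being ignored.
#
# NOTE(review): the recipe reads shim.p12 but only shim.crt is a
# prerequisite; presumably make-certs writes both in one run -- confirm.
certdb/secmod.db: shim.crt
	mkdir -p certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u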
# Extra prerequisites for shim.o (its recipe comes from a rule defined
# elsewhere): every listed source, every top-level header and, when the
# embedded certificate is enabled, the generated shim_cert.h.
shim.o: $(SOURCES) $(wildcard $(TOPDIR)/*.h)
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
endif
# Normalise a vendor SBAT CSV from data/ into the build directory: convert
# line endings, then append a newline when the last byte is not one.
sbat.%.csv: data/sbat.%.csv
	$(DOS2UNIX) $(D2UFLAGS) $< $@
	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline

# Base names of every vendor SBAT file found under $(TOPDIR)/data or ./data,
# sorted and de-duplicated.
VENDOR_SBATS := $(sort $(notdir $(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv)))
# sbat_data.o carries no code: /dev/null is compiled as an empty C file and
# the SBAT CSV is then attached as a read-only, loadable .sbat section, with
# each vendor CSV added through add-vendor-sbat (defined outside this file).
#
# The CSV inputs are order-only prerequisites (after "|"): they must exist,
# but editing them does NOT rebuild sbat_data.o. After changing SBAT data,
# delete sbat_data.o or do a clean build, otherwise the binary keeps the old
# SBAT metadata.
sbat_data.o: | $(SBATPATH) $(VENDOR_SBATS)
sbat_data.o: /dev/null
	$(CC) $(CFLAGS) -x c -c -o $@ $<
	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
		--set-section-flags .sbat=contents,alloc,load,readonly,data \
		$@
	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
# Each final EFI binary is derived from its shared object and needs the
# post-process-pe host tool, which the %.efi recipe runs on the result.
$(SHIMNAME): $(SHIMSONAME) post-process-pe
$(MMNAME): $(MMSONAME) post-process-pe
$(FBNAME): $(FBSONAME) post-process-pe
$(SHIMNAME) $(MMNAME) $(FBNAME): | post-process-pe

# Static libraries every shared object is linked against. The crypto code is
# the copy bundled under Cryptlib/, not a system library.
LIBS = Cryptlib/libcryptlib.a \
	Cryptlib/OpenSSL/libopenssl.a \
	lib/lib.a \
	gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
	gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
# Link rules for the three shared objects. All of them use the same command:
# every prerequisite ($^), then EFI_LIBS, then lib/lib.a once more at the end
# of the line.

# shim
$(SHIMSONAME): $(OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

# fallback
fallback.o: $(FALLBACK_SRCS)

$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

# MokManager
MokManager.o: $(MOK_SOURCES)

$(MMSONAME): $(MOK_OBJS) $(LIBS)
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
# Build the bundled gnu-efi libraries with a sub-make, using gnu-efi's own
# Makefile from the source tree and the same compiler settings as this build.
# NOTE(review): two targets share one recipe, which make treats as two
# independent rules; under -j the sub-make may be started twice -- confirm
# this is harmless.
gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
	mkdir -p gnu-efi/lib gnu-efi/gnuefi
	$(MAKE) -C gnu-efi \
		COMPILER="$(COMPILER)" \
		CCC_CC="$(COMPILER)" \
		CC="$(CC)" \
		ARCH=$(ARCH_GNUEFI) \
		TOPDIR=$(TOPDIR)/gnu-efi \
		-f $(TOPDIR)/gnu-efi/Makefile \
		lib gnuefi inc
# Bundled crypto wrapper library. The output sub-directories are created
# first, then Cryptlib's own Makefile is run with VPATH pointing at the
# sources.
Cryptlib/libcryptlib.a:
	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile

# Bundled OpenSSL subset, built the same way. Because this copy is vendored,
# upstream OpenSSL fixes reach the binary only when the bundled sources are
# updated.
Cryptlib/OpenSSL/libopenssl.a:
	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile

# shim's own helper library. Its Makefile and the shared headers are
# order-only prerequisites: they must exist but do not trigger a rebuild.
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	mkdir -p lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
# Host-side tool that the %.efi recipe runs on every produced PE binary.
# Built with the host compiler and -Werror.
post-process-pe: $(TOPDIR)/post-process-pe.c
	$(HOSTCC) -std=gnu11 -Og -g3 -Wall -Wextra -Wno-missing-field-initializers -Werror -o $@ $<

# Host-side tool used by install-debuginfo to read build-ids; links libelf.
buildid: $(TOPDIR)/buildid.c
	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf

# Boot CSV consumed by fallback: one line naming the shim binary and the OS
# label, encoded as UCS-2LE. OSLABEL is expanded inside a double-quoted shell
# string, so it must not contain characters the shell interprets there.
$(BOOTCSVNAME):
	@echo Making $@
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@
# Abort an install early when the architecture is unsupported (LIBDIR never
# got defined) or when no EFI System Partition subdirectory name was given.
install-check:
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
endif
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
endif

# Everything the install targets copy: the build artefacts, the debug files,
# the buildid helper and the boot CSV.
install-deps: $(TARGETS) $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid $(BOOTCSVNAME)
# Copy every .c/.h/.S file below TOPDIR into the debug-source directory,
# keeping the relative layout. Directories are created 0755, files 0644.
# The loop reads file names line by line and uses them unquoted, so names
# containing whitespace are not handled.
install-debugsource: install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
		outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	done
# Install the *.efi.debug files and create the .build-id symlinks for them.
# ./buildid prints "<file> <build-id>" pairs; the first two characters of the
# id name the directory and the remainder names the links.
# `ln -s` is used without -f, so the recipe fails when a link already exists.
install-debuginfo: install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
		first=$$(echo $${buildid} | cut -b -2) ; \
		rest=$$(echo $${buildid} | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
		ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
		ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	done
# Install onto the EFI System Partition layout below DESTDIR.
#   - the ESP root directory is created 0700, the other directories 0755
#   - shim is installed twice: as the removable-media boot file
#     (BOOTEFINAME) and under its own name in TARGETDIR
#   - with ENABLE_SHIM_CERT the *.signed builds of fallback and MokManager
#     are installed under their plain names; otherwise the unsigned builds
# install-check is order-only, so it runs first without forcing a rebuild.
install: | install-check
install: install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
else
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
endif
# Install the binaries as plain data files under DATATARGETDIR instead of
# onto the ESP. The optional hash file is included when ENABLE_SHIM_HASH is
# defined; MokManager and fallback come from their *.signed builds when
# ENABLE_SHIM_CERT is defined and are always stored under their plain names.
install-as-data: install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
else
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
endif
# Convert a linked shared object into the final EFI binary. Only the sections
# named with -j are copied; that list includes .vendor_cert, .sbat and
# .sbatlevel, and anything not listed is dropped. The post-process-pe host
# tool is then run on the result. objcopy older than 2.24 is rejected.
%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .dyn -j .reloc -j .eh_frame \
		-j .vendor_cert -j .sbat -j .sbatlevel \
		$(FORMAT) $< $@
	./post-process-pe -vv $@

# Optional: write pesign's hash output for the EFI binary to a .hash file.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash: %.efi
	$(PESIGN) -i $< -P -h > $@
endif
# Debug companion of an EFI binary: the loadable sections plus the DWARF
# sections and the build-id note. .vendor_cert and .data.ident are not in
# this list. No output format option is passed and post-process-pe is not
# run on it.
%.efi.debug: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -D -j .text -j .sdata -j .data \
		-j .dynamic -j .rodata -j .rel* \
		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
		-j .sbatlevel \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id \
		$< $@
# Sign an EFI binary with the build-time key. Two back ends:
#   ENABLE_SBSIGN defined -> sbsign, reading shim.key / shim.crt from the
#                            build directory (the command is hidden by "@")
#   otherwise             -> pesign, using nickname "shim" from the NSS
#                            database in certdb/ (created with empty passwords)
# In both cases the private key is a plain file in the build tree; restrict
# access to that directory and do not reuse the key outside the build.
# NOTE(review): shim.key is declared .PHONY near the end of this file, which
# presumably makes the sbsign variant re-sign on every run -- confirm.
ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
	@$(SBSIGN) \
		--key shim.key \
		--cert shim.crt \
		--output $@ $<
else
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
endif
# Unit-test entry points; the work is delegated to include/test.mk. Every
# request is run as "test-clean <goal>", so the tests start from a clean
# state.
# NOTE(review): the recipes call literal `make` instead of $(MAKE), so -n and
# the -j job server are not passed on in the usual way; the "test-clean
# <goal>" ordering presumably relies on the sub-make running serially --
# confirm before switching to $(MAKE).
test test-clean test-coverage test-lto:
	@make -f $(TOPDIR)/include/test.mk \
		COMPILER="$(COMPILER)" \
		CROSS_COMPILE="$(CROSS_COMPILE)" \
		CLANG_WARNINGS="$(CLANG_WARNINGS)" \
		ARCH_DEFINES="$(ARCH_DEFINES)" \
		EFI_INCLUDES="$(EFI_INCLUDES)" \
		test-clean $@

# One target per test-*.c file in the current directory, for running a
# single test program.
$(patsubst %.c,%,$(wildcard test-*.c)):
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@

# Only `test` and the per-file test targets are declared phony here;
# test-clean, test-coverage and test-lto are not.
.PHONY: $(patsubst %.c,%,$(wildcard test-*.c)) test
# Per-component clean helpers. The sub-directory variants do nothing when
# the directory does not exist in the build tree.

# Test objects, via include/test.mk.
clean-test-objs:
	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean

# Bundled gnu-efi, via its own Makefile.
clean-gnu-efi:
	@if [ -d gnu-efi ] ; then \
		$(MAKE) -C gnu-efi \
			CC="$(CC)" \
			HOSTCC="$(HOSTCC)" \
			COMPILER="$(COMPILER)" \
			ARCH=$(ARCH_GNUEFI) \
			TOPDIR=$(TOPDIR)/gnu-efi \
			-f $(TOPDIR)/gnu-efi/Makefile \
			clean ; \
	fi

# shim's helper library.
clean-lib-objs:
	@if [ -d lib ] ; then \
		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
	fi
# Remove shim's own build products, including the generated key material in
# KEYS and the NSS database in certdb/.
#
# Caution: inside a git checkout the last line also runs `git clean -f -d`,
# which deletes untracked files and directories in the tree, not just build
# output (only Cryptlib/OpenSSL/* is excluded). Keep anything you still need,
# such as locally generated keys or certificates, outside the work tree.
#
# NOTE(review): TARGET and SHIM_OBJS are not defined in this file (it defines
# TARGETS and OBJS); unless an included file sets them they expand to nothing
# -- confirm.
clean-shim-objs:
	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid post-process-pe
	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
# Bundled OpenSSL objects; skipped when the directory is absent.
clean-openssl-objs:
	@if [ -d Cryptlib/OpenSSL ] ; then \
		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
	fi

# Bundled Cryptlib objects; skipped when the directory is absent.
clean-cryptlib-objs:
	@if [ -d Cryptlib ] ; then \
		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
	fi

# Full clean: every per-component helper.
clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
# Release tooling.
GITTAG = $(VERSION)

# Test tarball for the current VERSION; --origin is passed only when the
# shim.origin config value is non-empty (get-config is defined elsewhere).
test-archive:
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"

# Create the signed release tag on refs/heads/main, then force-move
# `latest-release` to it. Only the version tag is created with --sign;
# `latest-release` is created without it and can be moved again, so release
# verification should check the version tag's signature.
tag:
	git tag --sign $(GITTAG) refs/heads/main
	git tag -f latest-release $(GITTAG)

# Release tarball; always tags first.
archive: tag
	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"

.PHONY: install-deps shim.key

# Toolchain and flag variables handed to every sub-make through the
# environment.
export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
export FEATUREFLAGS WARNFLAGS WERRFLAGS