5 ifneq ($(origin RELEASE
),undefined
)
6 DASHRELEASE ?
= -$(RELEASE
)
12 TOPDIR ?
= $(shell pwd
)
15 override TOPDIR
:= $(shell pwd
)
17 override TOPDIR
:= $(abspath
$(TOPDIR
))
21 include $(TOPDIR
)/Make.rules
22 include $(TOPDIR
)/Make.defaults
23 include $(TOPDIR
)/include/coverity.mk
24 include $(TOPDIR
)/include/scan-build.mk
25 include $(TOPDIR
)/include/fanalyzer.mk
28 TARGETS
+= $(SHIMNAME
).debug
$(MMNAME
).debug
$(FBNAME
).debug
29 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
30 TARGETS
+= $(SHIMHASHNAME
)
32 ifneq ($(origin ENABLE_SHIM_DEVEL
),undefined
)
33 CFLAGS
+= -DENABLE_SHIM_DEVEL
35 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
36 TARGETS
+= $(MMNAME
).signed
$(FBNAME
).signed
37 CFLAGS
+= -DENABLE_SHIM_CERT
39 TARGETS
+= $(MMNAME
) $(FBNAME
)
# Objects linked into the main shim image (prerequisites of $(SHIMSONAME)).
OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o \
       version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o httpboot.o \
       csv.o load-options.o

# Key and certificate artifacts that appear in the build directory; the
# clean recipe removes everything listed here.
# NOTE(review): shim.key, shim.p12 and shim.pem look like private-key
# material for the build-time signing certificate -- confirm they are never
# picked up by packaging or archive steps.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem \
       shim.key shim.cer

# Source lists are relative to $(TOPDIR); SOURCES, MOK_SOURCES and
# FALLBACK_SRCS are derived from them with the $(TOPDIR)/ prefix added.
ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c \
               errlog.c sbat.c pe.c httpboot.c shim.h version.h \
               $(wildcard include/*.h) cert.S sbat_var.S

# Objects and sources for the MokManager image ($(MMSONAME)).
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o \
           sbat_data.o globals.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h \
                   $(wildcard include/*.h)

# Objects and sources for the fallback image ($(FBSONAME)).
FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o
ORIG_FALLBACK_SRCS = fallback.c

# CSV file that the sbat_data.o recipe adds as the .sbat section.
SBATPATH = $(TOPDIR)/data/sbat.csv
50 ifeq ($(SOURCE_DATE_EPOCH
),)
51 UNAME
=$(shell uname
-s
-m
-p
-i
-o
)
# Source lists with $(TOPDIR)/ prepended to every entry.  version.c has its
# own rule (generated from $(TOPDIR)/version.c.in), so it is appended
# without the prefix.
SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_SOURCES)) version.c
MOK_SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_MOK_SOURCES))
FALLBACK_SRCS = $(addprefix $(TOPDIR)/,$(ORIG_FALLBACK_SRCS))
60 ifneq ($(origin FALLBACK_VERBOSE
), undefined
)
61 CFLAGS
+= -DFALLBACK_VERBOSE
64 ifneq ($(origin FALLBACK_NONINTERACTIVE
), undefined
)
65 CFLAGS
+= -DFALLBACK_NONINTERACTIVE
68 ifneq ($(origin FALLBACK_VERBOSE_WAIT
), undefined
)
69 CFLAGS
+= -DFALLBACK_VERBOSE_WAIT
=$(FALLBACK_VERBOSE_WAIT
)
# Top-level goal: depends on confcheck and on every image collected in
# TARGETS by the feature conditionals above.
all : confcheck $(TARGETS)
75 ifneq ($(origin EFI_PATH
),undefined
)
76 $(error EFI_PATH is no longer supported
, you must build using the supplied copy of gnu-efi
)
80 git submodule update
--init
--recursive
83 $(TOPDIR
)/make-certs shim shim@xn--u4h.net
all codesign
1.3.6.1.4.1.311.10.3.1 </dev
/null
86 $(OPENSSL
) x509
-outform der
-in
$< -out
$@
88 .NOTPARALLEL
: shim_cert.h
90 echo
"static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
91 $(HEXDUMP
) -v
-e
'1/1 "0x%02x, "' $< >> $@
94 version.c
: $(TOPDIR
)/version.c.in
95 sed
-e
"s,@@VERSION@@,$(VERSION)," \
96 -e
"s,@@UNAME@@,$(UNAME)," \
97 -e
"s,@@COMMIT@@,$(COMMIT_ID)," \
# Import shim.p12 and shim.crt into the NSS database under certdb/; the
# pesign-based %.efi.signed rule depends on certdb/secmod.db.
# NOTE(review): -W "" and -K "" hand pk12util an empty PKCS#12 password and
# an empty key-database password, so shim.p12 and certdb/ hold the signing
# key with no passphrase protection.  Presumably acceptable only because
# this is a throwaway build-time key -- confirm it never signs release
# binaries and that certdb/ is not shipped.
100 certdb
/secmod.db
: shim.crt
102 $(PK12UTIL
) -d certdb
/ -i shim.p12
-W
"" -K
""
103 $(CERTUTIL
) -d certdb
/ -A
-i shim.crt
-n shim
-t u
106 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
# Rebuild shim.o whenever any header at the top of the source tree changes.
shim.o : $(wildcard $(TOPDIR)/*.h)
# Produce a build-directory copy of a vendor SBAT file from data/ by running
# it through $(DOS2UNIX), then append a newline when the result does not
# already end with one.
# NOTE(review): presumably $(D2UFLAGS) selects dos2unix's new-file mode so
# that data/sbat.%.csv itself is left untouched -- confirm in Make.defaults.
sbat.%.csv : data/sbat.%.csv
	$(DOS2UNIX) $(D2UFLAGS) $< $@
	if ! tail -c1 $@ | read -r _ ; then echo >> $@ ; fi # ensure a trailing newline
# Base names of every vendor SBAT file found under $(TOPDIR)/data or ./data;
# $(sort) also removes duplicates when both globs match the same name.
# The list feeds sbat_data.o (order-only prerequisites and add-vendor-sbat).
# NOTE(review): anything matching data/sbat.*.csv is picked up implicitly.
# These entries presumably end up in the image's SBAT data, so stray files
# in data/ should be treated as build input -- confirm in add-vendor-sbat.
VENDOR_SBATS := $(sort $(notdir $(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv)))
117 sbat_data.o
: |
$(SBATPATH
) $(VENDOR_SBATS
)
118 sbat_data.o
: /dev
/null
119 $(CC
) $(CFLAGS
) -x c
-c
-o
$@
$<
120 $(OBJCOPY
) --add-section .sbat
=$(SBATPATH
) \
121 --set-section-flags .sbat
=contents
,alloc
,load
,readonly
,data \
123 $(foreach vs
,$(VENDOR_SBATS
),$(call add-vendor-sbat
,$(vs
),$@
))
# Each final image depends on its intermediate link output and on the
# host-side post-process-pe tool, so a rebuilt tool triggers a rebuild of
# all three images.
# NOTE(review): post-process-pe is listed both as a normal and as an
# order-only prerequisite.  GNU make gives the normal form precedence, so
# the last line looks redundant -- confirm before removing it.
$(SHIMNAME): $(SHIMSONAME) post-process-pe
$(MMNAME): $(MMSONAME) post-process-pe
$(FBNAME): $(FBSONAME) post-process-pe
$(SHIMNAME) $(MMNAME) $(FBNAME): | post-process-pe
130 LIBS
= Cryptlib
/libcryptlib.a \
131 Cryptlib
/OpenSSL
/libopenssl.a \
133 gnu-efi
/$(ARCH_GNUEFI
)/lib
/libefi.a \
134 gnu-efi
/$(ARCH_GNUEFI
)/gnuefi
/libgnuefi.a
# Shared link step for the three $(...SONAME) targets.  $^ carries the
# rule's objects followed by $(LIBS); $(EFI_LIBS) and lib/lib.a are then
# passed explicitly, in the same order for every image.
define link-efi-so
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
endef

# Main shim image.
$(SHIMSONAME): $(OBJS) $(LIBS)
	$(link-efi-so)

# fallback.o is rebuilt when any fallback source changes.
fallback.o: $(FALLBACK_SRCS)

# Fallback image.
$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
	$(link-efi-so)

# MokManager.o is rebuilt when any MokManager source or header changes.
MokManager.o: $(MOK_SOURCES)

# MokManager image.
$(MMSONAME): $(MOK_OBJS) $(LIBS)
	$(link-efi-so)
149 gnu-efi
/$(ARCH_GNUEFI
)/gnuefi
/libgnuefi.a gnu-efi
/$(ARCH_GNUEFI
)/lib
/libefi.a
: CFLAGS
+=-DGNU_EFI_USE_EXTERNAL_STDARG
150 gnu-efi
/$(ARCH_GNUEFI
)/gnuefi
/libgnuefi.a gnu-efi
/$(ARCH_GNUEFI
)/lib
/libefi.a
:
151 mkdir
-p gnu-efi
/lib gnu-efi
/gnuefi
153 COMPILER
="$(COMPILER)" \
154 CCC_CC
="$(COMPILER)" \
156 ARCH
=$(ARCH_GNUEFI
) \
157 TOPDIR
=$(TOPDIR
)/gnu-efi \
158 -f
$(TOPDIR
)/gnu-efi
/Makefile \
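# Build the Cryptlib static library out of tree: create the object
# sub-directories in the build directory, then run Cryptlib's own Makefile
# there with VPATH pointing back at the sources under $(TOPDIR).
#
# The directories are created with a single mkdir so that a failure on any
# of them fails the recipe; a shell for-loop only reports the status of its
# last iteration.
# NOTE(review): the rule declares no prerequisites, so once the archive
# exists make treats it as up to date and does not re-enter Cryptlib after a
# source change (for example a security fix to the crypto code).  A clean
# build is needed to pick such changes up -- confirm this is intended.
Cryptlib/libcryptlib.a:
	mkdir -p $(addprefix Cryptlib/,Hash Hmac Cipher Rand Pk Pem SysCall)
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile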
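# Build the bundled OpenSSL static library out of tree: create the crypto/
# object sub-directories in the build directory, then run the OpenSSL
# Makefile there with VPATH pointing back at the sources under $(TOPDIR).
#
# The directories are created with a single mkdir so that a failure on any
# of them fails the recipe; a shell for-loop only reports the status of its
# last iteration.
# NOTE(review): the rule declares no prerequisites, so an existing archive
# is never rebuilt by this Makefile after the OpenSSL sources change (for
# example when a security fix is applied).  A clean build is needed to pick
# such changes up -- confirm this is intended.
Cryptlib/OpenSSL/libopenssl.a:
	mkdir -p $(addprefix Cryptlib/OpenSSL/crypto/,x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes)
	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile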
169 lib
/lib.a
: |
$(TOPDIR
)/lib
/Makefile
$(wildcard $(TOPDIR
)/include/*.
[ch
])
171 $(MAKE
) VPATH
=$(TOPDIR
)/lib TOPDIR
=$(TOPDIR
) -C lib
-f
$(TOPDIR
)/lib
/Makefile
# Host-side helper compiled with $(HOSTCC) rather than the EFI toolchain;
# another recipe in this file runs it as ./post-process-pe -vv $@ on a
# finished image.  Warnings are fatal (-Werror).
post-process-pe : $(TOPDIR)/post-process-pe.c
	$(HOSTCC) -std=gnu11 -Og -g3 \
		-Wall -Wextra -Wno-missing-field-initializers -Werror \
		-o $@ $<
# Host-side helper linked against libelf; install-debuginfo runs it as
# ./buildid on the *.efi.debug files and reads "file buildid" pairs from
# its output.
# NOTE(review): -I/usr/include is hard-coded, which presumably assumes a
# native (non-sysroot) host toolchain -- confirm for cross builds.
buildid : $(TOPDIR)/buildid.c
	$(HOSTCC) -I/usr/include -Og -g3 \
		-Wall -Werror -Wextra \
		-o $@ $< -lelf
181 @echo
"$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv
-t UCS-2LE
> $@
184 ifeq ($(origin LIBDIR
),undefined
)
185 $(error Architecture
$(ARCH
) is not a supported build target.
)
187 ifeq ($(origin EFIDIR
),undefined
)
188 $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name
)
# Everything the install-* targets need to exist first: the built images,
# their .debug companions, the buildid helper and the BOOT CSV file.
# install-deps has no recipe; it only aggregates prerequisites.
install-deps : $(TARGETS) \
               $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid \
               $(BOOTCSVNAME)
195 install-debugsource
: install-deps
196 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)
197 find
$(TOPDIR
) -type f
-a
'(' -iname
'*.c' -o
-iname
'*.h' -o
-iname
'*.S' ')' | while read file
; do \
198 outfile
=$$(echo
$${file} | sed
-e
"s,^$(TOPDIR),,") ; \
199 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$$(dirname
$${outfile}) ; \
200 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$${outfile} ; \
203 install-debuginfo
: install-deps
204 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
205 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
)/
206 @.
/buildid
$(wildcard *.efi.debug
) | while read file buildid
; do \
207 first
=$$(echo
$${buildid} | cut
-b
-2) ; \
208 rest
=$$(echo
$${buildid} | cut
-b
3-) ; \
209 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/ ;\
210 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
) ; \
211 ln
-s ..
/..
/..
/..
/..
$(DEBUGINFO
)$(TARGETDIR
)$${file} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest}.debug
;\
212 ln
-s ..
/..
/..
/.build-id
/$${first}/$${rest} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest} ;\
215 install : | install-check
216 install : install-deps install-debuginfo install-debugsource
217 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
218 $(INSTALL
) -d
-m
0700 $(DESTDIR
)/$(ESPROOTDIR
)
219 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(EFIBOOTDIR
)
220 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(TARGETDIR
)
221 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/$(BOOTEFINAME
)
222 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
223 $(INSTALL
) -m
0644 $(BOOTCSVNAME
) $(DESTDIR
)/$(TARGETDIR
)/
224 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
225 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(FBNAME
)
226 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(MMNAME
)
227 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(TARGETDIR
)/$(MMNAME
)
229 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
230 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
231 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
234 install-as-data
: install-deps
235 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DATATARGETDIR
)
236 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
237 $(INSTALL
) -m
0644 $(BOOTCSVNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
238 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
239 $(INSTALL
) -m
0644 $(SHIMHASHNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
241 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
242 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
243 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
245 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
246 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
250 ifneq ($(OBJCOPY_GTE224
),1)
251 $(error objcopy
>= 2.24 is required
)
253 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data
-j .data.ident \
254 -j .dynamic
-j .rodata
-j .rel
* \
255 -j .rela
* -j .dyn
-j .reloc
-j .eh_frame \
256 -j .vendor_cert
-j .sbat
-j .sbatlevel \
258 .
/post-process-pe
-vv
$@
260 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
262 $(PESIGN
) -i
$< -P
-h
> $@
266 ifneq ($(OBJCOPY_GTE224
),1)
267 $(error objcopy
>= 2.24 is required
)
269 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data \
270 -j .dynamic
-j .rodata
-j .rel
* \
271 -j .rela
* -j .dyn
-j .reloc
-j .eh_frame
-j .sbat \
273 -j .debug_info
-j .debug_abbrev
-j .debug_aranges \
274 -j .debug_line
-j .debug_str
-j .debug_ranges \
275 -j .note.gnu.build-id \
# Produce %.efi.signed from %.efi.  When ENABLE_SBSIGN is defined, the first
# rule header takes shim.key and shim.crt as direct prerequisites.  The
# second rule header depends on the certdb NSS database and signs with
# pesign, selecting the certificate by the nickname "shim" (-c), writing the
# signed image to $@ (-o) and forcing an overwrite of an existing file (-f).
# NOTE(review): both paths sign with the key material generated in the build
# directory; presumably this is the ENABLE_SHIM_CERT developer flow and not
# a release signing step -- confirm, and keep shim.key / certdb out of any
# shipped artifact.
# NOTE(review): the recipe lines between the two rule headers are not
# visible in this listing.
278 ifneq ($(origin ENABLE_SBSIGN
),undefined
)
279 %.efi.signed
: %.efi shim.key shim.crt
285 %.efi.signed
: %.efi certdb
/secmod.db
286 $(PESIGN
) -n certdb
-i
$< -c
"shim" -s
-o
$@
-f
289 test test-clean test-coverage test-lto
:
290 @make
-f
$(TOPDIR
)/include/test.mk \
291 COMPILER
="$(COMPILER)" \
292 CROSS_COMPILE
="$(CROSS_COMPILE)" \
293 CLANG_WARNINGS
="$(CLANG_WARNINGS)" \
294 ARCH_DEFINES
="$(ARCH_DEFINES)" \
295 EFI_INCLUDES
="$(EFI_INCLUDES)" \
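# Delegate every test-<name> target (one per test-*.c file in the build
# directory) to include/test.mk, forwarding the EFI include paths and the
# architecture defines.
#
# The sub-make is started through $(MAKE) rather than a literal `make`, so
# that it is the same make binary as the parent, shares the parent's
# jobserver under -j, and is still entered under `make -n`.
# NOTE(review): other recipes in this file still call a literal `make` for
# include/test.mk; they have the same problem.
$(patsubst %.c,%,$(wildcard test-*.c)) :
	@$(MAKE) -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@

# The per-test targets and `test` are commands, not files.
.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test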
304 @make
-f
$(TOPDIR
)/include/test.mk EFI_INCLUDES
="$(EFI_INCLUDES)" ARCH_DEFINES
="$(ARCH_DEFINES)" clean
307 @if
[ -d gnu-efi
] ; then \
311 COMPILER
="$(COMPILER)" \
312 ARCH
=$(ARCH_GNUEFI
) \
313 TOPDIR
=$(TOPDIR
)/gnu-efi \
314 -f
$(TOPDIR
)/gnu-efi
/Makefile \
319 @if
[ -d lib
] ; then \
320 $(MAKE
) -C lib TOPDIR
=$(TOPDIR
) -f
$(TOPDIR
)/lib
/Makefile
clean ; \
324 @
rm -rvf
$(TARGET
) *.o
$(SHIM_OBJS
) $(MOK_OBJS
) $(FALLBACK_OBJS
) $(KEYS
) certdb
$(BOOTCSVNAME
)
325 @
rm -vf
*.debug
*.so
*.efi
*.efi.
* *.
tar.
* version.c buildid post-process-pe
326 @
rm -vf Cryptlib
/*.
[oa
] Cryptlib
/*/*.
[oa
]
327 @if
[ -d .git
] ; then git
clean -f
-d
-e
'Cryptlib/OpenSSL/*'; fi
330 @if
[ -d Cryptlib
/OpenSSL
] ; then \
331 $(MAKE
) -C Cryptlib
/OpenSSL
-f
$(TOPDIR
)/Cryptlib
/OpenSSL
/Makefile
clean ; \
335 @if
[ -d Cryptlib
] ; then \
336 $(MAKE
) -C Cryptlib
-f
$(TOPDIR
)/Cryptlib
/Makefile
clean ; \
# Aggregate clean target: one sub-target per component, no recipe of its own.
clean : clean-shim-objs \
        clean-test-objs \
        clean-gnu-efi \
        clean-openssl-objs \
        clean-cryptlib-objs \
        clean-lib-objs
344 @.
/make-archive
$(if
$(call get-config
,shim.
origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"
347 git tag
--sign
$(GITTAG
) refs
/heads
/main
348 git tag
-f latest-release
$(GITTAG
)
351 @.
/make-archive
$(if
$(call get-config
,shim.
origin),--origin "$(call get-config,shim.origin)") --release
"$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
# install-deps is a pure aggregate target.
# NOTE(review): shim.key is declared phony as well, which makes it always
# out of date; any rule that builds it would presumably regenerate the key
# on every build that needs it -- confirm this is intended.
.PHONY : install-deps shim.key

# Toolchain and flag variables handed to the sub-makes through the
# environment.
export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES \
       OPTIMIZATIONS FEATUREFLAGS WARNFLAGS WERRFLAGS