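# Upstream release number of shim.
VERSION = 12

# Optional packaging release.  A non-empty value becomes a "-<release>" suffix
# that follows VERSION in the DEBUGDIR paths defined later in this file.
# `RELEASE :=` discards any RELEASE inherited from the environment, so the
# only way to supply one is on the command line (`make RELEASE=<n>`).
RELEASE :=
# In the parenthesised form of ifneq, quote characters are literal, so the
# former comparison against "" was always true and an empty RELEASE became
# the three characters "-" (quotes included).  Compare against the empty
# string instead, and use `override`: a plain assignment cannot change a
# variable that was set on the command line.
ifneq ($(strip $(RELEASE)),)
override RELEASE := -$(RELEASE)
endif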
# Toolchain.  CROSS_COMPILE is an optional prefix that is prepended to the
# compiler, linker and objcopy names; leave it unset for a native build.
CC      = $(CROSS_COMPILE)gcc
LD      = $(CROSS_COMPILE)ld
OBJCOPY = $(CROSS_COMPILE)objcopy

# Helpers used by the certificate and signing rules.  Each one is looked up
# through PATH unless the environment or the command line names another
# program (`?=`).  They read the private signing key and produce the
# signatures, so a build that is going to be trusted should pin them to known
# binaries and run in a controlled environment.
OPENSSL  ?= openssl
HEXDUMP  ?= hexdump
PK12UTIL ?= pk12util
CERTUTIL ?= certutil
PESIGN   ?= pesign
# Target architecture: the first "-"-separated field of the compiler's target
# triplet, with i386 ... i986 rewritten to ia32 (the spelling used by the
# linker script and crt0 object names below).  Recursive on purpose, so it
# follows whatever CC ends up being.
ARCH = $(shell $(CC) -dumpmachine | \
               cut -f1 -d- | \
               sed s,i[3456789]86,ia32,)

# "1" when the objcopy in use reports a major.minor version of at least 2.24;
# the %.efi rule refuses to run otherwise.
# NOTE(review): expr compares non-integer operands as strings, so "2.24" is
# matched lexically rather than numerically - confirm this still behaves as
# intended for the binutils versions the build must support.
OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version | \
                               grep ^"GNU objcopy" | \
                               sed 's/^.*\((.*)\|version\) //g' | \
                               cut -f1-2 -d.` \>= 2.24)
# Sub-directories that carry their own Makefile.
SUBDIRS = Cryptlib lib

# gnu-efi headers.  -nostdinc keeps the host's system headers out of the
# firmware build; only the bundled Cryptlib headers, the gnu-efi headers and
# ./include are searched.
EFI_INCLUDE := /usr/include/efi
EFI_INCLUDES = -nostdinc \
               -ICryptlib -ICryptlib/Include \
               -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol \
               -I$(shell pwd)/include

# Libraries for the final links: gnu-efi, the bundled crypto archives (grouped
# so that references between the two archives resolve) and the compiler's
# libgcc.
LIB_GCC  = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi \
           --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group \
           $(LIB_GCC)

# gnu-efi start-up object and the per-architecture linker script.  EFI_PATH is
# assigned in the architecture sections further down.
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS      = elf_$(ARCH)_efi.lds
# Second-stage loader path compiled into shim.  The value goes through a
# double-quoted shell word and then a C string literal, and each of those
# halves the number of backslashes, hence four of them here.
DEFAULT_LOADER := \\\\grub.efi

# Base compiler flags for every architecture.
#   -ggdb -O0               debug information, optimiser off
#   -fno-stack-protector    no stack canaries are emitted
#   -ffreestanding -fno-builtin -fshort-wchar -fpic
#                           freestanding, position-independent firmware code
#                           with 16-bit wchar_t
#   -Wall -Wsign-compare -Werror -Werror=sign-compare
#                           warnings, signed/unsigned comparisons included,
#                           stop the build
# NOTE(review): with canaries disabled and -O0 the compiler contributes no
# memory-safety hardening to code that parses untrusted images, so the C
# sources have to carry that burden - confirm this is still the intended
# trade-off for the toolchain in use.
CFLAGS = -ggdb -O0 \
         -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
         -Wall -Wsign-compare -Werror \
         -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 \
         -I$(shell $(CC) -print-file-name=include) \
         "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
         "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
         $(EFI_INCLUDES)

# Output base names; the architecture sections below replace them with
# suffixed variants.
SHIMNAME = shim
MMNAME   = MokManager
FBNAME   = fallback
# Commit identifier substituted into version.c.  Taken from git when building
# inside a checkout, from the "commit" file that the archive targets write
# into a tarball otherwise, else a fixed placeholder text.  Because of `?=`
# the environment or command line can supply any value, so the string is
# informational only and must not be treated as proof of provenance.
COMMITID ?= $(shell if [ -d .git ] ; then \
                      git log -1 --pretty=format:%H ; \
                    elif [ -f commit ]; then \
                      cat commit ; \
                    else \
                      echo commit id not available; \
                    fi)
# Optional features.  Each is switched on by merely *defining* the variable
# (environment or command line); its value, even an empty one, is irrelevant.

# Passes -DOVERRIDE_SECURITY_POLICY to the C sources.
# NOTE(review): what the sources do under this define is not visible from the
# Makefile.  Since defining an environment variable is enough to enable it,
# check the build environment and the resulting command lines before a binary
# is submitted for signing.
ifneq "$(origin OVERRIDE_SECURITY_POLICY)" "undefined"
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif

# Passes -DENABLE_HTTPBOOT; the matching httpboot object is added where the
# object lists are defined.
ifneq "$(origin ENABLE_HTTPBOOT)" "undefined"
CFLAGS += -DENABLE_HTTPBOOT
endif
# Per-architecture flags, output names and gnu-efi locations.  Every section
# appends to CFLAGS, sets the EFI_ARCH / DEBUGDIR strings compiled into the
# binaries, and picks the suffixed file names.
# NOTE(review): "arm" is handled where FORMAT is chosen but has no section
# here, so EFI_PATH and LIB_PATH stay unset for it - confirm whether 32-bit
# ARM is meant to be buildable.

ifeq "$(ARCH)" "x86_64"
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
          -maccumulate-outgoing-args \
          -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
          -DNO_BUILTIN_VA_FUNCS \
          -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
          "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
SHIMNAME = shimx64
MMNAME = mmx64
FBNAME = fbx64
EFI_PATH := /usr/lib64/gnuefi
LIB_PATH := /usr/lib64
endif

ifeq "$(ARCH)" "ia32"
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
          -maccumulate-outgoing-args -m32 \
          -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \
          "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
SHIMNAME = shimia32
MMNAME = mmia32
FBNAME = fbia32
EFI_PATH := /usr/lib/gnuefi
LIB_PATH := /usr/lib
endif

ifeq "$(ARCH)" "aarch64"
CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \
          "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
SHIMNAME = shimaa64
MMNAME = mmaa64
FBNAME = fbaa64
EFI_PATH := /usr/lib64/gnuefi
LIB_PATH := /usr/lib64
endif
# Vendor trust material.  When a variable is defined, the file name it holds
# is handed to the compiler as a quoted string macro.
#   VENDOR_CERT_FILE - presumably the vendor certificate the built shim will
#                      accept (the %.efi rule keeps a .vendor_cert section);
#                      confirm against cert.S
#   VENDOR_DBX_FILE  - presumably the vendor deny list; confirm against cert.S
# These files decide what the resulting shim trusts: verify their origin and
# checksum before the build, and record which files were used.
ifneq "$(origin VENDOR_CERT_FILE)" "undefined"
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
ifneq "$(origin VENDOR_DBX_FILE)" "undefined"
CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif
# Linker flags: shared object laid out by the EFI linker script, no host
# libraries, gnu-efi start-up object first, SHA-1 build-id note.
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc \
          -T $(EFI_LDS) -shared -Bsymbolic \
          -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL \
          $(EFI_CRT_OBJS) --build-id=sha1

# Default build products.  Only MokManager and fallback are signed here (with
# the key generated by the shim.crt rule); $(SHIMNAME).efi leaves this
# Makefile unsigned.
TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed

# shim proper.
OBJS    = shim.o netboot.o cert.o replacements.o tpm.o version.o
SOURCES = shim.c shim.h netboot.c \
          include/PeImage.h include/wincert.h include/console.h \
          replacements.c replacements.h tpm.c tpm.h version.c version.h

# Files produced by the certificate rules.  shim.key, shim.pem and shim.p12
# are named like private-key material, and nothing but `make clean` removes
# them from the build directory.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer

# MokManager.
MOK_OBJS    = MokManager.o PasswordCrypt.o crypt_blowfish.o
MOK_SOURCES = MokManager.c shim.h include/console.h \
              PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h

# fallback.
FALLBACK_OBJS = fallback.o
FALLBACK_SRCS = fallback.c

# HTTP boot support is compiled in only when ENABLE_HTTPBOOT is defined.
ifneq "$(origin ENABLE_HTTPBOOT)" "undefined"
OBJS += httpboot.o
SOURCES += httpboot.c httpboot.h
endif
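# Default goal: build every product listed in TARGET.  Declared phony so that
# a stray file named "all" cannot make the build look up to date.
.PHONY: all
all: $(TARGET)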
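# Generate the build-time signing certificate with the bundled make-certs
# script; the trailing OID is handed to the script unchanged.  The files named
# in KEYS (shim.key, shim.p12, ...) appear as a side effect.
# shim.o depends on shim_cert.h, so this certificate is presumably compiled
# into shim as a trusted signer (confirm in shim.c).  Whoever can read the
# generated private key can then sign binaries that this particular shim
# accepts: build in a clean, access-controlled environment and do not let the
# key files outlive the signing step.
shim.crt:
	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

# DER encoding of the certificate.
shim.cer: shim.crt
	$(OPENSSL) x509 -outform der -in $< -out $@

# C array holding the DER certificate.  The header is assembled in a scratch
# file and renamed only once every step has succeeded, so a failed or
# interrupted hexdump cannot leave a truncated header that make would treat
# as up to date.
shim_cert.h: shim.cer
	{ echo "static UINT8 shim_cert[] = {" && \
	  $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< && \
	  echo "};" ; } > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@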
# Fill in the version template.  Besides VERSION and COMMITID, the output of
# `uname -a` on the build host (host name, kernel release, build date) is
# written into the source and therefore into the binary.  That makes two
# builds of the same tree differ and exposes build-host details in a shipped
# artefact; anyone comparing binaries for review has to account for it.
# The sed expressions use "," as delimiter, so a substituted value containing
# a comma breaks the command.
version.c : version.c.in
	sed -e "s,@@VERSION@@,$(VERSION)," \
	    -e "s,@@UNAME@@,$(shell uname -a)," \
	    -e "s,@@COMMIT@@,$(COMMITID)," \
	    < $< > $@
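# NSS database that pesign signs from.  It imports shim.p12 (written next to
# shim.crt by make-certs) and then the certificate under the nickname "shim".
# -W "" and -K "" mean that neither the PKCS#12 file nor the database is
# password protected: the private key sits in certdb/ in the clear.  The
# directory is therefore created owner-only, and `mkdir -p` replaces the old
# `-mkdir`, which ignored every mkdir failure rather than just "already
# exists".  A directory that already exists keeps its current mode.
certdb/secmod.db: shim.crt
	mkdir -p -m 0700 certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u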
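# shim.o is compiled by make's built-in rule; it is rebuilt when any listed
# source, the generated certificate header or any top-level header changes.
shim.o: $(SOURCES) shim_cert.h $(wildcard *.h)

# cert.S is assembled with the -DVENDOR_CERT_FILE / -DVENDOR_DBX_FILE macros
# from CFLAGS and presumably embeds those files (confirm against cert.S).
# Listing them as prerequisites forces cert.o to be rebuilt when the vendor
# certificate or deny list is replaced; before, a swapped file left the old
# trust material in cert.o until `make clean`.  Both variables expand to
# nothing when unset, and the recipe only uses $<, so the command itself is
# unchanged.
cert.o : cert.S $(VENDOR_CERT_FILE) $(VENDOR_DBX_FILE)
	$(CC) $(CFLAGS) -c -o $@ $<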
# Link rules.  All three images are linked against the bundled crypto
# archives and lib/lib.a, followed by the gnu-efi libraries in EFI_LIBS.

# shim proper.
$(SHIMNAME).so: $(OBJS) \
                Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a \
                lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# fallback.
fallback.o: $(FALLBACK_SRCS)

$(FBNAME).so: $(FALLBACK_OBJS) \
              Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a \
              lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# MokManager.  lib/lib.a is given a second time after EFI_LIBS.
MokManager.o: $(MOK_SOURCES)

$(MMNAME).so: $(MOK_OBJS) \
              Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a \
              lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
# Static libraries built by the Makefile in their own directory ($(@D) is the
# directory part of the target).  Only lib/ is given this file's CFLAGS.
# NOTE(review): the rules have no prerequisites, so an archive that already
# exists is never rebuilt from here.  After changing or patching the bundled
# crypto sources, run `make clean` first, otherwise the stale archive is
# linked into the new binaries.
Cryptlib/libcryptlib.a:
	$(MAKE) -C $(@D)

Cryptlib/OpenSSL/libopenssl.a:
	$(MAKE) -C $(@D)

lib/lib.a:
	$(MAKE) CFLAGS="$(CFLAGS)" -C $(@D)
# objcopy output format.  On aarch64 and arm the image is written as raw
# binary and the EFI subsystem number is handed to the linker as a symbol;
# every other architecture uses objcopy's efi-app-<arch> target.
ifneq "$(filter aarch64 arm,$(ARCH))" ""
FORMAT := -O binary
SUBSYSTEM := 0xa
LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
endif

FORMAT ?= --target efi-app-$(ARCH)
# Turn a linked .so into an EFI image plus a companion $@.debug file.
# The conditional is evaluated while the Makefile is read; with an objcopy
# older than 2.24 the $(error) line becomes part of the recipe and stops the
# build as soon as an .efi has to be produced.
# First objcopy: the image itself, including the .vendor_cert and .data.ident
# sections.  Second objcopy: the same code and data sections plus the DWARF
# sections and the build-id note, without .vendor_cert and .data.ident.
# The unquoted ".rel*" / ".rela*" arguments are subject to shell globbing in
# the build directory.
%.efi: %.so
ifneq "$(OBJCOPY_GTE224)" "1"
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) \
		-j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .vendor_cert \
		$(FORMAT) $^ $@
	$(OBJCOPY) \
		-j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id \
		$(FORMAT) $^ $@.debug
# Sign an EFI image with the certificate nicknamed "shim" from the certdb NSS
# database; -f overwrites an existing output file.  The signature is made
# with the key generated during this build, so it is only meaningful to a
# shim that carries the matching shim_cert.h.
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -c "shim" \
		-i $< -o $@ \
		-s -f
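# Remove build products, including the generated certificates, keys and the
# NSS database.  Declared phony so that a file named "clean" cannot disable
# the target.  The key files are deleted with plain rm; where the build key
# matters, treat the whole build directory as sensitive until it is disposed
# of properly.
.PHONY: clean
clean:
	$(MAKE) -C Cryptlib clean
	$(MAKE) -C Cryptlib/OpenSSL clean
	$(MAKE) -C lib clean
	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
	rm -f *.debug *.so *.efi *.tar.* version.c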
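# Tag used for releases.
GITTAG = $(VERSION)

.PHONY: test-archive tag archive

# The archive targets used to stage the tree under fixed names in /tmp
# (/tmp/shim-$(VERSION) and /tmp/shim-$(VERSION)-tmp).  A fixed name in a
# world-writable directory can be prepared in advance by another local
# account, which would let foreign content end up in a release tarball.
# Staging now happens in a private directory created by mktemp -d (mode 0700,
# unpredictable name, honours TMPDIR) and removed again by the EXIT trap, also
# when a step fails.  The result is unchanged: shim-$(VERSION).tar.bz2 in the
# current directory, with shim-$(VERSION)/ as its top-level directory.

# Snapshot of the current branch plus uncommitted changes (applied with
# patch; backups get the .gitdiff suffix).
test-archive:
	@set -e; \
	top="$$PWD"; \
	work="$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX")"; \
	trap 'rm -rf "$$work"' EXIT; \
	mkdir "$$work/shim-$(VERSION)"; \
	git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | tar -x -C "$$work/shim-$(VERSION)"; \
	git diff | ( cd "$$work/shim-$(VERSION)" && patch -s -p1 -b -z .gitdiff ); \
	git log -1 --pretty=format:%H > "$$work/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$top/shim-$(VERSION).tar.bz2" -C "$$work" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"

# Create a signed tag named $(GITTAG) at refs/heads/master, then force-move
# latest-release to it.
tag:
	git tag --sign $(GITTAG) refs/heads/master
	git tag -f latest-release $(GITTAG)

# Release tarball of the tagged tree.
# NOTE(review): the "commit" file records HEAD (git log -1), which differs
# from the tagged commit when HEAD is not at master - confirm the intent.
archive: tag
	@set -e; \
	top="$$PWD"; \
	work="$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX")"; \
	trap 'rm -rf "$$work"' EXIT; \
	mkdir "$$work/shim-$(VERSION)"; \
	git archive --format=tar $(GITTAG) | tar -x -C "$$work/shim-$(VERSION)"; \
	git log -1 --pretty=format:%H > "$$work/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$top/shim-$(VERSION).tar.bz2" -C "$$work" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"
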
# Hand the toolchain selection and the gnu-efi header location to the
# sub-makes, which receive them through the environment.
export ARCH
export CC
export LD
export OBJCOPY
export EFI_INCLUDE