]> git.proxmox.com Git - efi-boot-shim.git/blob - Makefile
projects / efi-boot-shim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
make tag: always tag latest-release as well
[efi-boot-shim.git] / Makefile
1 VERSION = 11
2 RELEASE :=
3 ifneq ($(RELEASE),"")
4 RELEASE:="-$(RELEASE)"
5 endif
6
7 CC = $(CROSS_COMPILE)gcc
8 LD = $(CROSS_COMPILE)ld
9 OBJCOPY = $(CROSS_COMPILE)objcopy
10
11 ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
12 OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
13
14 SUBDIRS = Cryptlib lib
15
16 EFI_INCLUDE := /usr/include/efi
17 EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include
18
19 LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
20 EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
21
22 EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
23 EFI_LDS = elf_$(ARCH)_efi.lds
24
25 DEFAULT_LOADER := \\\\grub.efi
26 CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
27 -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
28 -Werror=sign-compare -ffreestanding -std=gnu89 \
29 -I$(shell $(CC) -print-file-name=include) \
30 "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
31 "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
32 $(EFI_INCLUDES)
33 SHIMNAME = shim
34 MMNAME = MokManager
35 FBNAME = fallback
36
37 COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
38
39 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
40 CFLAGS += -DOVERRIDE_SECURITY_POLICY
41 endif
42
43 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
44 CFLAGS += -DENABLE_HTTPBOOT
45 endif
46
47 ifeq ($(ARCH),x86_64)
48 CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
49 -maccumulate-outgoing-args \
50 -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
51 -DNO_BUILTIN_VA_FUNCS \
52 -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
53 "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
54 MMNAME = mmx64
55 FBNAME = fbx64
56 SHIMNAME= shimx64
57 EFI_PATH:=/usr/lib64/gnuefi
58 LIB_PATH:=/usr/lib64
59
60 endif
61 ifeq ($(ARCH),ia32)
62 CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
63 -maccumulate-outgoing-args -m32 \
64 -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \
65 "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
66 MMNAME = mmia32
67 FBNAME = fbia32
68 SHIMNAME= shimia32
69 EFI_PATH:=/usr/lib/gnuefi
70 LIB_PATH:=/usr/lib
71 endif
72 ifeq ($(ARCH),aarch64)
73 CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \
74 "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
75 MMNAME = mmaa64
76 FBNAME = fbaa64
77 SHIMNAME= shimaa64
78 EFI_PATH:=/usr/lib64/gnuefi
79 LIB_PATH:=/usr/lib64
80 endif
81
82 ifneq ($(origin VENDOR_CERT_FILE), undefined)
83 CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
84 endif
85 ifneq ($(origin VENDOR_DBX_FILE), undefined)
86 CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
87 endif
88
89 LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
90
91 TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
92 OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
93 KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
94 SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
95 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
96 MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
97 FALLBACK_OBJS = fallback.o
98 FALLBACK_SRCS = fallback.c
99
100 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
101 OBJS += httpboot.o
102 SOURCES += httpboot.c httpboot.h
103 endif
104
105 all: $(TARGET)
106
107 shim.crt:
108 ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
109
110 shim.cer: shim.crt
111 openssl x509 -outform der -in $< -out $@
112
113 shim_cert.h: shim.cer
114 echo "static UINT8 shim_cert[] = {" > $@
115 hexdump -v -e '1/1 "0x%02x, "' $< >> $@
116 echo "};" >> $@
117
118 version.c : version.c.in
119 sed -e "s,@@VERSION@@,$(VERSION)," \
120 -e "s,@@UNAME@@,$(shell uname -a)," \
121 -e "s,@@COMMIT@@,$(COMMITID)," \
122 < version.c.in > version.c
123
124 certdb/secmod.db: shim.crt
125 -mkdir certdb
126 pk12util -d certdb/ -i shim.p12 -W "" -K ""
127 certutil -d certdb/ -A -i shim.crt -n shim -t u
128
129 shim.o: $(SOURCES) shim_cert.h
130 shim.o: $(wildcard *.h)
131
132 cert.o : cert.S
133 $(CC) $(CFLAGS) -c -o $@ $<
134
135 $(SHIMNAME).so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
136 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
137
138 fallback.o: $(FALLBACK_SRCS)
139
140 $(FBNAME).so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
141 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
142
143 MokManager.o: $(MOK_SOURCES)
144
145 $(MMNAME).so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
146 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
147
148 Cryptlib/libcryptlib.a:
149 $(MAKE) -C Cryptlib
150
151 Cryptlib/OpenSSL/libopenssl.a:
152 $(MAKE) -C Cryptlib/OpenSSL
153
154 lib/lib.a:
155 $(MAKE) CFLAGS="$(CFLAGS)" -C lib
156
157 ifeq ($(ARCH),aarch64)
158 FORMAT := -O binary
159 SUBSYSTEM := 0xa
160 LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
161 endif
162
163 ifeq ($(ARCH),arm)
164 FORMAT := -O binary
165 SUBSYSTEM := 0xa
166 LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
167 endif
168
169 FORMAT ?= --target efi-app-$(ARCH)
170
171 %.efi: %.so
172 ifneq ($(OBJCOPY_GTE224),1)
173 $(error objcopy >= 2.24 is required)
174 endif
175 $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
176 -j .dynamic -j .dynsym -j .rel* \
177 -j .rela* -j .reloc -j .eh_frame \
178 -j .vendor_cert \
179 $(FORMAT) $^ $@
180 $(OBJCOPY) -j .text -j .sdata -j .data \
181 -j .dynamic -j .dynsym -j .rel* \
182 -j .rela* -j .reloc -j .eh_frame \
183 -j .debug_info -j .debug_abbrev -j .debug_aranges \
184 -j .debug_line -j .debug_str -j .debug_ranges \
185 -j .note.gnu.build-id \
186 $(FORMAT) $^ $@.debug
187
188 %.efi.signed: %.efi certdb/secmod.db
189 pesign -n certdb -i $< -c "shim" -s -o $@ -f
190
191 clean:
192 $(MAKE) -C Cryptlib clean
193 $(MAKE) -C Cryptlib/OpenSSL clean
194 $(MAKE) -C lib clean
195 rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
196 rm -f *.debug *.so *.efi *.tar.* version.c
197
198 GITTAG = $(VERSION)
199
200 test-archive:
201 @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
202 @mkdir -p /tmp/shim-$(VERSION)-tmp
203 @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
204 @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
205 @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
206 @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
207 @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
208 @rm -rf /tmp/shim-$(VERSION)
209 @echo "The archive is in shim-$(VERSION).tar.bz2"
210
211 tag:
212 git tag --sign $(GITTAG) refs/heads/master
213 git tag -f latest-release $(GITTAG)
214
215 archive: tag
216 @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
217 @mkdir -p /tmp/shim-$(VERSION)-tmp
218 @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
219 @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
220 @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
221 @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
222 @rm -rf /tmp/shim-$(VERSION)
223 @echo "The archive is in shim-$(VERSION).tar.bz2"
224
225 export ARCH CC LD OBJCOPY EFI_INCLUDE
shim, a first-stage UEFI bootloader adapted for Proxmox projects