5 ifneq ($(origin RELEASE
),undefined
)
6 DASHRELEASE ?
= -$(RELEASE
)
12 TOPDIR ?
= $(shell pwd
)
15 override TOPDIR
:= $(shell pwd
)
17 override TOPDIR
:= $(abspath
$(TOPDIR
))
20 include $(TOPDIR
)/Make.defaults
21 include $(TOPDIR
)/Make.rules
22 include $(TOPDIR
)/Make.coverity
23 include $(TOPDIR
)/Make.scan-build
26 TARGETS
+= $(SHIMNAME
).debug
$(MMNAME
).debug
$(FBNAME
).debug
27 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
28 TARGETS
+= $(SHIMHASHNAME
)
30 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
31 TARGETS
+= $(MMNAME
).signed
$(FBNAME
).signed
32 CFLAGS
+= -DENABLE_SHIM_CERT
34 TARGETS
+= $(MMNAME
) $(FBNAME
)
# --- shim image -----------------------------------------------------------
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c \
               shim.h version.h $(wildcard include/*.h)

# --- MokManager image -----------------------------------------------------
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h \
                   $(wildcard include/*.h)

# --- fallback image -------------------------------------------------------
FALLBACK_OBJS = fallback.o tpm.o errlog.o
ORIG_FALLBACK_SRCS = fallback.c

# Certificate and key artifacts that live in the build directory.  The list
# includes signing-key material (shim.key, and the shim.p12 bundle imported
# by the certdb rule), so the build tree itself has to be treated as
# sensitive while these files exist.  The clean recipe in this file passes
# $(KEYS) to rm.  The ocsp.* and ca.* entries are shell globs, expanded only
# when a recipe uses the variable.
KEYS = shim_cert.h ocsp.* ca.* \
       shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
44 ifneq ($(origin ENABLE_HTTPBOOT
), undefined
)
46 SOURCES
+= httpboot.c
include/httpboot.h
# Source lists with every ORIG_* entry prefixed by $(TOPDIR)/, so the paths
# resolve when building outside the source tree.  version.c is generated in
# the build directory and therefore carries no prefix.
# NOTE(review): this is a plain "=" assignment, so anything appended to
# SOURCES earlier in the file (the ENABLE_HTTPBOOT branch uses "+=") is
# replaced here rather than kept -- confirm that is intended.
SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_SOURCES)) version.c
MOK_SOURCES = $(addprefix $(TOPDIR)/,$(ORIG_MOK_SOURCES))
FALLBACK_SRCS = $(addprefix $(TOPDIR)/,$(ORIG_FALLBACK_SRCS))
56 $(TOPDIR
)/make-certs shim shim@xn--u4h.net
all codesign
1.3.6.1.4.1.311.10.3.1 </dev
/null
59 $(OPENSSL
) x509
-outform der
-in
$< -out
$@
61 .NOTPARALLEL
: shim_cert.h
63 echo
"static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
64 $(HEXDUMP
) -v
-e
'1/1 "0x%02x, "' $< >> $@
67 version.c
: $(TOPDIR
)/version.c.in
68 sed
-e
"s,@@VERSION@@,$(VERSION)," \
69 -e
"s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
70 -e
"s,@@COMMIT@@,$(COMMIT_ID)," \
# Populate the NSS database in certdb/ that the pesign-based %.efi.signed
# rule reads: import the key pair from shim.p12, then add shim.crt under the
# nickname "shim" with the "u" trust flag.
#
# -W "" and -K "" give an empty password for the PKCS#12 file and for the
# NSS key database, so the private key is protected only by the filesystem
# permissions of the build tree.  That suits a throwaway key generated for
# the build; NOTE(review): confirm no long-lived signing key is ever routed
# through this rule.
#
# NOTE(review): the listing jumps from source line 73 to 75 here, so one
# recipe line of this rule is not shown.
certdb/secmod.db: shim.crt
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
79 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
# Any header at the top of the source tree is a prerequisite of shim.o.
shim.o: $(wildcard $(TOPDIR)/*.h)

# cert.o is assembled from cert.S through the compiler driver, with the same
# CFLAGS as the C objects.
cert.o: $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c $< -o $@

# Each of these three targets depends on the matching *SONAME target.  The
# recipe that turns one into the other is not part of these lines.
$(SHIMNAME): $(SHIMSONAME)
$(MMNAME): $(MMSONAME)
$(FBNAME): $(FBSONAME)
# Link the shim shared object from its objects plus the three static
# libraries built by the sub-makes.  $^ expands to the prerequisites in the
# order listed, so the archives follow the objects on the linker command
# line and $(EFI_LIBS) comes last.
$(SHIMSONAME): $(OBJS) \
               Cryptlib/libcryptlib.a \
               Cryptlib/OpenSSL/libopenssl.a \
               lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
# fallback.o is rebuilt when any file in FALLBACK_SRCS changes.
fallback.o: $(FALLBACK_SRCS)

# Link the fallback shared object; same library set and link order as the
# shim shared object.
$(FBSONAME): $(FALLBACK_OBJS) \
             Cryptlib/libcryptlib.a \
             Cryptlib/OpenSSL/libopenssl.a \
             lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
# MokManager.o is rebuilt when any file in MOK_SOURCES changes.
MokManager.o: $(MOK_SOURCES)

# Link the MokManager shared object.  lib/lib.a is already part of $^ and is
# named once more after $(EFI_LIBS); presumably this lets the linker search
# the archive a second time for symbols -- confirm before removing it.
$(MMSONAME): $(MOK_OBJS) \
             Cryptlib/libcryptlib.a \
             Cryptlib/OpenSSL/libopenssl.a \
             lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
# Build the Cryptlib archive with a sub-make run inside the build-tree
# Cryptlib/ directory, using the Makefile from the source tree.  The output
# subdirectories are created first so the sub-make has somewhere to write
# its objects.
#
# The rule has no prerequisites, so make runs it only while the archive is
# missing.  After the Cryptlib sources change, an existing archive is not
# rebuilt from this rule; run the clean target first.
Cryptlib/libcryptlib.a:
	mkdir -p $(addprefix Cryptlib/,Hash Hmac Cipher Rand Pk Pem SysCall)
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile \
		VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib
# Build the bundled OpenSSL archive with a sub-make run inside the build-tree
# Cryptlib/OpenSSL/ directory.  One output directory is created per crypto
# subdirectory before the sub-make starts.
#
# As with the Cryptlib archive, there are no prerequisites: once the archive
# exists this rule does not run again, so a changed OpenSSL source file is
# picked up only after a clean.
Cryptlib/OpenSSL/libopenssl.a:
	mkdir -p $(addprefix Cryptlib/OpenSSL/crypto/,x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes)
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile \
		VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL
# Build lib/lib.a with a sub-make, forwarding this makefile's CFLAGS.
# Everything after "|" is an order-only prerequisite: the lib Makefile and
# the include/ sources must exist, but a newer timestamp on them does not by
# itself cause this rule to run again.
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	test -d lib || mkdir lib
	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile \
		VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" lib.a
# Compile the buildid helper, which the install-debuginfo recipe runs as
# ./buildid.  It links against libelf.  -Werror together with -Wall -Wextra
# makes any compiler warning fail the build of this tool.
buildid: $(TOPDIR)/buildid.c
	$(CC) -Wall -Wextra -Werror -Og -g3 -o $@ $< -lelf
121 @echo
"$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv
-t UCS-2LE
> $@
124 ifeq ($(origin LIBDIR
),undefined
)
125 $(error Architecture
$(ARCH
) is not a supported build target.
)
127 ifeq ($(origin EFIDIR
),undefined
)
128 $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name
)
# Everything the install targets need built first: the main targets, the
# three .debug files, the buildid helper and the boot CSV file.
install-deps: $(TARGETS) \
              $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid \
              $(BOOTCSVNAME)
135 install-debugsource
: install-deps
136 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)
137 find
$(TOPDIR
) -type f
-a
'(' -iname
'*.c' -o
-iname
'*.h' -o
-iname
'*.S' ')' | while read file
; do \
138 outfile
=$$(echo
$${file} | sed
-e
"s,^$(TOPDIR),,") ; \
139 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$$(dirname
$${outfile}) ; \
140 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGSOURCE
)/$(PKGNAME
)-$(VERSION
)$(DASHRELEASE
)/$${outfile} ; \
143 install-debuginfo
: install-deps
144 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
145 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
)/
146 @.
/buildid
$(wildcard *.efi.debug
) | while read file buildid
; do \
147 first
=$$(echo
$${buildid} | cut
-b
-2) ; \
148 rest
=$$(echo
$${buildid} | cut
-b
3-) ; \
149 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/ ;\
150 $(INSTALL
) -m
0644 $${file} $(DESTDIR
)/$(DEBUGINFO
)$(TARGETDIR
) ; \
151 ln
-s ..
/..
/..
/..
/..
$(DEBUGINFO
)$(TARGETDIR
)$${file} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest}.debug
;\
152 ln
-s ..
/..
/..
/.build-id
/$${first}/$${rest} $(DESTDIR
)/$(DEBUGINFO
).build-id
/$${first}/$${rest} ;\
155 install : | install-check
156 install : install-deps install-debuginfo install-debugsource
157 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/
158 $(INSTALL
) -d
-m
0700 $(DESTDIR
)/$(ESPROOTDIR
)
159 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(EFIBOOTDIR
)
160 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(TARGETDIR
)
161 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/$(BOOTEFINAME
)
162 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
163 $(INSTALL
) -m
0644 $(BOOTCSVNAME
) $(DESTDIR
)/$(TARGETDIR
)/
164 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
165 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(FBNAME
)
166 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(EFIBOOTDIR
)/$(MMNAME
)
167 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(TARGETDIR
)/$(MMNAME
)
169 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
170 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(EFIBOOTDIR
)/
171 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(TARGETDIR
)/
174 install-as-data
: install-deps
175 $(INSTALL
) -d
-m
0755 $(DESTDIR
)/$(DATATARGETDIR
)
176 $(INSTALL
) -m
0644 $(SHIMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
177 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
178 $(INSTALL
) -m
0644 $(SHIMHASHNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/
180 ifneq ($(origin ENABLE_SHIM_CERT
),undefined
)
181 $(INSTALL
) -m
0644 $(MMNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
182 $(INSTALL
) -m
0644 $(FBNAME
).signed
$(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
184 $(INSTALL
) -m
0644 $(MMNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(MMNAME
)
185 $(INSTALL
) -m
0644 $(FBNAME
) $(DESTDIR
)/$(DATATARGETDIR
)/$(FBNAME
)
189 ifneq ($(OBJCOPY_GTE224
),1)
190 $(error objcopy
>= 2.24 is required
)
192 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data
-j .data.ident \
193 -j .dynamic
-j .dynsym
-j .rel
* \
194 -j .rela
* -j .reloc
-j .eh_frame \
197 # I am tired of wasting my time fighting binutils timestamp code.
198 dd conv
=notrunc bs
=1 count
=4 seek
=$(TIMESTAMP_LOCATION
) if
=/dev
/zero of
=$@
200 ifneq ($(origin ENABLE_SHIM_HASH
),undefined
)
202 $(PESIGN
) -i
$< -P
-h
> $@
206 ifneq ($(OBJCOPY_GTE224
),1)
207 $(error objcopy
>= 2.24 is required
)
209 $(OBJCOPY
) -D
-j .text
-j .sdata
-j .data \
210 -j .dynamic
-j .dynsym
-j .rel
* \
211 -j .rela
* -j .reloc
-j .eh_frame \
212 -j .debug_info
-j .debug_abbrev
-j .debug_aranges \
213 -j .debug_line
-j .debug_str
-j .debug_ranges \
214 -j .note.gnu.build-id \
217 ifneq ($(origin ENABLE_SBSIGN
),undefined
)
# Sign an EFI binary with sbsign.  The key and certificate are read as plain
# files from the build directory (shim.key, shim.crt), so anyone who can read
# the build tree can read the signing key.
%.efi.signed: %.efi shim.key shim.crt
	$(SBSIGN) \
		--key shim.key \
		--cert shim.crt \
		--output $@ $<
# Sign an EFI binary with pesign, using the certificate nicknamed "shim" in
# the NSS database under certdb/ (populated by the certdb/secmod.db rule).
# -f lets pesign overwrite an existing output file.
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb \
		-i $< \
		-c "shim" -s \
		-o $@ -f
226 $(MAKE
) -C lib
-f
$(TOPDIR
)/lib
/Makefile
clean
227 @
rm -rvf
$(TARGET
) *.o
$(SHIM_OBJS
) $(MOK_OBJS
) $(FALLBACK_OBJS
) $(KEYS
) certdb
$(BOOTCSVNAME
)
228 @
rm -vf
*.debug
*.so
*.efi
*.efi.
* *.
tar.
* version.c buildid
229 @
rm -vf Cryptlib
/*.
[oa
] Cryptlib
/*/*.
[oa
]
230 @if
[ -d .git
] ; then git
clean -f
-d
-e
'Cryptlib/OpenSSL/*'; fi
# Full clean: run clean-shim-objs for this directory first, then the clean
# target of the Cryptlib and Cryptlib/OpenSSL sub-makes.  Each sub-make runs
# in the build-tree directory (-C) with the Makefile taken from the source
# tree (-f $(TOPDIR)/...).
clean: clean-shim-objs
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
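# Recipe that packs the current branch, plus any uncommitted changes, into
# shim-$(VERSION).tar.bz2 in the directory make was run from.  (The rule
# header for this recipe is not part of this listing.)
#
# The tree is staged in a private directory from mktemp(1) instead of a fixed
# /tmp/shim-$(VERSION) path.  /tmp is shared and world-writable: with a
# predictable name, another local account on the build host could create or
# swap the staging directory between the cleanup and the extraction, and so
# influence what goes into the tarball.  mktemp -d creates a fresh directory
# that only the invoking user can access.
#
# The whole job runs in one shell so the staging path and the EXIT trap that
# removes it are shared by every step; set -e stops at the first failing
# command.
	@set -e; \
	outdir=$$PWD; \
	scratch=$$(mktemp -d); \
	trap 'rm -rf "$$scratch"' EXIT; \
	mkdir "$$scratch/shim-$(VERSION)"; \
	git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | \
		tar -x -C "$$scratch/shim-$(VERSION)"; \
	git diff | ( cd "$$scratch/shim-$(VERSION)" && patch -s -p1 -b -z .gitdiff ); \
	git log -1 --pretty=format:%H > "$$scratch/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$outdir/shim-$(VERSION).tar.bz2" -C "$$scratch" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"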
250 git tag
--sign
$(GITTAG
) refs
/heads
/master
251 git tag
-f latest-release
$(GITTAG
)
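# Recipe that packs the tree at $(GITTAG) into shim-$(VERSION).tar.bz2 in the
# directory make was run from, and records the current commit hash in a file
# named "commit" inside the archive.  (The rule header for this recipe is not
# part of this listing.)
#
# The tree is staged in a private directory from mktemp(1) instead of a fixed
# /tmp/shim-$(VERSION) path.  /tmp is shared and world-writable: with a
# predictable name, another local account on the build host could create or
# swap the staging directory between the cleanup and the extraction, and so
# influence the contents of the release tarball.  mktemp -d creates a fresh
# directory that only the invoking user can access.
#
# The whole job runs in one shell so the staging path and the EXIT trap that
# removes it are shared by every step; set -e stops at the first failing
# command.
	@set -e; \
	outdir=$$PWD; \
	scratch=$$(mktemp -d); \
	trap 'rm -rf "$$scratch"' EXIT; \
	mkdir "$$scratch/shim-$(VERSION)"; \
	git archive --format=tar $(GITTAG) | \
		tar -x -C "$$scratch/shim-$(VERSION)"; \
	git log -1 --pretty=format:%H > "$$scratch/shim-$(VERSION)/commit"; \
	tar -c --bzip2 -f "$$outdir/shim-$(VERSION).tar.bz2" -C "$$scratch" shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"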
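# Targets that are commands rather than files.  Declaring them phony keeps a
# stray file called "clean" or "install" in the build directory from silently
# turning the target into a no-op.
# shim.key is listed too, so make always treats the key as out of date.
# NOTE(review): that looks deliberate (a new key for each build that needs
# one) -- confirm before removing it.
.PHONY: install-deps shim.key \
        clean install install-as-data install-debuginfo install-debugsource

# Make the toolchain selection visible to the sub-makes run from this file.
export ARCH CC LD OBJCOPY EFI_INCLUDE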