]> git.proxmox.com Git - efi-boot-shim.git/blob - Makefile
projects / efi-boot-shim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix some mokmanager deletion paths
[efi-boot-shim.git] / Makefile
1 default : all
2
3 NAME = shim
4 VERSION = 15
5 ifneq ($(origin RELEASE),undefined)
6 DASHRELEASE ?= -$(RELEASE)
7 else
8 DASHRELEASE ?=
9 endif
10
11 ifeq ($(MAKELEVEL),0)
12 TOPDIR ?= $(shell pwd)
13 endif
14 ifeq ($(TOPDIR),)
15 override TOPDIR := $(shell pwd)
16 endif
17 override TOPDIR := $(abspath $(TOPDIR))
18 VPATH = $(TOPDIR)
19
20 include $(TOPDIR)/Make.defaults
21 include $(TOPDIR)/Make.rules
22 include $(TOPDIR)/Make.coverity
23 include $(TOPDIR)/Make.scan-build
24
25 TARGETS = $(SHIMNAME)
26 TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
27 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
28 TARGETS += $(SHIMHASHNAME)
29 endif
30 ifneq ($(origin ENABLE_SHIM_CERT),undefined)
31 TARGETS += $(MMNAME).signed $(FBNAME).signed
32 CFLAGS += -DENABLE_SHIM_CERT
33 else
34 TARGETS += $(MMNAME) $(FBNAME)
35 endif
36 OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
37 KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
38 ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
39 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o
40 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
41 FALLBACK_OBJS = fallback.o tpm.o errlog.o
42 ORIG_FALLBACK_SRCS = fallback.c
43
44 ifneq ($(origin ENABLE_HTTPBOOT), undefined)
45 OBJS += httpboot.o
46 SOURCES += httpboot.c include/httpboot.h
47 endif
48
49 SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
50 MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
51 FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
52
53 all: $(TARGETS)
54
55 shim.crt:
56 $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
57
58 shim.cer: shim.crt
59 $(OPENSSL) x509 -outform der -in $< -out $@
60
61 .NOTPARALLEL: shim_cert.h
62 shim_cert.h: shim.cer
63 echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
64 $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
65 echo "};" >> $@
66
67 version.c : $(TOPDIR)/version.c.in
68 sed -e "s,@@VERSION@@,$(VERSION)," \
69 -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
70 -e "s,@@COMMIT@@,$(COMMIT_ID)," \
71 < $< > $@
72
73 certdb/secmod.db: shim.crt
74 -mkdir certdb
75 $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
76 $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
77
78 shim.o: $(SOURCES)
79 ifneq ($(origin ENABLE_SHIM_CERT),undefined)
80 shim.o: shim_cert.h
81 endif
82 shim.o: $(wildcard $(TOPDIR)/*.h)
83
84 cert.o : $(TOPDIR)/cert.S
85 $(CC) $(CFLAGS) -c -o $@ $<
86
87 $(SHIMNAME) : $(SHIMSONAME)
88 $(MMNAME) : $(MMSONAME)
89 $(FBNAME) : $(FBSONAME)
90
91 $(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
92 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
93
94 fallback.o: $(FALLBACK_SRCS)
95
96 $(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
97 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
98
99 MokManager.o: $(MOK_SOURCES)
100
101 $(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
102 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
103
104 Cryptlib/libcryptlib.a:
105 for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
106 $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
107
108 Cryptlib/OpenSSL/libopenssl.a:
109 for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
110 $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
111
112 lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
113 if [ ! -d lib ]; then mkdir lib ; fi
114 $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a
115
116 buildid : $(TOPDIR)/buildid.c
117 $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
118
119 $(BOOTCSVNAME) :
120 @echo Making $@
121 @echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@
122
123 install-check :
124 ifeq ($(origin LIBDIR),undefined)
125 $(error Architecture $(ARCH) is not a supported build target.)
126 endif
127 ifeq ($(origin EFIDIR),undefined)
128 $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
129 endif
130
131 install-deps : $(TARGETS)
132 install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
133 install-deps : $(BOOTCSVNAME)
134
135 install-debugsource : install-deps
136 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
137 find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
138 outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
139 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
140 $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
141 done
142
143 install-debuginfo : install-deps
144 $(INSTALL) -d -m 0755 $(DESTDIR)/
145 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
146 @./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
147 first=$$(echo $${buildid} | cut -b -2) ; \
148 rest=$$(echo $${buildid} | cut -b 3-) ; \
149 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
150 $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
151 ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
152 ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
153 done
154
155 install : | install-check
156 install : install-deps install-debuginfo install-debugsource
157 $(INSTALL) -d -m 0755 $(DESTDIR)/
158 $(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
159 $(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
160 $(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
161 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
162 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
163 $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
164 ifneq ($(origin ENABLE_SHIM_CERT),undefined)
165 $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
166 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
167 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
168 else
169 $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
170 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
171 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
172 endif
173
174 install-as-data : install-deps
175 $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
176 $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
177 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
178 $(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
179 endif
180 ifneq ($(origin ENABLE_SHIM_CERT),undefined)
181 $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
182 $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
183 else
184 $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
185 $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
186 endif
187
188 %.efi: %.so
189 ifneq ($(OBJCOPY_GTE224),1)
190 $(error objcopy >= 2.24 is required)
191 endif
192 $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
193 -j .dynamic -j .dynsym -j .rel* \
194 -j .rela* -j .reloc -j .eh_frame \
195 -j .vendor_cert \
196 $(FORMAT) $^ $@
197 # I am tired of wasting my time fighting binutils timestamp code.
198 dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
199
200 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
201 %.hash : %.efi
202 $(PESIGN) -i $< -P -h > $@
203 endif
204
205 %.efi.debug : %.so
206 ifneq ($(OBJCOPY_GTE224),1)
207 $(error objcopy >= 2.24 is required)
208 endif
209 $(OBJCOPY) -D -j .text -j .sdata -j .data \
210 -j .dynamic -j .dynsym -j .rel* \
211 -j .rela* -j .reloc -j .eh_frame \
212 -j .debug_info -j .debug_abbrev -j .debug_aranges \
213 -j .debug_line -j .debug_str -j .debug_ranges \
214 -j .note.gnu.build-id \
215 $^ $@
216
217 ifneq ($(origin ENABLE_SBSIGN),undefined)
218 %.efi.signed: %.efi shim.key shim.crt
219 $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
220 else
221 %.efi.signed: %.efi certdb/secmod.db
222 $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
223 endif
224
225 clean-shim-objs:
226 $(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
227 @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
228 @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
229 @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
230 @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
231
232 clean: clean-shim-objs
233 $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
234 $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
235
236 GITTAG = $(VERSION)
237
238 test-archive:
239 @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
240 @mkdir -p /tmp/shim-$(VERSION)-tmp
241 @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
242 @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
243 @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
244 @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
245 @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
246 @rm -rf /tmp/shim-$(VERSION)
247 @echo "The archive is in shim-$(VERSION).tar.bz2"
248
249 tag:
250 git tag --sign $(GITTAG) refs/heads/master
251 git tag -f latest-release $(GITTAG)
252
253 archive: tag
254 @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
255 @mkdir -p /tmp/shim-$(VERSION)-tmp
256 @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
257 @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
258 @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
259 @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
260 @rm -rf /tmp/shim-$(VERSION)
261 @echo "The archive is in shim-$(VERSION).tar.bz2"
262
263 .PHONY : install-deps shim.key
264
265 export ARCH CC LD OBJCOPY EFI_INCLUDE
shim, a first-stage UEFI bootloader adapted for Proxmox projects