# Upstream shim release number.  RELEASE (from the environment or the make
# command line) is appended as "-$(RELEASE)" to the versioned install paths.
VERSION = 12
# $(origin) distinguishes "unset" from "set but empty": a RELEASE that is
# defined as the empty string still produces a lone "-" suffix, so leave it
# entirely unset to get no suffix at all.
ifneq ($(origin RELEASE),undefined)
DASHRELEASE ?= -$(RELEASE)
else
DASHRELEASE ?=
endif
7
# Root of the source tree.  Only the outermost make derives it from the
# current directory; the recursive makes for Cryptlib/ and lib/ below are
# handed TOPDIR explicitly on their command lines.  `override` pins the
# absolute form even when TOPDIR came from the command line.
ifeq ($(MAKELEVEL),0)
TOPDIR ?= $(shell pwd)
endif
override TOPDIR := $(abspath $(TOPDIR))
# Let prerequisites named without a path (shim.c, cert.S, ...) be found in
# the source tree, so the build directory may differ from TOPDIR.
VPATH = $(TOPDIR)
13
# Toolchain.  CROSS_COMPILE (e.g. aarch64-linux-gnu-) is prefixed to the
# compiler/binutils names; the certificate and signing tools are only used
# by the ENABLE_SHIM_CERT / ENABLE_SHIM_HASH paths.
CC = $(CROSS_COMPILE)gcc
LD = $(CROSS_COMPILE)ld
OBJCOPY = $(CROSS_COMPILE)objcopy
OPENSSL ?= openssl
HEXDUMP ?= hexdump
INSTALL ?= install
PK12UTIL ?= pk12util
CERTUTIL ?= certutil
PESIGN ?= pesign
SBSIGN ?= sbsign
# Install layout.  ESPROOTDIR/EFIBOOTDIR/TARGETDIR are relative paths under
# DESTDIR (a staged copy of the EFI System Partition).  EFIDIR -- the
# vendor's reserved subdirectory name on the ESP -- has no default and is
# enforced by install-check.  ARCH_SUFFIX is only set in the per-architecture
# blocks further down; these definitions are recursively expanded, so that
# still works.
prefix ?= /usr
prefix := $(abspath $(prefix))
datadir ?= $(prefix)/share/
PKGNAME ?= shim
ESPROOTDIR ?= boot/efi/
EFIBOOTDIR ?= $(ESPROOTDIR)EFI/BOOT/
TARGETDIR ?= $(ESPROOTDIR)EFI/$(EFIDIR)/
DATATARGETDIR ?= $(datadir)/$(PKGNAME)/$(VERSION)$(DASHRELEASE)/$(ARCH_SUFFIX)/
DEBUGINFO ?= $(prefix)/lib/debug/
DEBUGSOURCE ?= $(prefix)/src/debug/
OSLABEL ?= $(EFIDIR)
# Second-stage loader that shim boots by default (compiled in via CFLAGS as
# both a wide and a narrow string).  Four backslashes here survive the
# shell's double-quote processing in the -D flag as two, i.e. the C escape
# for a single literal backslash, giving "\grubx64.efi" at runtime --
# presumably resolved relative to shim's own directory; confirm in shim.c.
DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
36
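# Target architecture, derived from the (cross) compiler's triplet unless
# given explicitly; i386..i986 are mapped to gnu-efi's "ia32".  Assigned
# with := inside an origin check -- the same "only if unset" semantics as ?=
# -- so the compiler is spawned once instead of on every one of the many
# $(ARCH) references below (?= is always recursively expanded).
ifeq ($(origin ARCH),undefined)
ARCH := $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
endif
# 1 when `objcopy --version` reports at least 2.24, the minimum the %.efi
# rules enforce.  Simply expanded: the ifneq checks in those rules expand it
# at parse time anyway, and the recursive form ran objcopy once per
# expansion.  expr compares the two dotted fields as strings, which is
# correct as long as binutils' minor version stays two digits.
OBJCOPY_GTE224 := $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)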
39
# Not referenced anywhere else in this Makefile; probably vestigial.
SUBDIRS = $(TOPDIR)/Cryptlib $(TOPDIR)/lib

# Header search path for a freestanding build: -nostdinc keeps the host
# libc headers out entirely.  EFI_INCLUDE is simply expanded, so it can only
# be changed on the command line, not from the environment.  The trailing
# -iquote $(shell pwd) forks a shell every time EFI_INCLUDES is expanded
# (i.e. per compile); presumably it is there so generated files such as
# version.c are found in an out-of-tree build directory.
EFI_INCLUDE := /usr/include/efi
EFI_INCLUDES = -nostdinc -I$(TOPDIR)/Cryptlib -I$(TOPDIR)/Cryptlib/Include \
	-I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol \
	-I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(shell pwd)

# Link inputs.  libgcc supplies the helper routines gcc may emit calls to;
# --start-group/--end-group lets the two crypto archives resolve each
# other's symbols regardless of order.  The archive paths are relative to
# the build directory, where the Cryptlib rules below create them.
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)

# gnu-efi's per-architecture PE entry stub and the linker script shipped in
# the source tree.
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds
52
# Compiler flags for a freestanding UEFI image, built -O0 -ggdb throughout.
# -fno-stack-protector is a requirement here rather than a weakening: the
# image is linked -nostdlib (see LDFLAGS), so no canary runtime would be
# present to back the instrumentation.  -ffreestanding/-fno-builtin stop gcc
# from assuming libc semantics; -fshort-wchar matches UEFI's 16-bit CHAR16;
# -fpic together with the -shared link yields a relocatable image.
# DEFAULT_LOADER is compiled in twice, as L"" and as a plain string.
# Note that the mandatory flags live in CFLAGS itself, so a command-line
# `make CFLAGS=...` replaces them instead of adding to them.
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
	-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
	-Werror=sign-compare -ffreestanding -std=gnu89 \
	-I$(shell $(CC) -print-file-name=include) \
	"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
	"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
	$(EFI_INCLUDES)
60
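# Commit hash that version.c embeds: taken from git when building inside a
# checkout, otherwise from the `commit` file the archive targets write into
# the release tarball, otherwise a placeholder.  Both are looked up under
# TOPDIR rather than the current directory so out-of-tree (VPATH) builds
# find them too; `-e` instead of `-d` also accepts the .git *file* that a
# git worktree has.
COMMITID ?= $(shell if [ -e "$(TOPDIR)/.git" ] ; then cd "$(TOPDIR)" && git log -1 --pretty=format:%H ; elif [ -f "$(TOPDIR)/commit" ]; then cat "$(TOPDIR)/commit" ; else echo commit id not available; fi)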
62
# Security-sensitive build knob.  Its only effect here is the -D; the C code
# it enables is not visible in this file but, going by the name, presumably
# lets the verification policy be overridden at runtime -- confirm in the
# sources.  Treat it as a debugging aid and never set it for a build that
# is going to be signed or shipped.
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif

# Optional HTTP boot support (adds httpboot.c, see OBJS below).  It is
# additional network-facing code in a pre-boot binary, so enable it only
# where it is actually needed.
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
CFLAGS += -DENABLE_HTTPBOOT
endif
70
# Per-architecture settings.  An ARCH matched by none of these blocks leaves
# LIBDIR unset, which install-check reports as an unsupported target.
# MDE_CPU_* selects the EDK2-style CPU target for the bundled Cryptlib;
# PAGE_SIZE is the same on every architecture.
ifeq ($(ARCH),x86_64)
# -mno-red-zone: the usual reason is that UEFI firmware may use the stack
# below RSP (e.g. in interrupt handlers), so the SysV red zone is unsafe.
# -mno-mmx/-mno-sse keep vector registers out of generated code.  The
# MS-ABI / EFI_FUNCTION_WRAPPER defines are for calling into the firmware
# with its calling convention.
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
	-maccumulate-outgoing-args \
	-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
	-DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096
LIBDIR ?= $(prefix)/lib64
ARCH_SUFFIX ?= x64
ARCH_SUFFIX_UPPER ?= X64
ARCH_LDFLAGS ?=
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
	-maccumulate-outgoing-args -m32 \
	-DMDE_CPU_IA32 -DPAGE_SIZE=4096
LIBDIR ?= $(prefix)/lib
ARCH_SUFFIX ?= ia32
ARCH_SUFFIX_UPPER ?= IA32
ARCH_LDFLAGS ?=
endif
# ARM and AArch64: objcopy emits a raw binary (-O binary) instead of a PE
# target, and the EFI application subsystem number (0xa) is injected as a
# linker symbol, presumably consumed by the linker script / crt0 to build
# the PE header.  -mstrict-align avoids unaligned accesses that firmware
# may have left trapping.
ifeq ($(ARCH),aarch64)
CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
LIBDIR ?= $(prefix)/lib64
ARCH_SUFFIX ?= aa64
ARCH_SUFFIX_UPPER ?= AA64
FORMAT := -O binary
SUBSYSTEM := 0xa
ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
endif
ifeq ($(ARCH),arm)
CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
LIBDIR ?= $(prefix)/lib
ARCH_SUFFIX ?= arm
ARCH_SUFFIX_UPPER ?= ARM
FORMAT := -O binary
SUBSYSTEM := 0xa
ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
endif
108
# x86 goes through objcopy's PE writer; ARM/AArch64 set FORMAT to a raw
# binary in their blocks above (FORMAT := there, so this ?= is a no-op).
FORMAT ?= --target efi-app-$(ARCH)
EFI_PATH ?= $(LIBDIR)/gnuefi

# Output names: MokManager (mm*), fallback (fb*) and shim itself, each as an
# ELF .so intermediate and the final .efi, plus the removable-media names
# the firmware looks for under EFI/BOOT.
MMSTEM ?= mm$(ARCH_SUFFIX)
MMNAME = $(MMSTEM).efi
MMSONAME = $(MMSTEM).so
FBSTEM ?= fb$(ARCH_SUFFIX)
FBNAME = $(FBSTEM).efi
FBSONAME = $(FBSTEM).so
SHIMSTEM ?= shim$(ARCH_SUFFIX)
SHIMNAME = $(SHIMSTEM).efi
SHIMSONAME = $(SHIMSTEM).so
SHIMHASHNAME = $(SHIMSTEM).hash
BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV

# DEBUGDIR is hard-coded to /usr/lib/debug/usr/share/shim/<arch>-<ver>/; it
# follows neither $(DEBUGINFO) nor the directory install-debuginfo actually
# writes to ($(DEBUGINFO)$(TARGETDIR)), nor the <ver>/<arch> order that
# DATATARGETDIR uses.  What shim does with the string is not visible here,
# so check the C sources before relying on it.
CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\""
126
# Vendor trust material compiled into shim.  Only the -D defines are set
# here; cert.S (built below with the same CFLAGS) presumably .incbin's the
# files, and the %.efi rule keeps the resulting .vendor_cert section.
# Going by the names, VENDOR_CERT_FILE is the certificate shim trusts for
# the second-stage loader and VENDOR_DBX_FILE a deny list -- confirm in
# cert.S / shim.c.  Both are build-host paths, so the resulting binary is
# exactly as trustworthy as the files at those paths at compile time: pin
# and verify them in the packaging recipe.  A path containing spaces or
# double quotes would break the -D quoting.
ifneq ($(origin VENDOR_CERT_FILE), undefined)
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
ifneq ($(origin VENDOR_DBX_FILE), undefined)
CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif
133
# Link as a position-independent shared object against gnu-efi's crt0 and
# the per-architecture linker script; the %.efi rule later converts the
# .so to a PE image.  -nostdlib: nothing from the host toolchain's runtime
# is linked.  --build-id=sha1 produces the .note.gnu.build-id that
# install-debuginfo uses to file the debug side-cars.  The -L paths for the
# crypto archives are relative to the build directory.
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS)
135
# Default build products: shim plus the DWARF side-cars split out by the
# %.efi.debug rule.
TARGETS = $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
# ENABLE_SHIM_HASH additionally emits shim's PE hash (see the %.hash rule),
# e.g. for enrolling shim by hash rather than by certificate.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif
# ENABLE_SHIM_CERT: generate a certificate on this build host, compile it
# into shim (shim_cert.h; shim.o depends on it only in this case) and ship
# MokManager/fallback signed by the matching private key.  Without it the
# unsigned .efi files are built and shim_cert.h is never generated.
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS += $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
# Everything the certificate rules leave behind; removed by clean.  shim.key
# is the private key that signs MokManager/fallback -- it must not leave the
# build host or be reused for another build.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h errlog.c
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
ORIG_MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
# fallback links the same tpm.o as shim (it is in both object lists).
FALLBACK_OBJS = fallback.o tpm.o
ORIG_FALLBACK_SRCS = fallback.c
154
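# Optional HTTP boot support.  The sources are appended to ORIG_SOURCES so
# they get the same $(TOPDIR)/ prefixing as everything else and end up in
# SOURCES, i.e. in shim.o's dependency list.  The previous
# `SOURCES += httpboot.c httpboot.h` was silently discarded by the plain
# `SOURCES =` assignment that followed it, so editing httpboot.c never
# triggered a rebuild of shim.o.
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
OBJS += httpboot.o
ORIG_SOURCES += httpboot.c httpboot.h
endif

# Dependency lists as absolute paths into the source tree.  version.c is
# generated into the build directory, so it stays a relative name.
SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))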
163
# Default goal: everything in TARGETS (shim, MokManager, fallback, their
# debug side-cars, and the .signed/.hash files when the matching ENABLE_*
# knob is set).
all: $(TARGETS)
165
# Build-time certificate.  make-certs is not part of this file; going by the
# KEYS list it also writes shim.key, shim.p12, shim.csr and the ca.*/ocsp.*
# files.  Whatever it produces is a *freshly generated* key pair: with
# ENABLE_SHIM_CERT this certificate is compiled into shim and used to sign
# MokManager/fallback, so the private key must not leave the build host or
# be shared between builds.  The OID is an extended-key-usage value passed
# straight through to make-certs; </dev/null presumably keeps the script
# from waiting on a terminal.  No prerequisites: it is regenerated only when
# shim.crt is missing (e.g. after `make clean`).
shim.crt:
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
168
# DER form of the build certificate; hexdumped into shim_cert.h below.
shim.cer: shim.crt
	$(OPENSSL) x509 -in $< -outform der -out $@
171
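# Turn the DER certificate into a C byte array that shim compiles in when
# ENABLE_SHIM_CERT is set (shim.o gains a dependency on this file only in
# that case).  The header is assembled in a temporary file and renamed into
# place, so a hexdump failure cannot leave a truncated shim_cert.h that is
# newer than shim.cer and therefore never regenerated.  The exact effect of
# .NOTPARALLEL with a prerequisite list depends on the make version --
# confirm it does what is intended under -j.
.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
	{ echo "static UINT8 shim_cert[] = {" && \
	  $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< && \
	  echo "};" ; } > $@.tmp && mv -f $@.tmp $@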
177
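# The @@UNAME@@ placeholder in version.c.in is filled with `uname -a`, which
# carries the build host's hostname and kernel string into the shipped
# binary: an information leak about the build environment and a source of
# non-reproducible output.  It is now a variable so packagers can pin it
# (e.g. make BUILD_UNAME=reproducible); the default is unchanged.
BUILD_UNAME ?= $(shell uname -a)

# Generate version.c from the template, substituting version, uname and
# commit id (sed uses "," as its delimiter, so none of these may contain a
# comma).  Written via a temporary file so a failed sed does not leave an
# empty version.c that looks up to date.
version.c : $(TOPDIR)/version.c.in
	sed -e "s,@@VERSION@@,$(VERSION)," \
	    -e "s,@@UNAME@@,$(BUILD_UNAME)," \
	    -e "s,@@COMMIT@@,$(COMMITID)," \
	    < $< > $@.tmp && mv -f $@.tmp $@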
183
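# Throw-away NSS database holding the build key so pesign can sign
# MokManager/fallback (the non-sbsign branch of %.efi.signed).  shim.p12 is
# read here but is not a declared prerequisite; it is presumably written by
# make-certs together with shim.crt -- verify before relying on -j builds.
# Both the PKCS#12 file and the NSS database are protected by an empty
# password, so treat certdb/ and shim.key as sensitive until `make clean`
# removes them.  Depending on NSS's default database format the files
# created may be cert9.db/key4.db rather than secmod.db, in which case this
# target is simply re-run each time; check which applies on the build host.
# `mkdir -p` replaces `-mkdir`, which ignored every mkdir error (not just
# "already exists").
certdb/secmod.db: shim.crt
	mkdir -p certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u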
188
# shim.o has no recipe of its own -- make's implicit %.o: %.c rule builds it
# from shim.c found through VPATH.  These lines only add dependencies so
# that source and header changes trigger a rebuild.  The generated
# shim_cert.h is required (and produced) only for ENABLE_SHIM_CERT builds.
shim.o: $(SOURCES)
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
endif
shim.o: $(wildcard $(TOPDIR)/*.h)
194
# cert.S is assembled with the full CFLAGS so that the VENDOR_CERT_FILE /
# VENDOR_DBX_FILE defines reach it; the %.efi rule later preserves the
# .vendor_cert section it presumably emits.
cert.o : $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c $< -o $@
197
# Each final .efi is produced from its .so by the %.efi pattern rule below;
# these lines only tie the concrete names together.
$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME) : $(MMSONAME)
$(FBNAME) : $(FBSONAME)
201
# Link shim.  $^ carries the objects and the three static archives in the
# order listed; EFI_LIBS appends gnu-efi, the --start-group wrapper around
# the crypto archives, and libgcc.
$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# fallback.o is built by the implicit rule; this only adds the dependency.
fallback.o: $(FALLBACK_SRCS)

# Link fallback; same shape as the shim link with the fallback objects.
$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
209
# MokManager.o is built by the implicit rule; this only adds the dependency.
MokManager.o: $(MOK_SOURCES)

# Link MokManager.  lib/lib.a is listed a second time after EFI_LIBS,
# presumably so symbols the crypto archives need from lib/ resolve in one
# pass; the shim and fallback links do not do this -- verify whether the
# difference is intentional.
$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
214
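# Recursive builds of the bundled crypto code.  Neither target has
# prerequisites, so each is built only while its archive is missing;
# changes under Cryptlib/ do not rebuild it (remove the .a or `make clean`).
# The object directories must exist before the sub-make because it writes
# into them from a VPATH source tree.  The directory lists are spelled out
# in make instead of with shell brace expansion: that is a bash extension,
# and under /bin/sh (dash) `mkdir -p Cryptlib/{Hash,Hmac,...}` silently
# creates a single directory literally named "{Hash,Hmac,...}".
CRYPTLIB_OBJDIRS := Hash Hmac Cipher Rand Pk Pem SysCall
Cryptlib/libcryptlib.a:
	mkdir -p $(addprefix Cryptlib/,$(CRYPTLIB_OBJDIRS))
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile

OPENSSL_OBJDIRS := x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp \
                   objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac \
                   buffer bn bio async async/arch asn1 aes
Cryptlib/OpenSSL/libopenssl.a:
	mkdir -p $(addprefix Cryptlib/OpenSSL/crypto/,$(OPENSSL_OBJDIRS))
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile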
222
# Helper library from lib/, built only while the archive is absent (no
# prerequisites), with the top-level CFLAGS handed down explicitly.
lib/lib.a:
	mkdir -p lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile
226
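# Host-side helper, executed by install-debuginfo as ./buildid to print the
# build-id of each .efi.debug.  It therefore has to be compiled for the
# build host: with CROSS_COMPILE set, $(CC) would produce a target-arch
# binary that cannot run there.  HOSTCC defaults to gcc and can be
# overridden (make HOSTCC=clang); it links against libelf on the host.
HOSTCC ?= gcc
buildid : $(TOPDIR)/buildid.c
	$(HOSTCC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf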
229
# BOOT<ARCH>.CSV: a single UCS-2LE line naming shim and the OS label,
# installed beside shim in the vendor directory (the text itself says it is
# the boot entry, presumably consumed by fallback).  No prerequisites, so a
# changed OSLABEL does not regenerate an existing file; and OSLABEL is
# pasted into the CSV unescaped, so it must not contain commas.
$(BOOTCSVNAME) :
	@echo Making $@
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@
233
# Sanity checks that install pulls in as an order-only prerequisite.  The
# $(error) calls are on recipe lines (tab-indented), so they are expanded
# only when this target actually runs -- not every time the Makefile is
# parsed.  LIBDIR is only set by the per-architecture blocks above, so an
# undefined LIBDIR means an unsupported ARCH; EFIDIR deliberately has no
# default.
install-check :
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
endif
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
endif
241
# Aggregate prerequisite for the install-* targets: the regular build
# products, the debug side-cars, the host-side buildid helper and the
# BOOT<ARCH>.CSV.  Declared .PHONY at the bottom of the file.
install-deps : $(TARGETS)
install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
install-deps : $(BOOTCSVNAME)
245
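# Copy every .c/.h/.S under TOPDIR into the debug-source tree, preserving
# the relative layout.  `read -r` and quoting keep paths with spaces or
# backslashes intact, and `|| exit 1` makes a failed install abort the
# recipe -- previously only the exit status of the last loop iteration
# decided whether the target "succeeded".
install-debugsource : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read -r file ; do \
		outfile=$$(echo "$${file}" | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 "$(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname "$${outfile}")" || exit 1 ; \
		$(INSTALL) -m 0644 "$${file}" "$(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile}" || exit 1 ; \
	done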
253
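# Install the .efi.debug files and the .build-id/xx/yyyy... links that
# debuggers use to find them.  ./buildid prints "<file> <build-id>" per
# debug file; the id is split into a 2-char directory and the remainder.
# The fixed "../../../../.." in the first link assumes DEBUGINFO is exactly
# three path components deep (/usr/lib/debug/) -- it is wrong for any other
# prefix.  Changes from the original: `read -r`, quoting, `ln -sfn` so a
# second install into the same DESTDIR does not fail on existing links,
# and `|| exit 1` so an error inside the loop fails the recipe.  A failing
# ./buildid itself is still not detected (no pipefail).
install-debuginfo : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read -r file buildid ; do \
		first=$$(echo "$${buildid}" | cut -b -2) ; \
		rest=$$(echo "$${buildid}" | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 "$(DESTDIR)/$(DEBUGINFO).build-id/$${first}/" || exit 1 ;\
		$(INSTALL) -m 0644 "$${file}" "$(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)" || exit 1 ; \
		ln -sfn "../../../../..$(DEBUGINFO)$(TARGETDIR)$${file}" "$(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug" || exit 1 ;\
		ln -sfn "../../../.build-id/$${first}/$${rest}" "$(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}" || exit 1 ;\
	done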
265
# Install into the staged ESP tree under DESTDIR.  install-check is an
# order-only prerequisite: it must pass first but never forces a rebuild.
# shim is placed both under the removable-media name EFI/BOOT/BOOT<ARCH>.EFI
# and in the vendor directory, with BOOT<ARCH>.CSV beside it.  With
# ENABLE_SHIM_CERT the signed MokManager/fallback are installed under their
# plain names, so consumers see the same file names either way.  The 0700
# on the ESP root only affects this staging tree; a real ESP is FAT and
# takes its permissions from the mount options.
install : | install-check
install : install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
else
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
endif
284
# Alternative layout: ship the binaries as data under
# $(datadir)/shim/<version>/<arch>/ instead of into a staged ESP
# (presumably for a later copy onto the ESP by the package's own tooling).
# Mirrors install's signed/unsigned choice and adds the .hash file when
# ENABLE_SHIM_HASH is set.  Note it does not go through install-check.
install-as-data : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
else
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
endif
298
# Convert the linked ELF .so into the PE image the firmware loads, keeping
# only the listed sections.  .vendor_cert (the compiled-in vendor
# certificate/dbx from cert.S) must survive this step; .data.ident and
# .eh_frame are kept as well.  The objcopy version check is a recipe line,
# so it fires only when a .efi is actually built.
%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .vendor_cert \
		$(FORMAT) $^ $@
308
# Emit shim's PE hash via pesign (-P pads the image as a signer would, -h
# prints the digest) -- e.g. for enrolling shim by hash rather than by
# certificate.  Only defined when ENABLE_SHIM_HASH is set.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
	$(PESIGN) -i $< -P -h > $@
endif
313
# DWARF side-car for each .efi: the same code sections plus the .debug_*
# sections and the .note.gnu.build-id that install-debuginfo uses to file
# it.  .vendor_cert and .data.ident are not copied here.  Like %.efi, the
# objcopy version check only runs when the rule does.
%.efi.debug : %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id \
		$^ $@
325
# Sign MokManager/fallback with the build-generated key (ENABLE_SHIM_CERT).
# Either branch signs with a private key that exists only on this build
# host; a shim built with the matching shim_cert.h is presumably the only
# thing that trusts the result.  shim.key is declared .PHONY at the bottom
# of the file, so the sbsign variant re-signs on every run.
ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
	$(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
else
# pesign branch: -c is the nickname the certdb rule imported the cert under,
# -f overwrites an existing output file.
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
endif
333
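# clean uses the on-disk object list rather than the configured OBJS so
# objects from an earlier configuration (e.g. httpboot.o) are removed too.
# The first rm now removes $(TARGETS): the original said $(TARGET), a
# variable this file never defines, so it expanded to nothing -- harmless
# for the .efi/.debug/.signed files, which the globs on the last line catch
# anyway, but the .hash output was never cleaned.  KEYS includes the
# private key and certdb/ the NSS copy of it; both are deleted here.
clean: OBJS=$(wildcard *.o)
clean:
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
	rm -rf $(TARGETS) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c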
341
# Release tag name; the tag and archive targets below use it.
GITTAG = $(VERSION)
343
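# Tarball of the working tree -- the current branch's HEAD plus uncommitted
# changes (git diff applied with .gitdiff backups) -- for testing.  A
# private mktemp directory replaces the fixed, predictable
# /tmp/shim-$(VERSION) path, which another user of a shared /tmp could
# pre-create or replace with a symlink before the rm -rf/mkdir ran; the
# trap removes it on every exit path, including failures.  The whole
# sequence is one shell so the trap and the && chain cover all steps.  The
# archive layout (shim-$(VERSION)/ at the root with a `commit` file) is
# unchanged.
test-archive:
	@tmp=$$(mktemp -d) && trap 'rm -rf "$$tmp"' EXIT && \
	mkdir "$$tmp/shim-$(VERSION)" && \
	git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd "$$tmp/shim-$(VERSION)" && tar x ) && \
	git diff | ( cd "$$tmp/shim-$(VERSION)" && patch -s -p1 -b -z .gitdiff ) && \
	git log -1 --pretty=format:%H > "$$tmp/shim-$(VERSION)/commit" && \
	tar -C "$$tmp" -c --bzip2 -f "$$PWD/shim-$(VERSION).tar.bz2" shim-$(VERSION) && \
	echo "The archive is in shim-$(VERSION).tar.bz2"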
354
# Release tagging.  The version tag is created with --sign, i.e. it is
# GPG-signed with the tagger's key; "latest-release" is a lightweight tag
# moved with -f and carries no signature of its own.  Note the tag is put on
# refs/heads/master regardless of which branch is checked out.
tag:
	git tag --sign $(GITTAG) refs/heads/master
	git tag -f latest-release $(GITTAG)
358
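# Release tarball of the signed tag (created by the `tag` prerequisite).
# As in test-archive, a private mktemp directory replaces the predictable
# /tmp/shim-$(VERSION) path and is removed by the trap on every exit path.
# The `commit` file now records the commit the tag points at: the original
# wrote HEAD, which only matches when master is checked out (tag tags
# refs/heads/master, not HEAD).  The archive layout is unchanged.
archive: tag
	@tmp=$$(mktemp -d) && trap 'rm -rf "$$tmp"' EXIT && \
	mkdir "$$tmp/shim-$(VERSION)" && \
	git archive --format=tar $(GITTAG) | ( cd "$$tmp/shim-$(VERSION)" && tar x ) && \
	git log -1 --pretty=format:%H $(GITTAG) > "$$tmp/shim-$(VERSION)/commit" && \
	tar -C "$$tmp" -c --bzip2 -f "$$PWD/shim-$(VERSION).tar.bz2" shim-$(VERSION) && \
	echo "The archive is in shim-$(VERSION).tar.bz2"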
368
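# Targets that are commands rather than files.  Previously only install-deps
# and shim.key were listed, so a stray file named e.g. "clean" or "install"
# in the build directory would have made that target silently "up to date".
# shim.key stays phony on purpose: a phony prerequisite is always considered
# out of date, so the sbsign %.efi.signed rule (which names it) re-signs on
# every run and make never looks for a rule that produces the key.
.PHONY : all clean install install-check install-deps install-debuginfo install-debugsource install-as-data tag archive test-archive shim.key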
370
# Hand the toolchain and ARCH to the recursive makes (Cryptlib, OpenSSL,
# lib) through the environment; TOPDIR and VPATH are passed on their command
# lines instead, and CFLAGS only to lib/.
export ARCH CC LD OBJCOPY EFI_INCLUDE