# Optional "-<release>" suffix used in package and debug paths; only defined when
# RELEASE came from the environment or the command line.
ifneq ($(origin RELEASE),undefined)
  DASHRELEASE ?= -$(RELEASE)
# NOTE(review): the closing endif of this conditional is not in this listing.
# Canonicalise TOPDIR to an absolute path; "override" makes this win even over a
# TOPDIR=... given on the command line, so every $(TOPDIR)/... below is absolute.
# Assumes TOPDIR was assigned before this line (that assignment is not shown here).
override TOPDIR := $(abspath $(TOPDIR))
# Toolchain. Deliberately recursive (=): CROSS_COMPILE is applied when the
# variable is used, so a prefix set later still takes effect.
CC      = $(CROSS_COMPILE)gcc
LD      = $(CROSS_COMPILE)ld
OBJCOPY = $(CROSS_COMPILE)objcopy
prefix  := $(abspath $(prefix))
datadir ?= $(prefix)/share/

# Install layout. Every *DIR below ends in "/" and is joined as $(DESTDIR)/<dir>
# by the install rules; install(1) tolerates the resulting double slashes.
# TARGETDIR needs EFIDIR (checked by the install-check recipe further down);
# DATATARGETDIR needs PKGNAME and VERSION, neither of which is assigned in this listing.
ESPROOTDIR    ?= boot/efi/
EFIBOOTDIR    ?= $(ESPROOTDIR)EFI/BOOT/
TARGETDIR     ?= $(ESPROOTDIR)EFI/$(EFIDIR)/
DATATARGETDIR ?= $(datadir)/$(PKGNAME)/$(VERSION)$(DASHRELEASE)/$(ARCH_SUFFIX)/
DEBUGINFO     ?= $(prefix)/lib/debug/
DEBUGSOURCE   ?= $(prefix)/src/debug/

# Second-stage loader path compiled into the binary via the -DDEFAULT_LOADER
# flags in CFLAGS. Make leaves the backslashes alone; the shell halves them
# inside the double-quoted -D argument, so the compiler sees "\\grub..." inside
# the string literal, i.e. a single leading backslash at run time.
DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
# Target architecture taken from the compiler triple ("x86_64-linux-gnu" ->
# "x86_64"), with any i386..i986 folded to "ia32". Being a recursive ?= the
# shell pipeline runs on every expansion of ARCH unless ARCH was given explicitly.
ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
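# "1" when objcopy is at least 2.24 (gate used by the %.efi/%.efi.debug recipes).
# Simply expanded (:=) so objcopy is run once at parse time; the original
# recursive "=" re-ran it on every expansion. The backslash before ">=" is
# essential: without it the shell treats ">" as an output redirection inside
# $(shell ...) and the comparison never happens.
# NOTE(review): expr compares "major.minor" as strings here (not integers), so a
# hypothetical 2.100 would compare below 2.24; a "sort -V" based check would be
# exact.
OBJCOPY_GTE224 := $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)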
# Sub-projects with their own Makefiles (built by the Cryptlib/lib rules below).
SUBDIRS = $(TOPDIR)/Cryptlib $(TOPDIR)/lib
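EFI_INCLUDE := /usr/include/efi

# Include path for the freestanding build: -nostdinc, then the bundled crypto
# wrapper headers, gnu-efi, this tree's include/, and quote-includes from both
# the source tree and the build directory.
# $(CURDIR) replaces the original $(shell pwd): same directory, but no extra
# process on every expansion of this recursive variable.
EFI_INCLUDES = -nostdinc -I$(TOPDIR)/Cryptlib -I$(TOPDIR)/Cryptlib/Include \
	-I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol \
	-I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(CURDIR)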
# libgcc for the target (recursive: runs $(CC) each time EFI_LIBS is expanded,
# i.e. once per link line; harmless but could be ":=" since CC is already known).
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)

# Libraries for the final link; the --start-group/--end-group pair lets the two
# static archives resolve each other's symbols regardless of order.
EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)

# Recursive on purpose: EFI_PATH is only assigned further down in this file.
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS      = $(TOPDIR)/elf_$(ARCH)_efi.lds
# Base compiler flags for the freestanding EFI build. This is a plain "=", so a
# user's "make CFLAGS=..." replaces the whole list — including flags that are
# requirements of code running without a C runtime (-ffreestanding, -fno-builtin,
# -fno-stack-protector, -fshort-wchar), not tuning.
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
	-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
	-Werror=sign-compare -ffreestanding -std=gnu89 \
	-I$(shell $(CC) -print-file-name=include) \
	"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
	"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\""
# NOTE(review): in the source listing this assignment continues (trailing
# backslash) onto at least one line that is not shown; the continuation is
# missing here and the dangling backslash was dropped so the assignment closes.
# Commit id that version.c embeds: from git in a checkout, from the "commit"
# file that the archive recipes drop into release tarballs, else a placeholder.
COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available ; fi)
# Developer switch. Judging by its name, a binary built with this define
# presumably relaxes the normal verification policy; it should never reach a
# signed or shipped build, so treat its presence in a build log as a finding.
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
  CFLAGS += -DOVERRIDE_SECURITY_POLICY
# NOTE(review): the closing endif of this conditional is not in this listing.
# Opt-in HTTP boot support (the matching source additions are further down).
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
  CFLAGS += -DENABLE_HTTPBOOT
# NOTE(review): the closing endif of this conditional is not in this listing.
# x86_64 settings. The enclosing "ifeq ($(ARCH),...)" header is not in this
# listing; -DMDE_CPU_X64 identifies the branch. No MMX/SSE, no red zone and the
# MS ABI wrappers are the usual requirements for code running inside firmware.
# One line between LIBDIR and ARCH_SUFFIX_UPPER is not shown either; note that
# ARCH_SUFFIX, used throughout, is never assigned anywhere in this listing.
  CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
	-maccumulate-outgoing-args \
	-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
	-DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096
  LIBDIR            ?= $(prefix)/lib64
  ARCH_SUFFIX_UPPER ?= X64
# ia32 settings (enclosing ifeq header and closing endif not in this listing;
# -DMDE_CPU_IA32 identifies the branch).
  CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
	-maccumulate-outgoing-args -m32 \
	-DMDE_CPU_IA32 -DPAGE_SIZE=4096
  LIBDIR            ?= $(prefix)/lib
  ARCH_SUFFIX_UPPER ?= IA32
# aarch64 settings. -mstrict-align: no unaligned accesses, since the MMU/cache
# state at boot does not guarantee they work.
ifeq ($(ARCH),aarch64)
  CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
  LIBDIR            ?= $(prefix)/lib64
  ARCH_SUFFIX_UPPER ?= AA64
  # NOTE(review): a few lines between here and ARCH_LDFLAGS are not in this
  # listing; SUBSYSTEM is referenced but never assigned in what is shown, and an
  # empty value would produce "--defsym=EFI_SUBSYSTEM=" (most likely a link error).
  ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
# NOTE(review): the closing endif of this conditional is not in this listing.
# 32-bit ARM settings (enclosing ifeq header, a couple of intermediate lines and
# the closing endif are not in this listing; -DMDE_CPU_ARM identifies the branch).
  CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
  LIBDIR            ?= $(prefix)/lib
  ARCH_SUFFIX_UPPER ?= ARM
  # SUBSYSTEM is not assigned anywhere in this listing — see the aarch64 block.
  ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
# objcopy output format (overridable per architecture) and the gnu-efi location
# that EFI_CRT_OBJS / LDFLAGS use.
FORMAT   ?= --target efi-app-$(ARCH)
EFI_PATH ?= $(LIBDIR)/gnuefi

# Artefact names. For each component: <stem>.so is the ELF link output,
# <stem>.efi the PE image extracted from it; .hash and .signed are optional
# extras produced by the pesign/sbsign rules.
MMSTEM   ?= mm$(ARCH_SUFFIX)
MMNAME    = $(MMSTEM).efi
MMSONAME  = $(MMSTEM).so
FBSTEM   ?= fb$(ARCH_SUFFIX)
FBNAME    = $(FBSTEM).efi
FBSONAME  = $(FBSTEM).so
SHIMSTEM ?= shim$(ARCH_SUFFIX)
SHIMNAME  = $(SHIMSTEM).efi
SHIMSONAME   = $(SHIMSTEM).so
SHIMHASHNAME = $(SHIMSTEM).hash
# Names under EFI/BOOT (the firmware's default boot path): upper-case suffix.
BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
# Architecture tag and debug-info directory as wide-string literals.
# NOTE(review): DEBUGDIR hard-codes /usr/lib/debug/usr/share/shim/... instead of
# deriving it from $(DEBUGINFO) / $(DATATARGETDIR); with a non-default prefix the
# embedded path points somewhere no rule in this listing installs to.
CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\""
# Optional vendor certificate and DBX blobs. Only the *path* becomes a C define;
# the bytes are pulled in elsewhere (cert.S, assembled with these CFLAGS, is the
# likely place — TODO confirm). A path containing a double quote would break the
# generated -D, so keep these values plain.
ifneq ($(origin VENDOR_CERT_FILE), undefined)
  CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
# NOTE(review): the closing endif of this conditional is not in this listing.
ifneq ($(origin VENDOR_DBX_FILE), undefined)
  CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
# NOTE(review): the closing endif of this conditional is not in this listing.
# Link as a shared ELF object against gnu-efi's crt0 and linker script; the PE
# image is extracted from it afterwards by objcopy. --build-id=sha1 provides the
# .note.gnu.build-id section that the .efi.debug rule copies and that
# install-debuginfo uses for the .build-id/ layout.
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared \
	-Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL \
	$(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS)
# What a default build produces: shim plus the debug companions of all three
# images, then the optional hash and the signed/unsigned MokManager+fallback.
TARGETS  = $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
  TARGETS += $(SHIMHASHNAME)
# NOTE(review): the closing endif of this conditional is not in this listing.
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
  # Built-in certificate: MokManager and fallback are shipped as .signed images.
  TARGETS += $(MMNAME).signed $(FBNAME).signed
  CFLAGS  += -DENABLE_SHIM_CERT
# NOTE(review): the else/endif lines are not in this listing; the assignment
# below appears to be the unsigned alternative (the install rules treat the two
# cases the same way).
  TARGETS += $(MMNAME) $(FBNAME)
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
# Key material and files derived from it (make-certs / openssl / hexdump rules);
# all removed by clean. The globs are plain text to make and only expand when the
# shell sees them on the rm line.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h errlog.c
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
ORIG_MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
FALLBACK_OBJS = fallback.o tpm.o
ORIG_FALLBACK_SRCS = fallback.c
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
  # NOTE(review): one line of this block and its endif are not in this listing.
  # As written the += is discarded: the unconditional "SOURCES = ..." a few
  # lines below replaces the value. Appending to ORIG_SOURCES instead (so the
  # $(TOPDIR)/ prefix is applied like for every other source) looks like the intent.
  SOURCES += httpboot.c httpboot.h

# Absolute source lists, used as prerequisites of MokManager.o and fallback.o
# (and presumably shim.o) so edits are picked up in out-of-tree builds.
SOURCES       = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES   = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
# Generates the local key material (the rule header is not in this listing;
# shim.key is declared .PHONY at the end of the file, so whatever rule this
# belongs to presumably re-runs — and re-generates keys — on every build that
# needs it). stdin is closed so the script cannot stall on a prompt.
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
# DER-encode a PEM certificate (rule header not in this listing; judging by the
# shim_cert.h rule that consumes shim.cer, this is shim.cer from shim.crt).
	$(OPENSSL) x509 -outform der -in $< -out $@
# NOTE(review): on GNU make before 4.4 any prerequisite on .NOTPARALLEL is
# ignored and the line acts as a bare .NOTPARALLEL, i.e. -j is disabled for the
# whole build, not just for this header.
.NOTPARALLEL: shim_cert.h

# Embed the DER certificate as a C byte array. The file is written through two
# separate redirections; without .DELETE_ON_ERROR a failing hexdump leaves a
# truncated but newer-than-its-source shim_cert.h behind.
shim_cert.h: shim.cer
	echo "static UINT8 shim_cert[] = {" > $@
	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
# NOTE(review): this recipe continues on a line that is not in this listing.
# Fill in the version template.
# NOTE(review): substituting "uname -a" bakes the build host's name and kernel
# string into the shipped binary — non-reproducible and a small information leak
# about the build infrastructure; a fixed or user-supplied string would be
# preferable. Also, sed uses "," as delimiter here, so a comma in the uname
# output or in VERSION breaks the expression.
version.c: $(TOPDIR)/version.c.in
	sed -e "s,@@VERSION@@,$(VERSION)," \
		-e "s,@@UNAME@@,$(shell uname -a)," \
		-e "s,@@COMMIT@@,$(COMMITID),"
# NOTE(review): the sed command continues on a line that is not in this listing;
# the dangling continuation backslash was dropped here.
# NSS database used by the pesign signing path below. One recipe line between
# the header and the first command is not in this listing.
# NOTE(review): the key is imported with an empty PKCS#12 password and an empty
# database password (-W "" -K ""), so the private key sits unprotected under
# certdb/. Acceptable for the throw-away make-certs key; never do this with a
# real signing key.
certdb/secmod.db: shim.crt
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
# NOTE(review): the body of this conditional and its endif are not in this listing.

# Rebuild shim.o whenever any top-level header changes. Nothing in this listing
# generates compiler dependency files (-MMD), so this wildcard is the only
# header tracking there is.
shim.o : $(wildcard $(TOPDIR)/*.h)
# Assembled with the full CFLAGS so the VENDOR_CERT_FILE / VENDOR_DBX_FILE
# defines reach it (cert.S presumably pulls those files in — TODO confirm).
cert.o : $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c -o $@ $<
# Each PE image derives from its ELF .so; the objcopy recipe that does the
# conversion appears further down without its (pattern-rule) header.
$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME)   : $(MMSONAME)
$(FBNAME)   : $(FBSONAME)
# Link shim: the explicit objects plus the static crypto and helper archives
# ($^ includes lib/lib.a); EFI_LIBS adds gnu-efi and libgcc.
$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
fallback.o : $(FALLBACK_SRCS)

# Link the fallback image; same shape as the shim link line.
$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
MokManager.o : $(MOK_SOURCES)

# Link MokManager.
# NOTE(review): lib/lib.a is passed twice — once via $^ and once after
# $(EFI_LIBS) — unlike the shim and fallback link lines. Archives are resolved in
# order, so the second copy may be intentional for symbol resolution; verify
# before removing it for consistency.
$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
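# Sub-build of the crypto wrapper library. The object-directory layout is created
# first because the sub-make runs in the (possibly out-of-tree) build directory.
# $(addprefix ...) replaces the original shell brace expansion
# "Cryptlib/{Hash,Hmac,...}": that is a bashism, and under a POSIX /bin/sh it
# creates one directory literally named "{Hash,Hmac,...}" instead. SHELL is not
# set to bash anywhere in this listing, so the expansion is now done by make.
# NOTE(review): the target has no prerequisites, so once the archive exists it is
# never rebuilt by this Makefile even when its sources change.
Cryptlib/libcryptlib.a:
	mkdir -p $(addprefix Cryptlib/,Hash Hmac Cipher Rand Pk Pem SysCall)
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile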
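# Sub-build of the bundled OpenSSL subset. As for libcryptlib.a, the directory
# list is expanded by make ($(addprefix ...)) rather than by a bash-only brace
# expansion ("{x509v3,...,async{,/arch},...}"), which a POSIX /bin/sh would
# take literally. The list is byte-for-byte the original one, with async{,/arch}
# spelled out as "async async/arch".
# NOTE(review): no prerequisites — see the libcryptlib.a rule above.
Cryptlib/OpenSSL/libopenssl.a:
	mkdir -p $(addprefix Cryptlib/OpenSSL/crypto/, \
		x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp \
		objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac \
		buffer bn bio async async/arch asn1 aes)
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile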
# Sub-build of lib/lib.a (the rule header is not in this listing). CFLAGS is not
# in the export list at the end of this file, so it is forwarded on the sub-make
# command line. "mkdir -p" is the same as the original
# "if [ ! -d lib ]; then mkdir lib; fi": no-op when lib/ exists, error if "lib"
# exists but is not a directory.
	mkdir -p lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile
# Host-side helper that install-debuginfo runs to read each image's build id.
# NOTE(review): it is compiled with $(CC) = $(CROSS_COMPILE)gcc and linked
# against libelf; in a cross build that produces a *target* binary which
# install-debuginfo then cannot execute on the host. A dedicated host-compiler
# variable would fix this.
buildid : $(TOPDIR)/buildid.c
	$(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
# Boot CSV entry, written as UCS-2LE (the rule header is not in this listing;
# the install rules copy $(BOOTCSVNAME), so that is presumably the target).
# OSLABEL is not assigned anywhere in this listing; unset, the entry gets an
# empty label. Output goes straight to $@, so a failing iconv leaves a partial
# file unless .DELETE_ON_ERROR is set.
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@
# Pre-install sanity checks. The rule header is not in this listing; the
# order-only prerequisite "install : | install-check" below names it. The
# $(error ...) lines are written here as recipe lines (tab-indented), which is
# what that usage suggests: they then fire only when install-check is built. If
# they are at column 0 in the original they fire at parse time instead — confirm.
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
# NOTE(review): the closing endif of this conditional is not in this listing.
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
# NOTE(review): the closing endif of this conditional is not in this listing.
# Everything the install targets need to exist first. Declared .PHONY at the end
# of the file, so the prerequisites are always re-checked.
install-deps : $(TARGETS)
install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
install-deps : $(BOOTCSVNAME)
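# Copy every .c/.h/.S under $(TOPDIR) into the debug-source tree, keeping the
# path relative to $(TOPDIR). Changed from the original: "IFS= read -r" and
# quoting of the shell variables and install paths, so file names containing
# spaces or backslashes are neither word-split nor mangled by read(1).
# NOTE(review): the loop's closing "done" line is not in this listing; the
# dangling continuation backslash of the last visible line was dropped here.
install-debugsource : install-deps
	$(INSTALL) -d -m 0755 "$(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)"
	find "$(TOPDIR)" -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while IFS= read -r file ; do \
		outfile=$$(echo "$${file}" | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 "$(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname "$${outfile}")" ; \
		$(INSTALL) -m 0644 "$${file}" "$(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile}"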
# Install the .efi.debug files and create the .build-id/<xx>/<rest> symlink
# layout from the ids that ./buildid prints ("<file> <id>" per line). The id is
# split into its first two hex digits and the remainder.
# NOTE(review): the loop's closing "done" line is not in this listing; the
# dangling continuation backslash of the last visible line was dropped here.
# The relative "../../../../.." prefixes are tied to the depth of $(DEBUGINFO)
# and $(TARGETDIR) under $(DESTDIR); check them if either default changes.
install-debuginfo : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
		first=$$(echo $${buildid} | cut -b -2) ; \
		rest=$$(echo $${buildid} | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
		ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
		ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}
# Full install into the ESP layout. install-check is order-only: it must run
# first, but must not by itself make "install" out of date.
install : | install-check
install : install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
# The ESP root itself is created 0700; the EFI directories below it 0755.
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
# shim is installed twice: under the firmware's default EFI/BOOT name and under
# the distribution's own EFI/$(EFIDIR)/ directory (with the boot CSV).
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
# Signed MokManager/fallback are installed under their unsigned names.
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
# NOTE(review): the else/endif lines are not in this listing; the next three
# lines are the unsigned variant.
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
# Install the images as package data under $(DATATARGETDIR) rather than into an
# ESP (e.g. for a distro package that places them on the ESP at a later stage).
install-as-data : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
# NOTE(review): the closing endif of this conditional is not in this listing.
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
# NOTE(review): the else/endif lines are not in this listing; the next two lines
# are the unsigned variant.
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
# Extract the PE image from the ELF .so (the pattern-rule header is not in this
# listing). The version gate is written as a recipe line, so it fails when an
# image is built rather than at parse time — confirm against the original.
# The .rel*/.rela* arguments are objcopy section-name wildcards, which is
# presumably why >= 2.24 is required.
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
# NOTE(review): the closing endif of this conditional is not in this listing.
	$(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame
# NOTE(review): the objcopy command continues (output format and file operands)
# on a line that is not in this listing; the dangling backslash was dropped here.
# Optional hash file: pesign computes the image hash (-h) instead of signing.
# The rule header (one line) and the closing endif are not in this listing.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(PESIGN) -i $< -P -h > $@
# Debug companion: the same sections as the .efi plus the DWARF sections and the
# build-id note (pattern-rule header not in this listing). Same objcopy version
# gate as above, with the same caveat about where it fires.
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
# NOTE(review): the closing endif of this conditional is not in this listing.
	$(OBJCOPY) -j .text -j .sdata -j .data \
		-j .dynamic -j .dynsym -j .rel* \
		-j .rela* -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id
# NOTE(review): the command continues on a line that is not in this listing; the
# dangling backslash was dropped here.
# Two ways to sign the MokManager/fallback images with the locally generated
# key: sbsign with the PEM files, or pesign via the NSS database. Either way the
# key comes from make-certs, i.e. a local development key, not a production
# signing chain. Because shim.key is .PHONY (end of file), the sbsign variant
# presumably regenerates the key pair on every run, so signatures differ between
# builds.
ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed : %.efi shim.key shim.crt
	$(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
# NOTE(review): the else line is not in this listing.
%.efi.signed : %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
# NOTE(review): the closing endif of this conditional is not in this listing.
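# clean: OBJS is re-bound to every .o present (target-specific variable),
# presumably so objects left over from another configuration go too.
clean: OBJS=$(wildcard *.o)
# NOTE(review): the "clean :" rule header that these recipe lines belong to is
# not in this listing (a target-specific variable line alone does not open a
# recipe in GNU make). clean is also not in the .PHONY list at the end of the file.
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
# Fixed: the original wrote $(TARGET), a variable never assigned in this file
# (the list is TARGETS), so it expanded to nothing. Every operand here is a file
# name or the literal certdb directory; no variable expands to a bare path root.
	rm -rf $(TARGETS) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c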
# Source tarball of the current branch (the rule header is not in this listing).
# NOTE(review): (1) staging uses a fixed, predictable name under the shared /tmp
# and starts with rm -rf on it; on a multi-user host another local user can
# pre-create that path (or a symlink there) and influence what is deleted or
# archived — stage under a mktemp -d directory instead. (2) "git diff" is
# applied on top of the archive, so uncommitted working-tree edits silently end
# up in the tarball while the recorded commit id does not describe them.
# (3) the branch name is scraped from "git branch" output; on a detached HEAD
# the second field is "(HEAD". git rev-parse --abbrev-ref HEAD is robust.
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
	@dir=$$PWD; cd /tmp ; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"
# Create a signed release tag on master and move the "latest-release" pointer
# to it (rule header not in this listing; GITTAG is not assigned anywhere in
# this listing). Note "-f": an existing latest-release tag is moved silently.
	git tag --sign $(GITTAG) refs/heads/master
	git tag -f latest-release $(GITTAG)
# Source tarball of the tagged release (the rule header is not in this listing).
# Unlike the branch-based recipe above this one does not apply "git diff", so
# the tarball matches $(GITTAG) exactly — the right property for a release
# artefact. The fixed /tmp staging path carries the same concern as above.
	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
	@mkdir -p /tmp/shim-$(VERSION)-tmp
	@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
	@dir=$$PWD; cd /tmp ; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
	@rm -rf /tmp/shim-$(VERSION)
	@echo "The archive is in shim-$(VERSION).tar.bz2"
# NOTE(review): only these two targets are declared phony. install, the
# install-* targets and clean are command names too; a stray file with one of
# those names in the build directory would turn that invocation into a silent
# no-op. shim.key being phony means the key material is regenerated whenever
# something depends on it.
.PHONY : install-deps shim.key

# Exported to the Cryptlib, OpenSSL and lib sub-makes (CFLAGS is passed on the
# command line instead).
export ARCH CC LD OBJCOPY EFI_INCLUDE