Add Debian SBAT data to the shim build
1 #!/usr/bin/make -f
2
3 include /usr/share/dpkg/architecture.mk
4
# Vendor selection: pick the CA certificate and the distributor name used for
# this build. Other vendors should add their certificates here. Matching on
# "dpkg-vendor --derives-from" would make no sense: only Canonical-generated
# binaries are signed with the Canonical key, so anyone building their own
# shim binary should be building the other binaries as well.
#
# $(cert) is handed to the upstream build as VENDOR_CERT_FILE and
# $(distributor) as EFIDIR (see COMMON_OPTIONS further down); $(distributor)
# also selects the dbx hash list and the SBAT template.
ifneq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
cert=debian/debian-uefi-ca.der
distributor=debian
else
cert=debian/canonical-uefi-ca.der
distributor=ubuntu
# ?= leaves COMMON_OPTIONS alone when it already has a value.
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
endif
17
# Package version: the value of the "Version:" line printed by
# dpkg-parsechangelog. It is substituted for @DEB_VERSION@ in the SBAT
# template.
deb_version := $(shell dpkg-parsechangelog | sed -n 's/^Version: \(.*\)/\1/p')

# Per-distributor inputs (under debian/) and the files generated from them.
#   DBX_HASHES -> DBX_LIST   hash list turned into an EFI signature list
#   SBAT_IN    -> SBAT_DATA  SBAT template with the version fields filled in
DBX_HASHES = debian/$(distributor)-dbx.hashes
DBX_LIST   = dbx.esl
SBAT_IN    = debian/sbat.$(distributor).csv.in
SBAT_DATA  = data/sbat.$(distributor).csv
24
25 include /usr/share/dpkg/architecture.mk
26
# Translate the Debian host architecture into the EFI architecture name and
# export it to the commands run from this file. Any architecture other than
# the three listed leaves EFI_ARCH unset here.
ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
else ifeq ($(DEB_HOST_ARCH),arm64)
export EFI_ARCH := aa64
else ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif
36
# Variables passed after "--" to dh_auto_build and dh_auto_install. They are
# appended to whatever COMMON_OPTIONS already holds (the Ubuntu branch above
# may have put ENABLE_SHIM_CERT/ENABLE_SBSIGN there).

# Release identification. RELEASE and COMMIT_ID are fixed values, not derived
# from the source tree.
# NOTE(review): presumably COMMIT_ID has to be updated by hand whenever the
# packaged upstream source changes - confirm.
COMMON_OPTIONS += \
	RELEASE=15 \
	COMMIT_ID=888f5b544b7cce3cdae8074aa617b1d4add271a1 \
	MAKELEVEL=0

# Trust configuration: the vendor CA certificate and the vendor dbx list
# chosen/generated by this file, plus the per-distributor EFI directory.
COMMON_OPTIONS += \
	EFI_PATH=/usr/lib \
	ENABLE_HTTPBOOT=true \
	VENDOR_CERT_FILE=$(cert) \
	VENDOR_DBX_FILE=$(DBX_LIST) \
	EFIDIR=$(distributor)

# Toolchain: host-triplet prefix and a compiler pinned to gcc-10.
COMMON_OPTIONS += \
	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
	CC=$(DEB_HOST_GNU_TYPE)-gcc-10 \
	$(NULL)
49
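# Build the EFI signature list that is passed to the upstream build as
# VENDOR_DBX_FILE: every entry selected from $(DBX_HASHES) is appended to the
# list with efisiglist, after sorting and de-duplication.
#
# The regular expression is quoted so the shell cannot treat it as a filename
# pattern, and "$$HASH" is quoted so each entry reaches efisiglist as exactly
# one argument.
#
# The final touch creates an empty $(DBX_LIST) when $(DBX_HASHES) yields no
# entries, so an empty hash file is supported.
#
# NOTE(review): the pattern only requires 32 consecutive hex digits somewhere
# on a line and is not anchored. Lines that do not match are dropped without
# any message, so a mistyped entry means a hash silently missing from the dbx
# list rather than a failed build. grep prints whole lines and the shell splits
# them on whitespace, so this assumes one bare hash per matching line -
# confirm against the format of the *-dbx.hashes files.
$(DBX_LIST): $(DBX_HASHES)
	rm -f $@
	set -e; \
	for HASH in $$(grep -E '[[:xdigit:]]{32}' $< | sort -u); do \
		echo efisiglist -o $@ -a -h "$$HASH"; \
		efisiglist -o $@ -a -h "$$HASH"; \
	done
	touch $@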
59
# Generate the distributor's SBAT CSV from its template by replacing
# @DEB_VERSION@ and @UPSTREAM_VERSION@. If the result is empty the file is
# removed again; the recipe still succeeds in that case, so the build goes on
# without this file.
#
# NOTE(review): plain_upstream_version is not assigned anywhere in the visible
# part of this file. Unless it is supplied from outside, @UPSTREAM_VERSION@ is
# replaced by an empty string - confirm where it is meant to come from.
# NOTE(review): both versions are pasted into the sed expressions unescaped;
# a "/" or "&" in either value would change the substitution.
$(SBAT_DATA): $(SBAT_IN)
	rm -f $@
	set -e; \
	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
	    -e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
	    < $< > $@
	test -s $@ || rm -f $@
68
# Catch-all: every target without an explicit rule in this file is handed to
# the debhelper sequencer.
%:
	dh $@
71
# Clean: run the upstream clean with MAKELEVEL=0 (the same value the build
# passes through COMMON_OPTIONS), then delete the files generated by this
# rules file and any sbat.*.csv in the top directory.
override_dh_auto_clean:
	dh_auto_clean -- MAKELEVEL=0
	$(RM) $(DBX_LIST) $(SBAT_DATA) sbat.*.csv
75
# Build: the dbx signature list and the SBAT CSV are prerequisites, so both
# recipes run before the upstream build is started with COMMON_OPTIONS.
override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
	dh_auto_build -- $(COMMON_OPTIONS)
78
# Install into debian/tmp with the same options as the build, then prune:
#  - debian/tmp/usr holds the installed copy of the source, which is not
#    wanted because git already has it;
#  - the extra removable-media copy of shim (EFI/BOOT/BOOT*.EFI) is not needed
#    for this build and makes debhelper complain.
# Finally run the packaging script debian/signing-template.generate (its
# contents are not part of this file).
override_dh_auto_install:
	dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
	$(RM) -r debian/tmp/usr
	$(RM) debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
	./debian/signing-template.generate
87 ./debian/signing-template.generate