debian/rules

   1 #!/usr/bin/make -f
   2
   3 include /usr/share/dpkg/architecture.mk
   4
   5 # Other vendors, add your certs here.  No sense in using
   6 # dpkg-vendor --derives-from, because only Canonical-generated binaries will
   7 # be signed with this key; so if you are building your own shim binary you
   8 # should be building the other binaries also.
   9 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
  10         cert=debian/canonical-uefi-ca.der
  11         distributor=ubuntu
  12 COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
  13 else
  14         cert=debian/debian-uefi-ca.der
  15         distributor=debian
  16 endif
  17
  18 deb_version             := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
  19 upstream_version        := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
  20 plain_upstream_version  := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
  21
  22 DBX_LIST = dbx.esl
  23 DBX_HASHES = debian/$(distributor)-dbx.hashes
  24 SBAT_IN = debian/sbat.$(distributor).csv.in
  25 SBAT_DATA = data/sbat.$(distributor).csv
  26
  27 include /usr/share/dpkg/architecture.mk
  28
  29 ifeq ($(DEB_HOST_ARCH),amd64)
  30 export EFI_ARCH := x64
  31 endif
  32 ifeq ($(DEB_HOST_ARCH),arm64)
  33 export EFI_ARCH := aa64
  34 endif
  35 ifeq ($(DEB_HOST_ARCH),i386)
  36 export EFI_ARCH := ia32
  37 endif
  38
  39 COMMON_OPTIONS += \
  40         RELEASE=$(plain_upstream_version) \
  41         COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
  42         MAKELEVEL=0 \
  43         ENABLE_HTTPBOOT=true \
  44         VENDOR_CERT_FILE=$(cert) \
  45         VENDOR_DBX_FILE=$(DBX_LIST) \
  46         EFIDIR=$(distributor) \
  47         CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
  48         CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
  49         $(NULL)
  50
  51 # Force shim to use the latest revocations by default to block some
  52 # older grub / peimage issues. This is:
  53 # "shim,4\ngrub,4\ngrub.peimage,2\n"
  54 COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
  55
  56 $(DBX_LIST): $(DBX_HASHES)
  57         ./debian/generate_dbx_list $(EFI_ARCH) $< $@
  58
  59 $(SBAT_DATA): $(SBAT_IN)
  60         rm -f $@
  61         set -e; \
  62         sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
  63                 -e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
  64                 < $(SBAT_IN) > $(SBAT_DATA)
  65         # If we have an empty $(SBAT_DATA), delete
  66         if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi
  67
  68 %:
  69         dh $@
  70
  71 override_dh_auto_clean:
  72         dh_auto_clean -- MAKELEVEL=0
  73         rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV
  74         rm -f test-csv test-sbat test-str test-load-options
  75         rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util
  76
  77 override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
  78         dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)
  79
  80 override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
  81         dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)
  82
  83 override_dh_auto_install:
  84         dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
  85         # Remove the copy of the source that's installed - we have git
  86         # already...
  87         rm -rf debian/tmp/usr
  88         # And remove the extra removable-media copy of shim too, it's
  89         # not needed for our build and causes debhelper to complain
  90         rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
  91
  92         install -m 644 $(cert) debian/shim-unsigned/usr/share/shim
  93
  94         # Generate the template packages that we'll use for SB signing later
  95         ./debian/signing-template.generate
  96
  97         # Log some useful things about the build here
  98         ./debian/check_nx shim*.efi
  99         sha256sum *.efi
 100
 101 generate-gnu-efi:
 102         git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
 103                 > ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz