default : all NAME = shim VERSION = 15 ifneq ($(origin RELEASE),undefined) DASHRELEASE ?= -$(RELEASE) else DASHRELEASE ?= endif ifeq ($(MAKELEVEL),0) TOPDIR ?= $(shell pwd) endif ifeq ($(TOPDIR),) override TOPDIR := $(shell pwd) endif override TOPDIR := $(abspath $(TOPDIR)) VPATH = $(TOPDIR) include $(TOPDIR)/Make.defaults include $(TOPDIR)/Make.rules include $(TOPDIR)/Make.coverity include $(TOPDIR)/Make.scan-build TARGETS = $(SHIMNAME) TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug ifneq ($(origin ENABLE_SHIM_HASH),undefined) TARGETS += $(SHIMHASHNAME) endif ifneq ($(origin ENABLE_SHIM_CERT),undefined) TARGETS += $(MMNAME).signed $(FBNAME).signed CFLAGS += -DENABLE_SHIM_CERT else TARGETS += $(MMNAME) $(FBNAME) endif OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h) FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o ORIG_FALLBACK_SRCS = fallback.c SBATPATH = data/sbat.csv ifeq ($(SOURCE_DATE_EPOCH),) UNAME=$(shell uname -s -m -p -i -o) else UNAME=buildhost endif SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source)) FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) all: $(TARGETS) shim.crt: $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 $@ $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@ echo "};" >> $@ version.c : $(TOPDIR)/version.c.in sed -e "s,@@VERSION@@,$(VERSION)," \ -e "s,@@UNAME@@,$(UNAME)," \ -e "s,@@COMMIT@@,$(COMMIT_ID)," \ < $< > $@ certdb/secmod.db: shim.crt -mkdir certdb $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K "" $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u shim.o: $(SOURCES) ifneq ($(origin ENABLE_SHIM_CERT),undefined) shim.o: shim_cert.h endif shim.o: $(wildcard $(TOPDIR)/*.h) cert.o : $(TOPDIR)/cert.S $(CC) $(CFLAGS) -c -o $@ $< sbat.%.csv : data/sbat.%.csv $(DOS2UNIX) $(D2UFLAGS) $< $@ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x))) sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS) sbat_data.o : /dev/null $(CC) $(CFLAGS) -x c -c -o $@ $< $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=$(SBATPATH) $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) $(SHIMNAME) : $(SHIMSONAME) $(MMNAME) : $(MMSONAME) $(FBNAME) : $(FBSONAME) $(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) $(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) $(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile Cryptlib/OpenSSL/libopenssl.a: for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) if [ ! -d lib ]; then mkdir lib ; fi $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a buildid : $(TOPDIR)/buildid.c $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf $(BOOTCSVNAME) : @echo Making $@ @echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@ install-check : ifeq ($(origin LIBDIR),undefined) $(error Architecture $(ARCH) is not a supported build target.) endif ifeq ($(origin EFIDIR),undefined) $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name) endif install-deps : $(TARGETS) install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid install-deps : $(BOOTCSVNAME) install-debugsource : install-deps $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE) find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \ outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \ $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \ $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \ done install-debuginfo : install-deps $(INSTALL) -d -m 0755 $(DESTDIR)/ $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/ @./buildid $(wildcard *.efi.debug) | while read file buildid ; do \ first=$$(echo $${buildid} | cut -b -2) ; \ rest=$$(echo $${buildid} | cut -b 3-) ; \ $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\ $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \ ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\ ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\ done install : | install-check install : install-deps install-debuginfo install-debugsource $(INSTALL) -d -m 0755 $(DESTDIR)/ $(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR) $(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR) $(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR) $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME) $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/ $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/ ifneq ($(origin ENABLE_SHIM_CERT),undefined) $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME) $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME) $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME) else $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/ $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/ $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/ endif install-as-data : install-deps $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR) $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/ ifneq ($(origin ENABLE_SHIM_HASH),undefined) $(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/ endif ifneq ($(origin ENABLE_SHIM_CERT),undefined) $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) else $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) endif %.efi: %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) endif $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \ -j .dynamic -j .dynsym -j .rel* \ -j .rela* -j .reloc -j .eh_frame \ -j .vendor_cert -j .sbat \ $(FORMAT) $< $@ # I am tired of wasting my time fighting binutils timestamp code. dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@ ifneq ($(origin ENABLE_SHIM_HASH),undefined) %.hash : %.efi $(PESIGN) -i $< -P -h > $@ endif %.efi.debug : %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) endif $(OBJCOPY) -D -j .text -j .sdata -j .data \ -j .dynamic -j .dynsym -j .rel* \ -j .rela* -j .reloc -j .eh_frame -j .sbat \ -j .debug_info -j .debug_abbrev -j .debug_aranges \ -j .debug_line -j .debug_str -j .debug_ranges \ -j .note.gnu.build-id \ $< $@ ifneq ($(origin ENABLE_SBSIGN),undefined) %.efi.signed: %.efi shim.key shim.crt @$(SBSIGN) \ --key shim.key \ --cert shim.crt \ --output $@ $< else %.efi.signed: %.efi certdb/secmod.db $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f endif clean-shim-objs: $(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME) @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa] @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi clean: clean-shim-objs $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean GITTAG = $(VERSION) test-archive: @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp @mkdir -p /tmp/shim-$(VERSION)-tmp @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff ) @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" tag: git tag --sign $(GITTAG) refs/heads/master git tag -f latest-release $(GITTAG) archive: tag @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp @mkdir -p /tmp/shim-$(VERSION)-tmp @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" .PHONY : install-deps shim.key export ARCH CC LD OBJCOPY EFI_INCLUDE OPTIMIZATIONS