default : all
NAME = shim
-VERSION = 14
+VERSION = 15
ifneq ($(origin RELEASE),undefined)
DASHRELEASE ?= -$(RELEASE)
else
else
TARGETS += $(MMNAME) $(FBNAME)
endif
-OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
+OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-FALLBACK_OBJS = fallback.o tpm.o errlog.o
+FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
-ifneq ($(origin ENABLE_HTTPBOOT), undefined)
- OBJS += httpboot.o
- SOURCES += httpboot.c include/httpboot.h
+ifeq ($(SOURCE_DATE_EPOCH),)
+ UNAME=$(shell uname -s -m -p -i -o)
+else
+ UNAME=buildhost
endif
SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
version.c : $(TOPDIR)/version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
+ -e "s,@@UNAME@@,$(UNAME)," \
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
< $< > $@
cert.o : $(TOPDIR)/cert.S
$(CC) $(CFLAGS) -c -o $@ $<
+sbat.%.csv : data/sbat.%.csv
+ $(DOS2UNIX) $(D2UFLAGS) $< $@
+ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+ $(CC) $(CFLAGS) -x c -c -o $@ $<
+ $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=$(SBATPATH) $@
+ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
+
$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME) : $(MMSONAME)
$(FBNAME) : $(FBSONAME)
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
Cryptlib/libcryptlib.a:
- mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
+ for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
$(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
Cryptlib/OpenSSL/libopenssl.a:
- mkdir -p Cryptlib/OpenSSL/crypto/{x509v3,x509,txt_db,stack,sha,rsa,rc4,rand,pkcs7,pkcs12,pem,ocsp,objects,modes,md5,lhash,kdf,hmac,evp,err,dso,dh,conf,comp,cmac,buffer,bn,bio,async{,/arch},asn1,aes}/
+ for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
ifneq ($(OBJCOPY_GTE224),1)
$(error objcopy >= 2.24 is required)
endif
- $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
+ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
-j .dynamic -j .dynsym -j .rel* \
-j .rela* -j .reloc -j .eh_frame \
- -j .vendor_cert \
- $(FORMAT) $^ $@
+ -j .vendor_cert -j .sbat \
+ $(FORMAT) $< $@
+ # I am tired of wasting my time fighting binutils timestamp code.
+ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
ifneq ($(OBJCOPY_GTE224),1)
$(error objcopy >= 2.24 is required)
endif
- $(OBJCOPY) -j .text -j .sdata -j .data \
+ $(OBJCOPY) -D -j .text -j .sdata -j .data \
-j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .rela* -j .reloc -j .eh_frame -j .sbat \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
-j .note.gnu.build-id \
- $^ $@
+ $< $@
ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
- $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
+ @$(SBSIGN) \
+ --key shim.key \
+ --cert shim.crt \
+ --output $@ $<
else
%.efi.signed: %.efi certdb/secmod.db
$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
- @git clean -f -d -e 'Cryptlib/OpenSSL/*'
+ @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
clean: clean-shim-objs
$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
.PHONY : install-deps shim.key
-export ARCH CC LD OBJCOPY EFI_INCLUDE
+export ARCH CC LD OBJCOPY EFI_INCLUDE OPTIMIZATIONS