Add dbx entries for all our existing grub binaries

[efi-boot-shim.git] / Makefile

diff --git a/Makefile b/Makefile
index 38a1e0e81c02cb26ad623721607161e79957772e..02f380e0e625fce9d761628141398a7dac56c9ae 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 default : all
 
 NAME           = shim
-VERSION                = 14
+VERSION                = 15
 ifneq ($(origin RELEASE),undefined)
 DASHRELEASE    ?= -$(RELEASE)
 else
@@ -33,17 +33,19 @@ CFLAGS += -DENABLE_SHIM_CERT
 else
 TARGETS += $(MMNAME) $(FBNAME)
 endif
-OBJS   = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
+OBJS   = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o
 KEYS   = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-ORIG_SOURCES   = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+ORIG_SOURCES   = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-FALLBACK_OBJS = fallback.o tpm.o errlog.o
+FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
 ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
 
-ifneq ($(origin ENABLE_HTTPBOOT), undefined)
-       OBJS += httpboot.o
-       SOURCES += httpboot.c include/httpboot.h
+ifeq ($(SOURCE_DATE_EPOCH),)
+       UNAME=$(shell uname -s -m -p -i -o)
+else
+       UNAME=buildhost
 endif
 
 SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
@@ -66,7 +68,7 @@ shim_cert.h: shim.cer
 
 version.c : $(TOPDIR)/version.c.in
        sed     -e "s,@@VERSION@@,$(VERSION)," \
-               -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
+               -e "s,@@UNAME@@,$(UNAME)," \
                -e "s,@@COMMIT@@,$(COMMIT_ID)," \
                < $< > $@
 
@@ -84,6 +86,18 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
 cert.o : $(TOPDIR)/cert.S
        $(CC) $(CFLAGS) -c -o $@ $<
 
+sbat.%.csv : data/sbat.%.csv
+       $(DOS2UNIX) $(D2UFLAGS) $< $@
+       tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+       $(CC) $(CFLAGS) -x c -c -o $@ $<
+       $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=$(SBATPATH) $@
+       $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
+
 $(SHIMNAME) : $(SHIMSONAME)
 $(MMNAME) : $(MMSONAME)
 $(FBNAME) : $(FBSONAME)
@@ -102,11 +116,11 @@ $(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a li
        $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
 
 Cryptlib/libcryptlib.a:
-       mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
+       for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
        $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
 
 Cryptlib/OpenSSL/libopenssl.a:
-       mkdir -p Cryptlib/OpenSSL/crypto/{x509v3,x509,txt_db,stack,sha,rsa,rc4,rand,pkcs7,pkcs12,pem,ocsp,objects,modes,md5,lhash,kdf,hmac,evp,err,dso,dh,conf,comp,cmac,buffer,bn,bio,async{,/arch},asn1,aes}/
+       for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
        $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
 
 lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
@@ -189,11 +203,13 @@ endif
 ifneq ($(OBJCOPY_GTE224),1)
        $(error objcopy >= 2.24 is required)
 endif
-       $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
+       $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
                -j .dynamic -j .dynsym -j .rel* \
                -j .rela* -j .reloc -j .eh_frame \
-               -j .vendor_cert \
-               $(FORMAT) $^ $@
+               -j .vendor_cert -j .sbat \
+               $(FORMAT) $< $@
+       # I am tired of wasting my time fighting binutils timestamp code.
+       dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
 
 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
 %.hash : %.efi
@@ -204,17 +220,20 @@ endif
 ifneq ($(OBJCOPY_GTE224),1)
        $(error objcopy >= 2.24 is required)
 endif
-       $(OBJCOPY) -j .text -j .sdata -j .data \
+       $(OBJCOPY) -D -j .text -j .sdata -j .data \
                -j .dynamic -j .dynsym -j .rel* \
-               -j .rela* -j .reloc -j .eh_frame \
+               -j .rela* -j .reloc -j .eh_frame -j .sbat \
                -j .debug_info -j .debug_abbrev -j .debug_aranges \
                -j .debug_line -j .debug_str -j .debug_ranges \
                -j .note.gnu.build-id \
-               $^ $@
+               $< $@
 
 ifneq ($(origin ENABLE_SBSIGN),undefined)
 %.efi.signed: %.efi shim.key shim.crt
-       $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
+       @$(SBSIGN) \
+               --key shim.key \
+               --cert shim.crt \
+               --output $@ $<
 else
 %.efi.signed: %.efi certdb/secmod.db
        $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
@@ -225,7 +244,7 @@ clean-shim-objs:
        @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
        @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
        @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
-       @git clean -f -d -e 'Cryptlib/OpenSSL/*'
+       @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
 
 clean: clean-shim-objs
        $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
@@ -260,4 +279,4 @@ archive: tag
 
 .PHONY : install-deps shim.key
 
-export ARCH CC LD OBJCOPY EFI_INCLUDE
+export ARCH CC LD OBJCOPY EFI_INCLUDE OPTIMIZATIONS