Add dbx entries for all our existing grub binaries
index 9ceae0644e842c0d1ebd16e60db2659e35de4d76..02f380e0e625fce9d761628141398a7dac56c9ae 100644 (file)
--- a/Makefile
+++ b/Makefile
-VERSION                = 0.9
-RELEASE                :=
-ifneq ($(RELEASE),"")
-       RELEASE:="-$(RELEASE)"
+default : all
+
+NAME           = shim
+VERSION                = 15
+ifneq ($(origin RELEASE),undefined)
+DASHRELEASE    ?= -$(RELEASE)
+else
+DASHRELEASE    ?=
 endif
 
-CC             = $(CROSS_COMPILE)gcc
-LD             = $(CROSS_COMPILE)ld
-OBJCOPY                = $(CROSS_COMPILE)objcopy
-
-ARCH           = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
-OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
-
-SUBDIRS                = Cryptlib lib
-
-LIB_PATH       = /usr/lib64
-
-EFI_INCLUDE    := /usr/include/efi
-EFI_INCLUDES   = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include
-EFI_PATH       := /usr/lib64/gnuefi
-
-LIB_GCC                = $(shell $(CC) -print-libgcc-file-name)
-EFI_LIBS       = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 
-
-EFI_CRT_OBJS   = $(EFI_PATH)/crt0-efi-$(ARCH).o
-EFI_LDS                = elf_$(ARCH)_efi.lds
-
-DEFAULT_LOADER := \\\\grub.efi
-CFLAGS         = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-                 -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-                 -Werror=sign-compare -ffreestanding -std=gnu89 \
-                 -I$(shell $(CC) -print-file-name=include) \
-                 "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
-                 "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
-                 $(EFI_INCLUDES)
-
-ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
-       CFLAGS  += -DOVERRIDE_SECURITY_POLICY
+ifeq ($(MAKELEVEL),0)
+TOPDIR         ?= $(shell pwd)
 endif
-
-ifeq ($(ARCH),x86_64)
-       CFLAGS  += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
-               -maccumulate-outgoing-args \
-               -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
-               -DNO_BUILTIN_VA_FUNCS \
-               "-DEFI_ARCH=L\"x64\"" \
-               "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+ifeq ($(TOPDIR),)
+override TOPDIR := $(shell pwd)
 endif
-ifeq ($(ARCH),ia32)
-       CFLAGS  += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
-               -maccumulate-outgoing-args -m32 \
-               "-DEFI_ARCH=L\"ia32\"" \
-               "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
+override TOPDIR        := $(abspath $(TOPDIR))
+VPATH          = $(TOPDIR)
+
+include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.coverity
+include $(TOPDIR)/Make.scan-build
+
+TARGETS        = $(SHIMNAME)
+TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
+ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+TARGETS += $(SHIMHASHNAME)
 endif
-ifeq ($(ARCH),aarch64)
-       CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
-               "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
+TARGETS        += $(MMNAME).signed $(FBNAME).signed
+CFLAGS += -DENABLE_SHIM_CERT
+else
+TARGETS += $(MMNAME) $(FBNAME)
 endif
-
-ifneq ($(origin VENDOR_CERT_FILE), undefined)
-       CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
-endif
-ifneq ($(origin VENDOR_DBX_FILE), undefined)
-       CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+OBJS   = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o
+KEYS   = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ORIG_SOURCES   = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
+ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
+ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
+
+ifeq ($(SOURCE_DATE_EPOCH),)
+       UNAME=$(shell uname -s -m -p -i -o)
+else
+       UNAME=buildhost
 endif
 
-LDFLAGS                = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
-
-TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
-OBJS   = shim.o netboot.o cert.o replacements.o tpm.o version.o
-KEYS   = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-SOURCES        = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
-MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
-FALLBACK_OBJS = fallback.o
-FALLBACK_SRCS = fallback.c
+SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
+MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
+FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
 
-all: $(TARGET)
+all: $(TARGETS)
 
 shim.crt:
-       ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+       $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
 
 shim.cer: shim.crt
-       openssl x509 -outform der -in $< -out $@
+       $(OPENSSL) x509 -outform der -in $< -out $@
 
+.NOTPARALLEL: shim_cert.h
 shim_cert.h: shim.cer
-       echo "static UINT8 shim_cert[] = {" > $@
-       hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+       echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
+       $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
        echo "};" >> $@
 
-version.c : version.c.in
+version.c : $(TOPDIR)/version.c.in
        sed     -e "s,@@VERSION@@,$(VERSION)," \
-               -e "s,@@UNAME@@,$(shell uname -a)," \
-               -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
-               < version.c.in > version.c
+               -e "s,@@UNAME@@,$(UNAME)," \
+               -e "s,@@COMMIT@@,$(COMMIT_ID)," \
+               < $< > $@
 
 certdb/secmod.db: shim.crt
        -mkdir certdb
-       pk12util -d certdb/ -i shim.p12 -W "" -K ""
-       certutil -d certdb/ -A -i shim.crt -n shim -t u
+       $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
+       $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
 
-shim.o: $(SOURCES) shim_cert.h
-shim.o: $(wildcard *.h)
+shim.o: $(SOURCES)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
+shim.o: shim_cert.h
+endif
+shim.o: $(wildcard $(TOPDIR)/*.h)
 
-cert.o : cert.S
+cert.o : $(TOPDIR)/cert.S
        $(CC) $(CFLAGS) -c -o $@ $<
 
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+sbat.%.csv : data/sbat.%.csv
+       $(DOS2UNIX) $(D2UFLAGS) $< $@
+       tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+       $(CC) $(CFLAGS) -x c -c -o $@ $<
+       $(OBJCOPY) --set-section-alignment '.sbat=512' --add-section .sbat=$(SBATPATH) $@
+       $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
+
+$(SHIMNAME) : $(SHIMSONAME)
+$(MMNAME) : $(MMSONAME)
+$(FBNAME) : $(FBSONAME)
+
+$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
        $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
 
 fallback.o: $(FALLBACK_SRCS)
 
-fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
        $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
 
 MokManager.o: $(MOK_SOURCES)
 
-MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
        $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
 
 Cryptlib/libcryptlib.a:
-       $(MAKE) -C Cryptlib
+       for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
+       $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
 
 Cryptlib/OpenSSL/libopenssl.a:
-       $(MAKE) -C Cryptlib/OpenSSL
+       for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
+       $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+
+lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
+       if [ ! -d lib ]; then mkdir lib ; fi
+       $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a
 
-lib/lib.a:
-       $(MAKE) CFLAGS="$(CFLAGS)" -C lib
+buildid : $(TOPDIR)/buildid.c
+       $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
 
-ifeq ($(ARCH),aarch64)
-FORMAT         := -O binary
-SUBSYSTEM      := 0xa
-LDFLAGS                += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+$(BOOTCSVNAME) :
+       @echo Making $@
+       @echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@
+
+install-check :
+ifeq ($(origin LIBDIR),undefined)
+       $(error Architecture $(ARCH) is not a supported build target.)
+endif
+ifeq ($(origin EFIDIR),undefined)
+       $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
 endif
 
-ifeq ($(ARCH),arm)
-FORMAT         := -O binary
-SUBSYSTEM      := 0xa
-LDFLAGS                += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+install-deps : $(TARGETS)
+install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
+install-deps : $(BOOTCSVNAME)
+
+install-debugsource : install-deps
+       $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
+       find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
+               outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
+               $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
+               $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
+       done
+
+install-debuginfo : install-deps
+       $(INSTALL) -d -m 0755 $(DESTDIR)/
+       $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
+       @./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
+               first=$$(echo $${buildid} | cut -b -2) ; \
+               rest=$$(echo $${buildid} | cut -b 3-) ; \
+               $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
+               $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
+               ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
+               ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
+       done
+
+install : | install-check
+install : install-deps install-debuginfo install-debugsource
+       $(INSTALL) -d -m 0755 $(DESTDIR)/
+       $(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
+       $(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
+       $(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
+       $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
+       $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
+       $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
+       $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
+       $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
+       $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
+else
+       $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
+       $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
+       $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
 endif
 
-FORMAT         ?= --target efi-app-$(ARCH)
+install-as-data : install-deps
+       $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
+       $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+       $(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
+endif
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
+       $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
+       $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+else
+       $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
+       $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+endif
 
 %.efi: %.so
 ifneq ($(OBJCOPY_GTE224),1)
        $(error objcopy >= 2.24 is required)
 endif
-       $(OBJCOPY) -j .text -j .sdata -j .data \
-               -j .dynamic -j .dynsym  -j .rel* \
-               -j .rela* -j .reloc -j .eh_frame \
-               -j .vendor_cert \
-               $(FORMAT)  $^ $@
-       $(OBJCOPY) -j .text -j .sdata -j .data \
-               -j .dynamic -j .dynsym  -j .rel* \
+       $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+               -j .dynamic -j .dynsym -j .rel* \
                -j .rela* -j .reloc -j .eh_frame \
+               -j .vendor_cert -j .sbat \
+               $(FORMAT) $< $@
+       # I am tired of wasting my time fighting binutils timestamp code.
+       dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+
+ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+%.hash : %.efi
+       $(PESIGN) -i $< -P -h > $@
+endif
+
+%.efi.debug : %.so
+ifneq ($(OBJCOPY_GTE224),1)
+       $(error objcopy >= 2.24 is required)
+endif
+       $(OBJCOPY) -D -j .text -j .sdata -j .data \
+               -j .dynamic -j .dynsym -j .rel* \
+               -j .rela* -j .reloc -j .eh_frame -j .sbat \
                -j .debug_info -j .debug_abbrev -j .debug_aranges \
                -j .debug_line -j .debug_str -j .debug_ranges \
                -j .note.gnu.build-id \
-               $(FORMAT) $^ $@.debug
-
+               $< $@
+
+ifneq ($(origin ENABLE_SBSIGN),undefined)
+%.efi.signed: %.efi shim.key shim.crt
+       @$(SBSIGN) \
+               --key shim.key \
+               --cert shim.crt \
+               --output $@ $<
+else
 %.efi.signed: %.efi certdb/secmod.db
-       pesign -n certdb -i $< -c "shim" -s -o $@ -f
+       $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
+endif
 
-clean:
-       $(MAKE) -C Cryptlib clean
-       $(MAKE) -C Cryptlib/OpenSSL clean
-       $(MAKE) -C lib clean
-       rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
-       rm -f *.debug *.so *.efi *.tar.* version.c
+clean-shim-objs:
+       $(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
+       @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
+       @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
+       @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
+       @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
+
+clean: clean-shim-objs
+       $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+       $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
 
 GITTAG = $(VERSION)
 
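Review bot: `sbat_data.o` names `$(SBATPATH)` and `$(VENDOR_SBATS)` only as order-only prerequisites (after `|`) and its single normal prerequisite is `/dev/null`, so editing `data/sbat.csv` or a vendor `sbat.*.csv` never rebuilds the object or relinks `$(SHIMSONAME)`; an incremental build then ships a stale `.sbat` section, which is the metadata consumers later rely on for revocation decisions. Make them normal prerequisites and compile the empty input by name: `sbat_data.o : $(SBATPATH) $(VENDOR_SBATS)` followed by `$(CC) $(CFLAGS) -x c -c -o $@ /dev/null`, leaving the objcopy and add-vendor-sbat lines as they are. Separately, `clean-shim-objs` still removes `$(TARGET)` and `$(SHIM_OBJS)`, neither of which this file defines any more (the lists are now `TARGETS` and `OBJS`); the `*.o` and `*.efi` globs mask it, but the names should be updated to `$(TARGETS) $(OBJS)` or dropped.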
@@ -183,6 +265,7 @@ test-archive:
 
 tag:
        git tag --sign $(GITTAG) refs/heads/master
+       git tag -f latest-release $(GITTAG)
 
 archive: tag
        @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
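Review bot: The new `latest-release` tag is created without `--sign`, so unlike `$(GITTAG)` on the line above it carries no signature, and `-f` lets it be moved silently; a checkout verified through `latest-release` gets no integrity guarantee. If it is only a convenience pointer, say so next to it, e.g. `# latest-release is an unsigned, force-moved alias; verify $(GITTAG), not this tag`. Otherwise consider `git tag -f --sign latest-release $(GITTAG)` so the alias is a signed annotated tag as well.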
@@ -194,4 +277,6 @@ archive: tag
        @rm -rf /tmp/shim-$(VERSION)
        @echo "The archive is in shim-$(VERSION).tar.bz2"
 
-export ARCH CC LD OBJCOPY EFI_INCLUDE
+.PHONY : install-deps shim.key
+
+export ARCH CC LD OBJCOPY EFI_INCLUDE OPTIMIZATIONS
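Review bot: The new `.PHONY` line lists only `install-deps` and `shim.key`, so `all`, `clean`, `clean-shim-objs`, `install`, `install-check`, `install-debuginfo`, `install-debugsource`, `install-as-data`, `tag` and `archive` are still treated as file targets, and a stray file with one of those names makes the target silently "up to date". Declare them all: `.PHONY : all clean clean-shim-objs install install-check install-deps install-debuginfo install-debugsource install-as-data tag archive shim.key`. Marking `shim.key` phony also makes every `%.efi.signed` that depends on it (the ENABLE_SBSIGN rule earlier in this diff) re-sign on each run; that looks intentional, but a comment such as `# shim.key is phony so signed images are always regenerated` would spare the next reader the guess.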