correct.
Variables you could set to customize the build:
+- ENABLE_SHIM_CERT
+ if this variable is defined one the make command line, shim will
+ generate keys during the build and sign MokManager and fallback with
+ them, and the signed version will be what gets installed with the
+ install targets
- ENABLE_HTTPBOOT
build support for http booting
- ARCH
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
TARGETS = $(SHIMNAME)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS += $(MMNAME).signed $(FBNAME).signed
+CFLAGS += -DENABLE_SHIM_CERT
+else
TARGETS += $(MMNAME) $(FBNAME)
+endif
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h
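Review bot: `CFLAGS += -DENABLE_SHIM_CERT` inside the new `ifneq` block is silently discarded whenever `CFLAGS` is given on the make command line, because a command-line assignment overrides every file-level `+=`; the `.signed` MokManager and fallback would still be built and signed with the generated key while shim.o is compiled without the build-key path (the `#ifdef ENABLE_SHIM_CERT` / `#if defined(ENABLE_SHIM_CERT)` guards in shim.c compile it out), so the installed shim would presumably reject its own helpers at boot. Use `override CFLAGS += -DENABLE_SHIM_CERT`, or carry the define in a separate variable the compile rule always passes, so it cannot be clobbered. Separately, `$(origin ENABLE_SHIM_CERT)` is also not `undefined` when the variable comes from the environment or a makefile, so the README's "on the make command line" understates what enables the option; `ifeq ($(origin ENABLE_SHIM_CERT),command line)` would match the documented contract exactly. The compile rule that consumes `CFLAGS` is outside this hunk.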
$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
shim.o: $(SOURCES)
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
+endif
shim.o: $(wildcard $(TOPDIR)/*.h)
cert.o : $(TOPDIR)/cert.S
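Review bot: Nothing in shim.o's prerequisites records whether it was compiled with `-DENABLE_SHIM_CERT`, so toggling the option between two builds in the same tree does not rebuild shim.o: an object built with the option is considered up to date when make is next run without it, and the resulting shim still carries the build-key check while MokManager and fallback are installed unsigned (and the reverse, if a `shim_cert.h` from an earlier build is older than shim.o). Either document that `make clean` is required when ENABLE_SHIM_CERT changes, or add a flag stamp as a prerequisite, e.g. `shim.o: .shim_cert_flag`, with a rule that rewrites the stamp only when its content differs from the current setting. The rule that generates `shim_cert.h` is outside this hunk.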
$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
+else
$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
+endif
install-as-data : install-deps
$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
+ifneq ($(origin ENABLE_SHIM_CERT),undefined)
$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+else
$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
+endif
%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
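Review bot: The `else` branches of the three install blocks place the unsigned `$(FBNAME)` and `$(MMNAME)` under the names shim will load, with nothing in the recipe or a comment saying that these binaries must still be signed by a key shim trusts (its built-in vendor certificate, or db/MOK) before the installed tree is bootable — the build-key path that would otherwise accept them is compiled out when ENABLE_SHIM_CERT is undefined (see the `#if defined(ENABLE_SHIM_CERT)` guard in shim.c). A one-line comment above the first unsigned `$(INSTALL)` would stop an unbootable image from looking like a successful install: `# Without ENABLE_SHIM_CERT these are installed unsigned; sign them with a key shim trusts (vendor cert, db or MOK) before deploying.` The same comment belongs in the `install-as-data` branch.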
#include "shim.h"
#include "netboot.h"
#include "httpboot.h"
-#include "shim_cert.h"
#include "replacements.h"
#include "tpm.h"
#include "ucs2.h"
#include "console.h"
#include "version.h"
+#ifdef ENABLE_SHIM_CERT
+#include "shim_cert.h"
+#endif
+
#include <stdarg.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
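Review bot: The new guard around the include uses `#ifdef ENABLE_SHIM_CERT` with a bare `#endif`, while the guard around the build-key verification later in the same file uses `#if defined(ENABLE_SHIM_CERT)` and closes with `#endif /* defined(ENABLE_SHIM_CERT) */`; since both gate the same trust decision they should read identically so a grep for one form finds every site. Suggest `#if defined(ENABLE_SHIM_CERT)` and `#endif /* defined(ENABLE_SHIM_CERT) */` here, matching the other hunk.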
return status;
if (cert) {
+#if defined(ENABLE_SHIM_CERT)
/*
* Check against the shim build key
*/
status = EFI_SUCCESS;
return status;
}
+#endif /* defined(ENABLE_SHIM_CERT) */
/*
* And finally, check against shim's built-in key
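Review bot: The verification path enabled by `#if defined(ENABLE_SHIM_CERT)` trusts a certificate whose private half is generated into the build tree (the Makefile's `KEYS` list includes `shim.key` and `shim.p12`), so anyone who obtains those build artefacts can sign binaries this shim will launch, and the guard carries no comment saying so. Suggest a comment directly above the `#if`: `/* Build-time key: accepts binaries signed with the key generated during this build (shim.key); only safe where that key is protected or discarded after signing. */`. The enclosing function begins outside this hunk, and the verification call between the `#if` and `#endif` appears truncated in this view, so it was not reviewed.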