default : all

# Project name and release number. VERSION is substituted into version.c and
# is part of the release archive and debug-source directory names.
NAME    = shim
VERSION = 15

# DASHRELEASE is "-$(RELEASE)" when RELEASE has been set from any origin and
# empty otherwise; a DASHRELEASE that is already set is left alone.
ifeq ($(origin RELEASE),undefined)
DASHRELEASE ?=
else
DASHRELEASE ?= -$(RELEASE)
endif

# Only the top-level make derives TOPDIR from the working directory; the
# sub-make recipes in this file pass TOPDIR on their command lines.
ifeq ($(MAKELEVEL),0)
TOPDIR ?= $(shell pwd)
endif
# Still empty: fall back to the working directory.
ifeq ($(TOPDIR),)
override TOPDIR := $(shell pwd)
endif
# Make TOPDIR absolute and let make search it for prerequisites.
override TOPDIR := $(abspath $(TOPDIR))
VPATH = $(TOPDIR)

# Shared settings and rules. Tool and name variables that this file uses
# without assigning them are expected to come from these files or from the
# command line.
include $(TOPDIR)/Make.defaults
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.coverity
include $(TOPDIR)/Make.scan-build

# Files built by "all".
TARGETS  = $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif
# With ENABLE_SHIM_CERT the two helper binaries are built as .signed copies
# and CFLAGS gains -DENABLE_SHIM_CERT; shim.o then also depends on the
# generated shim_cert.h. Without it the helpers are built unsigned.
ifeq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS += $(MMNAME) $(FBNAME)
else
TARGETS += $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
endif

# Object lists for the three link rules.
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
FALLBACK_OBJS = fallback.o tpm.o errlog.o

# Source lists relative to the source tree; the $(TOPDIR)/ prefix is added
# where SOURCES, MOK_SOURCES and FALLBACK_SRCS are defined.
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
ORIG_FALLBACK_SRCS = fallback.c

# Generated certificate and key files, shim.key among them. The list is only
# used by clean-shim-objs, which deletes these files from the build directory.
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer

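# Prerequisite lists with every entry prefixed by $(TOPDIR)/. version.c is
# generated in the build directory, so it is listed without the prefix.
SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))

# Optional HTTP boot support. This must come after the plain "SOURCES ="
# assignment above: placed before it, the "+=" was overwritten and the
# httpboot files never became prerequisites of shim.o. The entries carry the
# $(TOPDIR)/ prefix like the rest of SOURCES.
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
OBJS += httpboot.o
SOURCES += $(TOPDIR)/httpboot.c $(TOPDIR)/include/httpboot.h
endif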

# Build every file listed in TARGETS; this is what the "default" goal runs.
all: $(TARGETS)

# Create the build-time signing certificate by running the project's
# make-certs script with stdin redirected from /dev/null. The last argument is
# an OID under Microsoft's 1.3.6.1.4.1.311 arc.
# NOTE(review): shim.key and shim.p12, which other rules read, are presumably
# written by the same make-certs run; confirm against the script. The private
# key then sits in the build directory, so treat it as a throwaway build key
# and never reuse it as a production signing key.
shim.crt:
	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null

# DER-encode the certificate; shim_cert.h is generated from this file.
shim.cer: shim.crt
	$(OPENSSL) x509 -in $< -outform der -out $@

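# NOTE(review): GNU make releases before 4.4 ignore the prerequisites of
# .NOTPARALLEL and run the whole build serially; confirm which is intended.
.NOTPARALLEL: shim_cert.h

# Turn the DER certificate into a C initialiser for shim_cert[], one
# "0xNN, " item per byte. shim.o depends on this header when ENABLE_SHIM_CERT
# is set. The header is assembled in $@.tmp and renamed only when every step
# succeeded, so a failing hexdump cannot leave a truncated header behind that
# make would treat as up to date.
shim_cert.h: shim.cer
	{ echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" && \
	  $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< && \
	  echo "};" ; } > $@.tmp
	mv -f $@.tmp $@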

# Generate version.c from its template by filling in the version number, the
# build host's uname output and the commit id.
# NOTE(review): the uname text makes the generated file, and so the binary,
# depend on the build host; that matters if reproducible builds are a goal.
version.c : $(TOPDIR)/version.c.in
	sed -e "s,@@VERSION@@,$(VERSION)," \
	    -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
	    -e "s,@@COMMIT@@,$(COMMIT_ID)," \
	    $< > $@

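# Import the build-time key pair (shim.p12) and certificate into the NSS
# database in certdb/, which the pesign-based %.efi.signed rule reads.
# -W "" and -K "" supply empty passwords for the PKCS#12 file and for the NSS
# database, so the private key is stored unprotected in the build directory:
# keep that directory private to the build user and use this only with a
# throwaway build key.
# "mkdir -p" replaces "-mkdir", which ignored every mkdir failure rather than
# only "directory already exists".
# NOTE(review): whether NSS still creates a file called secmod.db depends on
# its database format; if it does not, this rule reruns on every build.
certdb/secmod.db: shim.crt
	mkdir -p certdb
	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u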

# Extra prerequisites for shim.o; the recipe that compiles it is not defined
# in this file. With ENABLE_SHIM_CERT the generated shim_cert.h is added, so it
# is built before shim.o.
shim.o: $(SOURCES)
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
shim.o: shim_cert.h
endif
shim.o: $(wildcard $(TOPDIR)/*.h)

# Assemble cert.S through the C compiler driver, using the same CFLAGS as the
# C sources.
cert.o : $(TOPDIR)/cert.S
	$(CC) $(CFLAGS) -c $< -o $@

# Each final binary depends on its linked shared object; the conversion is
# presumably done by the %.efi pattern rule further down.
$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME) : $(MMSONAME)
$(FBNAME) : $(FBSONAME)

# Extra source prerequisites for the fallback and MokManager objects.
fallback.o: $(FALLBACK_SRCS)
MokManager.o: $(MOK_SOURCES)

# Link the three shared objects. Each one is linked against the two Cryptlib
# archives and lib/lib.a, followed by $(EFI_LIBS).
$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

# Only this link line names lib/lib.a a second time, after $(EFI_LIBS).
$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a

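# Build the Cryptlib archive with Cryptlib's own Makefile, run inside the
# build tree's Cryptlib/ directory with VPATH and TOPDIR pointing at the
# Cryptlib sources.
# The output directories are listed with $(addprefix ...) instead of shell
# brace expansion: braces are not expanded by a plain POSIX sh, which would
# create a single directory with a literal "{...}" name.
# The rule has no prerequisites, so the sub-make runs only while the archive
# is missing.
Cryptlib/libcryptlib.a:
	mkdir -p $(addprefix Cryptlib/,Hash Hmac Cipher Rand Pk Pem SysCall)
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile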

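# Build the bundled OpenSSL archive with its own Makefile, run inside the
# build tree's Cryptlib/OpenSSL/ directory.
# The per-module output directories are listed with $(addprefix ...) instead
# of shell brace expansion, which a plain POSIX sh does not perform; the
# nested "async{,/arch}" becomes the two entries async and async/arch.
# The rule has no prerequisites, so the sub-make runs only while the archive
# is missing.
Cryptlib/OpenSSL/libopenssl.a:
	mkdir -p $(addprefix Cryptlib/OpenSSL/crypto/,x509v3 x509 txt_db stack \
		sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash \
		kdf hmac evp err dso dh conf comp cmac buffer bn bio async \
		async/arch asn1 aes)
	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile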

# Build lib/lib.a through lib/Makefile, passing this file's CFLAGS down.
# Every prerequisite is order-only, so once lib/lib.a exists this rule does
# not rebuild it when lib/Makefile or the include files change.
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
	[ -d lib ] || mkdir lib
	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a

# Helper program built from buildid.c and linked against libelf;
# install-debuginfo runs it on the *.efi.debug files.
buildid : $(TOPDIR)/buildid.c
	$(CC) -Og -g3 -Wall -Werror -Wextra $< -lelf -o $@

# Write the boot CSV: one line naming the shim binary and the OS label,
# converted to UCS-2LE by iconv.
$(BOOTCSVNAME) :
	@echo Making $@
	@echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@

# Refuse to install when LIBDIR or EFIDIR was never set. Each $(error ...) is
# a recipe line, so it fires when this target is run and not when the makefile
# is read.
install-check :
ifeq ($(origin LIBDIR),undefined)
	$(error Architecture $(ARCH) is not a supported build target.)
endif
ifeq ($(origin EFIDIR),undefined)
	$(error EFIDIR must be set to your reserved EFI System Partition subdirectory name)
endif

# Everything the install targets copy: the build targets, the three .debug
# files, the buildid helper and the boot CSV. The target has no recipe and is
# declared phony at the end of the file.
install-deps : $(TARGETS)
install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid
install-deps : $(BOOTCSVNAME)

# Copy every .c, .h and .S file found under $(TOPDIR) (names matched without
# regard to case) into the debug-source directory, keeping the path relative
# to $(TOPDIR). Directories are created 0755 and files installed 0644.
# NOTE(review): $(TOPDIR) is used as a sed regular expression, and the file
# names are read without "read -r" and expanded unquoted, so a path containing
# whitespace, a backslash or a regex metacharacter would be mishandled.
# NOTE(review): find walks the whole tree, so generated sources such as
# shim_cert.h are copied too when the build was done in the source tree.
install-debugsource : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)
	find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
		outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \
	done

# Install the *.efi.debug files and index them by build id.
# ./buildid is expected to print one "file build-id" pair per line; that is
# inferred from the "read file buildid" loop, so confirm against buildid.c.
# For each pair the loop installs the file into $(DEBUGINFO)$(TARGETDIR) and
# creates two symlinks in $(DEBUGINFO).build-id/<first two bytes of the id>/,
# named after the rest of the id with and without a ".debug" suffix.
# NOTE(review): the loop body is joined with ";" and the values are unquoted,
# so a failing install or ln inside the loop does not stop the recipe.
install-debuginfo : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/
	@./buildid $(wildcard *.efi.debug) | while read file buildid ; do \
		first=$$(echo $${buildid} | cut -b -2) ; \
		rest=$$(echo $${buildid} | cut -b 3-) ; \
		$(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ ;\
		$(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \
		ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\
		ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\
	done

# Install the binaries into the EFI System Partition layout below $(DESTDIR).
# install-check is an order-only prerequisite, so its checks run first.
# The ESP root directory is created with mode 0700, the directories below it
# with 0755, and every file is installed 0644.
# With ENABLE_SHIM_CERT the .signed builds of fallback and MokManager are
# installed under their unsigned names; otherwise the unsigned builds are.
install : | install-check
install : install-deps install-debuginfo install-debugsource
	$(INSTALL) -d -m 0755 $(DESTDIR)/
	$(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR)
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/
	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/
ifeq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/
else
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME)
endif

# Install the binaries into $(DESTDIR)/$(DATATARGETDIR), all with mode 0644.
# The hash file is added with ENABLE_SHIM_HASH. With ENABLE_SHIM_CERT the
# .signed builds of MokManager and fallback are installed under their
# unsigned names; otherwise the unsigned builds are installed.
install-as-data : install-deps
	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
	$(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
else
	$(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME)
	$(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME)
endif

# Convert a linked shared object into the .efi image by copying only the
# listed sections; $(FORMAT) supplies further objcopy options. The recipe
# aborts unless OBJCOPY_GTE224 is 1.
# NOTE(review): .vendor_cert presumably carries the embedded vendor
# certificate assembled from cert.S; confirm.
# NOTE(review): ".rel*" and ".rela*" are unquoted, so the shell would expand
# them if a matching file name existed in the build directory.
%.efi: %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident -j .dynamic \
		-j .dynsym -j .rel* -j .rela* -j .reloc -j .eh_frame \
		-j .vendor_cert $(FORMAT) $^ $@

# Only with ENABLE_SHIM_HASH: write the output of "pesign -P -h" for the EFI
# image into a .hash file next to it.
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
	$(PESIGN) -i $< -P -h > $@
endif

# Produce the debug companion of an EFI binary from the same shared object:
# the code and data sections plus the .debug_* sections and the GNU build-id
# note, which install-debuginfo uses for its index. Unlike the %.efi rule this
# one passes neither $(FORMAT) nor the .data.ident and .vendor_cert sections.
%.efi.debug : %.so
ifneq ($(OBJCOPY_GTE224),1)
	$(error objcopy >= 2.24 is required)
endif
	$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
		-j .rel* -j .rela* -j .reloc -j .eh_frame \
		-j .debug_info -j .debug_abbrev -j .debug_aranges \
		-j .debug_line -j .debug_str -j .debug_ranges \
		-j .note.gnu.build-id $^ $@

# Sign an EFI binary with the build-time key.
# Default: pesign signs with the certificate nicknamed "shim" from the NSS
# database in certdb/. With ENABLE_SBSIGN: sbsign signs with shim.key and
# shim.crt directly.
# Both paths use the key generated in the build directory by the shim.crt
# rule, so the signatures are only as trustworthy as that directory; a
# release signature needs a separately protected key.
ifeq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi certdb/secmod.db
	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
else
%.efi.signed: %.efi shim.key shim.crt
	$(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
endif

# Remove shim's own build products, including the generated certificates and
# keys listed in KEYS and the certdb NSS database.
# NOTE(review): TARGET and SHIM_OBJS are not assigned in this file, which
# defines TARGETS and OBJS; unless an included file sets them they expand to
# nothing. Confirm which names were meant.
# NOTE(review): "git clean -f -d" deletes every untracked, non-ignored file
# and directory below the current directory except Cryptlib/OpenSSL/*, so
# local work that was never added to git is lost.
clean-shim-objs:
	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
	@git clean -f -d -e 'Cryptlib/OpenSSL/*'

# Full clean: shim's own products first (clean-shim-objs), then the "clean"
# targets of the Cryptlib and bundled OpenSSL makefiles.
clean: clean-shim-objs
	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean

# Name of the git tag created by "tag" and archived by "archive"; it follows
# VERSION unless overridden.
GITTAG = $(VERSION)

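# Build shim-$(VERSION).tar.bz2 from the current branch plus the uncommitted
# changes reported by "git diff", and record the HEAD commit id in a "commit"
# file inside the archive.
# The staging directory comes from "mktemp -d", which creates a private
# directory with an unpredictable name. The previous fixed
# /tmp/shim-$(VERSION) paths could be prepared in advance by another local
# user on a shared host, who could then influence what ends up in the archive.
# The whole job runs in one shell so the trap removes the staging directory on
# success and on failure.
test-archive:
	@set -e ; \
	srcdir="$$PWD" ; \
	tmpdir=$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX") ; \
	trap 'rm -rf "$$tmpdir"' EXIT ; \
	mkdir "$$tmpdir/shim-$(VERSION)" ; \
	git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd "$$tmpdir/shim-$(VERSION)" && tar x ) ; \
	git diff | ( cd "$$tmpdir/shim-$(VERSION)" && patch -s -p1 -b -z .gitdiff ) ; \
	git log -1 --pretty=format:%H > "$$tmpdir/shim-$(VERSION)/commit" ; \
	( cd "$$tmpdir" && tar -c --bzip2 -f "$$srcdir/shim-$(VERSION).tar.bz2" shim-$(VERSION) )
	@echo "The archive is in shim-$(VERSION).tar.bz2"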

# Create a signed tag named $(GITTAG) at refs/heads/master, then force-move
# the "latest-release" tag to it.
# Only $(GITTAG) is signed; "latest-release" is created without a signing
# option and can be moved again, so verify releases against $(GITTAG).
tag:
	git tag -s $(GITTAG) refs/heads/master
	git tag --force latest-release $(GITTAG)

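# Build the release archive shim-$(VERSION).tar.bz2 from the $(GITTAG) tag
# that the "tag" prerequisite has just created, and record the HEAD commit id
# in a "commit" file inside the archive.
# The staging directory comes from "mktemp -d", which creates a private
# directory with an unpredictable name. The previous fixed
# /tmp/shim-$(VERSION) paths could be prepared in advance by another local
# user on a shared host, who could then influence what ends up in the release
# archive. The whole job runs in one shell so the trap removes the staging
# directory on success and on failure.
archive: tag
	@set -e ; \
	srcdir="$$PWD" ; \
	tmpdir=$$(mktemp -d "$${TMPDIR:-/tmp}/shim-$(VERSION).XXXXXX") ; \
	trap 'rm -rf "$$tmpdir"' EXIT ; \
	mkdir "$$tmpdir/shim-$(VERSION)" ; \
	git archive --format=tar $(GITTAG) | ( cd "$$tmpdir/shim-$(VERSION)" && tar x ) ; \
	git log -1 --pretty=format:%H > "$$tmpdir/shim-$(VERSION)/commit" ; \
	( cd "$$tmpdir" && tar -c --bzip2 -f "$$srcdir/shim-$(VERSION).tar.bz2" shim-$(VERSION) )
	@echo "The archive is in shim-$(VERSION).tar.bz2"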

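# Targets that name commands, not files. Without the declaration, a file
# called e.g. "clean" or "install" in the build directory would make the
# target look up to date and its recipe would be skipped.
# shim.key stays in the list as before; it has no rule of its own in this
# file.
.PHONY : default all clean clean-shim-objs \
         install install-check install-deps install-debuginfo \
         install-debugsource install-as-data \
         test-archive tag archive shim.key

# Pass the toolchain selection on to the sub-makes started by the recipes
# above.
export ARCH CC LD OBJCOPY EFI_INCLUDE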