mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-08-16 06:16:46 +00:00
5ecfcdc1ef
revoking Grub binaries for the 2025-02 batch of CVEs Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
94 lines
2.7 KiB
Makefile
Executable File
94 lines
2.7 KiB
Makefile
Executable File
#!/usr/bin/make -f
|
|
|
|
include /usr/share/dpkg/architecture.mk
|
|
|
|
cert=debian/proxmox-uefi-ca.der
|
|
distributor=proxmox
|
|
|
|
deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
|
|
upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
|
|
plain_upstream_version := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
|
|
|
|
DBX_LIST = dbx.esl
|
|
DBX_HASHES = debian/$(distributor)-dbx.hashes
|
|
SBAT_IN = debian/sbat.$(distributor).csv.in
|
|
SBAT_DATA = data/sbat.$(distributor).csv
|
|
|
|
include /usr/share/dpkg/architecture.mk
|
|
|
|
ifeq ($(DEB_HOST_ARCH),amd64)
|
|
export EFI_ARCH := x64
|
|
endif
|
|
ifeq ($(DEB_HOST_ARCH),arm64)
|
|
export EFI_ARCH := aa64
|
|
endif
|
|
ifeq ($(DEB_HOST_ARCH),i386)
|
|
export EFI_ARCH := ia32
|
|
endif
|
|
|
|
COMMON_OPTIONS += \
|
|
RELEASE=$(plain_upstream_version) \
|
|
COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
|
|
MAKELEVEL=0 \
|
|
ENABLE_HTTPBOOT=true \
|
|
VENDOR_CERT_FILE=$(cert) \
|
|
VENDOR_DBX_FILE=$(DBX_LIST) \
|
|
EFIDIR=$(distributor) \
|
|
CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
|
|
CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
|
|
$(NULL)
|
|
|
|
# Force shim to use the latest revocations by default to block some
|
|
# older grub issues. This is:
|
|
# "shim,4\ngrub,5\n"
|
|
COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2025021800
|
|
|
|
$(DBX_LIST): $(DBX_HASHES)
|
|
./debian/generate_dbx_list $(EFI_ARCH) $< $@
|
|
|
|
$(SBAT_DATA): $(SBAT_IN)
|
|
rm -f $@
|
|
set -e; \
|
|
sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
|
|
-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
|
|
< $(SBAT_IN) > $(SBAT_DATA)
|
|
# If we have an empty $(SBAT_DATA), delete
|
|
if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi
|
|
|
|
%:
|
|
dh $@
|
|
|
|
override_dh_auto_clean:
|
|
dh_auto_clean -- MAKELEVEL=0
|
|
rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV
|
|
rm -f test-csv test-sbat test-str test-load-options
|
|
rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util
|
|
|
|
override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
|
|
dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)
|
|
|
|
override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
|
|
dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)
|
|
|
|
override_dh_auto_install:
|
|
dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
|
|
# Remove the copy of the source that's installed - we have git
|
|
# already...
|
|
rm -rf debian/tmp/usr
|
|
# And remove the extra removable-media copy of shim too, it's
|
|
# not needed for our build and causes debhelper to complain
|
|
rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
|
|
|
|
install -m 644 $(cert) debian/shim-unsigned/usr/share/shim
|
|
|
|
# Generate the template packages that we'll use for SB signing later
|
|
./debian/signing-template.generate
|
|
|
|
# Log some useful things about the build here
|
|
./debian/check_nx shim*.efi
|
|
sha256sum *.efi
|
|
|
|
generate-gnu-efi:
|
|
git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
|
|
> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz
|