proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-10-31 11:22:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
00d057c5fd
efi-boot-shim/debian/rules
Steve McIntyre bd9f3bf331 Force usage of newest revocations at build time 
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:

"shim,4\ngrub,4\ngrub.peimage,2\n"

This should work with the current released grub builds in all of
buster, bullseye, bookwork and trixie/unstable. Let's not leave known
security holes in the wild.
2024-05-03 16:06:30 +01:00

100 lines
3.0 KiB
Makefile
Executable File
Raw Blame History

#!/usr/bin/make -f
include /usr/share/dpkg/architecture.mk
# Other vendors, add your certs here. No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
cert=debian/canonical-uefi-ca.der
distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
cert=debian/debian-uefi-ca.der
distributor=debian
endif
deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
plain_upstream_version := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
DBX_LIST = dbx.esl
DBX_HASHES = debian/$(distributor)-dbx.hashes
SBAT_IN = debian/sbat.$(distributor).csv.in
SBAT_DATA = data/sbat.$(distributor).csv
include /usr/share/dpkg/architecture.mk
ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
endif
ifeq ($(DEB_HOST_ARCH),arm64)
export EFI_ARCH := aa64
endif
ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif
COMMON_OPTIONS += \
RELEASE=$(plain_upstream_version) \
COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
MAKELEVEL=0 \
ENABLE_HTTPBOOT=true \
VENDOR_CERT_FILE=$(cert) \
VENDOR_DBX_FILE=$(DBX_LIST) \
EFIDIR=$(distributor) \
CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
$(NULL)
# Force shim to use the latest revocations by default to block some
# older grub / peimage issues. This is:
# "shim,4\ngrub,4\ngrub.peimage,2\n"
COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
$(DBX_LIST): $(DBX_HASHES)
./debian/generate_dbx_list $(EFI_ARCH) $< $@
$(SBAT_DATA): $(SBAT_IN)
rm -f $@
set -e; \
sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
< $(SBAT_IN) > $(SBAT_DATA)
# If we have an empty $(SBAT_DATA), delete
if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi
%:
dh $@
override_dh_auto_clean:
dh_auto_clean -- MAKELEVEL=0
rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV test-csv test-sbat test-str
override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)
override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
# Remove the copy of the source that's installed - we have git
# already...
rm -rf debian/tmp/usr
# And remove the extra removable-media copy of shim too, it's
# not needed for our build and causes debhelper to complain
rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
# Generate the template packages that we'll use for SB signing later
./debian/signing-template.generate
# Log some useful things about the build here
./debian/check_nx shim*.efi
sha256sum *.efi
generate-gnu-efi:
git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz
Reference in New Issue View Git Blame Copy Permalink