mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-08-06 07:02:43 +00:00

In cases where we accept vendor shim binaries with additional patches, it may become necessary to identify those builds with additional SBAT data. When we consider such patches, we should be proactive in asking vendors to include that data in the .sbat sections of their trusted EFI binaries. This patch adds any data in data/sbat.*.csv (after a quick sanitizing pass) after data/sbat.csv in the .sbat section, so that no changes to the upstream data/sbat.csv are ever required. Signed-off-by: Peter Jones <pjones@redhat.com>
145 lines
4.7 KiB
Plaintext
145 lines
4.7 KiB
Plaintext
COMPILER ?= gcc
|
|
CC = $(CROSS_COMPILE)$(COMPILER)
|
|
LD = $(CROSS_COMPILE)ld
|
|
OBJCOPY = $(CROSS_COMPILE)objcopy
|
|
DOS2UNIX ?= dos2unix
|
|
D2UFLAGS ?= -r -l -F -f -n
|
|
OPENSSL ?= openssl
|
|
HEXDUMP ?= hexdump
|
|
INSTALL ?= install
|
|
PK12UTIL ?= pk12util
|
|
CERTUTIL ?= certutil
|
|
PESIGN ?= pesign
|
|
SBSIGN ?= sbsign
|
|
prefix ?= /usr
|
|
prefix := $(abspath $(prefix))
|
|
datadir ?= $(prefix)/share/
|
|
PKGNAME ?= shim
|
|
ESPROOTDIR ?= boot/efi/
|
|
EFIBOOTDIR ?= $(ESPROOTDIR)EFI/BOOT/
|
|
TARGETDIR ?= $(ESPROOTDIR)EFI/$(EFIDIR)/
|
|
DATATARGETDIR ?= $(datadir)/$(PKGNAME)/$(VERSION)$(DASHRELEASE)/$(ARCH_SUFFIX)/
|
|
DEBUGINFO ?= $(prefix)/lib/debug/
|
|
DEBUGSOURCE ?= $(prefix)/src/debug/
|
|
OSLABEL ?= $(EFIDIR)
|
|
DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi
|
|
DASHJ ?= -j$(shell echo $$(($$(grep -c "^model name" /proc/cpuinfo) + 1)))
|
|
|
|
ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
|
|
OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
|
|
|
|
SUBDIRS = $(TOPDIR)/Cryptlib $(TOPDIR)/lib
|
|
|
|
EFI_INCLUDE ?= /usr/include/efi
|
|
EFI_INCLUDES = -nostdinc -I$(TOPDIR)/Cryptlib -I$(TOPDIR)/Cryptlib/Include \
|
|
-I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol \
|
|
-I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(shell pwd)
|
|
|
|
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
|
EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds
|
|
|
|
CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
|
|
|
|
COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
|
|
|
|
ifeq ($(ARCH),x86_64)
|
|
ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
|
|
$(CLANG_BUGS) -m64 \
|
|
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
|
|
-DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 \
|
|
-DPAGE_SIZE=4096
|
|
LIBDIR ?= $(prefix)/lib64
|
|
ARCH_SUFFIX ?= x64
|
|
ARCH_SUFFIX_UPPER ?= X64
|
|
ARCH_LDFLAGS ?=
|
|
TIMESTAMP_LOCATION := 136
|
|
endif
|
|
ifeq ($(ARCH),ia32)
|
|
ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
|
|
$(CLANG_BUGS) -m32 \
|
|
-DMDE_CPU_IA32 -DPAGE_SIZE=4096
|
|
LIBDIR ?= $(prefix)/lib
|
|
ARCH_SUFFIX ?= ia32
|
|
ARCH_SUFFIX_UPPER ?= IA32
|
|
ARCH_LDFLAGS ?=
|
|
ARCH_CFLAGS ?= -m32
|
|
TIMESTAMP_LOCATION := 136
|
|
endif
|
|
ifeq ($(ARCH),aarch64)
|
|
ARCH_CFLAGS ?= -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
|
|
LIBDIR ?= $(prefix)/lib64
|
|
ARCH_SUFFIX ?= aa64
|
|
ARCH_SUFFIX_UPPER ?= AA64
|
|
FORMAT := -O binary
|
|
SUBSYSTEM := 0xa
|
|
ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
|
|
ARCH_CFLAGS ?=
|
|
TIMESTAMP_LOCATION := 72
|
|
endif
|
|
ifeq ($(ARCH),arm)
|
|
ARCH_CFLAGS ?= -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mno-unaligned-access
|
|
LIBDIR ?= $(prefix)/lib
|
|
ARCH_SUFFIX ?= arm
|
|
ARCH_SUFFIX_UPPER ?= ARM
|
|
FORMAT := -O binary
|
|
SUBSYSTEM := 0xa
|
|
ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
|
|
TIMESTAMP_LOCATION := 72
|
|
endif
|
|
|
|
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
|
|
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
|
|
-Werror=sign-compare -ffreestanding -std=gnu89 \
|
|
-I$(shell $(CC) $(ARCH_CFLAGS) -print-file-name=include) \
|
|
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
|
|
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
|
|
$(EFI_INCLUDES) $(ARCH_CFLAGS)
|
|
|
|
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
|
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
|
endif
|
|
|
|
ifneq ($(origin ENABLE_HTTPBOOT), undefined)
|
|
CFLAGS += -DENABLE_HTTPBOOT
|
|
endif
|
|
|
|
ifneq ($(origin REQUIRE_TPM), undefined)
|
|
CFLAGS += -DREQUIRE_TPM
|
|
endif
|
|
|
|
ifneq ($(origin DISABLE_EBS_PROTECTION), undefined)
|
|
CFLAGS += -DDISABLE_EBS_PROTECTION
|
|
endif
|
|
|
|
LIB_GCC = $(shell $(CC) $(ARCH_CFLAGS) -print-libgcc-file-name)
|
|
EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
|
|
FORMAT ?= --target efi-app-$(ARCH)
|
|
EFI_PATH ?= $(LIBDIR)/gnuefi
|
|
|
|
MMSTEM ?= mm$(ARCH_SUFFIX)
|
|
MMNAME = $(MMSTEM).efi
|
|
MMSONAME = $(MMSTEM).so
|
|
FBSTEM ?= fb$(ARCH_SUFFIX)
|
|
FBNAME = $(FBSTEM).efi
|
|
FBSONAME = $(FBSTEM).so
|
|
SHIMSTEM ?= shim$(ARCH_SUFFIX)
|
|
SHIMNAME = $(SHIMSTEM).efi
|
|
SHIMSONAME = $(SHIMSTEM).so
|
|
SHIMHASHNAME = $(SHIMSTEM).hash
|
|
BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
|
|
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
|
|
|
|
CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\""
|
|
|
|
ifneq ($(origin VENDOR_DB_FILE), undefined)
|
|
CFLAGS += -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\"
|
|
endif
|
|
ifneq ($(origin VENDOR_CERT_FILE), undefined)
|
|
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
|
|
endif
|
|
ifneq ($(origin VENDOR_DBX_FILE), undefined)
|
|
CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
|
|
endif
|
|
|
|
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
|