proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-06 14:26:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b017e4554b
efi-boot-shim/BUILDING
Fabian Grünbichler b017e4554b New upstream version 16.0
2025-03-24 10:18:24 +01:00

86 lines
3.3 KiB
Plaintext
Raw Blame History

It's pretty straightforward:
cp $MY_DER_ENCODED_CERT pub.cer
make VENDOR_CERT_FILE=pub.cer
make EFIDIR=my_esp_dir_name install
There are a couple of ways to customize the build:
Install targets:
- install
installs shim as if to a hard drive, including installing MokManager and
fallback appropriately.
- install-as-data
installs shim files to /usr/share/shim/$(EFI_ARCH)-$(VERSION)/
Variables you should set to customize the build:
- EFIDIR
This is the name of the ESP directory. The install targets won't work
without it.
- DESTDIR
This will be prepended to any install targets, so you don't have to
install to a live root directory.
- DEFAULT_LOADER
defaults to \\\\grub$(EFI_ARCH).efi , but you could set it to whatever.
Be careful with the leading backslashes, they can be hard to get
correct.
Variables you could set to customize the build:
- ENABLE_SHIM_CERT
if this variable is defined on the make command line, shim will
generate keys during the build and sign MokManager and fallback with
them, and the signed version will be what gets installed with the
install targets
- ENABLE_SHIM_DEVEL
If this is set, we look for SHIM_DEVEL_DEBUG instead of SHIM_DEBUG in
our debugger delay hook, thus meaning you can have it pause for a
debugger only on the development branch and not the OS you need to boot
to scp in a new development build. Likewise, we look for
SHIM_DEVEL_VERBOSE rather than SHIM_VERBOSE.
- DISABLE_REMOVABLE_LOAD_OPTIONS
Do not parse load options when invoked as boot*.efi. This prevents boot
failures because of unexpected data in boot entries automatically generated
by firmware. It breaks loading non-default second-stage loaders when invoked
via that path, and requires using a binary named shim*.efi (or really anything
else).
- REQUIRE_TPM
if tpm logging or extends return an error code, treat that as a fatal error.
- ARCH
This allows you to do a build for a different arch that we support. For
instance, on x86_64 you could do "setarch linux32 make ARCH=ia32" to get
the ia32 build instead. (DEFAULT_LOADER will be automatically adjusted
in that case.)
- TOPDIR
You can use this along with make -f to build in a subdir. For instance,
on an x86_64 machine you could do:
mkdir build-ia32 build-x64 inst
cd build-ia32
setarch linux32 make TOPDIR=.. ARCH=ia32 -f ../Makefile
setarch linux32 make TOPDIR=.. ARCH=ia32 \
DESTDIR=../inst EFIDIR=debian \
-f ../Makefile install
cd ../build-x64
make TOPDIR=.. -f ../Makefile
make TOPDIR=.. DESTDIR=../inst EFIDIR=debian \
-f ../Makefile install
That would get you x86_64 and ia32 builds in the "inst" subdir.
- OSLABEL
This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
By default this is the same value as EFIDIR .
- POST_PROCESS_PE_FLAGS
This allows you to add flags to the invocation of "post-process-pe", for
example to disable the NX compatibility flag.
- ENABLE_CODESIGN_EKU
This changes the certificate validation logic to require Extended Key
Usage 1.3.6.1.5.5.7.3.3 ("Code Signing").
Vendor SBAT data:
It will sometimes be requested by reviewers that a build includes extra
.sbat data. The mechanism to do so is to add a CSV file in data/ with the
name sbat.FOO.csv, where foo is your EFI subdirectory name. The build
system will automatically include any such files.
# vim:filetype=mail:tw=74
Reference in New Issue View Git Blame Copy Permalink