EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
MANPAGES = $(patsubst doc/%.1.in,doc/%.1,$(wildcard doc/*.1.in))
HELP2MAN = help2man
ARCH = $(shell uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
ifeq ($(ARCH),ia32)
ARCH3264 = -m32
else ifeq ($(ARCH),x86_64)
ARCH3264 =
else ifeq ($(ARCH),aarch64)
ARCH3264 =
else ifeq ($(ARCH),riscv64)
ARCH3264 =
else ifeq ($(ARCH),loongarch64)
ARCH3264 =
else ifeq ($(ARCH),arm)
ARCH3264 =
else
$(error unknown architecture $(ARCH))
endif
INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
CPPFLAGS = -DCONFIG_$(ARCH)
CFLAGS = -O2 -g $(ARCH3264) -fno-stack-protector -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -D_XOPEN_SOURCE=700
LDFLAGS = -nostdlib
CRTOBJ = crt0-efi-$(ARCH).o
CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done)
CRTOBJS = $(CRTPATH)/$(CRTOBJ)
# there's a bug in the gnu tools ... the .reloc section has to be
# aligned otherwise the file alignment gets screwed up
LDSCRIPT = elf_$(ARCH)_efi.lds
LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT)
LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name)
FORMAT = --target=efi-app-$(ARCH)
OBJCOPY = objcopy
MYGUID = 11111111-2222-3333-4444-123456789abc
INSTALL = install
BINDIR = $(DESTDIR)/usr/bin
MANDIR = $(DESTDIR)/usr/share/man/man1
EFIDIR = $(DESTDIR)/usr/share/efitools/efi
DOCDIR = $(DESTDIR)/usr/share/efitools
# globally use EFI calling conventions (requires gcc >= 4.7)
CFLAGS += -DGNU_EFI_USE_MS_ABI
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -mno-red-zone
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-red-zone
endif
ifeq ($(ARCH),arm)
LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif
ifeq ($(ARCH),aarch64)
LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif
ifeq ($(ARCH),riscv64)
LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif
ifeq ($(ARCH),loongarch64)
LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
endif
%.efi: %.so
	$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
		   -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
		   -j .reloc $(FORMAT) $*.so $@

%.so: %.o
	$(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES)
	# check we have no undefined symbols
	nm -D $@ | grep ' U ' && exit 1 || exit 0

%.h: %.auth
	./xxdi.pl $< > $@

%.hash: %.efi hash-to-efi-sig-list
	./hash-to-efi-sig-list $< $@

%-blacklist.esl: %.crt cert-to-efi-sig-list
	./cert-to-efi-sig-list $< $@

%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
	./cert-to-efi-hash-list $< $@

%.esl: %.crt cert-to-efi-sig-list
	./cert-to-efi-sig-list -g $(MYGUID) $< $@

# PK and KEK updates are signed with PK; everything else is signed with KEK
getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
# PK and KEK map to the variable of the same name; everything else goes to db
getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)

%.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
	./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@

%-update.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
	./sign-efi-sig-list -a $(call getcert,$*) $(call getvar,$*) $< $@

%-pkupdate.auth: %.esl PK.crt sign-efi-sig-list
	./sign-efi-sig-list -a -c PK.crt -k PK.key $(call getvar,$*) $< $@

%-blacklist.auth: %-blacklist.esl KEK.crt sign-efi-sig-list
	./sign-efi-sig-list -a -c KEK.crt -k KEK.key dbx $< $@

%-pkblacklist.auth: %-blacklist.esl PK.crt sign-efi-sig-list
	./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@

%.o: %.c
	$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@

%.efi.o: %.c
	$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@

%.efi.s: %.c
	$(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@

# self-signed certificate; -nodes writes the matching private key unencrypted
%.crt:
	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256

%.cer: %.crt
	openssl x509 -in $< -out $@ -outform DER

%-subkey.csr:
	openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes

# note: the prerequisite is KEK.crt and the subject says "of KEK", but the
# certificate is issued with DB.crt/DB.key, which are not listed as prerequisites
%-subkey.crt: %-subkey.csr KEK.crt
	openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365

%-signed.efi: %.efi DB.crt
	sbsign --key DB.key --cert DB.crt --output $@ $<

##
# No need for KEK signing
##
#%-kek-signed.efi: %.efi KEK.crt
#	sbsign --key KEK.key --cert KEK.crt --output $@ $<

%.a:
	ar rcv $@ $^

doc/%.1: doc/%.1.in %
	$(HELP2MAN) --no-info -i $< -o $@ ./$*