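# Subject common names for the generated CA certificates.  The %.crt
# rule looks these up as $(cn_<stem>), so every certificate built by
# this file needs a matching cn_<stem> entry here.
cn_secboot = Secure Boot CA
cn_vendor = Vendor CA

# Remove a target whose recipe exited non-zero, so that a partially
# written key, certificate or signed image is not treated as up to date
# on the next run.
.DELETE_ON_ERROR :

# "all" names a goal, not a file; declaring it phony keeps a stray file
# called "all" from masking the default build.
.PHONY : all

# Default goal: both key pairs, the Secure Boot db update, and every
# signed EFI binary.
all : secboot.key secboot.crt secboot.db vendor.key vendor.crt \
      shim.efi ipxe.efi Shell.secboot.efi Shell.vendor.efi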
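#
# Construct self-signed certificates
#

# Generate a 2048-bit RSA private key.  The key is written without a
# passphrase, so file permissions are its only protection: the umask
# keeps it owner-only regardless of the caller's umask or the OpenSSL
# version in use.
#
# This pattern rule has no prerequisites, so it matches ANY missing
# *.key that Make is asked for (directly or through the %.crt / %.der
# chain) and will mint a fresh key for it.
%.key :
	umask 077 && openssl genrsa -out $@ 2048

# Keys reached only through an implicit-rule chain would otherwise be
# treated as intermediate files and deleted; keep them.
.PRECIOUS : %.key

# Self-sign a CA certificate for the key.  The subject CN comes from
# $(cn_<stem>); the extensions come from the extensions_ca section of
# openssl.cnf (not shown in this file).  A stem with no cn_<stem>
# variable would be issued with "-subj /CN=", which is almost certainly
# a mistake (e.g. a checked-in certificate went missing), so say so.
%.crt : %.key
	@$(if $(strip $(cn_$*)),:,echo 'warning: cn_$* is not set; $@ is being issued with -subj /CN=' >&2)
	openssl req -x509 -key $< -subj '/CN=$(cn_$*)' -days 3000 \
	    -config openssl.cnf -extensions extensions_ca -out $@

# Convert the PEM certificate to DER.
%.der : %.crt
	openssl x509 -in $< -outform DER -out $@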
#
# Construct DB signature list file
#

# Wrap the DER certificate in a signature list.  $(shell uuidgen) is
# expanded when the recipe runs, so each run of this rule stamps a new
# random owner GUID into the list and the output is not reproducible.
%.siglist : %.der
	sbsiglist --type x509 --owner $(shell uuidgen) --output $@ $<

# Sign the signature list with the matching key and certificate
# (prerequisites 2 and 3) to produce the variable update file.
# NOTE(review): the variable name passed to sbvarsign is "sb" although
# the output is named *.db -- confirm that this is intended.
%.db : %.siglist %.key %.crt
	sbvarsign --cert $(word 3,$^) --key $(word 2,$^) --output $@ sb $<
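#
# Build ProxyLoaderPkg and sign with Secure Boot key
#

# Warning suppressions appended to the compiler used for EDK2 BaseTools.
BASETOOLS_CFLAGS = -Wno-stringop-truncation -Wno-stringop-overflow

# Build the EDK2 host tools (GenFw is used as the marker target).
#
# The recipe is a single logical shell line, so the "cd" stays in effect
# for the commands chained after it and ends with that shell; there is
# nothing to restore afterwards.  pushd/popd are bash builtins and fail
# when Make's shell is a plain POSIX /bin/sh.
# NOTE(review): edksetup.sh itself may still require bash -- confirm
# against the EDK2 revision in use.
#
# $(MAKE) rather than a literal "make" so that -j/-n and the jobserver
# propagate into the sub-build.
edk2/BaseTools/Source/C/bin/GenFw : edk2/BaseTools/Source/C/Makefile
	cd edk2 && \
	    . ./edksetup.sh && \
	    $(MAKE) -C BaseTools/Source/C BUILD_CC="$(CC) $(BASETOOLS_CFLAGS)"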
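# Build the unsigned ProxyLoader image with the EDK2 "build" tool.
#
# ProxyLoaderPkg lives next to the edk2 tree, so it is symlinked into
# edk2/ for the duration of the build and the link is removed again
# afterwards.  The middle recipe is one logical shell line: the "cd"
# applies to the chained commands and ends with that shell (pushd/popd
# are bash-only and are not needed here).
#
# NOTE(review): the only prerequisite is GenFw; the ProxyLoaderPkg
# sources are not listed, so editing them does not trigger a rebuild of
# this target.
edk2/Build/ProxyLoader/DEBUG_GCC5/X64/ProxyLoader.efi : \
    edk2/BaseTools/Source/C/bin/GenFw
	ln -sf ../ProxyLoaderPkg edk2/
	cd edk2 && \
	    . ./edksetup.sh && \
	    build -a X64 -t GCC5 -p ProxyLoaderPkg/ProxyLoaderPkg.dsc
	rm edk2/ProxyLoaderPkg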
# Sign the freshly built ProxyLoader image with the Secure Boot key pair
# (prerequisite 1 is the unsigned image, 2 the key, 3 the certificate).
ProxyLoader.efi : edk2/Build/ProxyLoader/DEBUG_GCC5/X64/ProxyLoader.efi \
                  secboot.key secboot.crt
	sbsign --cert $(word 3,$^) --key $(word 2,$^) --output $@ $<
#
# Build shim and sign with Secure Boot key
#

# Concatenate the DER certificates handed to the shim build.
# NOTE(review): no rule in this file names fedora.der explicitly.  If
# the file is absent, the generic %.der / %.crt / %.key pattern rules
# apply and a brand-new key pair is generated under that name, and the
# resulting certificate ends up in multi.der.
multi.der : vendor.der fedora.der
	cat $+ > $@

# Build shim in its own tree.  The three variables are consumed by
# shim's Makefile (not shown here); absolute paths are used because the
# sub-make runs inside shim/.
shim/shimx64.efi : multi.der ProxyLoader.efi
	$(MAKE) -C shim \
	    VENDOR_CERT_FILE=$(CURDIR)/multi.der \
	    PROXY_LOADER_FILE=$(CURDIR)/ProxyLoader.efi \
	    DEFAULT_LOADER=ipxe.efi

# Sign the built shim with the Secure Boot key pair.
shim.efi : shim/shimx64.efi secboot.key secboot.crt
	sbsign --cert $(word 3,$^) --key $(word 2,$^) --output $@ $<
#
# Build iPXE and sign with vendor key
#

# Delegate anything under ipxe/src/ to iPXE's own makefile, passing the
# path relative to that directory as the goal.  The rule has no
# prerequisites and is not phony, so an existing output file is never
# rebuilt from here.
ipxe/src/% :
	$(MAKE) --directory=ipxe/src $*

# Sign the iPXE binary with the vendor key pair (prerequisites 2 and 3).
ipxe.efi : ipxe/src/bin-x86_64-efi/ipxe.efi vendor.key vendor.crt
	sbsign --cert $(word 3,$^) --key $(word 2,$^) --output $@ $<
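#
# Sign UEFI shell with each key
#

# Where the prebuilt UEFI Shell is fetched from.  "master" is a moving
# ref, so the bytes served can change between runs.
UEFI_SHELL_URL ?= https://raw.githubusercontent.com/tianocore/edk2/master/ShellBinPkg/UefiShell/X64/Shell.efi

# Expected SHA-256 of Shell.efi, as lowercase hex.  Empty by default
# (no verification, as before); set it to the digest of a copy that has
# been verified out of band so that the binary about to be signed is the
# one that was reviewed.
UEFI_SHELL_SHA256 ?=

# Download the shell binary.
#  - --fail makes curl exit non-zero on an HTTP error instead of saving
#    the server's error page as Shell.efi.
#  - The download goes to a temporary name and is renamed only after the
#    optional digest check, so Shell.efi never exists in a partial or
#    unverified state for the signing rule below to pick up.
Shell.efi :
	curl --fail --output $@.tmp '$(UEFI_SHELL_URL)' \
	    || { rm -f $@.tmp ; exit 1 ; }
	if [ -n '$(strip $(UEFI_SHELL_SHA256))' ] ; then \
	    echo '$(strip $(UEFI_SHELL_SHA256))  $@.tmp' | sha256sum --check - ; \
	else \
	    echo 'warning: UEFI_SHELL_SHA256 is not set; $@ is not integrity-checked' >&2 ; \
	fi || { rm -f $@.tmp ; exit 1 ; }
	mv -f $@.tmp $@

# Sign the shell with the key pair named by the stem (secboot or
# vendor).  The result is accepted by any firmware or shim that trusts
# the corresponding certificate.
Shell.%.efi : Shell.efi %.key %.crt
	sbsign --key $*.key --cert $*.crt --output $@ $<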
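#
# Cleanup
#

# "clean" names a command, not a file; without this declaration a file
# called "clean" in the directory would turn the target into a no-op.
.PHONY : clean

# Remove build products, including the generated private keys
# (secboot.* and vendor.* cover the .key, .crt, .der, .siglist and .db
# files for those stems).
# NOTE(review): "*.der" also matches fedora.der, which no rule in this
# file creates explicitly.  If that file is a checked-in certificate it
# has to be restored after "make clean"; otherwise the pattern rules
# will generate a replacement key and certificate under that name.
clean :
	$(MAKE) -C shim clean
	rm -f secboot.* vendor.*
	rm -f *.der *.siglist *.sb
	rm -f *.efi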