| author | Steve Langasek <steve.langasek@canonical.com> | 2013-09-20 12:55:24 -0500 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@canonical.com> | 2013-09-20 12:55:24 -0500 |
| commit | 5a187fadda0e4b00eeebb7b43a04c16d983b8d37 (patch) | |
| tree | 319b86e298653eda862cba00ede0998a7189c594 | |
| parent | 4d21772d2a3a0c3d031c2b6d9c3c057bebbf1d45 (diff) | |
| download | efi-boot-shim-5a187fadda0e4b00eeebb7b43a04c16d983b8d37.tar.gz efi-boot-shim-5a187fadda0e4b00eeebb7b43a04c16d983b8d37.zip | |
Build with -Werror to catch future prototype mismatches.
| -rw-r--r-- | .pc/applied-patches | 1 | ||||
| -rw-r--r-- | .pc/build-with-Werror/Makefile | 132 | ||||
| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | debian/changelog | 1 | ||||
| -rw-r--r-- | debian/patches/build-with-Werror | 16 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
6 files changed, 152 insertions, 1 deletions
diff --git a/.pc/applied-patches b/.pc/applied-patches
index 6e35cc4f..8717a913 100644
--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -4,3 +4,4 @@ sbsigntool-not-pesign
 no-output-by-default.patch
 no-print-on-unsigned
 fix-tftp-prototype
+build-with-Werror
diff --git a/.pc/build-with-Werror/Makefile b/.pc/build-with-Werror/Makefile
new file mode 100644
index 00000000..f72f411c
--- /dev/null
+++ b/.pc/build-with-Werror/Makefile
@@ -0,0 +1,132 @@ +ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) + +SUBDIRS = Cryptlib + +LIB_PATH = /usr/lib64 + +EFI_INCLUDE = /usr/include/efi +EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol +EFI_PATH = /usr/lib64/gnuefi + +LIB_GCC = $(shell $(CC) -print-libgcc-file-name) +EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) + +EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o +EFI_LDS = elf_$(ARCH)_efi.lds + +CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \ + -mno-mmx -mno-sse \ + $(EFI_INCLUDES) +ifeq ($(ARCH),x86_64) + CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI +endif +ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" +endif +ifneq ($(origin VENDOR_DBX_FILE), undefined) + CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" +endif + +LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) + +VERSION = 0.4 + +TARGET = shim.efi MokManager.efi.signed fallback.efi.signed +OBJS = shim.o netboot.o cert.o dbx.o +KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key +SOURCES = shim.c shim.h netboot.c signature.h PeImage.h +MOK_OBJS = MokManager.o +MOK_SOURCES = MokManager.c shim.h +FALLBACK_OBJS = fallback.o +FALLBACK_SRCS = fallback.c + +all: $(TARGET) + +shim.crt: + ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null + +shim.cer: shim.crt + openssl x509 -outform der -in $< -out $@ + +shim_cert.h: shim.cer + echo "static UINT8 shim_cert[] = {" > $@ + hexdump -v -e '1/1 "0x%02x, "' $< >> $@ + echo "};" >> $@ + +certdb/secmod.db: shim.crt + -mkdir certdb + certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt + pk12util -d certdb/ -i shim.p12 -W "" -K 
"" + certutil -d certdb/ -A -i shim.crt -n shim -t u + +shim.o: $(SOURCES) shim_cert.h + +cert.o : cert.S + $(CC) $(CFLAGS) -c -o $@ $< + +dbx.o : dbx.S + $(CC) $(CFLAGS) -c -o $@ $< + +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +fallback.o: $(FALLBACK_SRCS) + +fallback.so: $(FALLBACK_OBJS) + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +MokManager.o: $(SOURCES) + +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +Cryptlib/libcryptlib.a: + $(MAKE) -C Cryptlib + +Cryptlib/OpenSSL/libopenssl.a: + $(MAKE) -C Cryptlib/OpenSSL + +%.efi: %.so + objcopy -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel \ + -j .rela -j .reloc -j .eh_frame \ + -j .vendor_cert \ + --target=efi-app-$(ARCH) $^ $@ + objcopy -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel \ + -j .rela -j .reloc -j .eh_frame \ + -j .debug_info -j .debug_abbrev -j .debug_aranges \ + -j .debug_line -j .debug_str -j .debug_ranges \ + --target=efi-app-$(ARCH) $^ $@.debug + +%.efi.signed: %.efi shim.crt + sbsign --key shim.key --cert shim.crt $< + +clean: + $(MAKE) -C Cryptlib clean + $(MAKE) -C Cryptlib/OpenSSL clean + rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb + rm -f *.debug *.so *.efi + +GITTAG = $(VERSION) + +test-archive: + @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +archive: + git tag $(GITTAG) refs/heads/master + @rm -rf /tmp/shim-$(VERSION) 
/tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2"
@@ -15,7 +15,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
 EFI_LDS = elf_$(ARCH)_efi.lds
 CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \
+ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
 -mno-mmx -mno-sse \
 $(EFI_INCLUDES)
 ifeq ($(ARCH),x86_64)
diff --git a/debian/changelog b/debian/changelog
index a32df9ce..8de51d79 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ shim (0.4-0ubuntu4) UNRELEASED; urgency=low
 * debian/patches/fix-tftp-prototype: pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE.
+ * Build with -Werror to catch future prototype mismatches.
 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 20 Sep 2013 14:43:23 +0000
diff --git a/debian/patches/build-with-Werror b/debian/patches/build-with-Werror
new file mode 100644
index 00000000..50992460
--- /dev/null
+++ b/debian/patches/build-with-Werror
@@ -0,0 +1,16 @@
+Description: Buiild with -Werror to catch future prototype mismatches.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+Index: shim/Makefile
+===================================================================
+--- shim.orig/Makefile
++++ shim/Makefile
+@@ -15,7 +15,7 @@
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+- -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \
++ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
+ -mno-mmx -mno-sse \
+ $(EFI_INCLUDES)
+ ifeq ($(ARCH),x86_64)
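Review bot: On the `+` line of the Makefile hunk, `-Werror` only promotes what `-Wall` already reports, and `-Wall` does not include `-Wstrict-prototypes` or `-Wmissing-prototypes`, so an unprototyped declaration such as `int f();` still compiles silently and calls through it are not argument-checked. If the aim is to keep prototype mismatches out of a signed boot binary, the line could read `-fshort-wchar -Wall -Wstrict-prototypes -Werror -mno-red-zone -maccumulate-outgoing-args \`, though existing declarations may need fixing first. The EFI headers are pulled in with `-I` under `-nostdinc` (see `EFI_INCLUDES` in the pre-patch Makefile copy), so they are presumably not treated as system headers, and a warning inside gnu-efi or one added to `-Wall` by a newer compiler will now fail the build. A short comment above `CFLAGS` saying why `-Werror` is set would help whoever hits that during a security rebuild. The `CFLAGS` assignment starts and ends outside the hunk's changed line, and the conditional `CFLAGS +=` blocks after it are not shown here.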
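Review bot: The `Description:` line of the new patch header in debian/patches/build-with-Werror misspells its first word as `Buiild`; it should read `Description: Build with -Werror to catch future prototype mismatches.`. The header also has no `Forwarded:` field, so the patch does not say whether the flag is meant to stay distribution-local or be sent upstream.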
diff --git a/debian/patches/series b/debian/patches/series
index 6e35cc4f..8717a913 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ sbsigntool-not-pesign
 no-output-by-default.patch
 no-print-on-unsigned
 fix-tftp-prototype
+build-with-Werror |
