author | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:28:06 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:32:44 -0800 |
commit | ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch) | |
tree | 6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Makefile | |
parent | 0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff) | |
parent | 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff) | |
download | efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz efi-boot-shim-debian/15+1533136590.3beb971-1.zip |
* New upstream release.debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 309 |
1 files changed, 175 insertions, 134 deletions
@@ -1,197 +1,235 @@ -VERSION = 0.9 -RELEASE := -ifneq ($(RELEASE),"") - RELEASE:="-$(RELEASE)" +default : all + +NAME = shim +VERSION = 15 +ifneq ($(origin RELEASE),undefined) +DASHRELEASE ?= -$(RELEASE) +else +DASHRELEASE ?= endif -CC = $(CROSS_COMPILE)gcc -LD = $(CROSS_COMPILE)ld -OBJCOPY = $(CROSS_COMPILE)objcopy - -ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) -OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) - -SUBDIRS = Cryptlib lib - -EFI_INCLUDE := /usr/include/efi -EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include - -LIB_GCC = $(shell $(CC) -print-libgcc-file-name) -EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) - -EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o -EFI_LDS = elf_$(ARCH)_efi.lds - -DEFAULT_LOADER := \\\\grub.efi -CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare -ffreestanding -std=gnu89 \ - -I$(shell $(CC) -print-file-name=include) \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ - $(EFI_INCLUDES) -SHIMNAME = shim -MMNAME = MokManager -FBNAME = fallback - -ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) - CFLAGS += -DOVERRIDE_SECURITY_POLICY +ifeq ($(MAKELEVEL),0) +TOPDIR ?= $(shell pwd) endif - -ifneq ($(origin ENABLE_HTTPBOOT), undefined) - CFLAGS += -DENABLE_HTTPBOOT -endif - -ifeq ($(ARCH),x86_64) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ - -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ - -DNO_BUILTIN_VA_FUNCS \ - -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" - MMNAME = mmx64 - 
FBNAME = fbx64 - SHIMNAME= shimx64 - EFI_PATH:=/usr/lib64/gnuefi - LIB_PATH:=/usr/lib64 - -endif -ifeq ($(ARCH),ia32) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ - -maccumulate-outgoing-args -m32 \ - -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" - MMNAME = mmia32 - FBNAME = fbia32 - SHIMNAME= shimia32 - EFI_PATH:=/usr/lib/gnuefi - LIB_PATH:=/usr/lib -endif -ifeq ($(ARCH),aarch64) - CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\"" - MMNAME = mmaa64 - FBNAME = fbaa64 - SHIMNAME= shimaa64 - EFI_PATH:=/usr/lib64/gnuefi - LIB_PATH:=/usr/lib64 -endif - -ifneq ($(origin VENDOR_CERT_FILE), undefined) - CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" -endif -ifneq ($(origin VENDOR_DBX_FILE), undefined) - CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" -endif - -LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 - -TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed -OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o +ifeq ($(TOPDIR),) +override TOPDIR := $(shell pwd) +endif +override TOPDIR := $(abspath $(TOPDIR)) +VPATH = $(TOPDIR) + +include $(TOPDIR)/Make.defaults +include $(TOPDIR)/Make.rules +include $(TOPDIR)/Make.coverity +include $(TOPDIR)/Make.scan-build + +TARGETS = $(SHIMNAME) +TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug +ifneq ($(origin ENABLE_SHIM_HASH),undefined) +TARGETS += $(SHIMHASHNAME) +endif +ifneq ($(origin ENABLE_SHIM_CERT),undefined) +TARGETS += $(MMNAME).signed $(FBNAME).signed +CFLAGS += -DENABLE_SHIM_CERT +else +TARGETS += $(MMNAME) $(FBNAME) +endif +OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 
shim.pem shim.key shim.cer -SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h +ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h) MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o -MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h -FALLBACK_OBJS = fallback.o -FALLBACK_SRCS = fallback.c +ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h) +FALLBACK_OBJS = fallback.o tpm.o errlog.o +ORIG_FALLBACK_SRCS = fallback.c ifneq ($(origin ENABLE_HTTPBOOT), undefined) OBJS += httpboot.o - SOURCES += httpboot.c httpboot.h + SOURCES += httpboot.c include/httpboot.h endif -all: $(TARGET) +SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c +MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source)) +FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) + +all: $(TARGETS) shim.crt: - ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null + $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null shim.cer: shim.crt - openssl x509 -outform der -in $< -out $@ + $(OPENSSL) x509 -outform der -in $< -out $@ +.NOTPARALLEL: shim_cert.h shim_cert.h: shim.cer - echo "static UINT8 shim_cert[] = {" > $@ - hexdump -v -e '1/1 "0x%02x, "' $< >> $@ + echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@ + $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@ echo "};" >> $@ -version.c : version.c.in +version.c : $(TOPDIR)/version.c.in sed -e "s,@@VERSION@@,$(VERSION)," \ - -e "s,@@UNAME@@,$(shell uname -a)," \ - -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ - < version.c.in > version.c + -e 
"s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \ + -e "s,@@COMMIT@@,$(COMMIT_ID)," \ + < $< > $@ certdb/secmod.db: shim.crt -mkdir certdb - pk12util -d certdb/ -i shim.p12 -W "" -K "" - certutil -d certdb/ -A -i shim.crt -n shim -t u + $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K "" + $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u -shim.o: $(SOURCES) shim_cert.h -shim.o: $(wildcard *.h) +shim.o: $(SOURCES) +ifneq ($(origin ENABLE_SHIM_CERT),undefined) +shim.o: shim_cert.h +endif +shim.o: $(wildcard $(TOPDIR)/*.h) -cert.o : cert.S +cert.o : $(TOPDIR)/cert.S $(CC) $(CFLAGS) -c -o $@ $< -$(SHIMNAME).so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +$(SHIMNAME) : $(SHIMSONAME) +$(MMNAME) : $(MMSONAME) +$(FBNAME) : $(FBSONAME) + +$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) -$(FBNAME).so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) -$(MMNAME).so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: - $(MAKE) -C Cryptlib + mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall} + $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile Cryptlib/OpenSSL/libopenssl.a: - $(MAKE) -C Cryptlib/OpenSSL + mkdir -p Cryptlib/OpenSSL/crypto/{x509v3,x509,txt_db,stack,sha,rsa,rc4,rand,pkcs7,pkcs12,pem,ocsp,objects,modes,md5,lhash,kdf,hmac,evp,err,dso,dh,conf,comp,cmac,buffer,bn,bio,async{,/arch},asn1,aes}/ + $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f 
$(TOPDIR)/Cryptlib/OpenSSL/Makefile -lib/lib.a: - $(MAKE) CFLAGS="$(CFLAGS)" -C lib +lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) + if [ ! -d lib ]; then mkdir lib ; fi + $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a -ifeq ($(ARCH),aarch64) -FORMAT := -O binary -SUBSYSTEM := 0xa -LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +buildid : $(TOPDIR)/buildid.c + $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf + +$(BOOTCSVNAME) : + @echo Making $@ + @echo "$(SHIMNAME),$(OSLABEL),,This is the boot entry for $(OSLABEL)" | iconv -t UCS-2LE > $@ + +install-check : +ifeq ($(origin LIBDIR),undefined) + $(error Architecture $(ARCH) is not a supported build target.) +endif +ifeq ($(origin EFIDIR),undefined) + $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name) endif -ifeq ($(ARCH),arm) -FORMAT := -O binary -SUBSYSTEM := 0xa -LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +install-deps : $(TARGETS) +install-deps : $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug buildid +install-deps : $(BOOTCSVNAME) + +install-debugsource : install-deps + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE) + find $(TOPDIR) -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \ + outfile=$$(echo $${file} | sed -e "s,^$(TOPDIR),,") ; \ + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$$(dirname $${outfile}) ; \ + $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGSOURCE)/$(PKGNAME)-$(VERSION)$(DASHRELEASE)/$${outfile} ; \ + done + +install-debuginfo : install-deps + $(INSTALL) -d -m 0755 $(DESTDIR)/ + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR)/ + @./buildid $(wildcard *.efi.debug) | while read file buildid ; do \ + first=$$(echo $${buildid} | cut -b -2) ; \ + rest=$$(echo $${buildid} | cut -b 3-) ; \ + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/ 
;\ + $(INSTALL) -m 0644 $${file} $(DESTDIR)/$(DEBUGINFO)$(TARGETDIR) ; \ + ln -s ../../../../..$(DEBUGINFO)$(TARGETDIR)$${file} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest}.debug ;\ + ln -s ../../../.build-id/$${first}/$${rest} $(DESTDIR)/$(DEBUGINFO).build-id/$${first}/$${rest} ;\ + done + +install : | install-check +install : install-deps install-debuginfo install-debugsource + $(INSTALL) -d -m 0755 $(DESTDIR)/ + $(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/ + $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/ +ifneq ($(origin ENABLE_SHIM_CERT),undefined) + $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME) + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME) +else + $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/ + $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/ + $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/ endif -FORMAT ?= --target efi-app-$(ARCH) +install-as-data : install-deps + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/ +ifneq ($(origin ENABLE_SHIM_HASH),undefined) + $(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/ +endif +ifneq ($(origin ENABLE_SHIM_CERT),undefined) + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) +else + $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) +endif %.efi: %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) endif - $(OBJCOPY) -j .text -j .sdata -j .data \ - -j .dynamic 
-j .dynsym -j .rel* \ + $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \ + -j .dynamic -j .dynsym -j .rel* \ -j .rela* -j .reloc -j .eh_frame \ -j .vendor_cert \ - $(FORMAT) $^ $@ + $(FORMAT) $^ $@ + +ifneq ($(origin ENABLE_SHIM_HASH),undefined) +%.hash : %.efi + $(PESIGN) -i $< -P -h > $@ +endif + +%.efi.debug : %.so +ifneq ($(OBJCOPY_GTE224),1) + $(error objcopy >= 2.24 is required) +endif $(OBJCOPY) -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel* \ + -j .dynamic -j .dynsym -j .rel* \ -j .rela* -j .reloc -j .eh_frame \ -j .debug_info -j .debug_abbrev -j .debug_aranges \ -j .debug_line -j .debug_str -j .debug_ranges \ -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug + $^ $@ +ifneq ($(origin ENABLE_SBSIGN),undefined) +%.efi.signed: %.efi shim.key shim.crt + $(SBSIGN) --key shim.key --cert shim.crt --output $@ $< +else %.efi.signed: %.efi certdb/secmod.db - pesign -n certdb -i $< -c "shim" -s -o $@ -f + $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f +endif + +clean-shim-objs: + $(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean + @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME) + @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid + @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa] + @git clean -f -d -e 'Cryptlib/OpenSSL/*' -clean: - $(MAKE) -C Cryptlib clean - $(MAKE) -C Cryptlib/OpenSSL clean - $(MAKE) -C lib clean - rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb - rm -f *.debug *.so *.efi *.tar.* version.c +clean: clean-shim-objs + $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean + $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean GITTAG = $(VERSION) @@ -208,6 +246,7 @@ test-archive: tag: git tag --sign $(GITTAG) refs/heads/master + git tag -f latest-release $(GITTAG) archive: tag @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp 
@@ -219,4 +258,6 @@ archive: tag
@rm -rf /tmp/shim-$(VERSION)
@echo "The archive is in shim-$(VERSION).tar.bz2"
+.PHONY : install-deps shim.key
+
export ARCH CC LD OBJCOPY EFI_INCLUDE |
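Review bot: `shim.key` is a real file written by the make-certs step behind the `shim.crt` rule, so declaring it in `.PHONY` makes every `%.efi.signed` target (which lists `shim.key` as a prerequisite) out of date on each invocation and re-signs MokManager and fallback even when nothing changed, while a missing `shim.key` is never regenerated because no rule produces it directly. If forcing a re-sign against the current ephemeral key on every run is the intent, say so on the line: `.PHONY : install-deps shim.key  # shim.key is phony on purpose: always re-sign with the current build key`; otherwise drop it from the list and let the `shim.crt` rule's outputs drive the rebuild.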