authorSteve McIntyre <steve@einval.com>2021-03-23 23:49:46 +0000
committerSteve McIntyre <steve@einval.com>2021-03-23 23:49:46 +0000
commit031e5cce385d3f96b1caa1d53495332a7eb03749 (patch)
treeb4988dfbd191b2242b9294e24075b39a608b1155 /Makefile
parent7bf7a6d0852382bb645119b18df3ff461aaba247 (diff)
New upstream version 15.3upstream/15.3
Diffstat (limited to 'Makefile')
-rw-r--r--Makefile166
1 files changed, 113 insertions, 53 deletions
diff --git a/Makefile b/Makefile
index 115e7f08..e349c6f9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
default : all
NAME = shim
-VERSION = 15
+VERSION = 15.3
ifneq ($(origin RELEASE),undefined)
DASHRELEASE ?= -$(RELEASE)
else
@@ -16,41 +16,64 @@ override TOPDIR := $(shell pwd)
endif
override TOPDIR := $(abspath $(TOPDIR))
VPATH = $(TOPDIR)
+export TOPDIR
-include $(TOPDIR)/Make.defaults
include $(TOPDIR)/Make.rules
-include $(TOPDIR)/Make.coverity
-include $(TOPDIR)/Make.scan-build
+include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/include/coverity.mk
+include $(TOPDIR)/include/scan-build.mk
+include $(TOPDIR)/include/fanalyzer.mk
TARGETS = $(SHIMNAME)
TARGETS += $(SHIMNAME).debug $(MMNAME).debug $(FBNAME).debug
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
TARGETS += $(SHIMHASHNAME)
endif
+ifneq ($(origin ENABLE_SHIM_DEVEL),undefined)
+CFLAGS += -DENABLE_SHIM_DEVEL
+endif
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
TARGETS += $(MMNAME).signed $(FBNAME).signed
CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
-OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
+OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-FALLBACK_OBJS = fallback.o tpm.o errlog.o
+FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
ORIG_FALLBACK_SRCS = fallback.c
+SBATPATH = data/sbat.csv
-ifneq ($(origin ENABLE_HTTPBOOT), undefined)
- OBJS += httpboot.o
- SOURCES += httpboot.c include/httpboot.h
+ifeq ($(SOURCE_DATE_EPOCH),)
+ UNAME=$(shell uname -s -m -p -i -o)
+else
+ UNAME=buildhost
endif
SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
-all: $(TARGETS)
+ifneq ($(origin FALLBACK_VERBOSE), undefined)
+ CFLAGS += -DFALLBACK_VERBOSE
+endif
+
+ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
+ CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
+endif
+
+all: confcheck $(TARGETS)
+
+confcheck:
+ifneq ($(origin EFI_PATH),undefined)
+ $(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
+endif
+
+update :
+ git submodule update --init --recursive
shim.crt:
$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
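Review bot: `confcheck` and `update` are added as command-style targets, but no `.PHONY` declaration for them is visible in this diff (the ones shown cover only `test`, the `test-*` names, `install-deps` and `shim.key`). Without it, a file named `confcheck` in the build directory makes the target up to date, its recipe is never expanded, and the `EFI_PATH` rejection is silently skipped. I would add `.PHONY : confcheck update` next to the rules. Because the check hangs off `all`, building a single target by name also bypasses it; since the `ifneq` is already evaluated at parse time, the `$(error ...)` could sit at top level instead of inside a recipe.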
@@ -66,7 +89,7 @@ shim_cert.h: shim.cer
version.c : $(TOPDIR)/version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
+ -e "s,@@UNAME@@,$(UNAME)," \
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
< $< > $@
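Review bot: `version.c` still depends only on `$(TOPDIR)/version.c.in`, so the value substituted for `@@UNAME@@` is whatever was in effect when the file was last generated. A tree first built without `SOURCE_DATE_EPOCH` keeps the host's `uname` output in `version.c` when it is later rebuilt with the variable set, which undoes the reproducibility change unless the build starts clean. A comment on the rule such as `# regenerated only when version.c.in changes; start from 'make clean' for a reproducible build` would make that explicit.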
@@ -84,37 +107,63 @@ shim.o: $(wildcard $(TOPDIR)/*.h)
cert.o : $(TOPDIR)/cert.S
$(CC) $(CFLAGS) -c -o $@ $<
+sbat.%.csv : data/sbat.%.csv
+ $(DOS2UNIX) $(D2UFLAGS) $< $@
+ tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
+
+VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+ $(CC) $(CFLAGS) -x c -c -o $@ $<
+ $(OBJCOPY) --add-section .sbat=$(SBATPATH) \
+ --set-section-flags .sbat=contents,alloc,load,readonly,data \
+ $@
+ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
+
$(SHIMNAME) : $(SHIMSONAME)
$(MMNAME) : $(MMSONAME)
$(FBNAME) : $(FBSONAME)
-$(SHIMSONAME): $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
- $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+LIBS = Cryptlib/libcryptlib.a \
+ Cryptlib/OpenSSL/libopenssl.a \
+ lib/lib.a \
+ gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
+ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
+
+$(SHIMSONAME): $(OBJS) $(LIBS)
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
fallback.o: $(FALLBACK_SRCS)
-$(FBSONAME): $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
- $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+$(FBSONAME): $(FALLBACK_OBJS) $(LIBS)
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
MokManager.o: $(MOK_SOURCES)
-$(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+$(MMSONAME): $(MOK_OBJS) $(LIBS)
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
+gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
+gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
+ $(MAKE) -C gnu-efi \
+ ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+ lib gnuefi inc
+
Cryptlib/libcryptlib.a:
- mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
- $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+ for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
+ $(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
Cryptlib/OpenSSL/libopenssl.a:
- mkdir -p Cryptlib/OpenSSL/crypto/{x509v3,x509,txt_db,stack,sha,rsa,rc4,rand,pkcs7,pkcs12,pem,ocsp,objects,modes,md5,lhash,kdf,hmac,evp,err,dso,dh,conf,comp,cmac,buffer,bn,bio,async{,/arch},asn1,aes}/
- $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+ for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
+ $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
if [ ! -d lib ]; then mkdir lib ; fi
- $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a
+ $(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a
buildid : $(TOPDIR)/buildid.c
- $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
+ $(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
$(BOOTCSVNAME) :
@echo Making $@
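Review bot: `sbat_data.o` lists `$(SBATPATH)` and `$(VENDOR_SBATS)` after `|`, so they are order-only prerequisites: editing `data/sbat.csv` or a vendor `sbat.*.csv` does not by itself mark the object out of date, and an incremental build can embed a `.sbat` section taken from an older revision of the data. Since that section is copied into the `.efi` images that are later signed, I would make the CSV files normal prerequisites while keeping `/dev/null` first so `$<` is unchanged: `sbat_data.o : /dev/null $(SBATPATH) $(VENDOR_SBATS)`. `add-vendor-sbat` is defined outside this diff, so whether it has further inputs cannot be checked from here.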
@@ -189,11 +238,13 @@ endif
ifneq ($(OBJCOPY_GTE224),1)
$(error objcopy >= 2.24 is required)
endif
- $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
+ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
-j .dynamic -j .dynsym -j .rel* \
-j .rela* -j .reloc -j .eh_frame \
- -j .vendor_cert \
- $(FORMAT) $^ $@
+ -j .vendor_cert -j .sbat \
+ $(FORMAT) $< $@
+ # I am tired of wasting my time fighting binutils timestamp code.
+ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
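Review bot: The added `dd` line overwrites four bytes of `$@` at `$(TIMESTAMP_LOCATION)`, a variable defined outside this diff, and the only comment on it does not say which field that offset is meant to hit. Because `conv=notrunc` patches the output in place, a wrong per-architecture offset would alter the image without failing the build. I would replace the comment with one that states the intent, for example `# zero the 4-byte timestamp field at TIMESTAMP_LOCATION so repeated builds are byte-identical`, and say where the offset is derived. The rule this recipe belongs to starts outside the hunk.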
@@ -204,60 +255,69 @@ endif
ifneq ($(OBJCOPY_GTE224),1)
$(error objcopy >= 2.24 is required)
endif
- $(OBJCOPY) -j .text -j .sdata -j .data \
+ $(OBJCOPY) -D -j .text -j .sdata -j .data \
-j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .rela* -j .reloc -j .eh_frame -j .sbat \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
-j .note.gnu.build-id \
- $^ $@
+ $< $@
ifneq ($(origin ENABLE_SBSIGN),undefined)
%.efi.signed: %.efi shim.key shim.crt
- $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
+ @$(SBSIGN) \
+ --key shim.key \
+ --cert shim.crt \
+ --output $@ $<
else
%.efi.signed: %.efi certdb/secmod.db
$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
endif
+test :
+ @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+
+$(patsubst %.c,%,$(wildcard test-*.c)) :
+ @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+
+.PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
+
+clean-test-objs:
+ @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+
+clean-gnu-efi:
+ $(MAKE) -C gnu-efi \
+ ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+ clean
+
clean-shim-objs:
$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
- @git clean -f -d -e 'Cryptlib/OpenSSL/*'
+ @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
-clean: clean-shim-objs
- $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+clean-openssl-objs:
$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
+clean-cryptlib-objs:
+ $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+
+clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs
+
GITTAG = $(VERSION)
test-archive:
- @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
- @mkdir -p /tmp/shim-$(VERSION)-tmp
- @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
- @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
- @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
- @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
- @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
- @rm -rf /tmp/shim-$(VERSION)
- @echo "The archive is in shim-$(VERSION).tar.bz2"
+ @./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --test "$(VERSION)"
tag:
- git tag --sign $(GITTAG) refs/heads/master
+ git tag --sign $(GITTAG) refs/heads/main
git tag -f latest-release $(GITTAG)
archive: tag
- @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
- @mkdir -p /tmp/shim-$(VERSION)-tmp
- @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
- @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
- @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
- @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
- @rm -rf /tmp/shim-$(VERSION)
- @echo "The archive is in shim-$(VERSION).tar.bz2"
+ @./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
.PHONY : install-deps shim.key
-export ARCH CC LD OBJCOPY EFI_INCLUDE
+export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
+export FEATUREFLAGS WARNFLAGS WERRFLAGS
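Review bot: The new `test`, `test-*` and `clean-test-objs` recipes call a literal `make -f include/test.mk ...`, while `clean-gnu-efi` in the same hunk uses `$(MAKE)`. A literal `make` does not inherit the jobserver or `-n`, and it may resolve to a different make binary than the one running the build; `@$(MAKE) -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all` keeps the behaviour consistent. Separately, the `@` now placed in front of `$(SBSIGN)` removes the signing command, including which key and certificate were used, from the build log; I would drop the `@` so the signing step stays visible.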