#!/usr/bin/make -f

include /usr/share/dpkg/architecture.mk

# Other vendors, add your certs here.  No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
	cert=debian/canonical-uefi-ca.der
	distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
	cert=debian/debian-uefi-ca.der
	distributor=debian
endif

DBX_LIST = dbx.esl
DBX_HASHES = debian/$(distributor)-dbx.hashes

include /usr/share/dpkg/architecture.mk

ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
endif
ifeq ($(DEB_HOST_ARCH),arm64)
export EFI_ARCH := aa64
endif
ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif

COMMON_OPTIONS += \
	RELEASE=15 \
	COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
	MAKELEVEL=0 \
	EFI_PATH=/usr/lib \
	ENABLE_HTTPBOOT=true \
	VENDOR_CERT_FILE=$(cert) \
	VENDOR_DBX_FILE=$(DBX_LIST) \
	EFIDIR=$(distributor) \
	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
	CC=$(DEB_HOST_GNU_TYPE)-gcc-9 \
	$(NULL)

$(DBX_LIST): $(DBX_HASHES)
	rm -f $@
	set -e; \
	for HASH in $$(grep -E [[:xdigit:]]{32} $< | sort | uniq); do \
            echo efisiglist -o $@ -a -h $$HASH; \
            efisiglist -o $@ -a -h $$HASH; \
        done
	# Support an empty $(DBX_HASHES)
	touch $@

%:
	dh $@

override_dh_auto_clean:
	dh_auto_clean -- MAKELEVEL=0
	rm -f $(DBX_LIST)

override_dh_auto_build: $(DBX_LIST)
	dh_auto_build -- $(COMMON_OPTIONS)

override_dh_auto_install:
	dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
	./debian/signing-template.generate