#!/usr/bin/make -f

include /usr/share/dpkg/architecture.mk

# Other vendors, add your certs here.  No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
	cert=debian/canonical-uefi-ca.der
	distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
	cert=debian/debian-uefi-ca.der
	distributor=debian
endif

deb_version             := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
upstream_version        := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
plain_upstream_version  := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")

DBX_LIST = dbx.esl
DBX_HASHES = debian/$(distributor)-dbx.hashes
SBAT_IN = debian/sbat.$(distributor).csv.in
SBAT_DATA = data/sbat.$(distributor).csv

include /usr/share/dpkg/architecture.mk

ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
endif
ifeq ($(DEB_HOST_ARCH),arm64)
export EFI_ARCH := aa64
endif
ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif

COMMON_OPTIONS += \
	RELEASE=$(plain_upstream_version) \
	COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
	MAKELEVEL=0 \
	ENABLE_HTTPBOOT=true \
	VENDOR_CERT_FILE=$(cert) \
	VENDOR_DBX_FILE=$(DBX_LIST) \
	EFIDIR=$(distributor) \
	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
	CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
	$(NULL)

# Force shim to use the latest revocations by default to block some
# older grub / peimage issues. This is:
# "shim,4\ngrub,4\ngrub.peimage,2\n"
COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900

$(DBX_LIST): $(DBX_HASHES)
	./debian/generate_dbx_list $(EFI_ARCH) $< $@

$(SBAT_DATA): $(SBAT_IN)
	rm -f $@
	set -e; \
	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
		-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
		< $(SBAT_IN) > $(SBAT_DATA)
	# If we have an empty $(SBAT_DATA), delete
	if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi

%:
	dh $@

override_dh_auto_clean:
	dh_auto_clean -- MAKELEVEL=0
	rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv BOOT*.CSV
	rm -f test-csv test-sbat test-str test-load-options
	rm -f test-mock-variables test-mok-mirror test-pe-relocate test-pe-util

override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
	dh_auto_build -- INSTALL=install $(COMMON_OPTIONS)

override_dh_auto_test: $(DBX_LIST) $(SBAT_DATA)
	dh_auto_test -- INSTALL=install $(COMMON_OPTIONS)

override_dh_auto_install:
	dh_auto_install --destdir=debian/tmp -- INSTALL=install $(COMMON_OPTIONS)
	# Remove the copy of the source that's installed - we have git
	# already...
	rm -rf debian/tmp/usr
	# And remove the extra removable-media copy of shim too, it's
	# not needed for our build and causes debhelper to complain
	rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI

	install -m 644 $(cert) debian/shim-unsigned/usr/share/shim

	# Generate the template packages that we'll use for SB signing later
	./debian/signing-template.generate

	# Log some useful things about the build here
	./debian/check_nx shim*.efi
	sha256sum *.efi

generate-gnu-efi:
	git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
		> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz