# Recipes below use bash brace expansion (e.g. {PK,KEK,db}.cer), so bash is
# required rather than a plain POSIX sh.
SHELL = /bin/bash

# Directory make was started in; every default path below hangs off it.
SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH)

# Binaries that inject-bins copies into the image staging tree.
BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper

# Secure Boot key material that inject-certs reads from.
PKI ?= $(BASE_PATH)/pki

# Staging tree filled by inject-bins / inject-certs and wiped by clean.
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra

# Handed to mkosi as --image-version.
IMAGE_VERSION ?= v0.0.0

# Optional local settings. Included after the defaults above, so a plain
# assignment in config.mk replaces them. Treat config.mk as trusted input:
# it can redirect which binaries and keys end up inside the image.
-include $(CURDIR)/config.mk
# One buildable image per name; each is also a phony command-line target.
csps := aws qemu gcp azure

# Public Secure Boot certificates that must exist before inject-certs runs.
certs := $(addprefix $(PKI)/,PK.cer KEK.cer db.cer)

# Kernel packages pinned to one exact build. The variable name suggests the
# pin exists for GCP (TODO confirm), but inject-bins depends on these files,
# so they are fetched for every CSP build.
GCP_FIXED_KERNEL_RPMS := \
    kernel-5.19.17-300.fc37.x86_64.rpm \
    kernel-core-5.19.17-300.fc37.x86_64.rpm \
    kernel-modules-5.19.17-300.fc37.x86_64.rpm

# Local download location of each pinned RPM.
PREBUILT_RPMS := $(patsubst %,prebuilt/rpms/%,$(GCP_FIXED_KERNEL_RPMS))
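# Command-style targets that never correspond to a file. inject-certs and
# clean-cache are listed too, so a stray file with either name cannot make
# the target look up to date and silently skip its recipe.
# (clean-% is a pattern rule and cannot be declared phony.)
.PHONY: all clean clean-cache inject-bins inject-certs $(csps)

# Default goal: build the image for every CSP.
all: $(csps)

# Static pattern rule: `make gcp` is shorthand for building that CSP's raw image.
$(csps): %: mkosi.output.%/fedora~37/image.raw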
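# Fetch one pinned kernel RPM from Fedora's Koji package server.
# $* is the RPM file name without the ".rpm" suffix. The rule has no
# prerequisites, so a file that already exists is never fetched again.
#
# -f makes an HTTP error fail the recipe instead of saving the error page as
# the .rpm; -S prints the error despite -s. The download goes to a temporary
# name and is renamed only on success, so a failed or interrupted transfer
# cannot leave a truncated file that later runs treat as up to date.
# --proto/--proto-redir refuse a redirect away from HTTPS.
#
# NOTE(review): integrity still rests on TLS to the package server alone. No
# digest or RPM signature is checked here before inject-bins accepts the file.
# TODO: pin a SHA-256 digest per RPM and verify it before the final rename.
prebuilt/rpms/%.rpm:
	@echo "Downloading $*"
	@mkdir -p $(@D)
	@curl -fsSL --proto '=https' --proto-redir '=https' -o $@.tmp \
		https://kojipkgs.fedoraproject.org/packages/kernel/5.19.17/300.fc37/x86_64/$*.rpm \
		|| { rm -f $@.tmp; exit 1; }
	@mv -f $@.tmp $@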
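# Build the raw image for one CSP ($* is the CSP name), then run
# secure-boot/signed-shim.sh on the result.
#
# inject-bins is phony and inject-certs never produces a file of that name,
# so this recipe runs on every invocation even if image.raw already exists.
#
# When make runs under sudo, the output tree is handed back to the invoking
# user. The -n tests are quoted on purpose: unquoted, an empty SUDO_UID or
# SUDO_GID collapses to `[ -n ]`, which is true, and chown would be called
# with an empty owner spec.
mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
	mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) build
	secure-boot/signed-shim.sh $@
	@if [ -n "$(SUDO_UID)" ] && [ -n "$(SUDO_GID)" ]; then \
		chown -R "$(SUDO_UID):$(SUDO_GID)" mkosi.output.$*; \
	fi
	@echo "Image is ready: $@"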
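# Stage the bootstrapper and disk-mapper binaries into the mkosi.extra tree.
# Depends on the pinned kernel RPMs so they are downloaded first.
#
# The guard matters because an empty MKOSI_EXTRA (e.g. from config.mk or the
# environment) would turn the destinations into the host's own /usr/bin and
# /usr/sbin. The image build handles SUDO_UID, so this may well run as root.
# Paths are quoted so a directory name containing spaces stays one argument.
inject-bins: $(PREBUILT_RPMS)
	@test -n "$(strip $(MKOSI_EXTRA))" || { echo "MKOSI_EXTRA is empty; refusing to copy into the host /usr" >&2; exit 1; }
	mkdir -p "$(MKOSI_EXTRA)/usr/bin" "$(MKOSI_EXTRA)/usr/sbin"
	cp "$(BOOTSTRAPPER_BINARY)" "$(MKOSI_EXTRA)/usr/bin/bootstrapper"
	cp "$(DISK_MAPPER_BINARY)" "$(MKOSI_EXTRA)/usr/sbin/disk-mapper"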
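# Stage Secure Boot enrollment material into the mkosi.extra tree.
#
# Only the three .cer files are prerequisites. The .crt, .esl and .auth files
# are copied as well, so cp fails the recipe if any of them is missing.
# Files are copied by explicit name, never with a wildcard over $(PKI), so
# nothing else stored in that directory is pulled into the image. Keep it that
# way if private keys live next to these files.
#
# The guard refuses an empty MKOSI_EXTRA, which would otherwise point the
# copies at the host's own /boot and /etc/secureboot.
# Brace lists sit outside the quotes so bash still expands them.
inject-certs: $(certs)
	@test -n "$(strip $(MKOSI_EXTRA))" || { echo "MKOSI_EXTRA is empty; refusing to copy into the host /boot and /etc" >&2; exit 1; }
	# for auto enrollment using systemd-boot (not working yet)
	mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp "$(PKI)"/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp "$(PKI)"/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp "$(PKI)"/{PK,KEK,db}.esl "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp "$(PKI)"/{PK,KEK,db}.auth "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	# for manual enrollment using sbkeysync
	mkdir -p "$(MKOSI_EXTRA)"/etc/secureboot/keys/{db,dbx,KEK,PK}
	cp "$(PKI)/db.auth" "$(MKOSI_EXTRA)/etc/secureboot/keys/db/"
	cp "$(PKI)/KEK.auth" "$(MKOSI_EXTRA)/etc/secureboot/keys/KEK/"
	cp "$(PKI)/PK.auth" "$(MKOSI_EXTRA)/etc/secureboot/keys/PK/"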
# Empty the mkosi cache directory but keep the directory itself.
# As an explicit rule this takes precedence over the clean-% pattern rule.
clean-cache:
	rm -r -f mkosi.cache/*
# `make clean-<csp>`: run mkosi's own clean step with that CSP's config file.
# The CSP name is whatever follows "clean-" in the target.
clean-%:
	mkosi --config mkosi.files/mkosi.$(patsubst clean-%,%,$@).conf clean
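# Remove every mkosi.output.* tree and reset the staging tree to an empty
# directory.
#
# MKOSI_EXTRA can be overridden from config.mk, the environment or the command
# line, and it is passed to `rm -rf`. An empty value is therefore rejected up
# front, and the path is quoted so a value containing spaces cannot expand
# into several rm arguments.
# NOTE(review): a non-empty but wrong MKOSI_EXTRA is still deleted as given.
clean:
	@test -n "$(strip $(MKOSI_EXTRA))" || { echo "MKOSI_EXTRA is empty; refusing to clean" >&2; exit 1; }
	rm -rf mkosi.output.*
	rm -rf "$(MKOSI_EXTRA)"
	mkdir -p "$(MKOSI_EXTRA)"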