Add a new [DETECT] mode for DB that reuses an existing cert if present #39
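# CI workflow: cross-builds the Mosby UEFI application with gcc and EDK2,
# and publishes a release archive when a tag is pushed.
name: Linux (gcc with EDK2)

# Runs on manual dispatch, on pushes to main, on any pushed tag, and on
# pull requests that target main.
on:
  # NOTE(review): `branches` is not a documented filter for
  # workflow_dispatch (only `inputs` is); it looks like it has no effect
  # here. Kept as in the original; confirm and drop.
  workflow_dispatch:
    branches: [main]
  push:
    branches: [main]
    tags:
      - '**'
  pull_request:
    branches: [main]

# Least privilege by default: without this the GITHUB_TOKEN scope falls
# back to the repository/organisation default, which may be read-write.
# A job that needs more must request it with its own job-level
# `permissions:` block, which overrides this one.
permissions:
  contents: read

# Toolchain settings shared by every job. The *_PREFIX values are the
# cross-compiler prefixes for the non-x86 targets.
env:
  BUILD_TYPE: RELEASE
  COMPILER: GCC5
  GCC5_ARM_PREFIX: arm-linux-gnueabi-
  GCC5_AARCH64_PREFIX: aarch64-linux-gnu-
  GCC5_RISCV64_PREFIX: riscv64-linux-gnu-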
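jobs:
  # Builds Mosby_<target>.efi for each architecture in the matrix and
  # uploads it as a per-target artifact.
  #
  # NOTE(review): every `uses:` in this file tracks a mutable tag
  # (`@v4`, `@v2`). Pinning each one to a full-length commit SHA, e.g.
  # `uses: owner/action@<full-commit-sha>  # v4`, keeps a re-tagged
  # upstream release from silently changing what runs here. This matters
  # most for the release action, which runs with `contents: write`.
  build:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        TARGET_TYPE: [ia32, x64, aa64, arm, riscv64]
        # Per-target EDK2 architecture name and extra apt packages.
        include:
          - TARGET_TYPE: x64
            TARGET_ARCH: X64
            TARGET_PKGS: nasm gcc-multilib
          - TARGET_TYPE: ia32
            TARGET_ARCH: IA32
            TARGET_PKGS: nasm gcc-multilib
          - TARGET_TYPE: aa64
            TARGET_ARCH: AARCH64
            TARGET_PKGS: gcc-aarch64-linux-gnu
          - TARGET_TYPE: arm
            TARGET_ARCH: ARM
            TARGET_PKGS: gcc-arm-linux-gnueabi
          - TARGET_TYPE: riscv64
            TARGET_ARCH: RISCV64
            TARGET_PKGS: gcc-riscv64-linux-gnu

    steps:
      # Full history (fetch-depth: 0) so that `git describe --tags` can
      # find the nearest tag.
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0

      - name: Set version
        id: set_version
        run: echo "version=$(git describe --tags)" >> "$GITHUB_OUTPUT"

      # The version string is derived from a git tag name. It is handed to
      # the script through an environment variable instead of being
      # expanded by `${{ }}` into the script text, so that shell
      # metacharacters in a tag name (a single quote, for instance) cannot
      # change the command that runs.
      - name: Create version.h file
        env:
          VERSION: ${{ steps.set_version.outputs.version }}
        run: |
          git update-index --skip-worktree src/version.h
          printf '#define VERSION_STRING L"%s"\n' "$VERSION" > src/version.h

      # matrix.TARGET_PKGS is a constant defined in this file and is meant
      # to word-split into several package names.
      - name: Set up Linux environment
        run: |
          sudo apt-get update
          sudo apt-get -y --no-install-recommends install python3-distutils uuid-dev ${{ matrix.TARGET_PKGS }}

      - name: Set up EDK2
        run: |
          # We must patch EDK2's OpenSSL module to be able to import/export certificates and keys
          patch --binary -d edk2 -p1 -i ../Add-extra-PKCS-encoding-and-decoding-to-OpensslLibFull.patch
          # And we must patch OpenSSL itself to fix ARM and RISCV64 compilation
          patch -d edk2/CryptoPkg/Library/OpensslLib/openssl -p1 -i ../../../../../OpenSSL-submodule-fixes-for-ARM-compilation.patch
          patch -d edk2/CryptoPkg/Library/OpensslLib/openssl -p1 -i ../../../../../OpenSSL-submodule-fixes-for-RISCV64-compilation.patch
          make -C edk2/BaseTools

      # The matrix.* and env.* values used here are constants from this
      # workflow, not event data.
      - name: Build UEFI application
        run: |
          export WORKSPACE=$PWD
          export PACKAGES_PATH=$WORKSPACE:$WORKSPACE/edk2
          source edk2/edksetup.sh
          build -a ${{ matrix.TARGET_ARCH }} -b ${{ env.BUILD_TYPE }} -t ${{ env.COMPILER }} -p MosbyPkg.dsc
          mv Build/${{ env.BUILD_TYPE }}_${{ env.COMPILER }}/${{ matrix.TARGET_ARCH }}/Mosby.efi Mosby_${{ matrix.TARGET_TYPE }}.efi

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.TARGET_TYPE }}
          path: ./*.efi

      # Logs the digest of each binary so a downloaded file can be compared
      # with what this run produced.
      - name: Display SHA-256
        run: sha256sum ./*.efi

  # Packages the built binaries with the Microsoft KEK/DB certificates and
  # the UEFI DBX update files, and publishes the archive. Tag pushes only.
  create-release:
    runs-on: ubuntu-latest
    # Publishing a release is the only step that needs write access.
    permissions:
      contents: write
    if: startsWith(github.ref, 'refs/tags/')
    needs: build

    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set version
        id: set_version
        run: echo "version=$(git describe --tags)" >> "$GITHUB_OUTPUT"

      # With no `name:` given, each artifact is unpacked into a directory of
      # its own, which is why the archive step globs ./*/*.efi.
      - name: Download artifacts
        uses: actions/download-artifact@v4

      # These files are Secure Boot trust anchors (KEK/DB certificates and
      # DBX revocation lists) and are shipped in the release as downloaded.
      #  * --fail stops the step on an HTTP error, so an error page is never
      #    saved and released as a certificate.
      #  * The URLs are quoted because `?` is a shell glob character.
      #  * The digests are logged so the contents of a release can be
      #    audited later.
      # NOTE(review): TLS is the only integrity check. For the certificates,
      # which should not change, consider comparing against reviewed SHA-256
      # digests kept in the repository (`sha256sum -c <checksum-file>`).
      - name: Download resources
        run: |
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?LinkId=321185' -o certs/kek_ms1.cer
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?linkid=2239775' -o certs/kek_ms2.cer
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?linkid=321192' -o certs/db_ms1.cer
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?linkid=321194' -o certs/db_ms2.cer
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?linkid=2239776' -o certs/db_ms3.cer
          curl --fail --create-dirs -L 'https://go.microsoft.com/fwlink/?linkid=2239872' -o certs/db_ms4.cer
          curl --fail --create-dirs -L 'https://uefi.org/sites/default/files/resources/x86_DBXUpdate.bin' -o dbx/dbx_ia32.bin
          curl --fail --create-dirs -L 'https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin' -o dbx/dbx_x64.bin
          curl --fail --create-dirs -L 'https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin' -o dbx/dbx_arm.bin
          curl --fail --create-dirs -L 'https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin' -o dbx/dbx_aa64.bin
          sha256sum certs/* dbx/*

      # The tag-derived version is passed through the environment, not
      # expanded into the command line, for the same reason as in the
      # build job.
      - name: Create release archive
        env:
          VERSION: ${{ steps.set_version.outputs.version }}
        run: 7z a -tzip -r "Mosby_${VERSION}.zip" README.md ./image/MosbyList.txt certs/ dbx/ ./*/*.efi

      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          name: Mosby ${{ steps.set_version.outputs.version }}
          files: ./*.zip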