path: root/Makefile

                                                   
 
# Top-level package build for Cryptech Alpha board.

# What we call the package before we start mucking with branches and revision numbers

PACKAGE_BASE_NAME    := cryptech-alpha
PACKAGE_BASE_VERSION := 4.0

# Git voodoo: plumbing commands to pull the current branch and list of
# all (local) branches, and to pull something we can use as a version
# number suffix.
#
# Using a timestamp here is not particularly friendly, but we're
# looking for something simple that all the packaging systems involved
# are willing to accept as a version number, so, at least for now, we
# avoid more interesting options such as git-describe.

GIT_VERSION	 := $(shell git show -s --format=%ct HEAD)
GIT_BRANCH	 := $(shell git rev-parse --abbrev-ref HEAD)
GIT_BRANCHES	 := $(filter-out HEAD,$(sort $(notdir $(shell git for-each-ref --format '%(refname)' refs/heads/ refs/remotes/))))

# Make voodoo: construct the package name, version number, and list of
# other package names (constructed on other branches) with which this
# one conflicts.

PACKAGE_BRANCH	  = ${PACKAGE_BASE_NAME}$(and $(filter-out master,$(1)),-$(subst _,-,$(1)))
PACKAGE_NAME	 := $(call PACKAGE_BRANCH,${GIT_BRANCH})
PACKAGE_CONFLICT := $(foreach I,$(filter-out ${GIT_BRANCH},${GIT_BRANCHES}),$(call PACKAGE_BRANCH,${I}))
PACKAGE_VERSION  := ${PACKAGE_BASE_VERSION}.${GIT_VERSION}

# gpg setup, for signing packages and repositories

export GNUPGHOME := /home/aptbot/gnupg
GPG_USER	 := APT Builder Robot <aptbot@cryptech.is>
GPG_KEYID	 := 37A8E93F5D7E7B9A

# Package repository setup

REPO_BASE	 := /home/aptbot
REPO_UMASK	 := 002

# Debian clean-room package builder setup

PBUILDER_BASE	 := ${HOME}/pbuilder
PBUILDER_TARGETS := \
	$(addsuffix /amd64, debian/buster debian/bullseye ubuntu/bionic ubuntu/focal) \
	$(addsuffix /i386,  debian/buster debian/bullseye ubuntu/bionic) \
	$(addsuffix /armhf, debian/buster debian/bullseye)

# Where we upload the final results (if we do)

REPO_UPLOAD_USER := aptbot
REPO_UPLOAD_HOST := bikeshed.cryptech.is
REPO_UPLOAD_DIRS := apt brew

# Yes, we really are putting the firmware tarball into the source package.
# We want to supply the firmware in both source and binary form, to save users
# the trouble of all the cross compilation and Verilog synthesis, and the Alpha
# firmware is the same regardless of the host platform, so including the firmware
# tarball in the source package lets us simplify installation for the user.

FIRMWARE_TARBALL := source/cryptech-alpha-firmware.tar.gz
BITSTREAM	 := build/core/platform/alpha/build/alpha_fmc.bit
ELVES		 := build/sw/stm32/projects/bootloader/bootloader.elf build/sw/stm32/projects/hsm/hsm.elf
TAMPER		 := build/sw/tamper/tamper.hex

all: init firmware dsc pbuilder homebrew expire

enchilada: all upload

init:
	git submodule update --init --recursive

tidy:
	rm -rf tap
	git clean -dfx -e build -e .pbuilder-sell-by-date
	git submodule foreach --recursive git clean -dfx

clean: tidy
	git clean -dfx

sandblast: clean
	git submodule deinit -f .

firmware: shadow ${FIRMWARE_TARBALL}

shadow:
	./scripts/build-shadow-tree.py

${FIRMWARE_TARBALL}: ${BITSTREAM} $(sort ${ELVES} ${ELVES:.elf=.bin}) ${TAMPER}
	rm -f $@
	fakeroot ./scripts/build-firmware-package.py $@ $^

bitstream: ${BITSTREAM}

${BITSTREAM}: $(shell find source/core -name .git -prune -o -type f -print)
	${MAKE} -C build/core/platform/alpha/build

${ELVES:.elf=.bin}: shadow elves

elves:
	${MAKE} -C build/sw/stm32 distclean bootloader hsm

${TAMPER}: tamper

tamper:
	${MAKE} -C $(dir ${TAMPER})

# For extra credit, figure out how to put the right path names into
# the initial source tarball so we don't need to mess with it in the loop.
#
# For more extra credit, figure out how to do the pbuilder stuff as
# GNU make $(eval) rules rather than as a shell for loop.  Maybe.

dsc:
	rm -f source/debian/changelog ${PACKAGE_NAME}_*.dsc ${PACKAGE_NAME}_*.tar.xz ${PACKAGE_NAME}_*_source.build ${PACKAGE_NAME}_*_source.changes
	cd source; ../scripts/build-debian-control-files.py --debemail='${GPG_USER}' --package='${PACKAGE_NAME}' --newversion='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'
	cd source; debuild -S -uc -us

pbuilder:
	rm -f ${PBUILDER_BASE}/*result/*
	touch -d 'last week' .pbuilder-sell-by-date
	set -x; umask ${REPO_UMASK}; \
	for target in ${PBUILDER_TARGETS}; do echo $$target | tr '/' ' '; done | \
	while read dist code arch; do \
		reprepro -b ${REPO_BASE}/apt/$$dist -A $$arch list $$code ${PACKAGE_NAME} | awk -v "c=$$code" '{v = $$3} END {exit v != "${PACKAGE_VERSION}~" c}' && continue; \
		if test $${HOME}/pbuilder/$${code}-$${arch}-base.tgz -ot .pbuilder-sell-by-date; then pbuilder-dist $$code $$arch update; else true; fi; \
		pbuilder-dist $$code $$arch build ${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
		test -f ${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz || \
		cp -p ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz ${REPO_BASE}/brew/tarballs/; \
		reprepro -b ${REPO_BASE}/apt/$$dist -T dsc list $$code ${PACKAGE_NAME} | awk '{v = $$3} END {exit v != "${PACKAGE_VERSION}"}' || \
		reprepro -b ${REPO_BASE}/apt/$$dist includedsc $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
		reprepro -b ${REPO_BASE}/apt/$$dist includedeb $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}~$${code}_$${arch}.deb; \
	done

homebrew:
	rm -rf tap
	umask ${REPO_UMASK}; \
	git clone ${REPO_BASE}/brew/tap tap; \
	cd tap; \
	../scripts/build-homebrew-formula.py --tarball='${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' --formula='${PACKAGE_NAME}.rb' \
		--package='${PACKAGE_NAME}' --version='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'; \
	git add ${PACKAGE_NAME}.rb; \
	git commit -S${GPG_KEYID} --author='${GPG_USER}' -m '${PACKAGE_NAME} ${PACKAGE_VERSION}'; \
	git push
#	rm -rf tap

expire:
	find ${REPO_BASE}/brew/tarballs \
		-name '${PACKAGE_NAME}_*.tar.xz' \
	      ! -name '${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' \
		-mtime +7 -ls -delete

RSYNC	:= rsync --rsh 'ssh -l ${REPO_UPLOAD_USER}' --archive --itemize-changes

upload:
	for dir in ${REPO_UPLOAD_DIRS}; do \
		${RSYNC} --ignore-existing       ${REPO_BASE}/$${dir}/	rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
		${RSYNC} --delete --delete-delay ${REPO_BASE}/$${dir}/	rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
	done

bother:
	for dir in ${REPO_UPLOAD_DIRS}; do \
		${RSYNC} --delete rsync://${REPO_UPLOAD_HOST}/$${dir}/ ${REPO_BASE}/$${dir}/; \
	done

happy:
	git pull
	git submodule update --remote

.PHONY: all init tidy clean firmware shadow bitstream elves tamper dsc pbuilder homebrew expire upload enchilada sandblast happy bother
# Top-level package build for Cryptech Alpha board.

# What we call the package before we start mucking with branches and revision numbers

PACKAGE_BASE_NAME    := cryptech-alpha
PACKAGE_BASE_VERSION := 4.0

# Git voodoo: plumbing commands to pull the current branch and list of
# all (local) branches, and to pull something we can use as a version
# number suffix.
#
# Using a timestamp here is not particularly friendly, but we're
# looking for something simple that all the packaging systems involved
# are willing to accept as a version number, so, at least for now, we
# avoid more interesting options such as git-describe.

GIT_VERSION	 := $(shell git show -s --format=%ct HEAD)
GIT_BRANCH	 := $(shell git rev-parse --abbrev-ref HEAD)
GIT_BRANCHES	 := $(filter-out HEAD,$(sort $(notdir $(shell git for-each-ref --format '%(refname)' refs/heads/ refs/remotes/))))

# Make voodoo: construct the package name, version number, and list of
# other package names (constructed on other branches) with which this
# one conflicts.

PACKAGE_BRANCH	  = ${PACKAGE_BASE_NAME}$(and $(filter-out master,$(1)),-$(subst _,-,$(1)))
PACKAGE_NAME	 := $(call PACKAGE_BRANCH,${GIT_BRANCH})
PACKAGE_CONFLICT := $(foreach I,$(filter-out ${GIT_BRANCH},${GIT_BRANCHES}),$(call PACKAGE_BRANCH,${I}))
PACKAGE_VERSION  := ${PACKAGE_BASE_VERSION}.${GIT_VERSION}

# gpg setup, for signing packages and repositories

export GNUPGHOME := /home/aptbot/gnupg
GPG_USER	 := APT Builder Robot <aptbot@cryptech.is>
GPG_KEYID	 := 37A8E93F5D7E7B9A

# Package repository setup

REPO_BASE	 := /home/aptbot
REPO_UMASK	 := 002

# Debian clean-room package builder setup

PBUILDER_BASE	 := ${HOME}/pbuilder
PBUILDER_TARGETS := \
	$(addsuffix /amd64, debian/buster debian/bullseye ubuntu/bionic ubuntu/focal) \
	$(addsuffix /i386,  debian/buster debian/bullseye ubuntu/bionic) \
	$(addsuffix /armhf, debian/buster debian/bullseye)

# Where we upload the final results (if we do)

REPO_UPLOAD_USER := aptbot
REPO_UPLOAD_HOST := bikeshed.cryptech.is
REPO_UPLOAD_DIRS := apt brew

# Yes, we really are putting the firmware tarball into the source package.
# We want to supply the firmware in both source and binary form, to save users
# the trouble of all the cross compilation and Verilog synthesis, and the Alpha
# firmware is the same regardless of the host platform, so including the firmware
# tarball in the source package lets us simplify installation for the user.

FIRMWARE_TARBALL := source/cryptech-alpha-firmware.tar.gz
BITSTREAM	 := build/core/platform/alpha/build/alpha_fmc.bit
ELVES		 := build/sw/stm32/projects/bootloader/bootloader.elf build/sw/stm32/projects/hsm/hsm.elf
TAMPER		 := build/sw/tamper/tamper.hex

all: init firmware dsc pbuilder homebrew expire

enchilada: all upload

init:
	git submodule update --init --recursive

tidy:
	rm -rf tap
	git clean -dfx -e build -e .pbuilder-sell-by-date
	git submodule foreach --recursive git clean -dfx

clean: tidy
	git clean -dfx

sandblast: clean
	git submodule deinit -f .

firmware: shadow ${FIRMWARE_TARBALL}

shadow:
	./scripts/build-shadow-tree.py

${FIRMWARE_TARBALL}: ${BITSTREAM} $(sort ${ELVES} ${ELVES:.elf=.bin}) ${TAMPER}
	rm -f $@
	fakeroot ./scripts/build-firmware-package.py $@ $^

bitstream: ${BITSTREAM}

${BITSTREAM}: $(shell find source/core -name .git -prune -o -type f -print)
	${MAKE} -C build/core/platform/alpha/build

${ELVES:.elf=.bin}: shadow elves

elves:
	${MAKE} -C build/sw/stm32 distclean bootloader hsm

${TAMPER}: tamper

tamper:
	${MAKE} -C $(dir ${TAMPER})

# For extra credit, figure out how to put the right path names into
# the initial source tarball so we don't need to mess with it in the loop.
#
# For more extra credit, figure out how to do the pbuilder stuff as
# GNU make $(eval) rules rather than as a shell for loop.  Maybe.

dsc:
	rm -f source/debian/changelog ${PACKAGE_NAME}_*.dsc ${PACKAGE_NAME}_*.tar.xz ${PACKAGE_NAME}_*_source.build ${PACKAGE_NAME}_*_source.changes
	cd source; ../scripts/build-debian-control-files.py --debemail='${GPG_USER}' --package='${PACKAGE_NAME}' --newversion='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'
	cd source; debuild -S -uc -us

pbuilder:
	rm -f ${PBUILDER_BASE}/*result/*
	touch -d 'last week' .pbuilder-sell-by-date
	set -x; umask ${REPO_UMASK}; \
	for target in ${PBUILDER_TARGETS}; do echo $$target | tr '/' ' '; done | \
	while read dist code arch; do \
		reprepro -b ${REPO_BASE}/apt/$$dist -A $$arch list $$code ${PACKAGE_NAME} | awk -v "c=$$code" '{v = $$3} END {exit v != "${PACKAGE_VERSION}~" c}' && continue; \
		if test $${HOME}/pbuilder/$${code}-$${arch}-base.tgz -ot .pbuilder-sell-by-date; then pbuilder-dist $$code $$arch update; else true; fi; \
		pbuilder-dist $$code $$arch build ${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
		test -f ${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz || \
		cp -p ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz ${REPO_BASE}/brew/tarballs/; \
		reprepro -b ${REPO_BASE}/apt/$$dist -T dsc list $$code ${PACKAGE_NAME} | awk '{v = $$3} END {exit v != "${PACKAGE_VERSION}"}' || \
		reprepro -b ${REPO_BASE}/apt/$$dist includedsc $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
		reprepro -b ${REPO_BASE}/apt/$$dist includedeb $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}~$${code}_$${arch}.deb; \
	done

homebrew:
	rm -rf tap
	umask ${REPO_UMASK}; \
	git clone ${REPO_BASE}/brew/tap tap; \
	cd tap; \
	../scripts/build-homebrew-formula.py --tarball='${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' --formula='${PACKAGE_NAME}.rb' \
		--package='${PACKAGE_NAME}' --version='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'; \
	git add ${PACKAGE_NAME}.rb; \
	git commit -S${GPG_KEYID} --author='${GPG_USER}' -m '${PACKAGE_NAME} ${PACKAGE_VERSION}'; \
	git push
#	rm -rf tap

expire:
	find ${REPO_BASE}/brew/tarballs \
		-name '${PACKAGE_NAME}_*.tar.xz' \
	      ! -name '${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' \
		-mtime +7 -ls -delete

RSYNC	:= rsync --rsh 'ssh -l ${REPO_UPLOAD_USER}' --archive --itemize-changes

upload:
	for dir in ${REPO_UPLOAD_DIRS}; do \
		${RSYNC} --ignore-existing       ${REPO_BASE}/$${dir}/	rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
		${RSYNC} --delete --delete-delay ${REPO_BASE}/$${dir}/	rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
	done

bother:
	for dir in ${REPO_UPLOAD_DIRS}; do \
		${RSYNC} --delete rsync://${REPO_UPLOAD_HOST}/$${dir}/ ${REPO_BASE}/$${dir}/; \
	done

happy:
	git pull
	git submodule update --remote

.PHONY: all init tidy clean firmware shadow bitstream elves tamper dsc pbuilder homebrew expire upload enchilada sandblast happy bother