1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
# Top-level package build for Cryptech Alpha board.
# What we call the package before we start mucking with branches and revision numbers
PACKAGE_BASE_NAME := cryptech-alpha
PACKAGE_BASE_VERSION := 4.0
# Git voodoo: plumbing commands to pull the current branch and list of
# all (local) branches, and to pull something we can use as a version
# number suffix.
#
# Using a timestamp here is not particularly friendly, but we're
# looking for something simple that all the packaging systems involved
# are willing to accept as a version number, so, at least for now, we
# avoid more interesting options such as git-describe.
GIT_VERSION := $(shell git show -s --format=%ct HEAD)
GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
GIT_BRANCHES := $(filter-out HEAD,$(sort $(notdir $(shell git for-each-ref --format '%(refname)' refs/heads/ refs/remotes/))))
# Make voodoo: construct the package name, version number, and list of
# other package names (constructed on other branches) with which this
# one conflicts.
PACKAGE_BRANCH = ${PACKAGE_BASE_NAME}$(and $(filter-out master,$(1)),-$(subst _,-,$(1)))
PACKAGE_NAME := $(call PACKAGE_BRANCH,${GIT_BRANCH})
PACKAGE_CONFLICT := $(foreach I,$(filter-out ${GIT_BRANCH},${GIT_BRANCHES}),$(call PACKAGE_BRANCH,${I}))
PACKAGE_VERSION := ${PACKAGE_BASE_VERSION}.${GIT_VERSION}
# gpg setup, for signing packages and repositories
export GNUPGHOME := /home/aptbot/gnupg
GPG_USER := APT Builder Robot <aptbot@cryptech.is>
GPG_KEYID := 37A8E93F5D7E7B9A
# Package repository setup
REPO_BASE := /home/aptbot
REPO_UMASK := 002
# Debian clean-room package builder setup
PBUILDER_BASE := ${HOME}/pbuilder
PBUILDER_TARGETS := \
$(addsuffix /amd64, debian/buster debian/bullseye ubuntu/bionic ubuntu/focal) \
$(addsuffix /i386, debian/buster debian/bullseye ubuntu/bionic) \
$(addsuffix /armhf, debian/buster debian/bullseye)
# Where we upload the final results (if we do)
REPO_UPLOAD_USER := aptbot
REPO_UPLOAD_HOST := bikeshed.cryptech.is
REPO_UPLOAD_DIRS := apt brew
# Yes, we really are putting the firmware tarball into the source package.
# We want to supply the firmware in both source and binary form, to save users
# the trouble of all the cross compilation and Verilog synthesis, and the Alpha
# firmware is the same regardless of the host platform, so including the firmware
# tarball in the source package lets us simplify installation for the user.
FIRMWARE_TARBALL := source/cryptech-alpha-firmware.tar.gz
BITSTREAM := build/core/platform/alpha/build/alpha_fmc.bit
ELVES := build/sw/stm32/projects/bootloader/bootloader.elf build/sw/stm32/projects/hsm/hsm.elf
TAMPER := build/sw/tamper/tamper.hex
all: init firmware dsc pbuilder homebrew expire
enchilada: all upload
init:
git submodule update --init --recursive
tidy:
rm -rf tap
git clean -dfx -e build -e .pbuilder-sell-by-date
git submodule foreach --recursive git clean -dfx
clean: tidy
git clean -dfx
sandblast: clean
git submodule deinit -f .
firmware: shadow ${FIRMWARE_TARBALL}
shadow:
./scripts/build-shadow-tree.py
${FIRMWARE_TARBALL}: ${BITSTREAM} $(sort ${ELVES} ${ELVES:.elf=.bin}) ${TAMPER}
rm -f $@
fakeroot ./scripts/build-firmware-package.py $@ $^
bitstream: ${BITSTREAM}
${BITSTREAM}: $(shell find source/core -name .git -prune -o -type f -print)
${MAKE} -C build/core/platform/alpha/build
${ELVES:.elf=.bin}: shadow elves
elves:
${MAKE} -C build/sw/stm32 distclean bootloader hsm
${TAMPER}: tamper
tamper:
${MAKE} -C $(dir ${TAMPER})
# For extra credit, figure out how to put the right path names into
# the initial source tarball so we don't need to mess with it in the loop.
#
# For more extra credit, figure out how to do the pbuilder stuff as
# GNU make $(eval) rules rather than as a shell for loop. Maybe.
dsc:
rm -f source/debian/changelog ${PACKAGE_NAME}_*.dsc ${PACKAGE_NAME}_*.tar.xz ${PACKAGE_NAME}_*_source.build ${PACKAGE_NAME}_*_source.changes
cd source; ../scripts/build-debian-control-files.py --debemail='${GPG_USER}' --package='${PACKAGE_NAME}' --newversion='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'
cd source; debuild -S -uc -us
pbuilder:
rm -f ${PBUILDER_BASE}/*result/*
touch -d 'last week' .pbuilder-sell-by-date
set -x; umask ${REPO_UMASK}; \
for target in ${PBUILDER_TARGETS}; do echo $$target | tr '/' ' '; done | \
while read dist code arch; do \
reprepro -b ${REPO_BASE}/apt/$$dist -A $$arch list $$code ${PACKAGE_NAME} | awk -v "c=$$code" '{v = $$3} END {exit v != "${PACKAGE_VERSION}~" c}' && continue; \
if test $${HOME}/pbuilder/$${code}-$${arch}-base.tgz -ot .pbuilder-sell-by-date; then pbuilder-dist $$code $$arch update; else true; fi; \
pbuilder-dist $$code $$arch build ${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
test -f ${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz || \
cp -p ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz ${REPO_BASE}/brew/tarballs/; \
reprepro -b ${REPO_BASE}/apt/$$dist -T dsc list $$code ${PACKAGE_NAME} | awk '{v = $$3} END {exit v != "${PACKAGE_VERSION}"}' || \
reprepro -b ${REPO_BASE}/apt/$$dist includedsc $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
reprepro -b ${REPO_BASE}/apt/$$dist includedeb $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}~$${code}_$${arch}.deb; \
done
homebrew:
rm -rf tap
umask ${REPO_UMASK}; \
git clone ${REPO_BASE}/brew/tap tap; \
cd tap; \
../scripts/build-homebrew-formula.py --tarball='${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' --formula='${PACKAGE_NAME}.rb' \
--package='${PACKAGE_NAME}' --version='${PACKAGE_VERSION}' --conflicts='${PACKAGE_CONFLICT}'; \
git add ${PACKAGE_NAME}.rb; \
git commit -S${GPG_KEYID} --author='${GPG_USER}' -m '${PACKAGE_NAME} ${PACKAGE_VERSION}'; \
git push
# rm -rf tap
expire:
find ${REPO_BASE}/brew/tarballs \
-name '${PACKAGE_NAME}_*.tar.xz' \
! -name '${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz' \
-mtime +7 -ls -delete
RSYNC := rsync --rsh 'ssh -l ${REPO_UPLOAD_USER}' --archive --itemize-changes
upload:
for dir in ${REPO_UPLOAD_DIRS}; do \
${RSYNC} --ignore-existing ${REPO_BASE}/$${dir}/ rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
${RSYNC} --delete --delete-delay ${REPO_BASE}/$${dir}/ rsync://${REPO_UPLOAD_HOST}/$${dir}/; \
done
bother:
for dir in ${REPO_UPLOAD_DIRS}; do \
${RSYNC} --delete rsync://${REPO_UPLOAD_HOST}/$${dir}/ ${REPO_BASE}/$${dir}/; \
done
happy:
git pull
git submodule update --remote
.PHONY: all init tidy clean firmware shadow bitstream elves tamper dsc pbuilder homebrew expire upload enchilada sandblast happy bother
|