[PATCH 0/9] UEFI + Secure Boot + qemu

[PATCH 0/9] UEFI + Secure Boot + qemu

[Patrick Ohly]

There seems to be a consensus that supporting UEFI in OE-core for qemu
would be valuable, and there have been some (stalled) attempts to add
it. For reference, see:
   [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
   [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
   https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
   https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf and iasl from
meta-luv), some improvements to them (in particular, enabling Secure
Boot), and changes to runqemu to make it easier to boot with UEFI. A
special image recipes builds an image which can be used to lock down a
virtual machine by enrolling the "normal" pre-installed certificates.

I decided to keep the setup simple and use just a single file for UEFI
code and variables because that makes the usage via runqemu very
easy. See the "runqemu: support UEFI with OVMF firmware" patch for
details. The downside is that the firmware can't be updated without
loosing variables. I don't see a big need for long-lived virtual
machine instances, but would like to hear from others about that.

What's missing is automated testing of this new feature. I'm open for
suggestions here; right now I don't know enough about the automated
testing in the AB to propose something.

I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
would you be willing to act as maintainer of it there, like you did in
meta-luv?

Beware that "git am --keep-cr" must be used to import the ovmf patches
correctly.

The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:

  Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Patrick Ohly (7):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: let command line parameters override defaults
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys

meta-luv (2):
  ovmf: move from meta-luv to OE-core
  iasl: move from meta-luv to OE-core

 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
 ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
 ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
 ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
 meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
 scripts/runqemu                                    |   37 +-
 12 files changed, 1673 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb

-- 
2.1.4

[PATCH 1/9] ovmf: move from meta-luv to OE-core

[Patrick Ohly]

From: meta-luv <luv@lists.01.org>

This is an unmodified copy of
github.com/01org/luv-yocto/meta-luv/recipes-core/ovmf revision
4be4329.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 ...s-Force-tools-variables-to-host-toolchain.patch |  48 ++++++++
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    | 110 +++++++++++++++++++
 ...0002-ovmf-update-path-to-native-BaseTools.patch |  32 ++++++
 ...makefile-adjust-to-build-in-under-bitbake.patch |  39 +++++++
 meta/recipes-core/ovmf/ovmf_git.bb                 | 121 +++++++++++++++++++++
 5 files changed, 350 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb

diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
new file mode 100644
index 0000000..644b99d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
@@ -0,0 +1,48 @@
+From 6e24bde1979c2d7149b37d142fb882dfde0e9770 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt.fleming@intel.com>
+Date: Fri, 27 Jun 2014 11:12:18 +0100
+Subject: [PATCH] BaseTools: Force tools variables to host toolchain
+
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+---
+ BaseTools/Source/C/Makefiles/app.makefile | 7 +++++++
+ BaseTools/Source/C/VfrCompile/GNUmakefile | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/BaseTools/Source/C/Makefiles/app.makefile b/BaseTools/Source/C/Makefiles/app.makefile
+index 19269a1..62aad0f 100644
+--- a/BaseTools/Source/C/Makefiles/app.makefile
++++ b/BaseTools/Source/C/Makefiles/app.makefile
+@@ -16,6 +16,13 @@ include $(MAKEROOT)/Makefiles/header.makefile
+ 
+ APPLICATION = $(MAKEROOT)/bin/$(APPNAME)
+ 
++CC = gcc
++CXX = g++
++AS = gcc
++AR = ar
++LD = ld
++LINKER = $(CC)
++
+ .PHONY:all
+ all: $(MAKEROOT)/bin $(APPLICATION) 
+ 
+diff --git a/BaseTools/Source/C/VfrCompile/GNUmakefile b/BaseTools/Source/C/VfrCompile/GNUmakefile
+index 82005e1..5ac5f7e 100644
+--- a/BaseTools/Source/C/VfrCompile/GNUmakefile
++++ b/BaseTools/Source/C/VfrCompile/GNUmakefile
+@@ -26,6 +26,11 @@ OBJECTS = AParser.o DLexerBase.o ATokenBuffer.o EfiVfrParser.o VfrLexer.o VfrSyn
+ 
+ VFR_CPPFLAGS = -DPCCTS_USE_NAMESPACE_STD $(CPPFLAGS)
+ 
++CC = gcc
++CXX = g++
++AS = gcc
++AR = ar
++LD = ld
+ LINKER = $(BUILD_CXX)
+ 
+ EXTRA_CLEAN_OBJECTS = EfiVfrParser.cpp EfiVfrParser.h VfrParser.dlg VfrTokens.h VfrLexer.cpp VfrLexer.h VfrSyntax.cpp tokens.h
+-- 
+1.9.0
+
diff --git a/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
new file mode 100644
index 0000000..4531a6d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
@@ -0,0 +1,110 @@
+From 66a4020c3c2163aeffc9757851f33c346ecfd870 Mon Sep 17 00:00:00 2001
+From: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Date: Mon, 4 Apr 2016 12:15:12 -0700
+Subject: [PATCH] OvmfPkg: Enable BGRT in OVMF
+
+By default, firmware (OVMF - Open source Virtual Machine Firmware)
+never publishes BGRT (Boot Graphics Resource Table) and in the boot
+process Linux kernel checks for this table and if it fails to find BGRT
+table then corresponding code in Linux kernel is not executed. EDK II
+(EFI Development Kit, thus OVMF) already has BGRT source code packaged
+into it but it is excluded from the build process of OVMF. These changes
+to build system of OVMF enables BGRT in 32-bit and 64-bit OVMF.
+
+There are only two files that need to be modified in order to do this.
+The first one being OvmfPkg*.dsc (this file describes the platform) and
+the second one being OvmfPkg*.fdf (this file describes firmware descriptor
+volume). A *.inf file (here "BootGraphicsResourceTableDxe.inf")
+describes a module (here BGRT). So, include
+"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.dsc" so that BGRT
+source code will be compiled and "BootGraphicsResourceTableDxe.efi" file
+is generated and we should also include
+"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.fdf" file so that
+"BootGraphicsResourceTableDxe.efi" will be placed in a firmware volume
+and thus gets published.
+
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 1 +
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 +
+ OvmfPkg/OvmfPkgX64.dsc     | 1 +
+ OvmfPkg/OvmfPkgX64.fdf     | 1 +
+ 6 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 9e5b477..0582219 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -647,6 +647,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index fc203f2..f968cb7 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 6e4da4f..8289385 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -656,6 +656,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index d3f46f3..282d40b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY USE = X64 FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 3d6d43e..0f956a7 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -654,6 +654,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 15ef13a..9708fd5 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+-- 
+2.7.4
+
diff --git a/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
new file mode 100644
index 0000000..94029a5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
@@ -0,0 +1,32 @@
+From 9e632e3f9edd09632cc877dff6ea57608f979aab Mon Sep 17 00:00:00 2001
+From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Date: Thu, 9 Jun 2016 02:23:01 -0700
+Subject: [PATCH] ovmf: update path to native BaseTools
+
+BaseTools is a set of utilities to build EDK-based firmware. These utilities
+are used during the build process. Thus, they need to be built natively.
+When cross-compiling, we need to provide a path to the location of these
+tools. The BBAKE_EDK_TOOLS_PATH string is used as a pattern to be replaced
+with the appropriate location before building.
+
+Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+---
+ OvmfPkg/build.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/build.sh b/OvmfPkg/build.sh
+index eb5eb73..9058fca 100755
+--- a/OvmfPkg/build.sh
++++ b/OvmfPkg/build.sh
+@@ -30,7 +30,7 @@ then
+ # this assumes svn pulls have the same root dir
+ #  export EDK_TOOLS_PATH=`pwd`/../BaseTools
+ # This version is for the tools source in edk2
+-  export EDK_TOOLS_PATH=`pwd`/BaseTools
++  export EDK_TOOLS_PATH=BBAKE_EDK_TOOLS_PATH/BaseTools
+   echo $EDK_TOOLS_PATH
+   source edksetup.sh BaseTools
+ else
+-- 
+2.8.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
new file mode 100644
index 0000000..0fdc278
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -0,0 +1,39 @@
+From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001
+From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Date: Sun, 27 Nov 2016 18:42:55 -0800
+Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
+
+Prepend the build flags with those of bitbake. This is to build
+using the bitbake native sysroot include and library directories.
+
+Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
+---
+ BaseTools/Source/C/Makefiles/header.makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 821d114..fe0f08b 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -44,14 +44,14 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AArch64/
+ endif
+ 
+ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 
+-BUILD_CPPFLAGS = $(INCLUDE) -O2
++BUILD_CPPFLAGS := $(BUILD_CPPFLAGS) $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+ else
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
+ endif
+-BUILD_LFLAGS =
++BUILD_LFLAGS := $(LDFLAGS)
+ BUILD_CXXFLAGS =
+ 
+ ifeq ($(ARCH), IA32)
+-- 
+2.9.3
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
new file mode 100644
index 0000000..e722db5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -0,0 +1,121 @@
+DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
+HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
+
+SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
+	file://0001-BaseTools-Force-tools-variables-to-host-toolchain.patch \
+	file://0001-OvmfPkg-Enable-BGRT-in-OVMF.patch \
+	file://0002-ovmf-update-path-to-native-BaseTools.patch \
+	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
+        "
+
+SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+
+PARALLEL_MAKE = ""
+
+S = "${WORKDIR}/git"
+
+DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
+
+DEPENDS_class-target="ovmf-native"
+
+EDK_TOOLS_DIR="edk2_basetools"
+
+# OVMF has trouble building with the default optimization of -O2.
+BUILD_OPTIMIZATION="-pipe"
+
+# OVMF supports IA only, although it could conceivably support ARM someday.
+COMPATIBLE_HOST='(i.86|x86_64).*'
+
+do_patch_append_class-native() {
+    bb.build.exec_func('do_fix_iasl', d)
+    bb.build.exec_func('do_fix_toolchain', d)
+}
+
+do_fix_basetools_location() {
+    sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh
+}
+
+do_patch_append_class-target() {
+    bb.build.exec_func('do_fix_basetools_location', d)
+}
+
+
+do_fix_iasl() {
+    sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template
+}
+
+do_fix_toolchain(){
+    sed -i -e 's#DEF(ELFGCC_BIN)/#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template
+    sed -i -e 's#DEF(GCC.*PREFIX)#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile
+}
+
+GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')"
+
+fixup_target_tools() {
+    case ${1} in
+      4.4.*)
+        FIXED_GCCVER=GCC44
+        ;;
+      4.5.*)
+        FIXED_GCCVER=GCC45
+        ;;
+      4.6.*)
+        FIXED_GCCVER=GCC46
+        ;;
+      4.7.*)
+        FIXED_GCCVER=GCC47
+        ;;
+      4.8.*)
+        FIXED_GCCVER=GCC48
+        ;;
+      4.9.*)
+        FIXED_GCCVER=GCC49
+        ;;
+      *)
+        FIXED_GCCVER=GCC5
+        ;;
+    esac
+    echo ${FIXED_GCCVER}
+}
+
+do_compile_class-native() {
+    oe_runmake -C ${S}/BaseTools
+}
+
+do_compile_class-target() {
+    export LFLAGS="${LDFLAGS}"
+    OVMF_ARCH="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_ARCH="IA32"
+    fi
+
+    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
+    echo FIXED_GCCVER is ${FIXED_GCCVER}
+    ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+}
+
+do_install_class-native() {
+    install -d ${D}/${bindir}/edk2_basetools
+    cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR}
+}
+
+do_install_class-target() {
+    OVMF_DIR_SUFFIX="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
+    fi
+    install -d ${D}${datadir}/ovmf
+
+    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
+    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+    install -m 0755 ${build_dir}/FV/OVMF.fd \
+	${D}${datadir}/ovmf/bios.bin
+}
+
+BBCLASSEXTEND = "native"
-- 
2.1.4

Re: [PATCH 1/9] ovmf: move from meta-luv to OE-core

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
>  create mode 100644
> meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch

We added this patch because we were interested in enabling BGRT for our
own Linux kernel testing purposes. I am not sure if this patch is of the
interest of the wider OE-core audience. I would think it does not.

[PATCH 2/9] iasl: move from meta-luv to OE-core

[Patrick Ohly]

From: meta-luv <luv@lists.01.org>

This is an unmodified copy of
github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
4be4329.

iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
bit simpler and thus seems more suitable for OE-core.

When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
be set to avoid a warning. It can be set to "acpica-native" when
something from acpica besides just iasl is needed.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++
 meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++
 meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb

diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb
new file mode 100644
index 0000000..a14d2ec
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20120215.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc"
+SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d"
+
+S="${WORKDIR}/acpica-unix-${PV}/source/compiler"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	CFLAGS="-Wno-error=redundant-decls" $MAKE
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/iasl ${D}${prefix}/bin
+}
diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb
new file mode 100644
index 0000000..4e44817
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20150410.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22"
+SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875"
+
+S="${WORKDIR}/acpica-unix-${PV}"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	make iasl
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
+}
diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb
new file mode 100644
index 0000000..c7e1cd5
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20150515.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908"
+SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45"
+
+S="${WORKDIR}/acpica-unix-${PV}"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	make iasl
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
+}
-- 
2.1.4

Re: [PATCH 2/9] iasl: move from meta-luv to OE-core

[Fathi Boudra]

Hi Patrick,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> From: meta-luv <luv@lists.01.org>
>
> This is an unmodified copy of
> github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
> 4be4329.
>
> iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> bit simpler and thus seems more suitable for OE-core.

Simpler in what sense? acpica recipe is trivial and provide fully acpica tools.
Would you mind to import meta-oe acpica recipe instead of providing a
reduced set of acpica for not much benefit?

> When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
> be set to avoid a warning. It can be set to "acpica-native" when
> something from acpica besides just iasl is needed.
>
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
> ---
>  meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++
>  meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++
>  meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++
>  3 files changed, 81 insertions(+)
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb
> new file mode 100644
> index 0000000..a14d2ec
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20120215.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc"
> +SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d"
> +
> +S="${WORKDIR}/acpica-unix-${PV}/source/compiler"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       CFLAGS="-Wno-error=redundant-decls" $MAKE
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/iasl ${D}${prefix}/bin
> +}
> diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb
> new file mode 100644
> index 0000000..4e44817
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20150410.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22"
> +SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875"
> +
> +S="${WORKDIR}/acpica-unix-${PV}"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       make iasl
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
> +}
> diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb
> new file mode 100644
> index 0000000..c7e1cd5
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20150515.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908"
> +SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45"
> +
> +S="${WORKDIR}/acpica-unix-${PV}"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       make iasl
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
> +}
> --
> 2.1.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Cheers,
-- 
Fathi

Re: [PATCH 2/9] iasl: move from meta-luv to OE-core

[Patrick Ohly]

On Wed, 2016-12-21 at 16:11 +0200, Fathi Boudra wrote:
> On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> > iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> > bit simpler and thus seems more suitable for OE-core.
> 
> Simpler in what sense?

Less code to compile, which might matter for people who just want a
working UEFI for qemu and nothing else. I haven't measured the
difference, though.

>  acpica recipe is trivial and provide fully acpica tools.
> Would you mind to import meta-oe acpica recipe instead of providing a
> reduced set of acpica for not much benefit?

I don't have a strong opinion about this and would be fine with moving
acpica to OE-core instead, too.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 2/9] iasl: move from meta-luv to OE-core

[Fathi Boudra]

On 21 December 2016 at 17:38, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Wed, 2016-12-21 at 16:11 +0200, Fathi Boudra wrote:
>> On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
>> > iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
>> > bit simpler and thus seems more suitable for OE-core.
>>
>> Simpler in what sense?
>
> Less code to compile, which might matter for people who just want a
> working UEFI for qemu and nothing else. I haven't measured the
> difference, though.

to build, it's taking 3-4 minutes on a 3 year old laptop (i5-2520m @ 2.5 Ghz).

>>  acpica recipe is trivial and provide fully acpica tools.
>> Would you mind to import meta-oe acpica recipe instead of providing a
>> reduced set of acpica for not much benefit?
>
> I don't have a strong opinion about this and would be fine with moving
> acpica to OE-core instead, too.

It would be nice. thanks.

> --
> Best Regards, Patrick Ohly
>
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.

Re: [PATCH 2/9] iasl: move from meta-luv to OE-core

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> From: meta-luv <luv@lists.01.org>
> 
> This is an unmodified copy of
> github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
> 4be4329.
> 
> iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> bit simpler and thus seems more suitable for OE-core.
> 
> When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
> be set to avoid a warning. It can be set to "acpica-native" when
> something from acpica besides just iasl is needed.

It would be worth pondering whether to use this recipe or the one that
Fathi Boudra maintains.

[PATCH 3/9] ovmf: explicitly depend on nasm-native

[Patrick Ohly]

Fixes a build issue when nasm was not build already because of
something else.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index e722db5..13b583b 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -20,6 +20,8 @@ DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
 
 DEPENDS_class-target="ovmf-native"
 
+DEPENDS_append = " nasm-native"
+
 EDK_TOOLS_DIR="edk2_basetools"
 
 # OVMF has trouble building with the default optimization of -O2.
-- 
2.1.4

Re: [PATCH 3/9] ovmf: explicitly depend on nasm-native

[Patrick Ohly]

On Wed, 2016-12-28 at 02:59 +0000, Neri, Ricardo wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > +DEPENDS_append = " nasm-native"
> > +
> Is this dependency needed for both native and target builds? If not, it
> can be done with DEPENDS_class...

I'm not sure anymore. As it doesn't matter in practice because ovmf
depends on ovmf-native and thys nasm-native is built either way, I'd
prefer to keep it as-is.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

[PATCH 4/9] ovmf: deploy firmware in image directory

[Patrick Ohly]

When used with '-drive if=pflash', qemu will store UEFI variables
inside the firmware image file. That is unexpected for a file located in
the sysroot, which should be read-only, while it is normal for image
files in the deploy/images directory. Therefore that directory is a
better place for use with runqemu.

The name was chose so that "runqemu ovmf" can be used as shorthand for
"runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
Secure Boot enabled BIOS. qcow2 is used because it is needed for
"savevm" snapshots of a virtual machine.

Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
could be used. That would then allow updating the firmware of an
existing machine without wiping out the variables set
earlier. Configuring that in qemu would be more complicated, so for
now the simpler approach with combined code and variable store is
used.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 13b583b..d0441d1 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -16,7 +16,7 @@ PARALLEL_MAKE = ""
 
 S = "${WORKDIR}/git"
 
-DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
+DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native qemu-native"
 
 DEPENDS_class-target="ovmf-native"
 
@@ -97,9 +97,20 @@ do_compile_class-target() {
         OVMF_ARCH="IA32"
     fi
 
+    # ${WORKDIR}/ovmf is a well-known location where do_install and
+    # do_deploy will be able to find the files.
+    rm -rf ${WORKDIR}/ovmf
+    mkdir ${WORKDIR}/ovmf
+    OVMF_DIR_SUFFIX="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
+    fi
     FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
-    echo FIXED_GCCVER is ${FIXED_GCCVER}
+    bbnote FIXED_GCCVER is ${FIXED_GCCVER}
+    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+
     ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
 }
 
 do_install_class-native() {
@@ -108,16 +119,18 @@ do_install_class-native() {
 }
 
 do_install_class-target() {
-    OVMF_DIR_SUFFIX="X64"
-    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
-        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
-    fi
+    # Traditional location.
     install -d ${D}${datadir}/ovmf
+    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
+}
 
-    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
-    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
-    install -m 0755 ${build_dir}/FV/OVMF.fd \
-	${D}${datadir}/ovmf/bios.bin
+inherit deploy
+do_deploy() {
+}
+do_deploy_class-target() {
+    # For use with "runqemu ovmf".
+    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
 }
+addtask do_deploy after do_compile before do_build
 
 BBCLASSEXTEND = "native"
-- 
2.1.4

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> When used with '-drive if=pflash', qemu will store UEFI variables
> inside the firmware image file. That is unexpected for a file located
> in
> the sysroot, which should be read-only, while it is normal for image
> files in the deploy/images directory. Therefore that directory is a
> better place for use with runqemu.
> 
> The name was chose so that "runqemu ovmf" can be used as shorthand for
> "runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
> of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
> Secure Boot enabled BIOS. qcow2 is used because it is needed for
> "savevm" snapshots of a virtual machine.
> 
> Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
> could be used. That would then allow updating the firmware of an
> existing machine without wiping out the variables set
> earlier. Configuring that in qemu would be more complicated, so for
> now the simpler approach with combined code and variable store is
> used.

This looks good to me!

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> When used with '-drive if=pflash', qemu will store UEFI variables
> inside the firmware image file. That is unexpected for a file located in
> the sysroot, which should be read-only, while it is normal for image
> files in the deploy/images directory. Therefore that directory is a
> better place for use with runqemu.
> 
> The name was chose so that "runqemu ovmf" can be used as shorthand for
> "runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
> of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
> Secure Boot enabled BIOS. qcow2 is used because it is needed for
> "savevm" snapshots of a virtual machine.
> 
> Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
> could be used. That would then allow updating the firmware of an
> existing machine without wiping out the variables set
> earlier. Configuring that in qemu would be more complicated, so for
> now the simpler approach with combined code and variable store is
> used.
> 
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
> ---
>  meta/recipes-core/ovmf/ovmf_git.bb | 33 +++++++++++++++++++++++----------
>  1 file changed, 23 insertions(+), 10 deletions(-)
> 
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index 13b583b..d0441d1 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -16,7 +16,7 @@ PARALLEL_MAKE = ""
>  
>  S = "${WORKDIR}/git"
>  
> -DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
> +DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native qemu-native"
>  
>  DEPENDS_class-target="ovmf-native"
>  
> @@ -97,9 +97,20 @@ do_compile_class-target() {
>          OVMF_ARCH="IA32"
>      fi
>  
> +    # ${WORKDIR}/ovmf is a well-known location where do_install and
> +    # do_deploy will be able to find the files.
> +    rm -rf ${WORKDIR}/ovmf
> +    mkdir ${WORKDIR}/ovmf
> +    OVMF_DIR_SUFFIX="X64"
> +    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> +        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> +    fi
>      FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
> -    echo FIXED_GCCVER is ${FIXED_GCCVER}
> +    bbnote FIXED_GCCVER is ${FIXED_GCCVER}
> +    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
> +
>      ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
> +    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
>  }
>  
>  do_install_class-native() {
> @@ -108,16 +119,18 @@ do_install_class-native() {
>  }
>  
>  do_install_class-target() {
> -    OVMF_DIR_SUFFIX="X64"
> -    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> -        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> -    fi
> +    # Traditional location.
>      install -d ${D}${datadir}/ovmf
> +    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin

Now that I think about it. Installing here does not sever any purpose.
Thus, I think this can be removed by perhaps doing do_install[noexec] =
"1"

> +}
>  
> -    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
> -    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
> -    install -m 0755 ${build_dir}/FV/OVMF.fd \
> -	${D}${datadir}/ovmf/bios.bin
> +inherit deploy

I am not sure if there is a right way for inheriting in bitbake.
However, a quick grep -n inherit reveals that the majority of the
recipes put their inheritances towards the top of the recipe.

Thanks and BR,
Ricardo
> +do_deploy() {
> +}
> +do_deploy_class-target() {
> +    # For use with "runqemu ovmf".
> +    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
>  }
> +addtask do_deploy after do_compile before do_build
>  
>  BBCLASSEXTEND = "native"

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Ricardo Neri]

On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote:
> >  do_install_class-target() {
> > -    OVMF_DIR_SUFFIX="X64"
> > -    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> > -        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> > -    fi
> > +    # Traditional location.
> >      install -d ${D}${datadir}/ovmf
> > +    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd
> ${D}${datadir}/ovmf/bios.bin
> 
> Now that I think about it. Installing here does not sever any purpose.
> Thus, I think this can be removed by perhaps doing do_install[noexec]
> =
> "1"

I take back this. I seems that scripts/runqemu does look for OVMF in
STAGING_DIR_HOST/NATIVE. Perhaps this can be changed how that you are
also updating runqemu.

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Patrick Ohly]

On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote:
> >  do_install_class-target() {
> > -    OVMF_DIR_SUFFIX="X64"
> > -    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> > -        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> > -    fi
> > +    # Traditional location.
> >      install -d ${D}${datadir}/ovmf
> > +    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
> 
> Now that I think about it. Installing here does not sever any purpose.
> Thus, I think this can be removed by perhaps doing do_install[noexec] =
> "1"

I was trying not to break traditional usage patterns. If we keep the
"bios" runqemu parameters, then we should also keep the bios.bin file.

> > +}
> >  
> > -    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
> > -    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
> > -    install -m 0755 ${build_dir}/FV/OVMF.fd \
> > -	${D}${datadir}/ovmf/bios.bin
> > +inherit deploy
> 
> I am not sure if there is a right way for inheriting in bitbake.
> However, a quick grep -n inherit reveals that the majority of the
> recipes put their inheritances towards the top of the recipe.

Agreed, that seems to be more common, although there are also examples
where "inherit deploy" is directly in front of "do_deploy". I chose the
latter because it was a more localized change, but will change it in
rev2.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Ricardo Neri]

On Wed, 2017-01-04 at 11:01 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote:
> > >  do_install_class-target() {
> > > -    OVMF_DIR_SUFFIX="X64"
> > > -    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> > > -        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> > > -    fi
> > > +    # Traditional location.
> > >      install -d ${D}${datadir}/ovmf
> > > +    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
> > 
> > Now that I think about it. Installing here does not sever any purpose.
> > Thus, I think this can be removed by perhaps doing do_install[noexec] =
> > "1"
> 
> I was trying not to break traditional usage patterns. If we keep the
> "bios" runqemu parameters, then we should also keep the bios.bin file.

I think OVMF is not a traditional recipe. There are two use cases to
ponder. 1) a Yocto Project disk image wants to include OVMF along with
qemu to run a VM from the YP image. 2) we want to run a YP image in a
host system. I am not sure if someone is interested in 1) and I think
your use case and LUV's is 2). I think that putting things in the deploy
directory makes more sense because, as you said, these images will be
written to. I reckon the the "bios" parameters in runqemu should look
there. This is not a must for this patchset but something nice to have.

Thanks and BR,
Ricardo

Re: [PATCH 4/9] ovmf: deploy firmware in image directory

[Patrick Ohly]

On Mon, 2017-01-09 at 19:50 -0800, Ricardo Neri wrote:
> On Wed, 2017-01-04 at 11:01 +0100, Patrick Ohly wrote:
> > On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote:
> > > >  do_install_class-target() {
> > > > -    OVMF_DIR_SUFFIX="X64"
> > > > -    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
> > > > -        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
> > > > -    fi
> > > > +    # Traditional location.
> > > >      install -d ${D}${datadir}/ovmf
> > > > +    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
> > > 
> > > Now that I think about it. Installing here does not sever any purpose.
> > > Thus, I think this can be removed by perhaps doing do_install[noexec] =
> > > "1"
> > 
> > I was trying not to break traditional usage patterns. If we keep the
> > "bios" runqemu parameters, then we should also keep the bios.bin file.
> 
> I think OVMF is not a traditional recipe. There are two use cases to
> ponder. 1) a Yocto Project disk image wants to include OVMF along with
> qemu to run a VM from the YP image. 2) we want to run a YP image in a
> host system. I am not sure if someone is interested in 1) and I think
> your use case and LUV's is 2). I think that putting things in the deploy
> directory makes more sense because, as you said, these images will be
> written to. I reckon the the "bios" parameters in runqemu should look
> there. This is not a must for this patchset but something nice to have.

Okay, so let's remove that "traditional location" already in this patch
set. I still want to keep the "bios" parameters in runqemu (because they
might have some other uses), but for OVMF, the only supported approach
will be via the "ovmf" parameters and the deploy directory.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

[PATCH 5/9] ovmf_git.bb: enable parallel compilation

[Patrick Ohly]

The Fedora srpm [1] seems to have no problems with parallel
compilation, so let's also use that for the target. The native
tools however indeed have dependency problems:

| test_Ecc_CParser (CheckPythonSyntax.Tests) ... gcc -o ../bin/EfiRom -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-O1 EfiRom.o -L../libs -lCommon
| /usr/bin/ld: cannot find -lCommon
| collect2: error: ld returned 1 exit status

ERROR: Task (virtual:native:.../meta/recipes-core/ovmf/ovmf_git.bb:do_compile) failed with exit code '1'

[1] https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index d0441d1..67e65b8 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,7 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
 
-PARALLEL_MAKE = ""
+PARALLEL_MAKE_class-native = ""
 
 S = "${WORKDIR}/git"
 
@@ -92,6 +92,7 @@ do_compile_class-native() {
 
 do_compile_class-target() {
     export LFLAGS="${LDFLAGS}"
+    PARALLEL_JOBS="${@ '${PARALLEL_MAKE}'.replace('-j', '-n')}"
     OVMF_ARCH="X64"
     if [ "${TARGET_ARCH}" != "x86_64" ] ; then
         OVMF_ARCH="IA32"
@@ -109,7 +110,7 @@ do_compile_class-target() {
     bbnote FIXED_GCCVER is ${FIXED_GCCVER}
     build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
-    ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
 }
 
-- 
2.1.4

Re: [PATCH 5/9] ovmf_git.bb: enable parallel compilation

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The Fedora srpm [1] seems to have no problems with parallel
> compilation, so let's also use that for the target. The native
> tools however indeed have dependency problems:

True. It is good to paralize what we can. This also looks good to me.

[PATCH 6/9] ovmf_git.bb: enable Secure Boot

[Patrick Ohly]

The recipe now compiles OVMF twice, once without Secure Boot, once
with. This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
image deploy directory, so
  runqemu <machine> <image> ovmf.secboot
will boot with Secure Boot enabled.

In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use
the ones considered problematic for Fedora, so this shouldn't be a
problem.

Fixes: luv-yocto/#38

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 67e65b8..c4eedf0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,6 +1,6 @@
 DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
 HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
-LICENSE = "BSD"
+LICENSE = "BSD & OpenSSL"
 LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
 
 SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
@@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
         "
 
+SRC_URI_append_class-target = " \
+	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
+"
+
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
 
 PARALLEL_MAKE_class-native = ""
 
@@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
 # OVMF supports IA only, although it could conceivably support ARM someday.
 COMPATIBLE_HOST='(i.86|x86_64).*'
 
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
+
 do_patch_append_class-native() {
     bb.build.exec_func('do_fix_iasl', d)
     bb.build.exec_func('do_fix_toolchain', d)
@@ -110,8 +120,22 @@ do_compile_class-target() {
     bbnote FIXED_GCCVER is ${FIXED_GCCVER}
     build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
+    bbnote "Building without Secure Boot."
+    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
+
+    # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+    # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+    # building with Secure Boot enabled.
+    bbnote "Building with Secure Boot."
+    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+    if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
+        ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+    fi
+    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
 }
 
 do_install_class-native() {
@@ -131,6 +155,7 @@ do_deploy() {
 do_deploy_class-target() {
     # For use with "runqemu ovmf".
     qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
+    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
 }
 addtask do_deploy after do_compile before do_build
 
-- 
2.1.4

Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The recipe now compiles OVMF twice, once without Secure Boot, once
> with. This is the same approach as in
> https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Besides the fact that Fedora does it, is there a particular reason to
build twice? On my side, I am able to build with secure boot with a
single build. Also, the Ubuntu documentation does not mention that two
builds are needed [1].

I do see that in Fedora, the build parameters change. OVMF without
secure boot support is built with -a X64 -p OvmfPkg/OvmfPkgX64.dsc while
OVMF with secure boot support is built with -a IA32 -a X64 -p
OvmfPkg/OvmfPkgIa32X64.dsc. Perhaps this is the reason?
> 
> The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
> image deploy directory, so
>   runqemu <machine> <image> ovmf.secboot
> will boot with Secure Boot enabled.
> 
> In contrast to Fedora, no attempt is made to strip potentially patent
> encumbered algorithms out of the OpenSSL archive. OVMF does not use
> the ones considered problematic for Fedora, so this shouldn't be a
> problem.
> 
> Fixes: luv-yocto/#38

Also, I think it would be nice if we could choose between to not have
secure boot at all for OVMF. Maybe this could be achieved by having a
common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
different the specific things to support secure boot or not. Maybe all
that is needed in the secure boot recipe are the extra variables for
OpenSSL and a prepend to do_compile_class-target with the OpenSSL
patching. Something to ponder.


> 
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
> ---
>  meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index 67e65b8..c4eedf0 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -1,6 +1,6 @@
>  DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
>  HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
> -LICENSE = "BSD"
> +LICENSE = "BSD & OpenSSL"
>  LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
>  
>  SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
> @@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
>  	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
>          "
>  
> +SRC_URI_append_class-target = " \
> +	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
> +"
> +
>  SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
> +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
> +SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
>  
>  PARALLEL_MAKE_class-native = ""
>  
> @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
>  # OVMF supports IA only, although it could conceivably support ARM someday.
>  COMPATIBLE_HOST='(i.86|x86_64).*'
>  
> +# Additional build flags for OVMF with Secure Boot.
> +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
> +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
> +
>  do_patch_append_class-native() {
>      bb.build.exec_func('do_fix_iasl', d)
>      bb.build.exec_func('do_fix_toolchain', d)
> @@ -110,8 +120,22 @@ do_compile_class-target() {
>      bbnote FIXED_GCCVER is ${FIXED_GCCVER}
>      build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
>  
> +    bbnote "Building without Secure Boot."
> +    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
>      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
>      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> +
> +    # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
> +    # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> +    # building with Secure Boot enabled.
> +    bbnote "Building with Secure Boot."
> +    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> +    if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
> +        ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
> +    fi
> +    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> +    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> +    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd

At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
boot support. Maybe this could be fixed by copying the files rather than
creating a symbolic link.

>  }
>  
>  do_install_class-native() {
> @@ -131,6 +155,7 @@ do_deploy() {
>  do_deploy_class-target() {
>      # For use with "runqemu ovmf".
>      qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
> +    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2

In the same line as my previous comment, these two images will have
secure boot support.

Thanks and BR,
Ricardo

[1]. https://wiki.ubuntu.com/UEFI/EDK2
>  }
>  addtask do_deploy after do_compile before do_build
>  
> -- 
> 2.1.4
> 

Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot

[Patrick Ohly]

On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > The recipe now compiles OVMF twice, once without Secure Boot, once
> > with. This is the same approach as in
> > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> 
> Besides the fact that Fedora does it, is there a particular reason to
> build twice?

The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
There's only one such file after a build.

>  On my side, I am able to build with secure boot with a
> single build. Also, the Ubuntu documentation does not mention that two
> builds are needed [1].

Can you build with and without secure boot in a single build? I wasn't
sure how to achieve that, so I just copied what Fedora does.

> Also, I think it would be nice if we could choose between to not have
> secure boot at all for OVMF. Maybe this could be achieved by having a
> common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
> different the specific things to support secure boot or not. Maybe all
> that is needed in the secure boot recipe are the extra variables for
> OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> patching. Something to ponder.

I think I would prefer to have a single recipe with a PACKAGECONFIG for
secure boot. Having different recipes doesn't scale when adding more
such options. If you agree, then I'll add that.

> > +    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > +    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > +    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> 
> At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> boot support. Maybe this could be fixed by copying the files rather than
> creating a symbolic link.

This is intentionally a hardlink, not a symbolic link, exactly because
of the problem you mentioned ;-)

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot

[Ricardo Neri]

On Wed, 2017-01-04 at 11:10 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > > The recipe now compiles OVMF twice, once without Secure Boot, once
> > > with. This is the same approach as in
> > > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> > 
> > Besides the fact that Fedora does it, is there a particular reason to
> > build twice?
> 
> The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
> There's only one such file after a build.
> 
> >  On my side, I am able to build with secure boot with a
> > single build. Also, the Ubuntu documentation does not mention that two
> > builds are needed [1].
> 
> Can you build with and without secure boot in a single build? I wasn't
> sure how to achieve that, so I just copied what Fedora does.

Oh I see, I didn't understand in your commit message that you intend to
keep the secure boot and the non-secure boot images. Then it makes sense
to build twice.
> 
> > Also, I think it would be nice if we could choose between to not have
> > secure boot at all for OVMF. Maybe this could be achieved by having a
> > common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
> > different the specific things to support secure boot or not. Maybe all
> > that is needed in the secure boot recipe are the extra variables for
> > OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> > patching. Something to ponder.
> 
> I think I would prefer to have a single recipe with a PACKAGECONFIG for
> secure boot. Having different recipes doesn't scale when adding more
> such options. If you agree, then I'll add that.

Yes, I agree that a PACKAGECONFIG makes more sense.
> 
> > > +    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > > +    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > > +    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> > 
> > At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> > ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> > boot support. Maybe this could be fixed by copying the files rather than
> > creating a symbolic link.
> 
> This is intentionally a hardlink, not a symbolic link, exactly because
> of the problem you mentioned ;-)

Oh, a hardlink. I see now. Thanks for clarifying.
> 

[PATCH 7/9] runqemu: let command line parameters override defaults

[Patrick Ohly]

It may be necessary to override the parameters gathered for the qemu
invocation. For example, the qemux86 machine configuration sets "-vga
vmware", but when using OVMF as BIOS, only "-vga std" is supported.

By putting the parameters derived from custom runqemu parameters like
"qemuparams" after the parameters derived from the machine
configuration the user gets the possibility to override those.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 scripts/runqemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 0a9cb94..203992a 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -926,7 +926,7 @@ class BaseConfig(object):
 
         check_libgl(qemu_bin)
 
-        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.qemu_opt_script, self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
+        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script)
 
         if self.snapshot:
             self.qemu_opt += " -snapshot"
-- 
2.1.4

[PATCH 8/9] runqemu: support UEFI with OVMF firmware

[Patrick Ohly]

In the simplest case, "runqemu qemux86 <some-image> qcow2 ovmf" for an
EFI-enabled image in the qcow2 format will locate the OVMF firmware file,
override the graphics hardware with "-vga std" because that is all
that OVMF supports, and boot with UEFI enabled. This depends on
"bitbake ovmf" deploying a "ovmf.qcow2" firmware file in the image deploy
directory.

The firmware file is activated as a flash drive instead of using the
qemu BIOS parameters, because that is the recommended method
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764918#47) as it
allows storing UEFI variables in the file.

Instead of just "ovmf", a full path to an existing file can also be
used, just as with the rootfs. That may be useful when making a
permanent copy of the virtual machine data files.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 scripts/runqemu | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 203992a..257dcec 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -74,6 +74,7 @@ of the following environment variables (in any order):
     kvm-vhost - enable KVM with vhost when running x86/x86_64 (VT-capable CPU required)
     publicvnc - enable a VNC server open to all hosts
     audio - enable audio
+    [*/]ovmf* - OVMF BIOS file or base name for booting with UEFI
   tcpserial=<port> - specify tcp serial port number
   biosdir=<dir> - specify custom bios dir
   biosfilename=<filename> - specify bios filename
@@ -162,6 +163,12 @@ class BaseConfig(object):
         self.clean_nfs_dir = False
         self.nfs_server = ''
         self.rootfs = ''
+        # File name of a OVMF BIOS file, to be added with -drive if=pflash.
+        # Found in the same places as the rootfs, with or without one of
+        # these suffices: qcow2, bin.
+        # Setting one also adds "-vga std" because that is all that
+        # OVMF supports.
+        self.ovmf_bios = ''
         self.qemuboot = ''
         self.qbconfload = False
         self.kernel = ''
@@ -369,6 +376,8 @@ class BaseConfig(object):
                 self.qemu_opt_script += ' %s' % arg[len('qemuparams='):]
             elif arg.startswith('bootparams='):
                 self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):]
+            elif os.path.basename(arg).startswith('ovmf'):
+                self.ovmf_bios = arg
             elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)):
                 self.check_arg_path(os.path.abspath(arg))
             elif re.search('-image-', arg):
@@ -472,6 +481,20 @@ class BaseConfig(object):
         if not os.path.exists(self.rootfs):
             raise Exception("Can't find rootfs: %s" % self.rootfs)
 
+    def check_ovmf(self):
+        """Check and set full path for OVMF BIOS file."""
+
+        if self.ovmf_bios is None or os.path.exists(self.ovmf_bios):
+            return
+
+        for suffix in ('qcow2', 'bin'):
+            ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix)
+            if os.path.exists(ovmf_bios):
+                self.ovmf_bios = ovmf_bios
+                return
+
+        raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios)
+
     def check_kernel(self):
         """Check and set kernel, dtb"""
         # The vm image doesn't need a kernel
@@ -562,6 +585,7 @@ class BaseConfig(object):
         self.check_kvm()
         self.check_fstype()
         self.check_rootfs()
+        self.check_ovmf()
         self.check_kernel()
         self.check_biosdir()
         self.check_mem()
@@ -670,6 +694,8 @@ class BaseConfig(object):
             print('NFS_DIR: [%s]' % self.nfs_dir)
         else:
             print('ROOTFS: [%s]' % self.rootfs)
+        if self.ovmf_bios:
+            print('OVMF: [%s]' % self.ovmf_bios)
         print('CONFFILE: [%s]' % self.qemuboot)
         print('')
 
@@ -926,7 +952,16 @@ class BaseConfig(object):
 
         check_libgl(qemu_bin)
 
-        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script)
+        self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
+
+        if self.ovmf_bios:
+            format = self.ovmf_bios.rsplit('.', 1)[-1]
+            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
+            # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
+            # that gets added for example for normal qemux86.
+            self.qemu_opt += ' -vga std'
+
+        self.qemu_opt += ' ' + self.qemu_opt_script
 
         if self.snapshot:
             self.qemu_opt += " -snapshot"
-- 
2.1.4

Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> +        # File name of a OVMF BIOS file, to be added with -drive
> if=pflash.
> +        # Found in the same places as the rootfs, with or without one
> of
> +        # these suffices: qcow2, bin.
> +        # Setting one also adds "-vga std" because that is all that
> +        # OVMF supports.
> +        self.ovmf_bios = ''

runqemu has the options biosdir and biosfilename. Although the log for
these options was lost when the script was migrated to python, the
motivation of adding these options was to use OVMF. It uses the -L and
-bios options of qemu. To my knowledge, the only custom bios at the
moment is OVMF. Thus, you would ponder either removing or tweaking these
options with your approach; which makes more sense to me.

Thanks and BR,
Ricardo

Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware

[Patrick Ohly]

On Wed, 2016-12-28 at 15:33 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > +        # File name of a OVMF BIOS file, to be added with -drive
> > if=pflash.
> > +        # Found in the same places as the rootfs, with or without one
> > of
> > +        # these suffices: qcow2, bin.
> > +        # Setting one also adds "-vga std" because that is all that
> > +        # OVMF supports.
> > +        self.ovmf_bios = ''
> 
> runqemu has the options biosdir and biosfilename. Although the log for
> these options was lost when the script was migrated to python,

You probably mean this:
http://git.openembedded.org/openembedded-core/commit/?id=d302f5683dd736ac4cd4b601a046d22000d41e68
http://git.openembedded.org/openembedded-core/commit/?id=29c9e6f44541b7f8731e21e9d1a0adca9da28e37

>  the
> motivation of adding these options was to use OVMF. It uses the -L and
> -bios options of qemu. To my knowledge, the only custom bios at the
> moment is OVMF. Thus, you would ponder either removing or tweaking these
> options with your approach; which makes more sense to me.

I have no personal opinion about the usefulness of the "biosdir" and
"biosfilename" options. Just looking at what they do, they might have
value also when not using OVMF (for example, the "VGA BIOS" that is
mentioned in the first commit). But if no-one is actually using these
options, then they should indeed be removed to simplify runqemu.

The problem just is to determine whether they are used :-/ As I don't
know, I'd prefer to keep them for now and remove them separately.

Regarding the approach that I proposed for the "ovmf" file(s): what's
your opinion about that? I was a bit worried that too much "magic" is
involved here (special keyword that expands to files and sets -vga), but
it is convenient and quite naturally supports additional use cases
(explicitly selecting files at non-standard locations, separate code and
variable files).

Regarding that last argument: in the current patch series, only the
combined ovmf.fd gets deployed and I argued that this is sufficient. To
test that supporting separate code and variables also works, I've
implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd,
ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports
more than one "ovmf" parameter - this worked nicely. Full change below.

Now that I've implemented it, I wonder whether it would be worth
submitting that as part of rev2 of this patch series. Any opinions?

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index ef61b16..391274b 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -125,6 +125,8 @@ do_compile_class-target() {
     rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
+    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd
+    ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd
 
     # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
     # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
@@ -137,6 +139,7 @@ do_compile_class-target() {
     ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
+    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd
     for i in Shell.efi EnrollDefaultKeys.efi; do
         ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i
     done
@@ -170,8 +173,9 @@ do_deploy() {
 }
 do_deploy_class-target() {
     # For use with "runqemu ovmf".
-    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
-    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
+    for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do
+        qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2
+    done
 }
 addtask do_deploy after do_compile before do_build
 
diff --git a/scripts/runqemu b/scripts/runqemu
index c8b7c8a..c3fed89 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -163,12 +163,12 @@ class BaseConfig(object):
         self.clean_nfs_dir = False
         self.nfs_server = ''
         self.rootfs = ''
-        # File name of a OVMF BIOS file, to be added with -drive if=pflash.
+        # File name(s) of a OVMF BIOS file or variable store, to be added with -drive if=pflash.
         # Found in the same places as the rootfs, with or without one of
         # these suffices: qcow2, bin.
         # Setting one also adds "-vga std" because that is all that
         # OVMF supports.
-        self.ovmf_bios = ''
+        self.ovmf_bios = []
         self.qemuboot = ''
         self.qbconfload = False
         self.kernel = ''
@@ -376,13 +376,13 @@ class BaseConfig(object):
                 self.qemu_opt_script += ' %s' % arg[len('qemuparams='):]
             elif arg.startswith('bootparams='):
                 self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):]
-            elif os.path.basename(arg).startswith('ovmf'):
-                self.ovmf_bios = arg
             elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)):
                 self.check_arg_path(os.path.abspath(arg))
-            elif re.search('-image-', arg):
+            elif re.search('-image-', arg) or arg.endswith('-image'):
                 # Lazy rootfs
                 self.rootfs = arg
+            elif os.path.basename(arg).startswith('ovmf'):
+                self.ovmf_bios.append(arg)
             else:
                 # At last, assume is it the MACHINE
                 if (not unknown_arg) or unknown_arg == arg:
@@ -482,18 +482,18 @@ class BaseConfig(object):
             raise Exception("Can't find rootfs: %s" % self.rootfs)
 
     def check_ovmf(self):
-        """Check and set full path for OVMF BIOS file."""
+        """Check and set full path for OVMF BIOS file(s)."""
 
-        if self.ovmf_bios is None or os.path.exists(self.ovmf_bios):
-            return
-
-        for suffix in ('qcow2', 'bin'):
-            ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix)
-            if os.path.exists(ovmf_bios):
-                self.ovmf_bios = ovmf_bios
-                return
-
-        raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios)
+        for index, ovmf in enumerate(self.ovmf_bios):
+            if os.path.exists(ovmf):
+                continue
+            for suffix in ('qcow2', 'bin'):
+                path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
+                if os.path.exists(path):
+                    self.ovmf_bios[index] = path
+                    break
+            else:
+                raise Exception("Can't find OVMF BIOS: %s" % ovmf)
 
     def check_kernel(self):
         """Check and set kernel, dtb"""
@@ -695,7 +695,7 @@ class BaseConfig(object):
         else:
             print('ROOTFS: [%s]' % self.rootfs)
         if self.ovmf_bios:
-            print('OVMF: [%s]' % self.ovmf_bios)
+            print('OVMF: %s' % self.ovmf_bios)
         print('CONFFILE: [%s]' % self.qemuboot)
         print('')
 
@@ -939,9 +939,10 @@ class BaseConfig(object):
 
         self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
 
+        for ovmf in self.ovmf_bios:
+            format = ovmf.rsplit('.', 1)[-1]
+            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
         if self.ovmf_bios:
-            format = self.ovmf_bios.rsplit('.', 1)[-1]
-            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
             # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
             # that gets added for example for normal qemux86.
             self.qemu_opt += ' -vga std'



-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware

[Ricardo Neri]

On Wed, 2017-01-04 at 10:43 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 15:33 -0800, Ricardo Neri wrote:
> > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > > +        # File name of a OVMF BIOS file, to be added with -drive
> > > if=pflash.
> > > +        # Found in the same places as the rootfs, with or without one
> > > of
> > > +        # these suffices: qcow2, bin.
> > > +        # Setting one also adds "-vga std" because that is all that
> > > +        # OVMF supports.
> > > +        self.ovmf_bios = ''
> > 
> > runqemu has the options biosdir and biosfilename. Although the log for
> > these options was lost when the script was migrated to python,
> 
> You probably mean this:
> http://git.openembedded.org/openembedded-core/commit/?id=d302f5683dd736ac4cd4b601a046d22000d41e68
> http://git.openembedded.org/openembedded-core/commit/?id=29c9e6f44541b7f8731e21e9d1a0adca9da28e37
> 
> >  the
> > motivation of adding these options was to use OVMF. It uses the -L and
> > -bios options of qemu. To my knowledge, the only custom bios at the
> > moment is OVMF. Thus, you would ponder either removing or tweaking these
> > options with your approach; which makes more sense to me.
> 
> I have no personal opinion about the usefulness of the "biosdir" and
> "biosfilename" options. Just looking at what they do, they might have
> value also when not using OVMF (for example, the "VGA BIOS" that is
> mentioned in the first commit). But if no-one is actually using these
> options, then they should indeed be removed to simplify runqemu.
> 
> The problem just is to determine whether they are used :-/ As I don't
> know, I'd prefer to keep them for now and remove them separately.

This makes sense.
> 
> Regarding the approach that I proposed for the "ovmf" file(s): what's
> your opinion about that? I was a bit worried that too much "magic" is
> involved here (special keyword that expands to files and sets -vga), but
> it is convenient and quite naturally supports additional use cases
> (explicitly selecting files at non-standard locations, separate code and
> variable files).
> 
> Regarding that last argument: in the current patch series, only the
> combined ovmf.fd gets deployed and I argued that this is sufficient. 

It would be certainly enough for me :) as in most of my use cases I
always test brand new images without any variables in it. Also, you
kindly included facilitiesto lockdown the image. I can't speak for other
people but this is more than enough for me. If you pursue this path,
perhaps you can include a big warning in the recipe saying that people
will lose their variables if they rebuild OVMF. On the other hand...

> To
> test that supporting separate code and variables also works, I've
> implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd,
> ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports
> more than one "ovmf" parameter - this worked nicely. Full change below.

... Now that you have took the time to prototype the solution, we could
put it to use.

> 
> Now that I've implemented it, I wonder whether it would be worth
> submitting that as part of rev2 of this patch series. Any opinions?
> 
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index ef61b16..391274b 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -125,6 +125,8 @@ do_compile_class-target() {
>      rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
>      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
>      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> +    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd
> +    ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd
>  
>      # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
>      # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> @@ -137,6 +139,7 @@ do_compile_class-target() {
>      ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
>      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
>      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> +    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd
>      for i in Shell.efi EnrollDefaultKeys.efi; do
>          ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i
>      done
> @@ -170,8 +173,9 @@ do_deploy() {
>  }
>  do_deploy_class-target() {
>      # For use with "runqemu ovmf".
> -    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
> -    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
> +    for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do
> +        qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2

Will this preserve any previous OVMF_vars.fd that might exist in the
directory.

> +    done
>  }
>  addtask do_deploy after do_compile before do_build
>  
> diff --git a/scripts/runqemu b/scripts/runqemu
> index c8b7c8a..c3fed89 100755
> --- a/scripts/runqemu
> +++ b/scripts/runqemu
> @@ -163,12 +163,12 @@ class BaseConfig(object):
>          self.clean_nfs_dir = False
>          self.nfs_server = ''
>          self.rootfs = ''
> -        # File name of a OVMF BIOS file, to be added with -drive if=pflash.
> +        # File name(s) of a OVMF BIOS file or variable store, to be added with -drive if=pflash.
>          # Found in the same places as the rootfs, with or without one of
>          # these suffices: qcow2, bin.
>          # Setting one also adds "-vga std" because that is all that
>          # OVMF supports.
> -        self.ovmf_bios = ''
> +        self.ovmf_bios = []
>          self.qemuboot = ''
>          self.qbconfload = False
>          self.kernel = ''
> @@ -376,13 +376,13 @@ class BaseConfig(object):
>                  self.qemu_opt_script += ' %s' % arg[len('qemuparams='):]
>              elif arg.startswith('bootparams='):
>                  self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):]
> -            elif os.path.basename(arg).startswith('ovmf'):
> -                self.ovmf_bios = arg
>              elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)):
>                  self.check_arg_path(os.path.abspath(arg))
> -            elif re.search('-image-', arg):
> +            elif re.search('-image-', arg) or arg.endswith('-image'):
>                  # Lazy rootfs
>                  self.rootfs = arg
> +            elif os.path.basename(arg).startswith('ovmf'):
> +                self.ovmf_bios.append(arg)
>              else:
>                  # At last, assume is it the MACHINE
>                  if (not unknown_arg) or unknown_arg == arg:
> @@ -482,18 +482,18 @@ class BaseConfig(object):
>              raise Exception("Can't find rootfs: %s" % self.rootfs)
>  
>      def check_ovmf(self):
> -        """Check and set full path for OVMF BIOS file."""
> +        """Check and set full path for OVMF BIOS file(s)."""
>  
> -        if self.ovmf_bios is None or os.path.exists(self.ovmf_bios):
> -            return
> -
> -        for suffix in ('qcow2', 'bin'):
> -            ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix)
> -            if os.path.exists(ovmf_bios):
> -                self.ovmf_bios = ovmf_bios
> -                return
> -
> -        raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios)
> +        for index, ovmf in enumerate(self.ovmf_bios):
> +            if os.path.exists(ovmf):
> +                continue
> +            for suffix in ('qcow2', 'bin'):
> +                path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
> +                if os.path.exists(path):
> +                    self.ovmf_bios[index] = path
> +                    break
> +            else:
> +                raise Exception("Can't find OVMF BIOS: %s" % ovmf)
>  
>      def check_kernel(self):
>          """Check and set kernel, dtb"""
> @@ -695,7 +695,7 @@ class BaseConfig(object):
>          else:
>              print('ROOTFS: [%s]' % self.rootfs)
>          if self.ovmf_bios:
> -            print('OVMF: [%s]' % self.ovmf_bios)
> +            print('OVMF: %s' % self.ovmf_bios)

Is there a reason to remove the brackets here?
>          print('CONFFILE: [%s]' % self.qemuboot)
>          print('')
>  
> @@ -939,9 +939,10 @@ class BaseConfig(object):
>  
>          self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
>  
> +        for ovmf in self.ovmf_bios:
> +            format = ovmf.rsplit('.', 1)[-1]
> +            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
>          if self.ovmf_bios:
> -            format = self.ovmf_bios.rsplit('.', 1)[-1]
> -            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
>              # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
>              # that gets added for example for normal qemux86.
>              self.qemu_opt += ' -vga std'
> 
> 
I think this solution looks good as having separate file does not pose
an extra hassle in the user: the recipe builds all that is needed and
runqemu takes all that it needs. If in the future people shows an
interest in having unified images, maybe that can be added as another
PACKAGECONFIG?

Also, the usage of runqemu needs to be updated as well. Perhaps the
usage can include a note stating that code and vars are are split but no
extra action is needed.

Thanks and BR,
Ricardo
> 

Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware

[Patrick Ohly]

On Mon, 2017-01-09 at 19:50 -0800, Ricardo Neri wrote:
> On Wed, 2017-01-04 at 10:43 +0100, Patrick Ohly wrote:
> > To
> > test that supporting separate code and variables also works, I've
> > implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd,
> > ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports
> > more than one "ovmf" parameter - this worked nicely. Full change below.
> 
> ... Now that you have took the time to prototype the solution, we could
> put it to use.
> 
> > 
> > Now that I've implemented it, I wonder whether it would be worth
> > submitting that as part of rev2 of this patch series. Any opinions?
> > 
> > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> > index ef61b16..391274b 100644
> > --- a/meta/recipes-core/ovmf/ovmf_git.bb
> > +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> > @@ -125,6 +125,8 @@ do_compile_class-target() {
> >      rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> >      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
> >      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> > +    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd
> > +    ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd
> >  
> >      # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
> >      # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> > @@ -137,6 +139,7 @@ do_compile_class-target() {
> >      ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> >      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> >      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> > +    ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd
> >      for i in Shell.efi EnrollDefaultKeys.efi; do
> >          ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i
> >      done
> > @@ -170,8 +173,9 @@ do_deploy() {
> >  }
> >  do_deploy_class-target() {
> >      # For use with "runqemu ovmf".
> > -    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
> > -    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
> > +    for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do
> > +        qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2
> 
> Will this preserve any previous OVMF_vars.fd that might exist in the
> directory.

No, it will overwrite ovmf.vars.qcow2 and any variables stored in that
get lost. That is consistent with rebuilding the disk image: a user who
wants to have a "persistent" virtual machine must copy the relevant file
and then use the full file paths. In this case, that means invoking
runqemu with the file path to the copy of ovmf.vars.qcow2 instead of
just "ovmf.vars".

> >          if self.ovmf_bios:
> > -            print('OVMF: [%s]' % self.ovmf_bios)
> > +            print('OVMF: %s' % self.ovmf_bios)
> 
> Is there a reason to remove the brackets here?

self.ovmf_bios is a list, so formatting it as string will add the
brackets. I found that more readable than the (from a semantic point of
view more correct) double brackets: [['.../ovmf.code.qcow2',
'.../ovmf.vars.qcow2']]

> > +        for ovmf in self.ovmf_bios:
> > +            format = ovmf.rsplit('.', 1)[-1]
> > +            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
> >          if self.ovmf_bios:
> > -            format = self.ovmf_bios.rsplit('.', 1)[-1]
> > -            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
> >              # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
> >              # that gets added for example for normal qemux86.
> >              self.qemu_opt += ' -vga std'
> > 
> > 
> I think this solution looks good as having separate file does not pose
> an extra hassle in the user: the recipe builds all that is needed and
> runqemu takes all that it needs.

But not automatically. "runqemu ovmf" would expand "ovmf" to
tmp/deploy/images/.../ovmf.qcow2 and thus use the combined file while
"runqemu ovmf.code ovmf.vars" tells runqemu that it is supposed to use
two flash drives, one with the code and one with the variables.


>  If in the future people shows an
> interest in having unified images, maybe that can be added as another
> PACKAGECONFIG?

As the unified code+vars is slightly easier to use, I'd prefer to keep
it around and just offer both. That's not such a big deal in terms of
performance and disk usage.


-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

[PATCH 9/9] ovmf: build image which enrolls standard keys

[Patrick Ohly]

When booting a qemu virtual machine with ovmf.secboot, it comes up
with no keys installed and thus Secure Boot disabled. To lock down
the machine like a typical PC, one has to enroll the same keys
that PC vendors normally install, i.e. the ones from Microsoft.

This can be done manually (see
https://wiki.ubuntu.com/SecurityTeam/SecureBoot and
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf) or automatically with the EnrollDefaultKeys.efi helper
from the Fedora ovmf rpm.

To use this with qemu:
$ bitbake ovmf-shell-image
...
$ runqemu serial nographic qemux86 ovmf-shell-image wic ovmf.secboot
...
UEFI Interactive Shell v2.1
EDK II
UEFI v2.60 (EDK II, 0x00010000)
Mapping table
      FS0: Alias(s):HD2b:;BLK4:
          PciRoot(0x0)/Pci(0x5,0x0)/HD(1,GPT,06AEF759-3982-4AF6-B517-70BA6304FC1C,0x800,0x566C)
     BLK0: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
     BLK1: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x1)
     BLK2: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
     BLK3: Alias(s):
          PciRoot(0x0)/Pci(0x5,0x0)

Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell> fs0:EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
Shell> reset

Remember that this will modify
deploy/images/qemux86/ovmf.secboot.qcow2, so make a copy and use the
full path of that copy instead of the "ovmf" argument if needed.

The ovmf-shell-image contains an EFI shell, which is what got started
here directly. After enrolling the keys, Secure Boot is active and the
same image cannot be booted anymore, so the BIOS goes through the
normal boot targets (including network boot, which can take a while to
time out), and ends up in the internal EFI shell. Trying to invoke
bootia32.efi (the shell from the image) or EnrollDefaultKeys.efi then
fails:
Shell> bootia32.efi
Command Error Status: Security Violation

The main purpose at the moment is to test that Secure Boot enforcement
really works. If we had a way to sign generated images, that part could
also be tested by booting in a locked down qemu instance.

0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch is
from
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch?id=b1781931894bf2057464e634beed68b1e3218c9e
with one line changed to fix
https://bugzilla.redhat.com/show_bug.cgi?id=132502:
"EFI_STATUS Status = EFI_SUCCESS;" in EnrollListOfX509Certs() lacked
the initializer.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |   16 +
 4 files changed, 1165 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks

diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
new file mode 100644
index 0000000..fecde9c
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -0,0 +1,22 @@
+# This needs to run before image.bbclass reads IMAGE_FSTYPES,
+# which is guaranteed by the ordering of anonymous functions
+# in a recipe.
+python () {
+    # Ignore customization of IMAGE_FSTYPES because
+    # for this image recipe, only the .wic format
+    # with a single vfat partition makes sense.
+    d.setVar('IMAGE_FSTYPES', 'wic')
+}
+WKS_FILE = "ovmf/ovmf-shell-image.wks"
+
+inherit image
+
+# We want a minimal image with just ovmf-shell-efi
+# unpacked in it. We avoid installing unnecessary
+# stuff as much as possible, but some things still
+# get through and need to be removed.
+PACKAGE_INSTALL = "ovmf-shell-efi"
+LINGUAS_INSTALL = ""
+do_image () {
+    rm -rf `ls -d ${IMAGE_ROOTFS}/* | grep -v efi`
+}
diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
new file mode 100644
index 0000000..12d43df
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
@@ -0,0 +1,1123 @@
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Mon, 6 Jul 2015 20:22:02 +0200
+Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
+ keys
+
+(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
+to Gerd's public RPMs.)
+
+This application is meant to be invoked by the management layer, after
+booting the UEFI shell and getting a shell prompt on the serial console.
+The app enrolls a number of certificates (see below), and then reports
+status to the serial console as well. The expected output is "info:
+success":
+
+> Shell> EnrollDefaultKeys.efi
+> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
+> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
+> info: success
+> Shell>
+
+In case of success, the management layer can force off or reboot the VM
+(for example with the "reset -s" or "reset -c" UEFI shell commands,
+respectively), and start the guest installation with SecureBoot enabled.
+
+PK:
+- A unique, static, ad-hoc certificate whose private half has been
+  destroyed (more precisely, never saved) and is therefore unusable for
+  signing. (The command for creating this certificate is saved in the
+  source code.)
+
+KEK:
+- same ad-hoc certificate as used for the PK,
+- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
+  package is signed (indirectly, through a chain) with this; enrolling
+  such a KEK should allow guests to install those updates.
+
+DB:
+- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
+  Server 2012 R2,
+- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
+  oproms.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 960 ++++++++++++++++++++++++
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  51 ++
+ OvmfPkg/OvmfPkgIa32.dsc                         |   4 +
+ OvmfPkg/OvmfPkgIa32X64.dsc                      |   4 +
+ OvmfPkg/OvmfPkgX64.dsc                          |   4 +
+ 5 files changed, 1023 insertions(+)
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+new file mode 100644
+index 0000000..081212b
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -0,0 +1,960 @@
++/** @file
++  Enroll default PK, KEK, DB.
++
++  Copyright (C) 2014, Red Hat, Inc.
++
++  This program and the accompanying materials are licensed and made available
++  under the terms and conditions of the BSD License which accompanies this
++  distribution. The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
++  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++**/
++#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
++#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
++#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
++#include <Library/BaseMemoryLib.h>               // CopyGuid()
++#include <Library/DebugLib.h>                    // ASSERT()
++#include <Library/MemoryAllocationLib.h>         // FreePool()
++#include <Library/ShellCEntryLib.h>              // ShellAppMain()
++#include <Library/UefiLib.h>                     // AsciiPrint()
++#include <Library/UefiRuntimeServicesTableLib.h> // gRT
++
++//
++// The example self-signed certificate below, which we'll use for both Platform
++// Key, and first Key Exchange Key, has been generated with the following
++// non-interactive openssl command. The passphrase is read from /dev/urandom,
++// and not saved, and the private key is written to /dev/null. In other words,
++// we can't sign anything else against this certificate, which is our purpose.
++//
++/*
++   openssl req \
++     -passout file:<(head -c 16 /dev/urandom) \
++     -x509 \
++     -newkey rsa:2048 \
++     -keyout /dev/null \
++     -outform DER \
++     -subj $(
++       printf /C=US
++       printf /ST=TestStateOrProvince
++       printf /L=TestLocality
++       printf /O=TestOrganization
++       printf /OU=TestOrganizationalUnit
++       printf /CN=TestCommonName
++       printf /emailAddress=test@example.com
++     ) \
++     2>/dev/null \
++   | xxd -i
++*/
++STATIC CONST UINT8 ExampleCert[] = {
++  0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
++  0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
++  0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
++  0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
++  0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
++  0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
++  0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
++  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
++  0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
++  0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
++  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
++  0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
++  0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
++  0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
++  0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
++  0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
++  0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
++  0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
++  0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
++  0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
++  0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
++  0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
++  0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
++  0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
++  0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
++  0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
++  0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
++  0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
++  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
++  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
++  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
++  0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
++  0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
++  0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
++  0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
++  0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
++  0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
++  0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
++  0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
++  0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
++  0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
++  0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
++  0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
++  0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
++  0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
++  0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
++  0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
++  0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
++  0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
++  0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
++  0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
++  0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
++  0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
++  0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
++  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
++  0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
++  0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
++  0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
++  0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
++  0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
++  0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
++  0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
++  0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
++  0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
++  0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
++  0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
++  0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
++  0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
++  0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
++  0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
++  0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
++  0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
++  0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
++  0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
++  0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
++  0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
++  0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
++  0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
++  0x26, 0x5b, 0xc0, 0x3d, 0xc7
++};
++
++//
++// Second KEK: "Microsoft Corporation KEK CA 2011".
++// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
++//
++// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
++//
++STATIC CONST UINT8 MicrosoftKEK[] = {
++  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
++  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
++  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
++  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
++  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
++  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
++  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
++  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
++  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
++  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
++  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
++  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
++  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
++  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
++  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
++  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
++  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
++  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
++  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
++  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
++  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
++  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
++  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
++  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
++  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
++  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
++  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
++  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
++  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
++  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
++  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
++  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
++  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
++  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
++  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
++  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
++  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
++  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
++  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
++  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
++  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
++  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
++  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
++  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
++  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
++  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
++  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
++  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
++  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
++  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
++  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
++  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
++  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
++  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
++  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
++  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
++  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
++  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
++  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
++  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
++  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
++  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
++  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
++  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
++  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
++  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
++  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
++  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
++  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
++  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
++  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
++  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
++  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
++  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
++  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
++  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
++  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
++  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
++  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
++  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
++  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
++  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
++  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
++  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
++  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
++  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
++  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
++  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
++  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
++  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
++};
++
++//
++// First DB entry: "Microsoft Windows Production PCA 2011"
++// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
++//
++// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
++// rooted in this certificate.
++//
++STATIC CONST UINT8 MicrosoftPCA[] = {
++  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
++  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
++  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
++  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
++  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
++  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
++  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
++  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
++  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
++  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
++  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
++  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
++  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
++  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
++  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
++  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
++  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
++  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
++  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
++  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
++  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
++  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
++  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
++  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
++  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
++  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
++  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
++  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
++  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
++  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
++  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
++  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
++  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
++  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
++  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
++  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
++  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
++  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
++  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
++  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
++  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
++  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
++  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
++  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
++  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
++  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
++  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
++  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
++  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
++  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
++  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
++  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
++  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
++  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
++  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
++  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
++  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
++  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
++  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
++  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
++  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
++  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
++  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
++  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
++  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
++  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
++  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
++  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
++  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
++  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
++  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
++  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
++  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
++  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
++  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
++  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
++  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
++  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
++  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
++  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
++  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
++  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
++  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
++  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
++  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
++  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
++  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
++  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
++  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
++  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
++  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
++  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
++  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
++  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
++  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
++  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
++  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
++  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
++  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
++  0x62, 0x1c, 0x59, 0x7e
++};
++
++//
++// Second DB entry: "Microsoft Corporation UEFI CA 2011"
++// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
++//
++// To verify the "shim" binary and PCI expansion ROMs with.
++//
++STATIC CONST UINT8 MicrosoftUefiCA[] = {
++  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
++  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
++  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
++  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
++  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
++  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
++  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
++  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
++  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
++  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
++  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
++  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
++  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
++  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
++  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
++  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
++  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
++  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
++  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
++  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
++  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
++  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
++  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
++  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
++  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
++  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
++  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
++  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
++  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
++  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
++  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
++  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
++  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
++  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
++  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
++  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
++  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
++  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
++  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
++  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
++  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
++  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
++  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
++  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
++  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
++  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
++  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
++  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
++  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
++  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
++  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
++  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
++  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
++  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
++  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
++  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
++  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
++  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
++  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
++  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
++  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
++  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
++  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
++  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
++  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
++  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
++  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
++  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
++  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
++  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
++  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
++  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
++  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
++  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
++  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
++  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
++  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
++  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
++  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
++  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
++  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
++  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
++  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
++  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
++  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
++  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
++  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
++  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
++};
++
++//
++// The most important thing about the variable payload is that it is a list of
++// lists, where the element size of any given *inner* list is constant.
++//
++// Since X509 certificates vary in size, each of our *inner* lists will contain
++// one element only (one X.509 certificate). This is explicitly mentioned in
++// the UEFI specification, in "28.4.1 Signature Database", in a Note.
++//
++// The list structure looks as follows:
++//
++// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
++//   struct EFI_TIME {                                              |
++//     UINT16 Year;                                                 |
++//     UINT8  Month;                                                |
++//     UINT8  Day;                                                  |
++//     UINT8  Hour;                                                 |
++//     UINT8  Minute;                                               |
++//     UINT8  Second;                                               |
++//     UINT8  Pad1;                                                 |
++//     UINT32 Nanosecond;                                           |
++//     INT16  TimeZone;                                             |
++//     UINT8  Daylight;                                             |
++//     UINT8  Pad2;                                                 |
++//   } TimeStamp;                                                   |
++//                                                                  |
++//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
++//     struct WIN_CERTIFICATE {                                   | |
++//       UINT32 dwLength; ----------------------------------------+ |
++//       UINT16 wRevision;                                        | |
++//       UINT16 wCertificateType;                                 | |
++//     } Hdr;                                                     | +- DataSize
++//                                                                | |
++//     EFI_GUID CertType;                                         | |
++//     UINT8    CertData[1] = { <--- "struct hack"                | |
++//       struct EFI_SIGNATURE_LIST {                            | | |
++//         EFI_GUID SignatureType;                              | | |
++//         UINT32   SignatureListSize; -------------------------+ | |
++//         UINT32   SignatureHeaderSize;                        | | |
++//         UINT32   SignatureSize; ---------------------------+ | | |
++//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
++//                                                            v | | |
++//         struct EFI_SIGNATURE_DATA {                        | | | |
++//           EFI_GUID SignatureOwner;                         | | | |
++//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
++//             X.509 payload                                  | | | |
++//           }                                                | | | |
++//         } Signatures[];                                      | | |
++//       } SigLists[];                                            | |
++//     };                                                         | |
++//   } AuthInfo;                                                  | |
++// };                                                               |
++//
++// Given that the "struct hack" invokes undefined behavior (which is why C99
++// introduced the flexible array member), and because subtracting those pesky
++// sizes of 1 is annoying, and because the format is fully specified in the
++// UEFI specification, we'll introduce two matching convenience structures that
++// are customized for our X.509 purposes.
++//
++#pragma pack(1)
++typedef struct {
++  EFI_TIME TimeStamp;
++
++  //
++  // dwLength covers data below
++  //
++  UINT32   dwLength;
++  UINT16   wRevision;
++  UINT16   wCertificateType;
++  EFI_GUID CertType;
++} SINGLE_HEADER;
++
++typedef struct {
++  //
++  // SignatureListSize covers data below
++  //
++  EFI_GUID SignatureType;
++  UINT32   SignatureListSize;
++  UINT32   SignatureHeaderSize; // constant 0
++  UINT32   SignatureSize;
++
++  //
++  // SignatureSize covers data below
++  //
++  EFI_GUID SignatureOwner;
++
++  //
++  // X.509 certificate follows
++  //
++} REPEATING_HEADER;
++#pragma pack()
++
++/**
++  Enroll a set of DER-formatted X.509 certificates in a global variable,
++  overwriting it.
++
++  The variable will be rewritten with NV+BS+RT+AT attributes.
++
++  @param[in] VariableName  The name of the variable to overwrite.
++
++  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
++                           overwrite.
++
++  @param[in] ...           A list of
++
++                             IN CONST UINT8    *Cert,
++                             IN UINTN          CertSize,
++                             IN CONST EFI_GUID *OwnerGuid
++
++                           triplets. If the first component of a triplet is
++                           NULL, then the other two components are not
++                           accessed, and processing is terminated. The list of
++                           X.509 certificates is enrolled in the variable
++                           specified, overwriting it. The OwnerGuid component
++                           identifies the agent installing the certificate.
++
++  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
++                                 value is NULL), or one of the CertSize values
++                                 is 0, or one of the CertSize values would
++                                 overflow the accumulated UINT32 data size.
++
++  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
++                                 payload.
++
++  @retval EFI_SUCCESS            Enrollment successful; the variable has been
++                                 overwritten (or created).
++
++  @return                        Error codes from gRT->GetTime() and
++                                 gRT->SetVariable().
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++EnrollListOfX509Certs (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  ...
++  )
++{
++  UINTN            DataSize;
++  SINGLE_HEADER    *SingleHeader;
++  REPEATING_HEADER *RepeatingHeader;
++  VA_LIST          Marker;
++  CONST UINT8      *Cert;
++  EFI_STATUS       Status = EFI_SUCCESS;
++  UINT8            *Data;
++  UINT8            *Position;
++
++  //
++  // compute total size first, for UINT32 range check, and allocation
++  //
++  DataSize = sizeof *SingleHeader;
++  VA_START (Marker, VendorGuid);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN          CertSize;
++
++    CertSize = VA_ARG (Marker, UINTN);
++    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
++
++    if (CertSize == 0 ||
++        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
++        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
++      Status = EFI_INVALID_PARAMETER;
++      break;
++    }
++    DataSize += sizeof *RepeatingHeader + CertSize;
++  }
++  VA_END (Marker);
++
++  if (DataSize == sizeof *SingleHeader) {
++    Status = EFI_INVALID_PARAMETER;
++  }
++  if (EFI_ERROR (Status)) {
++    goto Out;
++  }
++
++  Data = AllocatePool (DataSize);
++  if (Data == NULL) {
++    Status = EFI_OUT_OF_RESOURCES;
++    goto Out;
++  }
++
++  Position = Data;
++
++  SingleHeader = (SINGLE_HEADER *)Position;
++  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
++  if (EFI_ERROR (Status)) {
++    goto FreeData;
++  }
++  SingleHeader->TimeStamp.Pad1       = 0;
++  SingleHeader->TimeStamp.Nanosecond = 0;
++  SingleHeader->TimeStamp.TimeZone   = 0;
++  SingleHeader->TimeStamp.Daylight   = 0;
++  SingleHeader->TimeStamp.Pad2       = 0;
++#if 0
++  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
++#else
++  //
++  // This looks like a bug in edk2. According to the UEFI specification,
++  // dwLength is "The length of the entire certificate, including the length of
++  // the header, in bytes". That shouldn't stop right after CertType -- it
++  // should include everything below it.
++  //
++  SingleHeader->dwLength         = sizeof *SingleHeader
++                                     - sizeof SingleHeader->TimeStamp;
++#endif
++  SingleHeader->wRevision        = 0x0200;
++  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
++  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
++  Position += sizeof *SingleHeader;
++
++  VA_START (Marker, VendorGuid);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN            CertSize;
++    CONST EFI_GUID   *OwnerGuid;
++
++    CertSize  = VA_ARG (Marker, UINTN);
++    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
++
++    RepeatingHeader = (REPEATING_HEADER *)Position;
++    CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
++    RepeatingHeader->SignatureListSize   = sizeof *RepeatingHeader + CertSize;
++    RepeatingHeader->SignatureHeaderSize = 0;
++    RepeatingHeader->SignatureSize       =
++      sizeof RepeatingHeader->SignatureOwner + CertSize;
++    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
++    Position += sizeof *RepeatingHeader;
++
++    CopyMem (Position, Cert, CertSize);
++    Position += CertSize;
++  }
++  VA_END (Marker);
++
++  ASSERT (Data + DataSize == Position);
++
++  Status = gRT->SetVariable (VariableName, VendorGuid,
++                  (EFI_VARIABLE_NON_VOLATILE |
++                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
++                   EFI_VARIABLE_RUNTIME_ACCESS |
++                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
++                  DataSize, Data);
++
++FreeData:
++  FreePool (Data);
++
++Out:
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
++      VendorGuid, Status);
++  }
++  return Status;
++}
++
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetExact (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  OUT VOID    *Data,
++  IN UINTN    DataSize,
++  IN BOOLEAN  AllowMissing
++  )
++{
++  UINTN      Size;
++  EFI_STATUS Status;
++
++  Size = DataSize;
++  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
++  if (EFI_ERROR (Status)) {
++    if (Status == EFI_NOT_FOUND && AllowMissing) {
++      ZeroMem (Data, DataSize);
++      return EFI_SUCCESS;
++    }
++
++    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
++      VendorGuid, Status);
++    return Status;
++  }
++
++  if (Size != DataSize) {
++    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
++      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  return EFI_SUCCESS;
++}
++
++typedef struct {
++  UINT8 SetupMode;
++  UINT8 SecureBoot;
++  UINT8 SecureBootEnable;
++  UINT8 CustomMode;
++  UINT8 VendorKeys;
++} SETTINGS;
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetSettings (
++  OUT SETTINGS *Settings
++  )
++{
++  EFI_STATUS Status;
++
++  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
++             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
++             sizeof Settings->SecureBootEnable, TRUE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
++  return Status;
++}
++
++STATIC
++VOID
++EFIAPI
++PrintSettings (
++  IN CONST SETTINGS *Settings
++  )
++{
++  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
++    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
++    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
++}
++
++
++INTN
++EFIAPI
++ShellAppMain (
++  IN UINTN  Argc,
++  IN CHAR16 **Argv
++  )
++{
++  EFI_STATUS Status;
++  SETTINGS   Settings;
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 1) {
++    AsciiPrint ("error: already in User Mode\n");
++    return 1;
++  }
++
++  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
++    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
++    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                    (EFI_VARIABLE_NON_VOLATILE |
++                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
++                    sizeof Settings.CustomMode, &Settings.CustomMode);
++    if (EFI_ERROR (Status)) {
++      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++        &gEfiCustomModeEnableGuid, Status);
++      return 1;
++    }
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_IMAGE_SECURITY_DATABASE,
++             &gEfiImageSecurityDatabaseGuid,
++             MicrosoftPCA,    sizeof MicrosoftPCA,    &gEfiCallerIdGuid,
++             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_KEY_EXCHANGE_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             ExampleCert,  sizeof ExampleCert,  &gEfiCallerIdGuid,
++             MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_PLATFORM_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
++  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++                  sizeof Settings.CustomMode, &Settings.CustomMode);
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++      &gEfiCustomModeEnableGuid, Status);
++    return 1;
++  }
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
++      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
++      Settings.VendorKeys != 0) {
++    AsciiPrint ("error: unexpected\n");
++    return 1;
++  }
++
++  AsciiPrint ("info: success\n");
++  return 0;
++}
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+new file mode 100644
+index 0000000..ac919bb
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+@@ -0,0 +1,51 @@
++## @file
++#  Enroll default PK, KEK, DB.
++#
++#  Copyright (C) 2014, Red Hat, Inc.
++#
++#  This program and the accompanying materials are licensed and made available
++#  under the terms and conditions of the BSD License which accompanies this
++#  distribution. The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.
++#
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
++#  IMPLIED.
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010006
++  BASE_NAME                      = EnrollDefaultKeys
++  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
++  MODULE_TYPE                    = UEFI_APPLICATION
++  VERSION_STRING                 = 0.1
++  ENTRY_POINT                    = ShellCEntryLib
++
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  EnrollDefaultKeys.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  SecurityPkg/SecurityPkg.dec
++  ShellPkg/ShellPkg.dec
++
++[Guids]
++  gEfiCertPkcs7Guid
++  gEfiCertX509Guid
++  gEfiCustomModeEnableGuid
++  gEfiGlobalVariableGuid
++  gEfiImageSecurityDatabaseGuid
++  gEfiSecureBootEnableDisableGuid
++
++[LibraryClasses]
++  BaseMemoryLib
++  DebugLib
++  MemoryAllocationLib
++  ShellCEntryLib
++  UefiLib
++  UefiRuntimeServicesTableLib
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index fa9661c..e2e6ba3 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -764,6 +764,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 667584a..a0ae1aa 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -773,6 +773,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 5ae8469..87cee52 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -771,6 +771,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
diff --git a/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
new file mode 100644
index 0000000..1d2f16b
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
@@ -0,0 +1,4 @@
+# short-description: Create an EFI disk image with just the EFI system partition
+
+part / --source rootfs --ondisk sda --fstype=vfat --align 1024
+bootloader --ptable gpt --timeout=5
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index c4eedf0..ef61b16 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 
 SRC_URI_append_class-target = " \
 	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
+	file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
 "
 
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
@@ -136,6 +137,9 @@ do_compile_class-target() {
     ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
+    for i in Shell.efi EnrollDefaultKeys.efi; do
+        ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i
+    done
 }
 
 do_install_class-native() {
@@ -147,8 +151,20 @@ do_install_class-target() {
     # Traditional location.
     install -d ${D}${datadir}/ovmf
     install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
+    # Content for UEFI shell iso. We install the EFI shell as
+    # bootx64/ia32.efi because then it can be started even when the
+    # firmware itself does not contain it.
+    install -d ${D}/efi/boot
+    install ${WORKDIR}/ovmf/Shell.efi ${D}/efi/boot/boot${@ "ia32" if "${TARGET_ARCH}" != "x86_64" else "x64"}.efi
+    install ${WORKDIR}/ovmf/EnrollDefaultKeys.efi ${D}
 }
 
+PACKAGES =+ "ovmf-shell-efi"
+FILES_ovmf-shell-efi = " \
+    EnrollDefaultKeys.efi \
+    efi/ \
+"
+
 inherit deploy
 do_deploy() {
 }
-- 
2.1.4

Re: [PATCH 0/9] UEFI + Secure Boot + qemu

[Fathi Boudra]

Hi,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> There seems to be a consensus that supporting UEFI in OE-core for qemu
> would be valuable, and there have been some (stalled) attempts to add
> it. For reference, see:
>    [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
>    [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
>    https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
>    https://github.com/01org/luv-yocto/issues/38
>
> This patch set includes the necessary recipes (ovmf and iasl from
> meta-luv), some improvements to them (in particular, enabling Secure
> Boot), and changes to runqemu to make it easier to boot with UEFI. A
> special image recipes builds an image which can be used to lock down a
> virtual machine by enrolling the "normal" pre-installed certificates.
>
> I decided to keep the setup simple and use just a single file for UEFI
> code and variables because that makes the usage via runqemu very
> easy. See the "runqemu: support UEFI with OVMF firmware" patch for
> details. The downside is that the firmware can't be updated without
> loosing variables. I don't see a big need for long-lived virtual
> machine instances, but would like to hear from others about that.
>
> What's missing is automated testing of this new feature. I'm open for
> suggestions here; right now I don't know enough about the automated
> testing in the AB to propose something.
>
> I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
> moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
> would you be willing to act as maintainer of it there, like you did in
> meta-luv?

fwiw, I've been maintaining acpica recipe in meta-oe, and will keep an
eye here as well.
meta-luv supports both x86* and arm*, and we have an interest in
having the same features available and working for qemuaarch64.

> Beware that "git am --keep-cr" must be used to import the ovmf patches
> correctly.
>
> The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:
>
>   Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)
>
> are available in the git repository at:
>
>   git://github.com/pohly/openembedded-core secure-boot
>   https://github.com/pohly/openembedded-core/tree/secure-boot
>
> Patrick Ohly (7):
>   ovmf: explicitly depend on nasm-native
>   ovmf: deploy firmware in image directory
>   ovmf_git.bb: enable parallel compilation
>   ovmf_git.bb: enable Secure Boot
>   runqemu: let command line parameters override defaults
>   runqemu: support UEFI with OVMF firmware
>   ovmf: build image which enrolls standard keys
>
> meta-luv (2):
>   ovmf: move from meta-luv to OE-core
>   iasl: move from meta-luv to OE-core
>
>  meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
>  ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
>  .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
>  ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
>  ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
>  ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
>  meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
>  meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
>  scripts/runqemu                                    |   37 +-
>  12 files changed, 1673 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
>  create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> --
> 2.1.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


Cheers,
-- 
Fathi

Re: [PATCH 0/9] UEFI + Secure Boot + qemu

[Ricardo Neri]

On Wed, 2016-12-21 at 16:19 +0200, Fathi Boudra wrote:
> 
> fwiw, I've been maintaining acpica recipe in meta-oe, and will keep an
> eye here as well.
> meta-luv supports both x86* and arm*, and we have an interest in
> having the same features available and working for qemuaarch64.

I was not aware of this. Perhaps there is no need for us to maintain a
separate recipe in meta-luv.

Re: [PATCH 0/9] UEFI + Secure Boot + qemu

[Patrick Ohly]

On Tue, 2016-12-27 at 18:56 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 16:19 +0200, Fathi Boudra wrote:
> > 
> > fwiw, I've been maintaining acpica recipe in meta-oe, and will keep an
> > eye here as well.
> > meta-luv supports both x86* and arm*, and we have an interest in
> > having the same features available and working for qemuaarch64.
> 
> I was not aware of this. Perhaps there is no need for us to maintain a
> separate recipe in meta-luv.

Looks like there is consensus that maintaining an acpica recipe in
OE-core is the right approach. I'll prepare a revision of this patch
series that includes acpica instead of iasl and also addresses the other
points that Ricardo raised.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 0/9] UEFI + Secure Boot + qemu

[Ricardo Neri]

On Wed, 2016-12-28 at 20:27 +0100, Patrick Ohly wrote:
> > > fwiw, I've been maintaining acpica recipe in meta-oe, and will
> keep an
> > > eye here as well.
> > > meta-luv supports both x86* and arm*, and we have an interest in
> > > having the same features available and working for qemuaarch64.
> > 
> > I was not aware of this. Perhaps there is no need for us to maintain
> a
> > separate recipe in meta-luv.
> 
> Looks like there is consensus that maintaining an acpica recipe in
> OE-core is the right approach. I'll prepare a revision of this patch
> series that includes acpica instead of iasl and also addresses the
> other
> points that Ricardo raised.

Just to be clear. I meant that it would be better for meta-luv to
leverage the acpica recipe present in meta-OE :).

Re: [PATCH 0/9] UEFI + Secure Boot + qemu

[Ricardo Neri]

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> There seems to be a consensus that supporting UEFI in OE-core for qemu
> would be valuable, and there have been some (stalled) attempts to add
> it. For reference, see:
>    [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
>    [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
>    https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
>    https://github.com/01org/luv-yocto/issues/38
> 
> This patch set includes the necessary recipes (ovmf and iasl from
> meta-luv), some improvements to them (in particular, enabling Secure
> Boot), and changes to runqemu to make it easier to boot with UEFI. A
> special image recipes builds an image which can be used to lock down a
> virtual machine by enrolling the "normal" pre-installed certificates.
> 
> I decided to keep the setup simple and use just a single file for UEFI
> code and variables because that makes the usage via runqemu very
> easy. See the "runqemu: support UEFI with OVMF firmware" patch for
> details. The downside is that the firmware can't be updated without
> loosing variables. I don't see a big need for long-lived virtual
> machine instances, but would like to hear from others about that.
> 
> What's missing is automated testing of this new feature. I'm open for
> suggestions here; right now I don't know enough about the automated
> testing in the AB to propose something.

I guess that tests could be written for buildbot. In the LUV buildbot,
we build OVMF as part of our sanity tests for LUV. We do it mostly
because we need to boot some UEFI firmware in qemu, though. We don't
extensively test OVMF. We also build OVMF with Secure Boot separately.
Now that you have kindly written the recipe, we want to leverage it. :)
> 
> I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
> moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
> would you be willing to act as maintainer of it there, like you did in
> meta-luv?

Yes, I can keep doing the same work I did in meta-luv for OVMF now in
OE-core.

Thanks and BR,
Ricardo
> 
> Beware that "git am --keep-cr" must be used to import the ovmf patches
> correctly.
> 
> The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:
> 
>   Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)
> 
> are available in the git repository at:
> 
>   git://github.com/pohly/openembedded-core secure-boot
>   https://github.com/pohly/openembedded-core/tree/secure-boot
> 
> Patrick Ohly (7):
>   ovmf: explicitly depend on nasm-native
>   ovmf: deploy firmware in image directory
>   ovmf_git.bb: enable parallel compilation
>   ovmf_git.bb: enable Secure Boot
>   runqemu: let command line parameters override defaults
>   runqemu: support UEFI with OVMF firmware
>   ovmf: build image which enrolls standard keys
> 
> meta-luv (2):
>   ovmf: move from meta-luv to OE-core
>   iasl: move from meta-luv to OE-core
> 
>  meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
>  ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
>  .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
>  ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
>  ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
>  ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
>  meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
>  meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
>  scripts/runqemu                                    |   37 +-
>  12 files changed, 1673 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
>  create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
> 
> -- 
> 2.1.4
>