* [PATCH 0/9] UEFI + Secure Boot + qemu
From: Patrick Ohly @ 2016-12-21 13:11 UTC
To: openembedded-core, ricardo.neri
(11 replies; 35+ messages in thread)

There seems to be a consensus that supporting UEFI in OE-core for qemu would be valuable, and there have been some (stalled) attempts to add it. For reference, see:

  [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
  [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
  https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf and iasl from meta-luv), some improvements to them (in particular, enabling Secure Boot), and changes to runqemu to make it easier to boot with UEFI. A special image recipe builds an image which can be used to lock down a virtual machine by enrolling the "normal" pre-installed certificates.

I decided to keep the setup simple and use just a single file for UEFI code and variables because that makes the usage via runqemu very easy. See the "runqemu: support UEFI with OVMF firmware" patch for details. The downside is that the firmware can't be updated without losing variables. I don't see a big need for long-lived virtual machine instances, but would like to hear from others about that.

What's missing is automated testing of this new feature. I'm open to suggestions here; right now I don't know enough about the automated testing in the AB to propose something.

I've discussed the usage of ovmf/iasl with Ricardo and he agreed that moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo, would you be willing to act as maintainer of it there, like you did in meta-luv?

Beware that "git am --keep-cr" must be used to import the ovmf patches correctly.
The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:

  Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Patrick Ohly (7):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: let command line parameters override defaults
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys

meta-luv (2):
  ovmf: move from meta-luv to OE-core
  iasl: move from meta-luv to OE-core

 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
 ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
 ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
 ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
 meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
 scripts/runqemu                                    |   37 +-
 12 files changed, 1673 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb

-- 
2.1.4
* [PATCH 1/9] ovmf: move from meta-luv to OE-core 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-28 2:58 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 2/9] iasl: " Patrick Ohly ` (9 subsequent siblings) 10 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri; +Cc: meta-luv From: meta-luv <luv@lists.01.org> This is an unmodified copy of github.com/01org/luv-yocto/meta-luv/recipes-core/ovmf revision 4be4329. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- ...s-Force-tools-variables-to-host-toolchain.patch | 48 ++++++++ .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch | 110 +++++++++++++++++++ ...0002-ovmf-update-path-to-native-BaseTools.patch | 32 ++++++ ...makefile-adjust-to-build-in-under-bitbake.patch | 39 +++++++ meta/recipes-core/ovmf/ovmf_git.bb | 121 +++++++++++++++++++++ 5 files changed, 350 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch new file mode 100644 index 0000000..644b99d --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch 
@@ -0,0 +1,48 @@ +From 6e24bde1979c2d7149b37d142fb882dfde0e9770 Mon Sep 17 00:00:00 2001 +From: Matt Fleming <matt.fleming@intel.com> +Date: Fri, 27 Jun 2014 11:12:18 +0100 +Subject: [PATCH] BaseTools: Force tools variables to host toolchain + +Signed-off-by: Matt Fleming <matt.fleming@intel.com> +--- + BaseTools/Source/C/Makefiles/app.makefile | 7 +++++++ + BaseTools/Source/C/VfrCompile/GNUmakefile | 5 +++++ + 2 files changed, 12 insertions(+) + +diff --git a/BaseTools/Source/C/Makefiles/app.makefile b/BaseTools/Source/C/Makefiles/app.makefile +index 19269a1..62aad0f 100644 +--- a/BaseTools/Source/C/Makefiles/app.makefile ++++ b/BaseTools/Source/C/Makefiles/app.makefile +@@ -16,6 +16,13 @@ include $(MAKEROOT)/Makefiles/header.makefile + + APPLICATION = $(MAKEROOT)/bin/$(APPNAME) + ++CC = gcc ++CXX = g++ ++AS = gcc ++AR = ar ++LD = ld ++LINKER = $(CC) ++ + .PHONY:all + all: $(MAKEROOT)/bin $(APPLICATION) + +diff --git a/BaseTools/Source/C/VfrCompile/GNUmakefile b/BaseTools/Source/C/VfrCompile/GNUmakefile +index 82005e1..5ac5f7e 100644 +--- a/BaseTools/Source/C/VfrCompile/GNUmakefile ++++ b/BaseTools/Source/C/VfrCompile/GNUmakefile +@@ -26,6 +26,11 @@ OBJECTS = AParser.o DLexerBase.o ATokenBuffer.o EfiVfrParser.o VfrLexer.o VfrSyn + + VFR_CPPFLAGS = -DPCCTS_USE_NAMESPACE_STD $(CPPFLAGS) + ++CC = gcc ++CXX = g++ ++AS = gcc ++AR = ar ++LD = ld + LINKER = $(BUILD_CXX) + + EXTRA_CLEAN_OBJECTS = EfiVfrParser.cpp EfiVfrParser.h VfrParser.dlg VfrTokens.h VfrLexer.cpp VfrLexer.h VfrSyntax.cpp tokens.h +-- +1.9.0 + diff --git a/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch new file mode 100644 index 0000000..4531a6d --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch 
@@ -0,0 +1,110 @@ +From 66a4020c3c2163aeffc9757851f33c346ecfd870 Mon Sep 17 00:00:00 2001 +From: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> +Date: Mon, 4 Apr 2016 12:15:12 -0700 +Subject: [PATCH] OvmfPkg: Enable BGRT in OVMF + +By default, firmware (OVMF - Open source Virtual Machine Firmware) +never publishes BGRT (Boot Graphics Resource Table) and in the boot +process Linux kernel checks for this table and if it fails to find BGRT +table then corresponding code in Linux kernel is not executed. EDK II +(EFI Development Kit, thus OVMF) already has BGRT source code packaged +into it but it is excluded from the build process of OVMF. These changes +to build system of OVMF enables BGRT in 32-bit and 64-bit OVMF. + +There are only two files that need to be modified in order to do this. +The first one being OvmfPkg*.dsc (this file describes the platform) and +the second one being OvmfPkg*.fdf (this file describes firmware descriptor +volume). A *.inf file (here "BootGraphicsResourceTableDxe.inf") +describes a module (here BGRT). So, include +"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.dsc" so that BGRT +source code will be compiled and "BootGraphicsResourceTableDxe.efi" file +is generated and we should also include +"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.fdf" file so that +"BootGraphicsResourceTableDxe.efi" will be placed in a firmware volume +and thus gets published. 
+ +Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> +--- + OvmfPkg/OvmfPkgIa32.dsc | 1 + + OvmfPkg/OvmfPkgIa32.fdf | 1 + + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + + OvmfPkg/OvmfPkgIa32X64.fdf | 1 + + OvmfPkg/OvmfPkgX64.dsc | 1 + + OvmfPkg/OvmfPkgX64.fdf | 1 + + 6 files changed, 6 insertions(+) + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 9e5b477..0582219 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -647,6 +647,7 @@ + OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++ MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + # + # Network Support +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index fc203f2..f968cb7 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -274,6 +274,7 @@ INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf + INF OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 6e4da4f..8289385 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -656,6 +656,7 @@ + OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++ MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + # + # Network Support +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index d3f46f3..282d40b 100644 +--- 
a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -274,6 +274,7 @@ INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf + INF OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF RuleOverride = BINARY USE = X64 FatBinPkg/EnhancedFatDxe/Fat.inf + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 3d6d43e..0f956a7 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -654,6 +654,7 @@ + OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++ MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + # + # Network Support +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 15ef13a..9708fd5 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -274,6 +274,7 @@ INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf + INF OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf + INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf + INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf ++INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf + +-- +2.7.4 + diff --git a/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch new file mode 100644 index 0000000..94029a5 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch 
@@ -0,0 +1,32 @@ +From 9e632e3f9edd09632cc877dff6ea57608f979aab Mon Sep 17 00:00:00 2001 +From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> +Date: Thu, 9 Jun 2016 02:23:01 -0700 +Subject: [PATCH] ovmf: update path to native BaseTools + +BaseTools is a set of utilities to build EDK-based firmware. These utilities +are used during the build process. Thus, they need to be built natively. +When cross-compiling, we need to provide a path to the location of these +tools. The BBAKE_EDK_TOOLS_PATH string is used as a pattern to be replaced +with the appropriate location before building. + +Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> +--- + OvmfPkg/build.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/OvmfPkg/build.sh b/OvmfPkg/build.sh +index eb5eb73..9058fca 100755 +--- a/OvmfPkg/build.sh ++++ b/OvmfPkg/build.sh +@@ -30,7 +30,7 @@ then + # this assumes svn pulls have the same root dir + # export EDK_TOOLS_PATH=`pwd`/../BaseTools + # This version is for the tools source in edk2 +- export EDK_TOOLS_PATH=`pwd`/BaseTools ++ export EDK_TOOLS_PATH=BBAKE_EDK_TOOLS_PATH/BaseTools + echo $EDK_TOOLS_PATH + source edksetup.sh BaseTools + else +-- +2.8.1 + diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch new file mode 100644 index 0000000..0fdc278 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch 
@@ -0,0 +1,39 @@ +From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001 +From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> +Date: Sun, 27 Nov 2016 18:42:55 -0800 +Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake + +Prepend the build flags with those of bitbake. This is to build +using the bitbake native sysroot include and library directories. + +Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com> +--- + BaseTools/Source/C/Makefiles/header.makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile +index 821d114..fe0f08b 100644 +--- a/BaseTools/Source/C/Makefiles/header.makefile ++++ b/BaseTools/Source/C/Makefiles/header.makefile +@@ -44,14 +44,14 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AArch64/ + endif + + INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) +-BUILD_CPPFLAGS = $(INCLUDE) -O2 ++BUILD_CPPFLAGS := $(BUILD_CPPFLAGS) $(INCLUDE) -O2 + ifeq ($(DARWIN),Darwin) + # assume clang or clang compatible flags on OS X +-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g ++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g + else +-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g ++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g + endif +-BUILD_LFLAGS = ++BUILD_LFLAGS := $(LDFLAGS) + BUILD_CXXFLAGS = + + ifeq ($(ARCH), IA32) +-- +2.9.3 + 
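Review bot: in the header.makefile hunk of 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch, `BUILD_LFLAGS := $(LDFLAGS)` reads the generic `LDFLAGS` while the two preceding replacements prepend `$(BUILD_CPPFLAGS)` and `$(BUILD_CFLAGS)`; for consistency with those lines and with the commit message ("prepend the build flags with those of bitbake"), make it `BUILD_LFLAGS := $(BUILD_LDFLAGS)`, so the native BaseTools link uses the same native sysroot library directories that the compile step is being pointed at, rather than whatever `LDFLAGS` happens to be in the environment.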
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb new file mode 100644 index 0000000..e722db5 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -0,0 +1,121 @@ +DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM" +HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496" + +SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ + file://0001-BaseTools-Force-tools-variables-to-host-toolchain.patch \ + file://0001-OvmfPkg-Enable-BGRT-in-OVMF.patch \ + file://0002-ovmf-update-path-to-native-BaseTools.patch \ + file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ + " + +SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" + +PARALLEL_MAKE = "" + +S = "${WORKDIR}/git" + +DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native" + +DEPENDS_class-target="ovmf-native" + +EDK_TOOLS_DIR="edk2_basetools" + +# OVMF has trouble building with the default optimization of -O2. +BUILD_OPTIMIZATION="-pipe" + +# OVMF supports IA only, although it could conceivably support ARM someday. 
+COMPATIBLE_HOST='(i.86|x86_64).*' + +do_patch_append_class-native() { + bb.build.exec_func('do_fix_iasl', d) + bb.build.exec_func('do_fix_toolchain', d) +} + +do_fix_basetools_location() { + sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh +} + +do_patch_append_class-target() { + bb.build.exec_func('do_fix_basetools_location', d) +} + + +do_fix_iasl() { + sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template +} + +do_fix_toolchain(){ + sed -i -e 's#DEF(ELFGCC_BIN)/#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template + sed -i -e 's#DEF(GCC.*PREFIX)#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template + sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile + sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile + sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile + sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile +} + +GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')" + +fixup_target_tools() { + case ${1} in + 4.4.*) + FIXED_GCCVER=GCC44 + ;; + 4.5.*) + FIXED_GCCVER=GCC45 + ;; + 4.6.*) + FIXED_GCCVER=GCC46 + ;; + 4.7.*) + FIXED_GCCVER=GCC47 + ;; + 4.8.*) + FIXED_GCCVER=GCC48 + ;; + 4.9.*) + FIXED_GCCVER=GCC49 + ;; + *) + FIXED_GCCVER=GCC5 + ;; + esac + echo ${FIXED_GCCVER} +} + +do_compile_class-native() { + oe_runmake -C ${S}/BaseTools +} + +do_compile_class-target() { + export LFLAGS="${LDFLAGS}" + OVMF_ARCH="X64" + if [ "${TARGET_ARCH}" != "x86_64" ] ; then + OVMF_ARCH="IA32" + fi + + FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) + echo FIXED_GCCVER is ${FIXED_GCCVER} + ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} +} + +do_install_class-native() { + install -d ${D}/${bindir}/edk2_basetools + cp 
-r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} +} + +do_install_class-target() { + OVMF_DIR_SUFFIX="X64" + if [ "${TARGET_ARCH}" != "x86_64" ] ; then + OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization + fi + install -d ${D}${datadir}/ovmf + + FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) + build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" + install -m 0755 ${build_dir}/FV/OVMF.fd \ + ${D}${datadir}/ovmf/bios.bin +} + +BBCLASSEXTEND = "native" -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
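Review bot: in `do_install_class-native` the directory is created as the literal `${D}/${bindir}/edk2_basetools` while the `cp -r` target uses `${EDK_TOOLS_DIR}`; since `EDK_TOOLS_DIR="edk2_basetools"` is defined earlier in the same file, use the variable in both places so that changing it cannot split the install in two (the resulting `edk2_basetools/BaseTools` layout is what `do_fix_basetools_location` writes into `build.sh`, so the layout itself is consistent). Two further points in this hunk: `do_fix_toolchain` runs only from `do_patch_append_class-native`, so the `${TARGET_PREFIX}` it substitutes into `tools_def.template` is the native prefix, not the cross prefix; please confirm in a comment that the firmware built by `do_compile_class-target` is meant to be compiled with the host gcc, because the sed reads as if it intended to inject the cross toolchain. The four sed lines that splice `CFLAGS += ${BUILD_CFLAGS}` and `LFLAGS += ${BUILD_LDFLAGS}` after `LINKER` edit the same two makefiles that 0001-BaseTools-Force-tools-variables-to-host-toolchain.patch already modifies; folding them into that patch keeps the toolchain setup in one place. Finally, `install -m 0755 ${build_dir}/FV/OVMF.fd ${D}${datadir}/ovmf/bios.bin` marks a firmware data image executable; 0644 is the usual mode under ${datadir}.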
* Re: [PATCH 1/9] ovmf: move from meta-luv to OE-core
From: Ricardo Neri @ 2016-12-28 2:58 UTC
To: Patrick Ohly; +Cc: meta-luv, openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> create mode 100644
> meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch

We added this patch because we were interested in enabling BGRT for our own Linux kernel testing purposes. I am not sure if this patch is of interest to the wider OE-core audience. I would think it is not.
* [PATCH 2/9] iasl: move from meta-luv to OE-core 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly 2016-12-21 13:11 ` [PATCH 1/9] ovmf: move from meta-luv to OE-core Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-21 14:11 ` Fathi Boudra 2016-12-28 3:08 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 3/9] ovmf: explicitly depend on nasm-native Patrick Ohly ` (8 subsequent siblings) 10 siblings, 2 replies; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri; +Cc: meta-luv From: meta-luv <luv@lists.01.org> This is an unmodified copy of github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision 4be4329. iasl is also provided by the meta-oe layer's acpica recipe. iasl is a bit simpler and thus seems more suitable for OE-core. When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must be set to avoid a warning. It can be set to "acpica-native" when something from acpica besides just iasl is needed. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++ meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++ meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb new file mode 100644 index 0000000..a14d2ec --- /dev/null +++ b/meta/recipes-extended/iasl/iasl_20120215.bb 
@@ -0,0 +1,27 @@ +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" +HOMEPAGE = "http://www.acpica.org/" +LICENSE = "Intel-ACPI" +LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0" +SECTION = "console/tools" +PR="r1" + +DEPENDS="flex-native bison-native" + +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" + +SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc" +SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d" + +S="${WORKDIR}/acpica-unix-${PV}/source/compiler" + +NATIVE_INSTALL_WORKS = "1" +BBCLASSEXTEND = "native" + +do_compile() { + CFLAGS="-Wno-error=redundant-decls" $MAKE +} + +do_install() { + mkdir -p ${D}${prefix}/bin + cp ${S}/iasl ${D}${prefix}/bin +} diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb new file mode 100644 index 0000000..4e44817 --- /dev/null +++ b/meta/recipes-extended/iasl/iasl_20150410.bb @@ -0,0 +1,27 @@ +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" +HOMEPAGE = "http://www.acpica.org/" +LICENSE = "Intel-ACPI" +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be" +SECTION = "console/tools" +PR="r1" + +DEPENDS="flex-native bison-native" + +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" + +SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22" +SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875" + +S="${WORKDIR}/acpica-unix-${PV}" + +NATIVE_INSTALL_WORKS = "1" +BBCLASSEXTEND = "native" + +do_compile() { + make iasl +} + +do_install() { + mkdir -p ${D}${prefix}/bin + cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin +} 
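Review bot: `DESCRIPTION` in both iasl_20120215.bb and iasl_20150410.bb describes "a cross development C compiler, assembler and linker environment for the production of 8086 executables", which has nothing to do with iasl (the ACPI Source Language compiler); please replace it with an accurate one-line description. The install and compile steps also bypass the usual OE helpers: `mkdir -p ${D}${prefix}/bin` plus `cp` should become `install -d ${D}${bindir}` and `install -m 0755 <iasl> ${D}${bindir}/`, and the bare `$MAKE` / `make iasl` calls should go through `oe_runmake` so that bitbake's flags and parallelism apply. `PR="r1"` and `NATIVE_INSTALL_WORKS = "1"` are both obsolete in OE-core and can be dropped.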
diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb new file mode 100644 index 0000000..c7e1cd5 --- /dev/null +++ b/meta/recipes-extended/iasl/iasl_20150515.bb @@ -0,0 +1,27 @@ +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" +HOMEPAGE = "http://www.acpica.org/" +LICENSE = "Intel-ACPI" +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be" +SECTION = "console/tools" +PR="r1" + +DEPENDS="flex-native bison-native" + +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" + +SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908" +SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45" + +S="${WORKDIR}/acpica-unix-${PV}" + +NATIVE_INSTALL_WORKS = "1" +BBCLASSEXTEND = "native" + +do_compile() { + make iasl +} + +do_install() { + mkdir -p ${D}${prefix}/bin + cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin +} -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
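Review bot: iasl_20150515.bb is the third copy of the same recipe, differing from iasl_20150410.bb only in the checksums; OE-core normally carries a single version of a recipe, so keep the newest one and drop the two older files unless something later in the series depends on a specific version. The `DESCRIPTION` here carries the same wrong 8086-compiler text as the other two copies and needs the same fix.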
* Re: [PATCH 2/9] iasl: move from meta-luv to OE-core
From: Fathi Boudra @ 2016-12-21 14:11 UTC
To: Patrick Ohly; +Cc: meta-luv, Neri, Ricardo, openembedded-core

Hi Patrick,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> From: meta-luv <luv@lists.01.org>
>
> This is an unmodified copy of
> github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
> 4be4329.
>
> iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> bit simpler and thus seems more suitable for OE-core.

Simpler in what sense? The acpica recipe is trivial and provides the full acpica tools. Would you mind importing the meta-oe acpica recipe instead of providing a reduced set of acpica for not much benefit?

> When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
> be set to avoid a warning. It can be set to "acpica-native" when
> something from acpica besides just iasl is needed.
>
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
> ---
> meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++
> meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++
> meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++
> 3 files changed, 81 insertions(+)
> create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
> create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
> create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb
> new file mode 100644
> index 0000000..a14d2ec
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20120215.bb
> @@ -0,0 +1,27 @@ > +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" > +HOMEPAGE = "http://www.acpica.org/" > +LICENSE = "Intel-ACPI" > +LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0" > +SECTION = "console/tools" > +PR="r1" > + > +DEPENDS="flex-native bison-native" > + > +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" > + > +SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc" > +SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d" > + > +S="${WORKDIR}/acpica-unix-${PV}/source/compiler" > + > +NATIVE_INSTALL_WORKS = "1" > +BBCLASSEXTEND = "native" > + > +do_compile() { > + CFLAGS="-Wno-error=redundant-decls" $MAKE > +} > + > +do_install() { > + mkdir -p ${D}${prefix}/bin > + cp ${S}/iasl ${D}${prefix}/bin > +} > diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb > new file mode 100644 > index 0000000..4e44817 > --- /dev/null > +++ b/meta/recipes-extended/iasl/iasl_20150410.bb 
> @@ -0,0 +1,27 @@ > +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" > +HOMEPAGE = "http://www.acpica.org/" > +LICENSE = "Intel-ACPI" > +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be" > +SECTION = "console/tools" > +PR="r1" > + > +DEPENDS="flex-native bison-native" > + > +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" > + > +SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22" > +SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875" > + > +S="${WORKDIR}/acpica-unix-${PV}" > + > +NATIVE_INSTALL_WORKS = "1" > +BBCLASSEXTEND = "native" > + > +do_compile() { > + make iasl > +} > + > +do_install() { > + mkdir -p ${D}${prefix}/bin > + cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin > +} > diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb > new file mode 100644 > index 0000000..c7e1cd5 > --- /dev/null > +++ b/meta/recipes-extended/iasl/iasl_20150515.bb 
> @@ -0,0 +1,27 @@ > +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)" > +HOMEPAGE = "http://www.acpica.org/" > +LICENSE = "Intel-ACPI" > +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be" > +SECTION = "console/tools" > +PR="r1" > + > +DEPENDS="flex-native bison-native" > + > +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" > + > +SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908" > +SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45" > + > +S="${WORKDIR}/acpica-unix-${PV}" > + > +NATIVE_INSTALL_WORKS = "1" > +BBCLASSEXTEND = "native" > + > +do_compile() { > + make iasl > +} > + > +do_install() { > + mkdir -p ${D}${prefix}/bin > + cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin > +} > -- > 2.1.4 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core Cheers, -- Fathi ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 2/9] iasl: move from meta-luv to OE-core
From: Patrick Ohly @ 2016-12-21 15:38 UTC
To: Fathi Boudra; +Cc: meta-luv, Neri, Ricardo, openembedded-core

On Wed, 2016-12-21 at 16:11 +0200, Fathi Boudra wrote:
> On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> > iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> > bit simpler and thus seems more suitable for OE-core.
>
> Simpler in what sense?

Less code to compile, which might matter for people who just want a working UEFI for qemu and nothing else. I haven't measured the difference, though.

> acpica recipe is trivial and provide fully acpica tools.
> Would you mind to import meta-oe acpica recipe instead of providing a
> reduced set of acpica for not much benefit?

I don't have a strong opinion about this and would be fine with moving acpica to OE-core instead, too.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
* Re: [PATCH 2/9] iasl: move from meta-luv to OE-core 2016-12-21 15:38 ` Patrick Ohly @ 2016-12-21 18:17 ` Fathi Boudra 0 siblings, 0 replies; 35+ messages in thread From: Fathi Boudra @ 2016-12-21 18:17 UTC (permalink / raw) To: Patrick Ohly; +Cc: meta-luv, Neri, Ricardo, openembedded-core

On 21 December 2016 at 17:38, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Wed, 2016-12-21 at 16:11 +0200, Fathi Boudra wrote:
>> On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
>> > iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
>> > bit simpler and thus seems more suitable for OE-core.
>>
>> Simpler in what sense?
>
> Less code to compile, which might matter for people who just want a
> working UEFI for qemu and nothing else. I haven't measured the
> difference, though.

To build, it takes 3-4 minutes on a 3-year-old laptop (i5-2520M @ 2.5 GHz).

>> The acpica recipe is trivial and provides the full acpica tools.
>> Would you mind importing the meta-oe acpica recipe instead of providing a
>> reduced set of acpica for not much benefit?
>
> I don't have a strong opinion about this and would be fine with moving
> acpica to OE-core instead, too.

It would be nice. Thanks.

> -- > Best Regards, Patrick Ohly > > The content of this message is my personal opinion only and although > I am an employee of Intel, the statements I make here in no way > represent Intel's position on the issue, nor am I authorized to speak > on behalf of Intel on this matter. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 2/9] iasl: move from meta-luv to OE-core 2016-12-21 13:11 ` [PATCH 2/9] iasl: " Patrick Ohly 2016-12-21 14:11 ` Fathi Boudra @ 2016-12-28 3:08 ` Ricardo Neri 1 sibling, 0 replies; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 3:08 UTC (permalink / raw) To: Patrick Ohly; +Cc: naresh.bhat, meta-luv, openembedded-core On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote: > From: meta-luv <luv@lists.01.org> > > This is an unmodified copy of > github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision > 4be4329. > > iasl is also provided by the meta-oe layer's acpica recipe. iasl is a > bit simpler and thus seems more suitable for OE-core. > > When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must > be set to avoid a warning. It can be set to "acpica-native" when > something from acpica besides just iasl is needed. It would be worth pondering whether to use this recipe or the one that Fathi Boudra maintains. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 3/9] ovmf: explicitly depend on nasm-native 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly 2016-12-21 13:11 ` [PATCH 1/9] ovmf: move from meta-luv to OE-core Patrick Ohly 2016-12-21 13:11 ` [PATCH 2/9] iasl: " Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly [not found] ` <1482893989.106950.45.camel@ranerica-desktop> 2016-12-21 13:11 ` [PATCH 4/9] ovmf: deploy firmware in image directory Patrick Ohly ` (7 subsequent siblings) 10 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri

Fixes a build issue when nasm was not built already because of something else.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- meta/recipes-core/ovmf/ovmf_git.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index e722db5..13b583b 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -20,6 +20,8 @@ DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native" DEPENDS_class-target="ovmf-native" +DEPENDS_append = " nasm-native" + EDK_TOOLS_DIR="edk2_basetools" # OVMF has trouble building with the default optimization of -O2. -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
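Review bot: the commit message says this fixes "a build issue when nasm was not build already" but not which step failed; please quote the actual error line so the dependency is self-documenting. Since the recipe already splits DEPENDS_class-native and DEPENDS_class-target, an unconditional DEPENDS_append = " nasm-native" lands in both variants; if only one of them invokes nasm, a class-specific append (DEPENDS_append_class-native or DEPENDS_append_class-target) records the real dependency instead of relying on the fact that ovmf pulls in ovmf-native anyway.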
[parent not found: <1482893989.106950.45.camel@ranerica-desktop>]
* Re: [PATCH 3/9] ovmf: explicitly depend on nasm-native [not found] ` <1482893989.106950.45.camel@ranerica-desktop> @ 2017-01-04 12:56 ` Patrick Ohly 0 siblings, 0 replies; 35+ messages in thread From: Patrick Ohly @ 2017-01-04 12:56 UTC (permalink / raw) To: Neri, Ricardo; +Cc: openembedded-core

On Wed, 2016-12-28 at 02:59 +0000, Neri, Ricardo wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > +DEPENDS_append = " nasm-native"
> > +
> Is this dependency needed for both native and target builds? If not, it
> can be done with DEPENDS_class...

I'm not sure anymore. As it doesn't matter in practice because ovmf depends on ovmf-native and thus nasm-native is built either way, I'd prefer to keep it as-is.

-- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 4/9] ovmf: deploy firmware in image directory 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly ` (2 preceding siblings ...) 2016-12-21 13:11 ` [PATCH 3/9] ovmf: explicitly depend on nasm-native Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-28 3:12 ` Ricardo Neri 2016-12-28 21:38 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 5/9] ovmf_git.bb: enable parallel compilation Patrick Ohly ` (6 subsequent siblings) 10 siblings, 2 replies; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri

When used with '-drive if=pflash', qemu will store UEFI variables inside the firmware image file. That is unexpected for a file located in the sysroot, which should be read-only, while it is normal for image files in the deploy/images directory. Therefore that directory is a better place for use with runqemu.

The name was chosen so that "runqemu ovmf" can be used as shorthand for "runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the Secure Boot enabled BIOS. qcow2 is used because it is needed for "savevm" snapshots of a virtual machine.

Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write) could be used. That would then allow updating the firmware of an existing machine without wiping out the variables set earlier. Configuring that in qemu would be more complicated, so for now the simpler approach with combined code and variable store is used.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- meta/recipes-core/ovmf/ovmf_git.bb | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 13b583b..d0441d1 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -16,7 +16,7 @@ PARALLEL_MAKE = "" S = "${WORKDIR}/git" -DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native" +DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native qemu-native" DEPENDS_class-target="ovmf-native" @@ -97,9 +97,20 @@ do_compile_class-target() { OVMF_ARCH="IA32" fi + # ${WORKDIR}/ovmf is a well-known location where do_install and + # do_deploy will be able to find the files. + rm -rf ${WORKDIR}/ovmf + mkdir ${WORKDIR}/ovmf + OVMF_DIR_SUFFIX="X64" + if [ "${TARGET_ARCH}" != "x86_64" ] ; then + OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization + fi FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) - echo FIXED_GCCVER is ${FIXED_GCCVER} + bbnote FIXED_GCCVER is ${FIXED_GCCVER} + build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" + ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd } do_install_class-native() { @@ -108,16 +119,18 @@ do_install_class-native() { } do_install_class-target() { - OVMF_DIR_SUFFIX="X64" - if [ "${TARGET_ARCH}" != "x86_64" ] ; then - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization - fi + # Traditional location. install -d ${D}${datadir}/ovmf + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin +} - FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) - build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" - install -m 0755 ${build_dir}/FV/OVMF.fd \ - ${D}${datadir}/ovmf/bios.bin +inherit deploy +do_deploy() { +} +do_deploy_class-target() { + # For use with "runqemu ovmf". + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 } +addtask do_deploy after do_compile before do_build BBCLASSEXTEND = "native" -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
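Review bot: in the first hunk qemu-native is added to DEPENDS_class-native, but the only consumer of qemu-img in this patch is do_deploy_class-target, which runs in the target variant of the recipe. It works today only because DEPENDS_class-target = "ovmf-native" pulls qemu-native in transitively; the direct form is DEPENDS_class-target = "ovmf-native qemu-native", which keeps working if the native dependency list is ever reworked and documents who actually needs qemu-img.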
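Review bot: the do_install_class-target hunk keeps `install -m 0755` for OVMF.fd; a firmware image is data, not an executable, so 0644 is the appropriate mode for bios.bin. While touching it, the "# Traditional location." comment should say who is expected to use ${datadir}/ovmf/bios.bin (the runqemu "bios" parameters, per the follow-up discussion), otherwise the next reader will again wonder whether the install can be dropped.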
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2016-12-21 13:11 ` [PATCH 4/9] ovmf: deploy firmware in image directory Patrick Ohly @ 2016-12-28 3:12 ` Ricardo Neri 2016-12-28 21:38 ` Ricardo Neri 1 sibling, 0 replies; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 3:12 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> When used with '-drive if=pflash', qemu will store UEFI variables
> inside the firmware image file. That is unexpected for a file located
> in
> the sysroot, which should be read-only, while it is normal for image
> files in the deploy/images directory. Therefore that directory is a
> better place for use with runqemu.
>
> The name was chosen so that "runqemu ovmf" can be used as shorthand for
> "runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
> of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
> Secure Boot enabled BIOS. qcow2 is used because it is needed for
> "savevm" snapshots of a virtual machine.
>
> Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
> could be used. That would then allow updating the firmware of an
> existing machine without wiping out the variables set
> earlier. Configuring that in qemu would be more complicated, so for
> now the simpler approach with combined code and variable store is
> used.

This looks good to me! ^ permalink raw reply [flat|nested] 35+ messages in thread
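The split layout that the quoted commit message sets aside (OVMF_CODE.fd attached read-only, OVMF_VARS.fd as a per-machine writable store) is what allows replacing the firmware without losing the enrolled PK/KEK/db, and it also keeps the code image out of reach of whatever the guest writes to the variable flash. The POSIX sh helpers below are an added example, not part of the patch set or of runqemu; the file names OVMF_CODE.fd and OVMF_VARS.fd and the per-VM directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch set): qemu pflash wiring for the split
# OVMF_CODE.fd / OVMF_VARS.fd layout. Paths and file names are assumptions.

# ovmf_vars_for_vm TEMPLATE VMDIR
# Print the path of a per-VM copy of the variable store, creating it from the
# template on first use. qemu writes only to the copy; the template and the
# code image are never modified, so a newer OVMF_CODE.fd can be dropped in
# later without wiping the variables enrolled in this VM.
ovmf_vars_for_vm() {
    template="$1"; vmdir="$2"
    vars="$vmdir/OVMF_VARS.fd"
    [ -r "$template" ] || { echo "missing vars template: $template" >&2; return 1; }
    mkdir -p "$vmdir"
    if [ ! -e "$vars" ]; then
        cp "$template" "$vars"
        chmod 0644 "$vars"   # firmware data is not executable: 0644, not 0755
    fi
    printf '%s\n' "$vars"
}

# ovmf_pflash_args CODE VARS
# Print the two -drive arguments: unit 0 is the code image, attached
# read-only, unit 1 is the writable variable store. Refuses the combined
# single-file arrangement (same file for both) and an unwritable store.
ovmf_pflash_args() {
    code="$1"; vars="$2"
    [ -r "$code" ] || { echo "missing code image: $code" >&2; return 1; }
    if [ "$code" = "$vars" ]; then
        echo "code and vars must be different files" >&2
        return 1
    fi
    [ -w "$vars" ] || { echo "vars image not writable: $vars" >&2; return 1; }
    printf '%s ' "-drive if=pflash,format=raw,unit=0,readonly=on,file=$code"
    printf '%s\n' "-drive if=pflash,format=raw,unit=1,file=$vars"
}
```

A machine is then started with something like `qemu-system-x86_64 $(ovmf_pflash_args "$code" "$(ovmf_vars_for_vm "$template" "$HOME/vms/test1")") ...`. With the combined ovmf.qcow2 that the patch deploys, both halves live in one file, which is exactly why a firmware rebuild discards the variables stored earlier.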
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2016-12-21 13:11 ` [PATCH 4/9] ovmf: deploy firmware in image directory Patrick Ohly 2016-12-28 3:12 ` Ricardo Neri @ 2016-12-28 21:38 ` Ricardo Neri 2016-12-28 23:25 ` Ricardo Neri 2017-01-04 10:01 ` Patrick Ohly 1 sibling, 2 replies; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 21:38 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> When used with '-drive if=pflash', qemu will store UEFI variables
> inside the firmware image file. That is unexpected for a file located in
> the sysroot, which should be read-only, while it is normal for image
> files in the deploy/images directory. Therefore that directory is a
> better place for use with runqemu.
>
> The name was chosen so that "runqemu ovmf" can be used as shorthand for
> "runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
> of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
> Secure Boot enabled BIOS. qcow2 is used because it is needed for
> "savevm" snapshots of a virtual machine.
>
> Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
> could be used. That would then allow updating the firmware of an
> existing machine without wiping out the variables set
> earlier. Configuring that in qemu would be more complicated, so for
> now the simpler approach with combined code and variable store is
> used.
>
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> > --- > meta/recipes-core/ovmf/ovmf_git.bb | 33 +++++++++++++++++++++++---------- > 1 file changed, 23 insertions(+), 10 deletions(-) > > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb > index 13b583b..d0441d1 100644 > --- a/meta/recipes-core/ovmf/ovmf_git.bb > +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -16,7 +16,7 @@ PARALLEL_MAKE = "" > > S = "${WORKDIR}/git" > > -DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native" > +DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native qemu-native" > > DEPENDS_class-target="ovmf-native" > > @@ -97,9 +97,20 @@ do_compile_class-target() { > OVMF_ARCH="IA32" > fi > > + # ${WORKDIR}/ovmf is a well-known location where do_install and > + # do_deploy will be able to find the files. > + rm -rf ${WORKDIR}/ovmf > + mkdir ${WORKDIR}/ovmf > + OVMF_DIR_SUFFIX="X64" > + if [ "${TARGET_ARCH}" != "x86_64" ] ; then > + OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > + fi > FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) > - echo FIXED_GCCVER is ${FIXED_GCCVER} > + bbnote FIXED_GCCVER is ${FIXED_GCCVER} > + build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" > + > ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} > + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd > } > > do_install_class-native() { 
> @@ -108,16 +119,18 @@ do_install_class-native() { > } > > do_install_class-target() { > - OVMF_DIR_SUFFIX="X64" > - if [ "${TARGET_ARCH}" != "x86_64" ] ; then > - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > - fi > + # Traditional location. > install -d ${D}${datadir}/ovmf > + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin Now that I think about it, installing here does not serve any purpose. Thus, I think this can be removed by perhaps doing do_install[noexec] = "1" > +} > > - FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) > - build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" > - install -m 0755 ${build_dir}/FV/OVMF.fd \ > - ${D}${datadir}/ovmf/bios.bin > +inherit deploy I am not sure if there is a right way for inheriting in bitbake. However, a quick grep -n inherit reveals that the majority of the recipes put their inheritances towards the top of the recipe. Thanks and BR, Ricardo > +do_deploy() { > +} > +do_deploy_class-target() { > + # For use with "runqemu ovmf". > + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 > } > +addtask do_deploy after do_compile before do_build > > BBCLASSEXTEND = "native" ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2016-12-28 21:38 ` Ricardo Neri @ 2016-12-28 23:25 ` Ricardo Neri 0 siblings, 0 replies; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 23:25 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote: > > do_install_class-target() { > > - OVMF_DIR_SUFFIX="X64" > > - if [ "${TARGET_ARCH}" != "x86_64" ] ; then > > - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > > - fi > > + # Traditional location. > > install -d ${D}${datadir}/ovmf > > + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd > ${D}${datadir}/ovmf/bios.bin > > Now that I think about it, installing here does not serve any purpose. > Thus, I think this can be removed by perhaps doing do_install[noexec] > = > "1"

I take this back. It seems that scripts/runqemu does look for OVMF in STAGING_DIR_HOST/NATIVE. Perhaps this can be changed now that you are also updating runqemu. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2016-12-28 21:38 ` Ricardo Neri 2016-12-28 23:25 ` Ricardo Neri @ 2017-01-04 10:01 ` Patrick Ohly 2017-01-10 3:50 ` Ricardo Neri 1 sibling, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2017-01-04 10:01 UTC (permalink / raw) To: Ricardo Neri; +Cc: openembedded-core On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote: > > do_install_class-target() { > > - OVMF_DIR_SUFFIX="X64" > > - if [ "${TARGET_ARCH}" != "x86_64" ] ; then > > - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > > - fi > > + # Traditional location. > > install -d ${D}${datadir}/ovmf > > + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin > > Now that I think about it. Installing here does not sever any purpose. > Thus, I think this can be removed by perhaps doing do_install[noexec] = > "1" I was trying not to break traditional usage patterns. If we keep the "bios" runqemu parameters, then we should also keep the bios.bin file. > > +} > > > > - FIXED_GCCVER=$(fixup_target_tools ${GCC_VER}) > > - build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" > > - install -m 0755 ${build_dir}/FV/OVMF.fd \ > > - ${D}${datadir}/ovmf/bios.bin > > +inherit deploy > > I am not sure if there is a right way for inheriting in bitbake. > However, a quick grep -n inherit reveals that the majority of the > recipes put their inheritances towards the top of the recipe. Agreed, that seems to be more common, although there are also examples where "inherit deploy" is directly in front of "do_deploy". I chose the latter because it was a more localized change, but will change it in rev2. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2017-01-04 10:01 ` Patrick Ohly @ 2017-01-10 3:50 ` Ricardo Neri 2017-01-10 7:32 ` Patrick Ohly 0 siblings, 1 reply; 35+ messages in thread From: Ricardo Neri @ 2017-01-10 3:50 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2017-01-04 at 11:01 +0100, Patrick Ohly wrote: > On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote: > > > do_install_class-target() { > > > - OVMF_DIR_SUFFIX="X64" > > > - if [ "${TARGET_ARCH}" != "x86_64" ] ; then > > > - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > > > - fi > > > + # Traditional location. > > > install -d ${D}${datadir}/ovmf > > > + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin > > > > Now that I think about it, installing here does not serve any purpose. > > Thus, I think this can be removed by perhaps doing do_install[noexec] = > > "1" > > I was trying not to break traditional usage patterns. If we keep the > "bios" runqemu parameters, then we should also keep the bios.bin file.

I think OVMF is not a traditional recipe. There are two use cases to ponder. 1) a Yocto Project disk image wants to include OVMF along with qemu to run a VM from the YP image. 2) we want to run a YP image in a host system. I am not sure if someone is interested in 1) and I think your use case and LUV's is 2). I think that putting things in the deploy directory makes more sense because, as you said, these images will be written to. I reckon the "bios" parameters in runqemu should look there. This is not a must for this patchset but something nice to have.

Thanks and BR, Ricardo ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/9] ovmf: deploy firmware in image directory 2017-01-10 3:50 ` Ricardo Neri @ 2017-01-10 7:32 ` Patrick Ohly 0 siblings, 0 replies; 35+ messages in thread From: Patrick Ohly @ 2017-01-10 7:32 UTC (permalink / raw) To: Ricardo Neri; +Cc: openembedded-core On Mon, 2017-01-09 at 19:50 -0800, Ricardo Neri wrote: > On Wed, 2017-01-04 at 11:01 +0100, Patrick Ohly wrote: > > On Wed, 2016-12-28 at 13:38 -0800, Ricardo Neri wrote: > > > > do_install_class-target() { > > > > - OVMF_DIR_SUFFIX="X64" > > > > - if [ "${TARGET_ARCH}" != "x86_64" ] ; then > > > > - OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization > > > > - fi > > > > + # Traditional location. > > > > install -d ${D}${datadir}/ovmf > > > > + install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin > > > > > > Now that I think about it. Installing here does not sever any purpose. > > > Thus, I think this can be removed by perhaps doing do_install[noexec] = > > > "1" > > > > I was trying not to break traditional usage patterns. If we keep the > > "bios" runqemu parameters, then we should also keep the bios.bin file. > > I think OVMF is not a traditional recipe. There are two use cases to > ponder. 1) a Yocto Project disk image wants to include OVMF along with > qemu to run a VM from the YP image. 2) we want to run a YP image in a > host system. I am not sure if someone is interested in 1) and I think > your use case and LUV's is 2). I think that putting things in the deploy > directory makes more sense because, as you said, these images will be > written to. I reckon the the "bios" parameters in runqemu should look > there. This is not a must for this patchset but something nice to have. Okay, so let's remove that "traditional location" already in this patch set. I still want to keep the "bios" parameters in runqemu (because they might have some other uses), but for OVMF, the only supported approach will be via the "ovmf" parameters and the deploy directory. 
-- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 5/9] ovmf_git.bb: enable parallel compilation 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly ` (3 preceding siblings ...) 2016-12-21 13:11 ` [PATCH 4/9] ovmf: deploy firmware in image directory Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-28 3:17 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 6/9] ovmf_git.bb: enable Secure Boot Patrick Ohly ` (5 subsequent siblings) 10 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri The Fedora srpm [1] seems to have no problems with parallel compilation, so let's also use that for the target. The native tools however indeed have dependency problems: | test_Ecc_CParser (CheckPythonSyntax.Tests) ... gcc -o ../bin/EfiRom -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-O1 EfiRom.o -L../libs -lCommon | /usr/bin/ld: cannot find -lCommon | collect2: error: ld returned 1 exit status ERROR: Task (virtual:native:.../meta/recipes-core/ovmf/ovmf_git.bb:do_compile) failed with exit code '1' [1] https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- meta/recipes-core/ovmf/ovmf_git.bb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index d0441d1..67e65b8 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -12,7 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" -PARALLEL_MAKE = "" +PARALLEL_MAKE_class-native = "" S = "${WORKDIR}/git" @@ -92,6 +92,7 @@ do_compile_class-native() { do_compile_class-target() { export LFLAGS="${LDFLAGS}" + PARALLEL_JOBS="${@ '${PARALLEL_MAKE}'.replace('-j', '-n')}" OVMF_ARCH="X64" if [ "${TARGET_ARCH}" != "x86_64" ] ; then OVMF_ARCH="IA32" @@ -109,7 +110,7 @@ do_compile_class-target() { bbnote FIXED_GCCVER is ${FIXED_GCCVER} build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" - ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd } -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
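Review bot: `PARALLEL_JOBS="${@ '${PARALLEL_MAKE}'.replace('-j', '-n')}"` splices the value of PARALLEL_MAKE into a Python string literal, which breaks if the value ever contains a quote and silently yields an empty string (a serial build) when PARALLEL_MAKE is unset. The usual idiom is `${@ d.getVar('PARALLEL_MAKE', True).replace('-j', '-n')}`. The rewrite also assumes PARALLEL_MAKE has the form "-j N"; a value written as "-jN" becomes "-nN", which build.sh's option parsing may not accept, so either document the expected form or extract the number explicitly. Keeping PARALLEL_MAKE_class-native = "" for the BaseTools build matches the linker failure quoted in the commit message and looks right.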
* Re: [PATCH 5/9] ovmf_git.bb: enable parallel compilation 2016-12-21 13:11 ` [PATCH 5/9] ovmf_git.bb: enable parallel compilation Patrick Ohly @ 2016-12-28 3:17 ` Ricardo Neri 0 siblings, 0 replies; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 3:17 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The Fedora srpm [1] seems to have no problems with parallel
> compilation, so let's also use that for the target. The native
> tools however indeed have dependency problems:

True. It is good to parallelize what we can. This also looks good to me. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 6/9] ovmf_git.bb: enable Secure Boot 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly ` (4 preceding siblings ...) 2016-12-21 13:11 ` [PATCH 5/9] ovmf_git.bb: enable parallel compilation Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-28 22:54 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 7/9] runqemu: let command line parameters override defaults Patrick Ohly ` (4 subsequent siblings) 10 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri The recipe now compiles OVMF twice, once without Secure Boot, once with. This is the same approach as in https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the image deploy directory, so runqemu <machine> <image> ovmf.secboot will boot with Secure Boot enabled. In contrast to Fedora, no attempt is made to strip potentially patent encumbered algorithms out of the OpenSSL archive. OVMF does not use the ones considered problematic for Fedora, so this shouldn't be a problem. Fixes: luv-yocto/#38 Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 67e65b8..c4eedf0 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -1,6 +1,6 @@ DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM" HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF" -LICENSE = "BSD" +LICENSE = "BSD & OpenSSL" LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496" SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ 
@@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ " +SRC_URI_append_class-target = " \ + http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \ +" + SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b" +SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" PARALLEL_MAKE_class-native = "" @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe" # OVMF supports IA only, although it could conceivably support ARM someday. COMPATIBLE_HOST='(i.86|x86_64).*' +# Additional build flags for OVMF with Secure Boot. +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE" + do_patch_append_class-native() { bb.build.exec_func('do_fix_iasl', d) bb.build.exec_func('do_fix_toolchain', d) 
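Review bot: LICENSE grows to "BSD & OpenSSL" in the first hunk, but LIC_FILES_CHKSUM still lists only OvmfPkg/License.txt, so the OpenSSL licence text that now ships in the target build is never checksummed; add the LICENSE file from the unpacked openssl-1.0.2j tree, scoped with _class-target like the SRC_URI append, with its md5. The tarball is fetched from http://www.openssl.org; the sha256sum in SRC_URI guards integrity, but the same path is served over https and should be used so the checksum is not the only line of defence. Pinning to 1.0.2j also means OpenSSL fixes only reach the firmware through a recipe change, which deserves a comment given that this copy backs the signature verification in the Secure Boot build.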
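Review bot: the comment on OVMF_SECURE_BOOT_FLAGS notes that Fedora also passes "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD" but does not say why they are omitted here. Without SMM_REQUIRE the variable store sits in pflash that the guest OS can write directly, so a privileged guest can alter PK/KEK/db without going through the firmware's authenticated-variable checks; the resulting ovmf.secboot image is good for exercising the Secure Boot boot path but is not a security boundary against the guest. Please state that in the comment and in the commit message, and keep the two defines as a documented opt-in through OVMF_SECURE_BOOT_FLAGS.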
@@ -110,8 +120,22 @@ do_compile_class-target() { bbnote FIXED_GCCVER is ${FIXED_GCCVER} build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" + bbnote "Building without Secure Boot." + rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd + + # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and + # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for + # building with Secure Boot enabled. + bbnote "Building with Secure Boot." + rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX + if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then + ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied ) + fi + ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd } do_install_class-native() { @@ -131,6 +155,7 @@ do_deploy() { do_deploy_class-target() { # For use with "runqemu ovmf". qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 } addtask do_deploy after do_compile before do_build -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
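Review bot: in the do_compile_class-target hunk the first build's result is placed in ${WORKDIR}/ovmf/OVMF.fd with `ln` (a hard link). Because `rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX` runs before the Secure Boot build, that link keeps the original inode and the two deployed images do differ, but only as long as the build directory is removed first; copying with `install -m 0644` instead of linking removes the dependency on that ordering and is easier to reason about. Separately, the OpenSSL patching with its edk2-patch-applied sentinel belongs in a do_patch_append_class-target, mirroring the do_patch_append_class-native hook already visible in the context, rather than inside do_compile; as written, a `patch` failure leaves a partially patched tree with no sentinel, and the next do_compile run will try to apply the patch again on top of it.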
* Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot 2016-12-21 13:11 ` [PATCH 6/9] ovmf_git.bb: enable Secure Boot Patrick Ohly @ 2016-12-28 22:54 ` Ricardo Neri 2017-01-04 10:10 ` Patrick Ohly 0 siblings, 1 reply; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 22:54 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The recipe now compiles OVMF twice, once without Secure Boot, once
> with. This is the same approach as in
> https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Besides the fact that Fedora does it, is there a particular reason to build twice? On my side, I am able to build with secure boot with a single build. Also, the Ubuntu documentation does not mention that two builds are needed [1]. I do see that in Fedora, the build parameters change. OVMF without secure boot support is built with -a X64 -p OvmfPkg/OvmfPkgX64.dsc while OVMF with secure boot support is built with -a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc. Perhaps this is the reason?

>
> The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
> image deploy directory, so
> runqemu <machine> <image> ovmf.secboot
> will boot with Secure Boot enabled.
>
> In contrast to Fedora, no attempt is made to strip potentially patent
> encumbered algorithms out of the OpenSSL archive. OVMF does not use
> the ones considered problematic for Fedora, so this shouldn't be a
> problem.
>
> Fixes: luv-yocto/#38

Also, I think it would be nice if we could choose not to have secure boot at all for OVMF. Maybe this could be achieved by having a common ovmf.inc and two recipes, ovmf_git.bb and ovmf_sb_git.bb, with the specific things to support secure boot or not. Maybe all that is needed in the secure boot recipe are the extra variables for OpenSSL and a prepend to do_compile_class-target with the OpenSSL patching. Something to ponder.
> > Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> > --- > meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++- > 1 file changed, 26 insertions(+), 1 deletion(-) > > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb > index 67e65b8..c4eedf0 100644 > --- a/meta/recipes-core/ovmf/ovmf_git.bb > +++ b/meta/recipes-core/ovmf/ovmf_git.bb > @@ -1,6 +1,6 @@ > DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM" > HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF" > -LICENSE = "BSD" > +LICENSE = "BSD & OpenSSL" > LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496" > > SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ > @@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ > file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ > " > > +SRC_URI_append_class-target = " \ > + http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \ > +" > + > SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" > +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b" > +SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" > > PARALLEL_MAKE_class-native = "" > > @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe" > # OVMF supports IA only, although it could conceivably support ARM someday. > COMPATIBLE_HOST='(i.86|x86_64).*' > > +# Additional build flags for OVMF with Secure Boot. > +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". > +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE" > + > do_patch_append_class-native() { > bb.build.exec_func('do_fix_iasl', d) > bb.build.exec_func('do_fix_toolchain', d) 
> @@ -110,8 +120,22 @@ do_compile_class-target() { > bbnote FIXED_GCCVER is ${FIXED_GCCVER} > build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" > > + bbnote "Building without Secure Boot." > + rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX > ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} > ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd > + > + # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and > + # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for > + # building with Secure Boot enabled. > + bbnote "Building with Secure Boot." > + rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX > + if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then > + ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied ) > + fi > + ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) > + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} > + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure boot support. Maybe this could be fixed by copying the files rather than creating a symbolic link. > } > > do_install_class-native() { > @@ -131,6 +155,7 @@ do_deploy() { > do_deploy_class-target() { > # For use with "runqemu ovmf". > qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 > + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 In the same line as my previous comment, these two images will have secure boot support. Thanks and BR, Ricardo [1]. https://wiki.ubuntu.com/UEFI/EDK2 > } > addtask do_deploy after do_compile before do_build > > -- > 2.1.4 > ^ permalink raw reply [flat|nested] 35+ messages in thread
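Review bot: in the SRC_URI_append_class-target hunk the OpenSSL tarball is fetched from http://www.openssl.org over plain HTTP. The SRC_URI[openssl.sha256sum] entry pins the content, so a tampered download can only fail the build rather than enter it, but switching the URL to https://www.openssl.org/source/openssl-1.0.2j.tar.gz costs nothing and removes the trivially spoofable fetch.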
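Review bot: the OVMF_SECURE_BOOT_FLAGS comment records that Fedora additionally passes "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD" but not why they are omitted here. State the reason in the comment (for example that the shell is wanted inside the FD for runqemu use, and whether the variable store is meant to be protected against the guest or only the boot path is meant to be checked), so a reader can judge what the "secboot" firmware does and does not guarantee.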
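Review bot: in the do_compile_class-target hunk both "ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd" and the OVMF.secboot.fd link are created without -f. The Build directory is wiped with rm -rf before each build, but ${WORKDIR}/ovmf is not, so a re-run of do_compile in an existing WORKDIR fails with "File exists". Use "ln -f" or remove the old files first. The "cd ${S}/CryptoPkg/Library/OpensslLib/openssl-*" and "$(echo ../EDKII_openssl-*.patch)" globs also silently assume exactly one match each; a stale second OpenSSL directory or patch would break the cd or feed two file names to patch.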
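Review bot: the do_deploy_class-target hunk writes ovmf.qcow2 and ovmf.secboot.qcow2 to fixed names in ${DEPLOYDIR}, so every deploy overwrites them. Since runqemu attaches these files as writable pflash and the UEFI variable store lives inside them, add a comment next to the qemu-img calls saying that a rebuild replaces any variables a user has stored there and that a persistent VM needs a copy under another name.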
* Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot 2016-12-28 22:54 ` Ricardo Neri @ 2017-01-04 10:10 ` Patrick Ohly 2017-01-10 3:51 ` Ricardo Neri 0 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2017-01-04 10:10 UTC (permalink / raw) To: Ricardo Neri; +Cc: openembedded-core On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote: > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote: > > The recipe now compiles OVMF twice, once without Secure Boot, once > > with. This is the same approach as in > > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec > > Besides the fact that Fedora does it, is there a particular reason to > build twice? The ${build_dir}/FV/OVMF.fd file changes depending on the configuration. There's only one such file after a build. > On my side, I am able to build with secure boot with a > single build. Also, the Ubuntu documentation does not mention that two > builds are needed [1]. Can you build with and without secure boot in a single build? I wasn't sure how to achieve that, so I just copied what Fedora does. > Also, I think it would be nice if we could choose between to not have > secure boot at all for OVMF. Maybe this could be achieved by having a > common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the > different the specific things to support secure boot or not. Maybe all > that is needed in the secure boot recipe are the extra variables for > OpenSSL and a prepend to do_compile_class-target with the OpenSSL > patching. Something to ponder. I think I would prefer to have a single recipe with a PACKAGECONFIG for secure boot. Having different recipes doesn't scale when adding more such options. If you agree, then I'll add that. 
> > + ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) > > + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} > > + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd > > At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and > ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure > boot support. Maybe this could be fixed by copying the files rather than > creating a symbolic link. This is intentionally a hardlink, not a symbolic link, exactly because of the problem you mentioned ;-) -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. ^ permalink raw reply [flat|nested] 35+ messages in thread
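To make the hard-link argument concrete, here is an added example that is not part of the recipe or the thread. It simulates the two build runs with plain files and shows what the saved copies contain afterwards, once linked with "ln" (as the recipe does) and once with "ln -s" (as a symlink would). The paths, the file contents and the helper names fake_build and saved_contents are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration of why ovmf_git.bb saves OVMF.fd with a hard link:
# the build directory is removed and rebuilt between the two configurations,
# and only a hard link keeps the first build's bytes alive.
set -eu

# Simulate one OVMF build: recreate the build tree and write a "firmware"
# file whose content marks the configuration it was built with.
fake_build() {
    build_dir=$1
    content=$2
    rm -rf "$build_dir"
    mkdir -p "$build_dir/FV"
    printf '%s\n' "$content" > "$build_dir/FV/OVMF.fd"
}

# Save the first build as a hard link ("hard") or a symlink ("sym"), rebuild
# with the other configuration, and report what the two saved files contain.
# Prints "<content of OVMF.fd> <content of OVMF.secboot.fd>".
saved_contents() {
    link_mode=$1
    tmp=$(mktemp -d)
    build="$tmp/Build/OvmfX64"
    work="$tmp/work"
    mkdir -p "$work"

    fake_build "$build" "no-secure-boot"
    if [ "$link_mode" = hard ]; then
        ln "$build/FV/OVMF.fd" "$work/OVMF.fd"      # what the recipe does
    else
        ln -s "$build/FV/OVMF.fd" "$work/OVMF.fd"   # what a symlink would do
    fi

    # Second build: do_compile runs "rm -rf ${S}/Build/..." and rebuilds.
    fake_build "$build" "secure-boot"
    ln "$build/FV/OVMF.fd" "$work/OVMF.secboot.fd"

    first=$(cat "$work/OVMF.fd" 2>/dev/null || echo "dangling")
    second=$(cat "$work/OVMF.secboot.fd")
    rm -rf "$tmp"
    echo "$first $second"
}

echo "hard link: $(saved_contents hard)"   # no-secure-boot secure-boot
echo "symlink:   $(saved_contents sym)"    # secure-boot secure-boot
```

With the hard link the two saved files differ as intended; with a symlink both resolve to the Secure Boot build, which is exactly the mix-up the review comment worried about.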
* Re: [PATCH 6/9] ovmf_git.bb: enable Secure Boot
  2017-01-04 10:10 ` Patrick Ohly
@ 2017-01-10 3:51 ` Ricardo Neri
  0 siblings, 0 replies; 35+ messages in thread

From: Ricardo Neri @ 2017-01-10 3:51 UTC (permalink / raw)
  To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2017-01-04 at 11:10 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > > The recipe now compiles OVMF twice, once without Secure Boot, once
> > > with. This is the same approach as in
> > > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> >
> > Besides the fact that Fedora does it, is there a particular reason to
> > build twice?
>
> The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
> There's only one such file after a build.
>
> > On my side, I am able to build with secure boot with a
> > single build. Also, the Ubuntu documentation does not mention that two
> > builds are needed [1].
>
> Can you build with and without secure boot in a single build? I wasn't
> sure how to achieve that, so I just copied what Fedora does.

Oh I see, I didn't understand in your commit message that you intend to
keep the secure boot and the non-secure boot images. Then it makes sense
to build twice.

>
> > Also, I think it would be nice if we could choose between to not have
> > secure boot at all for OVMF. Maybe this could be achieved by having a
> > common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
> > different the specific things to support secure boot or not. Maybe all
> > that is needed in the secure boot recipe are the extra variables for
> > OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> > patching. Something to ponder.
>
> I think I would prefer to have a single recipe with a PACKAGECONFIG for
> secure boot. Having different recipes doesn't scale when adding more
> such options. If you agree, then I'll add that.
Yes, I agree that a PACKAGECONFIG makes more sense. > > > > + ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) > > > + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} > > > + ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd > > > > At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and > > ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure > > boot support. Maybe this could be fixed by copying the files rather than > > creating a symbolic link. > > This is intentionally a hardlink, not a symbolic link, exactly because > of the problem you mentioned ;-) Oh, a hardlink. I see now. Thanks for clarifying. > ^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 7/9] runqemu: let command line parameters override defaults 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly ` (5 preceding siblings ...) 2016-12-21 13:11 ` [PATCH 6/9] ovmf_git.bb: enable Secure Boot Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-21 13:11 ` [PATCH 8/9] runqemu: support UEFI with OVMF firmware Patrick Ohly ` (3 subsequent siblings) 10 siblings, 0 replies; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri It may be necessary to override the parameters gathered for the qemu invocation. For example, the qemux86 machine configuration sets "-vga vmware", but when using OVMF as BIOS, only "-vga std" is supported. By putting the parameters derived from custom runqemu parameters like "qemuparams" after the parameters derived from the machine configuration the user gets the possibility to override those. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- scripts/runqemu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/runqemu b/scripts/runqemu index 0a9cb94..203992a 100755 --- a/scripts/runqemu +++ b/scripts/runqemu @@ -926,7 +926,7 @@ class BaseConfig(object): check_libgl(qemu_bin) - self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.qemu_opt_script, self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND')) + self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script) if self.snapshot: self.qemu_opt += " -snapshot" -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
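Review bot: moving self.qemu_opt_script to the end of the format string only gives "qemuparams" the last word for options qemu treats as last-wins, such as the "-vga" case in the commit message; accumulating options such as -drive or -device are appended, not replaced, so a qemuparams value cannot undo one of those from the machine configuration. Say in the commit message that the override applies to single-valued options, so nobody relies on it for the others.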
* [PATCH 8/9] runqemu: support UEFI with OVMF firmware 2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly ` (6 preceding siblings ...) 2016-12-21 13:11 ` [PATCH 7/9] runqemu: let command line parameters override defaults Patrick Ohly @ 2016-12-21 13:11 ` Patrick Ohly 2016-12-28 23:33 ` Ricardo Neri 2016-12-21 13:11 ` [PATCH 9/9] ovmf: build image which enrolls standard keys Patrick Ohly ` (2 subsequent siblings) 10 siblings, 1 reply; 35+ messages in thread From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw) To: openembedded-core, ricardo.neri In the simplest case, "runqemu qemux86 <some-image> qcow2 ovmf" for an EFI-enabled image in the qcow2 format will locate the OVMF firmware file, override the graphics hardware with "-vga std" because that is all that OVMF supports, and boot with UEFI enabled. This depends on "bitbake ovmf" deploying a "ovmf.qcow2" firmware file in the image deploy directory. The firmware file is activated as a flash drive instead of using the qemu BIOS parameters, because that is the recommended method (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764918#47) as it allows storing UEFI variables in the file. Instead of just "ovmf", a full path to an existing file can also be used, just as with the rootfs. That may be useful when making a permanent copy of the virtual machine data files. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> --- scripts/runqemu | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/scripts/runqemu b/scripts/runqemu index 203992a..257dcec 100755 --- a/scripts/runqemu +++ b/scripts/runqemu 
@@ -74,6 +74,7 @@ of the following environment variables (in any order): kvm-vhost - enable KVM with vhost when running x86/x86_64 (VT-capable CPU required) publicvnc - enable a VNC server open to all hosts audio - enable audio + [*/]ovmf* - OVMF BIOS file or base name for booting with UEFI tcpserial=<port> - specify tcp serial port number biosdir=<dir> - specify custom bios dir biosfilename=<filename> - specify bios filename @@ -162,6 +163,12 @@ class BaseConfig(object): self.clean_nfs_dir = False self.nfs_server = '' self.rootfs = '' + # File name of a OVMF BIOS file, to be added with -drive if=pflash. + # Found in the same places as the rootfs, with or without one of + # these suffices: qcow2, bin. + # Setting one also adds "-vga std" because that is all that + # OVMF supports. + self.ovmf_bios = '' self.qemuboot = '' self.qbconfload = False self.kernel = '' @@ -369,6 +376,8 @@ class BaseConfig(object): self.qemu_opt_script += ' %s' % arg[len('qemuparams='):] elif arg.startswith('bootparams='): self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):] + elif os.path.basename(arg).startswith('ovmf'): + self.ovmf_bios = arg elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)): self.check_arg_path(os.path.abspath(arg)) elif re.search('-image-', arg): @@ -472,6 +481,20 @@ class BaseConfig(object): if not os.path.exists(self.rootfs): raise Exception("Can't find rootfs: %s" % self.rootfs) + def check_ovmf(self): + """Check and set full path for OVMF BIOS file.""" + + if self.ovmf_bios is None or os.path.exists(self.ovmf_bios): + return + + for suffix in ('qcow2', 'bin'): + ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix) + if os.path.exists(ovmf_bios): + self.ovmf_bios = ovmf_bios + return + + raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios) + def check_kernel(self): """Check and set kernel, dtb""" # The vm image doesn't need a kernel 
@@ -562,6 +585,7 @@ class BaseConfig(object): self.check_kvm() self.check_fstype() self.check_rootfs() + self.check_ovmf() self.check_kernel() self.check_biosdir() self.check_mem() @@ -670,6 +694,8 @@ class BaseConfig(object): print('NFS_DIR: [%s]' % self.nfs_dir) else: print('ROOTFS: [%s]' % self.rootfs) + if self.ovmf_bios: + print('OVMF: [%s]' % self.ovmf_bios) print('CONFFILE: [%s]' % self.qemuboot) print('') @@ -926,7 +952,16 @@ class BaseConfig(object): check_libgl(qemu_bin) - self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script) + self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND')) + + if self.ovmf_bios: + format = self.ovmf_bios.rsplit('.', 1)[-1] + self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios) + # OVMF only supports normal VGA, i.e. we need to override a -vga vmware + # that gets added for example for normal qemux86. + self.qemu_opt += ' -vga std' + + self.qemu_opt += ' ' + self.qemu_opt_script if self.snapshot: self.qemu_opt += " -snapshot" -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
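Review bot: in the argument-parsing hunk, "elif os.path.basename(arg).startswith('ovmf')" is tested before the "-image-" rootfs detection, so any image whose file name starts with "ovmf" is taken as the firmware and never becomes the rootfs. Either move the test after the rootfs check while keeping the full-path case working, or require one of the suffixes check_ovmf already knows (qcow2, bin) before treating an argument as a firmware file.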
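Review bot: check_ovmf breaks every runqemu invocation that does not pass an ovmf argument. __init__ sets "self.ovmf_bios = ''", so "if self.ovmf_bios is None or os.path.exists(self.ovmf_bios)" is false for the empty string, the loop then probes "<DEPLOY_DIR_IMAGE>/.qcow2" and "<DEPLOY_DIR_IMAGE>/.bin", and the function ends in 'raise Exception("Can't find OVMF BIOS: %s" ...)'. Since validate_paths calls check_ovmf unconditionally, the guard should be "if not self.ovmf_bios or os.path.exists(self.ovmf_bios): return".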
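Review bot: in the qemu_opt hunk, "format = self.ovmf_bios.rsplit('.', 1)[-1]" passes whatever follows the last dot straight to "-drive if=pflash,format=%s". That is right for the deployed ovmf.qcow2, but a user who passes a full path to a raw OVMF.fd (the commit message allows full paths) gets "format=fd", which qemu rejects, and a name without a dot yields the whole name as the format. Map "qcow2" to qcow2 and everything else to "raw", and rename the local since "format" shadows the builtin.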
* Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware 2016-12-21 13:11 ` [PATCH 8/9] runqemu: support UEFI with OVMF firmware Patrick Ohly @ 2016-12-28 23:33 ` Ricardo Neri 2017-01-04 9:43 ` Patrick Ohly 0 siblings, 1 reply; 35+ messages in thread From: Ricardo Neri @ 2016-12-28 23:33 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote: > + # File name of a OVMF BIOS file, to be added with -drive > if=pflash. > + # Found in the same places as the rootfs, with or without one > of > + # these suffices: qcow2, bin. > + # Setting one also adds "-vga std" because that is all that > + # OVMF supports. > + self.ovmf_bios = '' runqemu has the options biosdir and biosfilename. Although the log for these options was lost when the script was migrated to python, the motivation of adding these options was to use OVMF. It uses the -L and -bios options of qemu. To my knowledge, the only custom bios at the moment is OVMF. Thus, you would ponder either removing or tweaking these options with your approach; which makes more sense to me. Thanks and BR, Ricardo ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware 2016-12-28 23:33 ` Ricardo Neri @ 2017-01-04 9:43 ` Patrick Ohly 2017-01-10 3:50 ` Ricardo Neri 0 siblings, 1 reply; 35+ messages in thread 
From: Patrick Ohly @ 2017-01-04 9:43 UTC (permalink / raw) To: Ricardo Neri; +Cc: openembedded-core On Wed, 2016-12-28 at 15:33 -0800, Ricardo Neri wrote: > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote: > > + # File name of a OVMF BIOS file, to be added with -drive > > if=pflash. > > + # Found in the same places as the rootfs, with or without one > > of > > + # these suffices: qcow2, bin. > > + # Setting one also adds "-vga std" because that is all that > > + # OVMF supports. > > + self.ovmf_bios = '' > > runqemu has the options biosdir and biosfilename. Although the log for > these options was lost when the script was migrated to python, You probably mean this: http://git.openembedded.org/openembedded-core/commit/?id=d302f5683dd736ac4cd4b601a046d22000d41e68 http://git.openembedded.org/openembedded-core/commit/?id=29c9e6f44541b7f8731e21e9d1a0adca9da28e37 > the > motivation of adding these options was to use OVMF. It uses the -L and > -bios options of qemu. To my knowledge, the only custom bios at the > moment is OVMF. Thus, you would ponder either removing or tweaking these > options with your approach; which makes more sense to me. I have no personal opinion about the usefulness of the "biosdir" and "biosfilename" options. Just looking at what they do, they might have value also when not using OVMF (for example, the "VGA BIOS" that is mentioned in the first commit). But if no-one is actually using these options, then they should indeed be removed to simplify runqemu. The problem just is to determine whether they are used :-/ As I don't know, I'd prefer to keep them for now and remove them separately. Regarding the approach that I proposed for the "ovmf" file(s): what's your opinion about that? 
I was a bit worried that too much "magic" is involved here (special keyword that expands to files and sets -vga), but it is convenient and quite naturally supports additional use cases (explicitly selecting files at non-standard locations, separate code and variable files). Regarding that last argument: in the current patch series, only the combined ovmf.fd gets deployed and I argued that this is sufficient. To test that supporting separate code and variables also works, I've implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd, ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports more than one "ovmf" parameter - this worked nicely. Full change below. Now that I've implemented it, I wonder whether it would be worth submitting that as part of rev2 of this patch series. Any opinions? diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index ef61b16..391274b 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -125,6 +125,8 @@ do_compile_class-target() { rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd + ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for @@ -137,6 +139,7 @@ do_compile_class-target() { ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd for i in Shell.efi EnrollDefaultKeys.efi; do ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i done 
@@ -170,8 +173,9 @@ do_deploy() { } do_deploy_class-target() { # For use with "runqemu ovmf". - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 + for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2 + done } addtask do_deploy after do_compile before do_build diff --git a/scripts/runqemu b/scripts/runqemu index c8b7c8a..c3fed89 100755 --- a/scripts/runqemu +++ b/scripts/runqemu @@ -163,12 +163,12 @@ class BaseConfig(object): self.clean_nfs_dir = False self.nfs_server = '' self.rootfs = '' - # File name of a OVMF BIOS file, to be added with -drive if=pflash. + # File name(s) of a OVMF BIOS file or variable store, to be added with -drive if=pflash. # Found in the same places as the rootfs, with or without one of # these suffices: qcow2, bin. # Setting one also adds "-vga std" because that is all that # OVMF supports. - self.ovmf_bios = '' + self.ovmf_bios = [] self.qemuboot = '' self.qbconfload = False self.kernel = '' @@ -376,13 +376,13 @@ class BaseConfig(object): self.qemu_opt_script += ' %s' % arg[len('qemuparams='):] elif arg.startswith('bootparams='): self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):] - elif os.path.basename(arg).startswith('ovmf'): - self.ovmf_bios = arg elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)): self.check_arg_path(os.path.abspath(arg)) - elif re.search('-image-', arg): + elif re.search('-image-', arg) or arg.endswith('-image'): # Lazy rootfs self.rootfs = arg + elif os.path.basename(arg).startswith('ovmf'): + self.ovmf_bios.append(arg) else: # At last, assume is it the MACHINE if (not unknown_arg) or unknown_arg == arg: 
@@ -482,18 +482,18 @@ class BaseConfig(object): raise Exception("Can't find rootfs: %s" % self.rootfs) def check_ovmf(self): - """Check and set full path for OVMF BIOS file.""" + """Check and set full path for OVMF BIOS file(s).""" - if self.ovmf_bios is None or os.path.exists(self.ovmf_bios): - return - - for suffix in ('qcow2', 'bin'): - ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix) - if os.path.exists(ovmf_bios): - self.ovmf_bios = ovmf_bios - return - - raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios) + for index, ovmf in enumerate(self.ovmf_bios): + if os.path.exists(ovmf): + continue + for suffix in ('qcow2', 'bin'): + path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix) + if os.path.exists(path): + self.ovmf_bios[index] = path + break + else: + raise Exception("Can't find OVMF BIOS: %s" % ovmf) def check_kernel(self): """Check and set kernel, dtb""" @@ -695,7 +695,7 @@ class BaseConfig(object): else: print('ROOTFS: [%s]' % self.rootfs) if self.ovmf_bios: - print('OVMF: [%s]' % self.ovmf_bios) + print('OVMF: %s' % self.ovmf_bios) print('CONFFILE: [%s]' % self.qemuboot) print('') 
@@ -939,9 +939,10 @@ class BaseConfig(object): self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND')) + for ovmf in self.ovmf_bios: + format = ovmf.rsplit('.', 1)[-1] + self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf) if self.ovmf_bios: - format = self.ovmf_bios.rsplit('.', 1)[-1] - self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios) # OVMF only supports normal VGA, i.e. we need to override a -vga vmware # that gets added for example for normal qemux86. self.qemu_opt += ' -vga std' -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. ^ permalink raw reply related [flat|nested] 35+ messages in thread
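Review bot: in the runqemu hunk at @@ -376, the "ovmf" test now comes after "elif os.path.exists(arg) ...: self.check_arg_path(...)", so an existing full path such as the copy of ovmf.vars.qcow2 that a user keeps for a persistent VM is handed to check_arg_path instead of being appended to self.ovmf_bios, unless check_arg_path (not touched by this diff) recognises it. Keep the ovmf test after the "-image-" rootfs test, which fixes the image-name clash, but before the os.path.exists branch, or teach check_arg_path about the ovmf prefix.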
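Review bot: in the hunk at @@ -939, the "-drive if=pflash" options are emitted in the order the arguments were given, and qemu numbers pflash units in that order, with OVMF expecting the code image as unit 0 and the variable store as unit 1. "runqemu ... ovmf.vars ovmf.code" would therefore hand the variable store to qemu as the firmware. Either document the required order ("ovmf.code" before "ovmf.vars") in the usage text or sort code files ahead of vars files before the loop.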
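Review bot: in the ovmf_git.bb hunk at @@ -137, the Secure Boot build saves only OVMF_CODE.fd (as OVMF.code.secboot.fd) and reuses the OVMF_VARS.fd from the non-Secure-Boot build, which the deploy loop then publishes once as ovmf.vars.qcow2 for both code images. If that is intentional because the variable-store template does not depend on the build flags, say so in a comment; otherwise save a secboot variant of the vars file as well. The deploy loop also regenerates ovmf.vars.qcow2 on every build, so a note that this file is the empty template and any runtime store must be copied elsewhere would spare users a surprise.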
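As an added example that is neither runqemu's code nor Patrick's prototype, the following reimplements the two pieces sketched in the diff above for a list of "ovmf" arguments: resolving each name against a deploy directory (existing paths are taken as-is, otherwise the qcow2 and bin suffixes are tried) and turning the result into "-drive if=pflash" options plus "-vga std". The deploy directory, the sample file names created under a temporary directory and the helper names resolve_ovmf, pflash_args and demo are constructed for this illustration.

```python
"""Constructed example of OVMF firmware-file resolution and pflash option
generation, modelled on the runqemu changes discussed in this thread."""
import os
import tempfile

# Suffixes tried when an argument is not an existing path (as in the patch).
OVMF_SUFFIXES = ('qcow2', 'bin')


def resolve_ovmf(names, deploy_dir):
    """Map each ovmf argument to an existing file path.

    An argument that already names an existing file (for example a user's
    private copy of the variable store) is kept as given; otherwise
    <deploy_dir>/<name>.<suffix> is tried for each known suffix.  Raises
    FileNotFoundError when nothing matches, mirroring runqemu's exception.
    """
    resolved = []
    for name in names:
        if os.path.exists(name):
            resolved.append(name)
            continue
        for suffix in OVMF_SUFFIXES:
            path = os.path.join(deploy_dir, '%s.%s' % (name, suffix))
            if os.path.exists(path):
                resolved.append(path)
                break
        else:
            raise FileNotFoundError("Can't find OVMF BIOS: %s" % name)
    return resolved


def pflash_args(paths):
    """Build the qemu options for the resolved firmware files.

    QEMU numbers pflash units in command-line order and OVMF expects the
    code image as unit 0 and the variable store as unit 1, so callers must
    list the code file before the vars file.  The drive format is taken
    from the file suffix, as the patch does.
    """
    args = []
    for path in paths:
        fmt = path.rsplit('.', 1)[-1]
        args.append('-drive if=pflash,format=%s,file=%s' % (fmt, path))
    if paths:
        args.append('-vga std')   # OVMF only supports standard VGA
    return args


def demo():
    """Exercise the resolution against a constructed deploy directory."""
    with tempfile.TemporaryDirectory() as deploy:
        # Constructed stand-ins for what the recipe would deploy.
        for fname in ('ovmf.qcow2', 'ovmf.code.qcow2', 'ovmf.vars.qcow2',
                      'ovmf.secboot.qcow2'):
            open(os.path.join(deploy, fname), 'wb').close()
        # A user-kept copy of the variable store, addressed by full path.
        private = os.path.join(deploy, 'keep', 'ovmf.vars.qcow2')
        os.makedirs(os.path.dirname(private))
        open(private, 'wb').close()

        combined = pflash_args(resolve_ovmf(['ovmf'], deploy))
        split = pflash_args(resolve_ovmf(['ovmf.code', private], deploy))
        try:
            resolve_ovmf(['ovmf.missing'], deploy)
            missing_rejected = False
        except FileNotFoundError:
            missing_rejected = True

        # Replace the random temp path so results are stable for the reader.
        return {
            'combined': [a.replace(deploy, '<deploy>') for a in combined],
            'split': [a.replace(deploy, '<deploy>') for a in split],
            'missing_rejected': missing_rejected,
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The combined case yields a single pflash drive for ovmf.qcow2; the split case yields two drives, code first and the user's own vars copy second, which is the order qemu needs; a name that matches nothing is rejected before qemu is ever started.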
* Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware 2017-01-04 9:43 ` Patrick Ohly @ 2017-01-10 3:50 ` Ricardo Neri 2017-01-10 7:29 ` Patrick Ohly 0 siblings, 1 reply; 35+ messages in thread 
From: Ricardo Neri @ 2017-01-10 3:50 UTC (permalink / raw) To: Patrick Ohly; +Cc: openembedded-core On Wed, 2017-01-04 at 10:43 +0100, Patrick Ohly wrote: > On Wed, 2016-12-28 at 15:33 -0800, Ricardo Neri wrote: > > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote: > > > + # File name of a OVMF BIOS file, to be added with -drive > > > if=pflash. > > > + # Found in the same places as the rootfs, with or without one > > > of > > > + # these suffices: qcow2, bin. > > > + # Setting one also adds "-vga std" because that is all that > > > + # OVMF supports. > > > + self.ovmf_bios = '' > > > > runqemu has the options biosdir and biosfilename. Although the log for > > these options was lost when the script was migrated to python, > > You probably mean this: > http://git.openembedded.org/openembedded-core/commit/?id=d302f5683dd736ac4cd4b601a046d22000d41e68 > http://git.openembedded.org/openembedded-core/commit/?id=29c9e6f44541b7f8731e21e9d1a0adca9da28e37 > > > the > > motivation of adding these options was to use OVMF. It uses the -L and > > -bios options of qemu. To my knowledge, the only custom bios at the > > moment is OVMF. Thus, you would ponder either removing or tweaking these > > options with your approach; which makes more sense to me. > > I have no personal opinion about the usefulness of the "biosdir" and > "biosfilename" options. Just looking at what they do, they might have > value also when not using OVMF (for example, the "VGA BIOS" that is > mentioned in the first commit). But if no-one is actually using these > options, then they should indeed be removed to simplify runqemu. > > The problem just is to determine whether they are used :-/ As I don't > know, I'd prefer to keep them for now and remove them separately. This makes sense. > > Regarding the approach that I proposed for the "ovmf" file(s): what's > your opinion about that? 
> I was a bit worried that too much "magic" is
> involved here (special keyword that expands to files and sets -vga), but
> it is convenient and quite naturally supports additional use cases
> (explicitly selecting files at non-standard locations, separate code and
> variable files).
>
> Regarding that last argument: in the current patch series, only the
> combined ovmf.fd gets deployed and I argued that this is sufficient.

It would be certainly enough for me :) as in most of my use cases I
always test brand new images without any variables in it. Also, you
kindly included facilities to lock down the image. I can't speak for
other people but this is more than enough for me. If you pursue this
path, perhaps you can include a big warning in the recipe saying that
people will lose their variables if they rebuild OVMF.

On the other hand...

> To
> test that supporting separate code and variables also works, I've
> implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd,
> ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports
> more than one "ovmf" parameter - this worked nicely. Full change below.

... Now that you have taken the time to prototype the solution, we could
put it to use.

>
> Now that I've implemented it, I wonder whether it would be worth
> submitting that as part of rev2 of this patch series. Any opinions?
>
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index ef61b16..391274b 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -125,6 +125,8 @@ do_compile_class-target() { > rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX > ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} > ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd > + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd > + ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd > > # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and > # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for > @@ -137,6 +139,7 @@ do_compile_class-target() { > ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) > ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} > ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd > + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd > for i in Shell.efi EnrollDefaultKeys.efi; do > ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i > done > @@ -170,8 +173,9 @@ do_deploy() { > } > do_deploy_class-target() { > # For use with "runqemu ovmf". > - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 > - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 > + for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do > + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2 Will this preserve any previous OVMF_vars.fd that might exist in the directory. > + done > } > addtask do_deploy after do_compile before do_build > > diff --git a/scripts/runqemu b/scripts/runqemu > index c8b7c8a..c3fed89 100755 > --- a/scripts/runqemu > +++ b/scripts/runqemu 
> @@ -163,12 +163,12 @@ class BaseConfig(object): > self.clean_nfs_dir = False > self.nfs_server = '' > self.rootfs = '' > - # File name of a OVMF BIOS file, to be added with -drive if=pflash. > + # File name(s) of a OVMF BIOS file or variable store, to be added with -drive if=pflash. > # Found in the same places as the rootfs, with or without one of > # these suffices: qcow2, bin. > # Setting one also adds "-vga std" because that is all that > # OVMF supports. > - self.ovmf_bios = '' > + self.ovmf_bios = [] > self.qemuboot = '' > self.qbconfload = False > self.kernel = '' > @@ -376,13 +376,13 @@ class BaseConfig(object): > self.qemu_opt_script += ' %s' % arg[len('qemuparams='):] > elif arg.startswith('bootparams='): > self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):] > - elif os.path.basename(arg).startswith('ovmf'): > - self.ovmf_bios = arg > elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)): > self.check_arg_path(os.path.abspath(arg)) > - elif re.search('-image-', arg): > + elif re.search('-image-', arg) or arg.endswith('-image'): > # Lazy rootfs > self.rootfs = arg > + elif os.path.basename(arg).startswith('ovmf'): > + self.ovmf_bios.append(arg) > else: > # At last, assume is it the MACHINE > if (not unknown_arg) or unknown_arg == arg: 
> @@ -482,18 +482,18 @@ class BaseConfig(object): > raise Exception("Can't find rootfs: %s" % self.rootfs) > > def check_ovmf(self): > - """Check and set full path for OVMF BIOS file.""" > + """Check and set full path for OVMF BIOS file(s).""" > > - if self.ovmf_bios is None or os.path.exists(self.ovmf_bios): > - return > - > - for suffix in ('qcow2', 'bin'): > - ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix) > - if os.path.exists(ovmf_bios): > - self.ovmf_bios = ovmf_bios > - return > - > - raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios) > + for index, ovmf in enumerate(self.ovmf_bios): > + if os.path.exists(ovmf): > + continue > + for suffix in ('qcow2', 'bin'): > + path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix) > + if os.path.exists(path): > + self.ovmf_bios[index] = path > + break > + else: > + raise Exception("Can't find OVMF BIOS: %s" % ovmf) > > def check_kernel(self): > """Check and set kernel, dtb""" > @@ -695,7 +695,7 @@ class BaseConfig(object): > else: > print('ROOTFS: [%s]' % self.rootfs) > if self.ovmf_bios: > - print('OVMF: [%s]' % self.ovmf_bios) > + print('OVMF: %s' % self.ovmf_bios) Is there a reason to remove the brackets here? > print('CONFFILE: [%s]' % self.qemuboot) > print('') 
>
> @@ -939,9 +939,10 @@ class BaseConfig(object):
>
> self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
>
> + for ovmf in self.ovmf_bios:
> + format = ovmf.rsplit('.', 1)[-1]
> + self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
> if self.ovmf_bios:
> - format = self.ovmf_bios.rsplit('.', 1)[-1]
> - self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
> # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
> # that gets added for example for normal qemux86.
> self.qemu_opt += ' -vga std'
>
>

I think this solution looks good as having separate files does not pose
an extra hassle for the user: the recipe builds all that is needed and
runqemu takes all that it needs. If in the future people show an
interest in having unified images, maybe that can be added as another
PACKAGECONFIG?

Also, the usage of runqemu needs to be updated as well. Perhaps the
usage can include a note stating that code and vars are split but no
extra action is needed.

Thanks and BR,
Ricardo

>

^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 8/9] runqemu: support UEFI with OVMF firmware 2017-01-10 3:50 ` Ricardo Neri @ 2017-01-10 7:29 ` Patrick Ohly 0 siblings, 0 replies; 35+ messages in thread From: Patrick Ohly @ 2017-01-10 7:29 UTC (permalink / raw) To: Ricardo Neri; +Cc: openembedded-core On Mon, 2017-01-09 at 19:50 -0800, Ricardo Neri wrote: > On Wed, 2017-01-04 at 10:43 +0100, Patrick Ohly wrote: > > To > > test that supporting separate code and variables also works, I've > > implemented that locally so that ovmf.fd ovmf_secboot.fd, ovmf_code.fd, > > ovmf_secboot_code.fd and ovmf_vars.fd get deployed and runqemu supports > > more than one "ovmf" parameter - this worked nicely. Full change below. > > ... Now that you have took the time to prototype the solution, we could > put it to use. > > > > > Now that I've implemented it, I wonder whether it would be worth > > submitting that as part of rev2 of this patch series. Any opinions? > > > > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb > > index ef61b16..391274b 100644 > > --- a/meta/recipes-core/ovmf/ovmf_git.bb > > +++ b/meta/recipes-core/ovmf/ovmf_git.bb > > @@ -125,6 +125,8 @@ do_compile_class-target() { > > rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX > > ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} > > ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd > > + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.fd > > + ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/OVMF.vars.fd > > > > # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and > > # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for 
> > @@ -137,6 +139,7 @@ do_compile_class-target() { > > ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) > > ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} > > ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd > > + ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/OVMF.code.secboot.fd > > for i in Shell.efi EnrollDefaultKeys.efi; do > > ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i > > done 
> > @@ -170,8 +173,9 @@ do_deploy() { > > } > > do_deploy_class-target() { > > # For use with "runqemu ovmf". > > - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 > > - qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 > > + for i in OVMF OVMF.secboot OVMF.code OVMF.vars OVMF.code.secboot; do > > + qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/`echo $i | tr A-Z a-z`.qcow2 > > Will this preserve any previous OVMF_vars.fd that might exist in the > directory?

No, it will overwrite ovmf.vars.qcow2 and any variables stored in that get lost. That is consistent with rebuilding the disk image: a user who wants to have a "persistent" virtual machine must copy the relevant file and then use the full file paths. In this case, that means invoking runqemu with the file path to the copy of ovmf.vars.qcow2 instead of just "ovmf.vars".

> > if self.ovmf_bios: > > - print('OVMF: [%s]' % self.ovmf_bios) > > + print('OVMF: %s' % self.ovmf_bios) > > Is there a reason to remove the brackets here?

self.ovmf_bios is a list, so formatting it as a string will add the brackets. I found that more readable than the (from a semantic point of view more correct) double brackets: [['.../ovmf.code.qcow2', '.../ovmf.vars.qcow2']]

> > + for ovmf in self.ovmf_bios: > > + format = ovmf.rsplit('.', 1)[-1] > > + self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf) > > if self.ovmf_bios: > > - format = self.ovmf_bios.rsplit('.', 1)[-1] > > - self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios) > > # OVMF only supports normal VGA, i.e. we need to override a -vga vmware > > # that gets added for example for normal qemux86. > > self.qemu_opt += ' -vga std' > > > > > I think this solution looks good as having separate files does not pose > an extra hassle for the user: the recipe builds all that is needed and > runqemu takes all that it needs.
But not automatically. "runqemu ovmf" would expand "ovmf" to tmp/deploy/images/.../ovmf.qcow2 and thus use the combined file while "runqemu ovmf.code ovmf.vars" tells runqemu that it is supposed to use two flash drives, one with the code and one with the variables.

> If in the future people show an
> interest in having unified images, maybe that can be added as another
> PACKAGECONFIG?

As the unified code+vars is slightly easier to use, I'd prefer to keep it around and just offer both. That's not such a big deal in terms of performance and disk usage.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
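Review bot: the do_deploy loop in the quoted hunk rewrites ovmf.vars.qcow2 on every deploy, so any PK/KEK/db enrolled into that variable store is replaced by an empty one and the next "runqemu ... ovmf.code ovmf.vars" boots back in Setup Mode with Secure Boot off. The reply accepts that behaviour, so it should at least be stated next to the new ovmf.code/ovmf.vars parameters in the runqemu usage text and beside the recipe comment "# For use with "runqemu ovmf"." so that users who want a persistent instance know to copy the file and pass its full path.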
* [PATCH 9/9] ovmf: build image which enrolls standard keys 2016-12-21 13:11 Patrick Ohly
From: Patrick Ohly @ 2016-12-21 13:11 UTC
To: openembedded-core, ricardo.neri

When booting a qemu virtual machine with ovmf.secboot, it comes up with no keys installed and thus Secure Boot disabled. To lock down the machine like a typical PC, one has to enroll the same keys that PC vendors normally install, i.e. the ones from Microsoft. This can be done manually (see https://wiki.ubuntu.com/SecurityTeam/SecureBoot and https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf) or automatically with the EnrollDefaultKeys.efi helper from the Fedora ovmf rpm.

To use this with qemu:

$ bitbake ovmf-shell-image
...
$ runqemu serial nographic qemux86 ovmf-shell-image wic ovmf.secboot
...
UEFI Interactive Shell v2.1
EDK II
UEFI v2.60 (EDK II, 0x00010000)
Mapping table
FS0: Alias(s):HD2b:;BLK4:
PciRoot(0x0)/Pci(0x5,0x0)/HD(1,GPT,06AEF759-3982-4AF6-B517-70BA6304FC1C,0x800,0x566C)
BLK0: Alias(s):
PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
BLK1: Alias(s):
PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x1)
BLK2: Alias(s):
PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
BLK3: Alias(s):
PciRoot(0x0)/Pci(0x5,0x0)
Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell> fs0:EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
Shell> reset

Remember that this will modify deploy/images/qemux86/ovmf.secboot.qcow2, so make a copy and use the full path of that copy instead of the "ovmf" argument if needed.

The ovmf-shell-image contains an EFI shell, which is what got started here directly. After enrolling the keys, Secure Boot is active and the same image cannot be booted anymore, so the BIOS goes through the normal boot targets (including network boot, which can take a while to time out), and ends up in the internal EFI shell.
Trying to invoke bootia32.efi (the shell from the image) or EnrollDefaultKeys.efi then fails:

Shell> bootia32.efi
Command Error Status: Security Violation

The main purpose at the moment is to test that Secure Boot enforcement really works. If we had a way to sign generated images, that part could also be tested by booting in a locked down qemu instance.

0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch is from https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch?id=b1781931894bf2057464e634beed68b1e3218c9e with one line changed to fix https://bugzilla.redhat.com/show_bug.cgi?id=132502: "EFI_STATUS Status = EFI_SUCCESS;" in EnrollListOfX509Certs() lacked the initializer.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf-shell-image.bb | 22 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks | 4 +
 meta/recipes-core/ovmf/ovmf_git.bb | 16 +
 4 files changed, 1165 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks

diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
new file mode 100644
index 0000000..fecde9c
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -0,0 +1,22 @@ +# This needs to run before image.bbclass reads IMAGE_FSTYPES, +# which is guaranteed by the ordering of anonymous functions +# in a recipe. +python () { + # Ignore customization of IMAGE_FSTYPES because + # for this image recipe, only the .wic format + # with a single vfat partition makes sense. + d.setVar('IMAGE_FSTYPES', 'wic') +} +WKS_FILE = "ovmf/ovmf-shell-image.wks" + +inherit image + +# We want a minimal image with just ovmf-shell-efi +# unpacked in it. We avoid installing unnecessary +# stuff as much as possible, but some things still +# get through and need to be removed. +PACKAGE_INSTALL = "ovmf-shell-efi" +LINGUAS_INSTALL = "" +do_image () { + rm -rf `ls -d ${IMAGE_ROOTFS}/* | grep -v efi` +} diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch new file mode 100644 index 0000000..12d43df --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch 
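Review bot: the "rm -rf `ls -d ${IMAGE_ROOTFS}/* | grep -v efi`" in do_image parses ls output and depends on word splitting, so a path containing whitespace is mishandled, and the "efi" filter is a substring match that also spares any unrelated entry whose name happens to contain "efi"; "find ${IMAGE_ROOTFS} -mindepth 1 -maxdepth 1 ! -name '*efi*' -exec rm -rf {} +" prunes the same entries without those pitfalls. Also worth a comment that do_image is replaced outright here rather than extended, so whatever image.bbclass would otherwise run at that step (for example IMAGE_PREPROCESS_COMMAND hooks) does not apply to this image.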
@@ -0,0 +1,1123 @@ +From: Laszlo Ersek <lersek@redhat.com> +Date: Mon, 6 Jul 2015 20:22:02 +0200 +Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default + keys + +(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch +to Gerd's public RPMs.) + +This application is meant to be invoked by the management layer, after +booting the UEFI shell and getting a shell prompt on the serial console. +The app enrolls a number of certificates (see below), and then reports +status to the serial console as well. The expected output is "info: +success": + +> Shell> EnrollDefaultKeys.efi +> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1 +> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0 +> info: success +> Shell> + +In case of success, the management layer can force off or reboot the VM +(for example with the "reset -s" or "reset -c" UEFI shell commands, +respectively), and start the guest installation with SecureBoot enabled. + +PK: +- A unique, static, ad-hoc certificate whose private half has been + destroyed (more precisely, never saved) and is therefore unusable for + signing. (The command for creating this certificate is saved in the + source code.) + +KEK: +- same ad-hoc certificate as used for the PK, +- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool + package is signed (indirectly, through a chain) with this; enrolling + such a KEK should allow guests to install those updates. + +DB: +- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows + Server 2012 R2, +- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI + oproms. 
+ +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 960 ++++++++++++++++++++++++ + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 51 ++ + OvmfPkg/OvmfPkgIa32.dsc | 4 + + OvmfPkg/OvmfPkgIa32X64.dsc | 4 + + OvmfPkg/OvmfPkgX64.dsc | 4 + + 5 files changed, 1023 insertions(+) + create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c + create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf + +diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +new file mode 100644 +index 0000000..081212b +--- /dev/null ++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +@@ -0,0 +1,960 @@ ++/** @file ++ Enroll default PK, KEK, DB. ++ ++ Copyright (C) 2014, Red Hat, Inc. ++ ++ This program and the accompanying materials are licensed and made available ++ under the terms and conditions of the BSD License which accompanies this ++ distribution. The full text of the license may be found at ++ http://opensource.org/licenses/bsd-license. ++ ++ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT ++ WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. 
++**/ ++#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid ++#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME ++#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE ++#include <Library/BaseMemoryLib.h> // CopyGuid() ++#include <Library/DebugLib.h> // ASSERT() ++#include <Library/MemoryAllocationLib.h> // FreePool() ++#include <Library/ShellCEntryLib.h> // ShellAppMain() ++#include <Library/UefiLib.h> // AsciiPrint() ++#include <Library/UefiRuntimeServicesTableLib.h> // gRT ++ ++// ++// The example self-signed certificate below, which we'll use for both Platform ++// Key, and first Key Exchange Key, has been generated with the following ++// non-interactive openssl command. The passphrase is read from /dev/urandom, ++// and not saved, and the private key is written to /dev/null. In other words, ++// we can't sign anything else against this certificate, which is our purpose. ++// ++/* ++ openssl req \ ++ -passout file:<(head -c 16 /dev/urandom) \ ++ -x509 \ ++ -newkey rsa:2048 \ ++ -keyout /dev/null \ ++ -outform DER \ ++ -subj $( ++ printf /C=US ++ printf /ST=TestStateOrProvince ++ printf /L=TestLocality ++ printf /O=TestOrganization ++ printf /OU=TestOrganizationalUnit ++ printf /CN=TestCommonName ++ printf /emailAddress=test@example.com ++ ) \ ++ 2>/dev/null \ ++ | xxd -i ++*/ ++STATIC CONST UINT8 ExampleCert[] = { ++ 0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02, ++ 0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d, ++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, ++ 0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, ++ 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, ++ 0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, ++ 0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, ++ 0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 
++}; ++ ++// ++// Second KEK: "Microsoft Corporation KEK CA 2011". ++// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 ++// ++// "dbx" updates in "dbxtool" are signed with a key derived from this KEK. ++// ++STATIC CONST UINT8 MicrosoftKEK[] = {
++}; ++ ++// ++// First DB entry:
"Microsoft Windows Production PCA 2011" ++// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d ++// ++// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain ++// rooted in this certificate. ++// ++STATIC CONST UINT8 MicrosoftPCA[] = {
0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba, ++ 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce, ++ 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f, ++ 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e, ++ 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3, ++ 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45, ++ 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0, ++ 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24, ++ 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c, ++ 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf, ++ 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c, ++ 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2, ++ 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c, ++ 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47, ++ 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a, ++ 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21, ++ 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86, ++ 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6, ++ 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9, ++ 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4, ++ 0x62, 0x1c, 0x59, 0x7e ++}; ++ ++// ++// Second DB entry: "Microsoft Corporation UEFI CA 2011" ++// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 ++// ++// To verify the "shim" binary and PCI expansion ROMs with. 
++// ++STATIC CONST UINT8 MicrosoftUefiCA[] = { ++ 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02, ++ 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, ++ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, ++ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, ++ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, ++ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, ++ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, ++ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, ++ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, ++ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30, ++ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f, ++ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, ++ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72, ++ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63, ++ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30, ++ 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32, ++ 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30, ++ 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, ++ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, ++ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, ++ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, ++ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, ++ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, ++ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06, ++ 
0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, ++ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, ++ 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, ++ 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, ++ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, ++ 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7, ++ 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43, ++ 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73, ++ 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3, ++ 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54, ++ 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c, ++ 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f, ++ 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae, ++ 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d, ++ 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa, ++ 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff, ++ 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b, ++ 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6, ++ 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62, ++ 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08, ++ 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7, ++ 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2, ++ 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f, ++ 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b, ++ 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 
0x95, 0x08, 0xee, 0x6a, ++ 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76, ++ 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, ++ 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23, ++ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16, ++ 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37, ++ 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03, ++ 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd, ++ 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b, ++ 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, ++ 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, ++ 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, ++ 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, ++ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, ++ 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, ++ 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, ++ 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, ++ 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, ++ 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, ++ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, ++ 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, ++ 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, ++ 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, ++ 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, ++ 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, ++ 0x05, 0x05, 0x07, 0x30, 
0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, ++ 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, ++ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, ++ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, ++ 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, ++ 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, ++ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, ++ 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76, ++ 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef, ++ 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13, ++ 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82, ++ 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a, ++ 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20, ++ 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90, ++ 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52, ++ 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d, ++ 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf, ++ 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49, ++ 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34, ++ 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75, ++ 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9, ++ 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f, ++ 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c, ++ 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56, ++ 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae, 
++ 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a, ++ 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c, ++ 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59, ++ 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d, ++ 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53, ++ 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b, ++ 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98, ++ 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85, ++ 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2, ++ 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2, ++ 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c, ++ 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b, ++ 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27, ++ 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6, ++ 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f, ++ 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55, ++ 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e, ++ 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62, ++ 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8, ++ 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6, ++ 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75, ++ 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58 ++}; ++ ++// ++// The most important thing about the variable payload is that it is a list of ++// lists, where the element size of any given *inner* list is constant. 
++// ++// Since X509 certificates vary in size, each of our *inner* lists will contain ++// one element only (one X.509 certificate). This is explicitly mentioned in ++// the UEFI specification, in "28.4.1 Signature Database", in a Note. ++// ++// The list structure looks as follows: ++// ++// struct EFI_VARIABLE_AUTHENTICATION_2 { | ++// struct EFI_TIME { | ++// UINT16 Year; | ++// UINT8 Month; | ++// UINT8 Day; | ++// UINT8 Hour; | ++// UINT8 Minute; | ++// UINT8 Second; | ++// UINT8 Pad1; | ++// UINT32 Nanosecond; | ++// INT16 TimeZone; | ++// UINT8 Daylight; | ++// UINT8 Pad2; | ++// } TimeStamp; | ++// | ++// struct WIN_CERTIFICATE_UEFI_GUID { | | ++// struct WIN_CERTIFICATE { | | ++// UINT32 dwLength; ----------------------------------------+ | ++// UINT16 wRevision; | | ++// UINT16 wCertificateType; | | ++// } Hdr; | +- DataSize ++// | | ++// EFI_GUID CertType; | | ++// UINT8 CertData[1] = { <--- "struct hack" | | ++// struct EFI_SIGNATURE_LIST { | | | ++// EFI_GUID SignatureType; | | | ++// UINT32 SignatureListSize; -------------------------+ | | ++// UINT32 SignatureHeaderSize; | | | ++// UINT32 SignatureSize; ---------------------------+ | | | ++// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | ++// v | | | ++// struct EFI_SIGNATURE_DATA { | | | | ++// EFI_GUID SignatureOwner; | | | | ++// UINT8 SignatureData[1] = { <--- "struct hack" | | | | ++// X.509 payload | | | | ++// } | | | | ++// } Signatures[]; | | | ++// } SigLists[]; | | ++// }; | | ++// } AuthInfo; | | ++// }; | ++// ++// Given that the "struct hack" invokes undefined behavior (which is why C99 ++// introduced the flexible array member), and because subtracting those pesky ++// sizes of 1 is annoying, and because the format is fully specified in the ++// UEFI specification, we'll introduce two matching convenience structures that ++// are customized for our X.509 purposes. 
++// ++#pragma pack(1) ++typedef struct { ++ EFI_TIME TimeStamp; ++ ++ // ++ // dwLength covers data below ++ // ++ UINT32 dwLength; ++ UINT16 wRevision; ++ UINT16 wCertificateType; ++ EFI_GUID CertType; ++} SINGLE_HEADER; ++ ++typedef struct { ++ // ++ // SignatureListSize covers data below ++ // ++ EFI_GUID SignatureType; ++ UINT32 SignatureListSize; ++ UINT32 SignatureHeaderSize; // constant 0 ++ UINT32 SignatureSize; ++ ++ // ++ // SignatureSize covers data below ++ // ++ EFI_GUID SignatureOwner; ++ ++ // ++ // X.509 certificate follows ++ // ++} REPEATING_HEADER; ++#pragma pack() ++ ++/** ++ Enroll a set of DER-formatted X.509 certificates in a global variable, ++ overwriting it. ++ ++ The variable will be rewritten with NV+BS+RT+AT attributes. ++ ++ @param[in] VariableName The name of the variable to overwrite. ++ ++ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to ++ overwrite. ++ ++ @param[in] ... A list of ++ ++ IN CONST UINT8 *Cert, ++ IN UINTN CertSize, ++ IN CONST EFI_GUID *OwnerGuid ++ ++ triplets. If the first component of a triplet is ++ NULL, then the other two components are not ++ accessed, and processing is terminated. The list of ++ X.509 certificates is enrolled in the variable ++ specified, overwriting it. The OwnerGuid component ++ identifies the agent installing the certificate. ++ ++ @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert ++ value is NULL), or one of the CertSize values ++ is 0, or one of the CertSize values would ++ overflow the accumulated UINT32 data size. ++ ++ @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable ++ payload. ++ ++ @retval EFI_SUCCESS Enrollment successful; the variable has been ++ overwritten (or created). ++ ++ @return Error codes from gRT->GetTime() and ++ gRT->SetVariable(). ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++EnrollListOfX509Certs ( ++ IN CHAR16 *VariableName, ++ IN EFI_GUID *VendorGuid, ++ ... 
++ ) ++{ ++ UINTN DataSize; ++ SINGLE_HEADER *SingleHeader; ++ REPEATING_HEADER *RepeatingHeader; ++ VA_LIST Marker; ++ CONST UINT8 *Cert; ++ EFI_STATUS Status = EFI_SUCCESS; ++ UINT8 *Data; ++ UINT8 *Position; ++ ++ // ++ // compute total size first, for UINT32 range check, and allocation ++ // ++ DataSize = sizeof *SingleHeader; ++ VA_START (Marker, VendorGuid); ++ for (Cert = VA_ARG (Marker, CONST UINT8 *); ++ Cert != NULL; ++ Cert = VA_ARG (Marker, CONST UINT8 *)) { ++ UINTN CertSize; ++ ++ CertSize = VA_ARG (Marker, UINTN); ++ (VOID)VA_ARG (Marker, CONST EFI_GUID *); ++ ++ if (CertSize == 0 || ++ CertSize > MAX_UINT32 - sizeof *RepeatingHeader || ++ DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) { ++ Status = EFI_INVALID_PARAMETER; ++ break; ++ } ++ DataSize += sizeof *RepeatingHeader + CertSize; ++ } ++ VA_END (Marker); ++ ++ if (DataSize == sizeof *SingleHeader) { ++ Status = EFI_INVALID_PARAMETER; ++ } ++ if (EFI_ERROR (Status)) { ++ goto Out; ++ } ++ ++ Data = AllocatePool (DataSize); ++ if (Data == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ goto Out; ++ } ++ ++ Position = Data; ++ ++ SingleHeader = (SINGLE_HEADER *)Position; ++ Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL); ++ if (EFI_ERROR (Status)) { ++ goto FreeData; ++ } ++ SingleHeader->TimeStamp.Pad1 = 0; ++ SingleHeader->TimeStamp.Nanosecond = 0; ++ SingleHeader->TimeStamp.TimeZone = 0; ++ SingleHeader->TimeStamp.Daylight = 0; ++ SingleHeader->TimeStamp.Pad2 = 0; ++#if 0 ++ SingleHeader->dwLength = DataSize - sizeof SingleHeader->TimeStamp; ++#else ++ // ++ // This looks like a bug in edk2. According to the UEFI specification, ++ // dwLength is "The length of the entire certificate, including the length of ++ // the header, in bytes". That shouldn't stop right after CertType -- it ++ // should include everything below it. 
++ // ++ SingleHeader->dwLength = sizeof *SingleHeader ++ - sizeof SingleHeader->TimeStamp; ++#endif ++ SingleHeader->wRevision = 0x0200; ++ SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID; ++ CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid); ++ Position += sizeof *SingleHeader; ++ ++ VA_START (Marker, VendorGuid); ++ for (Cert = VA_ARG (Marker, CONST UINT8 *); ++ Cert != NULL; ++ Cert = VA_ARG (Marker, CONST UINT8 *)) { ++ UINTN CertSize; ++ CONST EFI_GUID *OwnerGuid; ++ ++ CertSize = VA_ARG (Marker, UINTN); ++ OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *); ++ ++ RepeatingHeader = (REPEATING_HEADER *)Position; ++ CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid); ++ RepeatingHeader->SignatureListSize = sizeof *RepeatingHeader + CertSize; ++ RepeatingHeader->SignatureHeaderSize = 0; ++ RepeatingHeader->SignatureSize = ++ sizeof RepeatingHeader->SignatureOwner + CertSize; ++ CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid); ++ Position += sizeof *RepeatingHeader; ++ ++ CopyMem (Position, Cert, CertSize); ++ Position += CertSize; ++ } ++ VA_END (Marker); ++ ++ ASSERT (Data + DataSize == Position); ++ ++ Status = gRT->SetVariable (VariableName, VendorGuid, ++ (EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS | ++ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), ++ DataSize, Data); ++ ++FreeData: ++ FreePool (Data); ++ ++Out: ++ if (EFI_ERROR (Status)) { ++ AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName, ++ VendorGuid, Status); ++ } ++ return Status; ++} ++ ++ ++STATIC ++EFI_STATUS ++EFIAPI ++GetExact ( ++ IN CHAR16 *VariableName, ++ IN EFI_GUID *VendorGuid, ++ OUT VOID *Data, ++ IN UINTN DataSize, ++ IN BOOLEAN AllowMissing ++ ) ++{ ++ UINTN Size; ++ EFI_STATUS Status; ++ ++ Size = DataSize; ++ Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data); ++ if (EFI_ERROR (Status)) { ++ if (Status == EFI_NOT_FOUND && AllowMissing) { ++ ZeroMem (Data, 
DataSize); ++ return EFI_SUCCESS; ++ } ++ ++ AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName, ++ VendorGuid, Status); ++ return Status; ++ } ++ ++ if (Size != DataSize) { ++ AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, " ++ "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size); ++ return EFI_PROTOCOL_ERROR; ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++typedef struct { ++ UINT8 SetupMode; ++ UINT8 SecureBoot; ++ UINT8 SecureBootEnable; ++ UINT8 CustomMode; ++ UINT8 VendorKeys; ++} SETTINGS; ++ ++STATIC ++EFI_STATUS ++EFIAPI ++GetSettings ( ++ OUT SETTINGS *Settings ++ ) ++{ ++ EFI_STATUS Status; ++ ++ Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, ++ &Settings->SetupMode, sizeof Settings->SetupMode, FALSE); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, ++ &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME, ++ &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable, ++ sizeof Settings->SecureBootEnable, TRUE); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, ++ &Settings->CustomMode, sizeof Settings->CustomMode, FALSE); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, ++ &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE); ++ return Status; ++} ++ ++STATIC ++VOID ++EFIAPI ++PrintSettings ( ++ IN CONST SETTINGS *Settings ++ ) ++{ ++ AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d " ++ "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot, ++ Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys); ++} ++ ++ ++INTN ++EFIAPI ++ShellAppMain ( ++ IN UINTN Argc, ++ IN CHAR16 **Argv ++ ) 
++{ ++ EFI_STATUS Status; ++ SETTINGS Settings; ++ ++ Status = GetSettings (&Settings); ++ if (EFI_ERROR (Status)) { ++ return 1; ++ } ++ PrintSettings (&Settings); ++ ++ if (Settings.SetupMode != 1) { ++ AsciiPrint ("error: already in User Mode\n"); ++ return 1; ++ } ++ ++ if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) { ++ Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE; ++ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, ++ (EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS), ++ sizeof Settings.CustomMode, &Settings.CustomMode); ++ if (EFI_ERROR (Status)) { ++ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME, ++ &gEfiCustomModeEnableGuid, Status); ++ return 1; ++ } ++ } ++ ++ Status = EnrollListOfX509Certs ( ++ EFI_IMAGE_SECURITY_DATABASE, ++ &gEfiImageSecurityDatabaseGuid, ++ MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid, ++ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid, ++ NULL); ++ if (EFI_ERROR (Status)) { ++ return 1; ++ } ++ ++ Status = EnrollListOfX509Certs ( ++ EFI_KEY_EXCHANGE_KEY_NAME, ++ &gEfiGlobalVariableGuid, ++ ExampleCert, sizeof ExampleCert, &gEfiCallerIdGuid, ++ MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid, ++ NULL); ++ if (EFI_ERROR (Status)) { ++ return 1; ++ } ++ ++ Status = EnrollListOfX509Certs ( ++ EFI_PLATFORM_KEY_NAME, ++ &gEfiGlobalVariableGuid, ++ ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid, ++ NULL); ++ if (EFI_ERROR (Status)) { ++ return 1; ++ } ++ ++ Settings.CustomMode = STANDARD_SECURE_BOOT_MODE; ++ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, ++ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof Settings.CustomMode, &Settings.CustomMode); ++ if (EFI_ERROR (Status)) { ++ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME, ++ &gEfiCustomModeEnableGuid, Status); ++ return 1; ++ } ++ ++ Status = GetSettings (&Settings); ++ if (EFI_ERROR (Status)) { ++ 
return 1; ++ } ++ PrintSettings (&Settings); ++ ++ if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 || ++ Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 || ++ Settings.VendorKeys != 0) { ++ AsciiPrint ("error: unexpected\n"); ++ return 1; ++ } ++ ++ AsciiPrint ("info: success\n"); ++ return 0; ++} +diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +new file mode 100644 +index 0000000..ac919bb +--- /dev/null ++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +@@ -0,0 +1,51 @@ ++## @file ++# Enroll default PK, KEK, DB. ++# ++# Copyright (C) 2014, Red Hat, Inc. ++# ++# This program and the accompanying materials are licensed and made available ++# under the terms and conditions of the BSD License which accompanies this ++# distribution. The full text of the license may be found at ++# http://opensource.org/licenses/bsd-license. ++# ++# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, ++# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED. 
++## ++ ++[Defines] ++ INF_VERSION = 0x00010006 ++ BASE_NAME = EnrollDefaultKeys ++ FILE_GUID = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A ++ MODULE_TYPE = UEFI_APPLICATION ++ VERSION_STRING = 0.1 ++ ENTRY_POINT = ShellCEntryLib ++ ++# ++# VALID_ARCHITECTURES = IA32 X64 ++# ++ ++[Sources] ++ EnrollDefaultKeys.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ShellPkg/ShellPkg.dec ++ ++[Guids] ++ gEfiCertPkcs7Guid ++ gEfiCertX509Guid ++ gEfiCustomModeEnableGuid ++ gEfiGlobalVariableGuid ++ gEfiImageSecurityDatabaseGuid ++ gEfiSecureBootEnableDisableGuid ++ ++[LibraryClasses] ++ BaseMemoryLib ++ DebugLib ++ MemoryAllocationLib ++ ShellCEntryLib ++ UefiLib ++ UefiRuntimeServicesTableLib +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index fa9661c..e2e6ba3 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -764,6 +764,10 @@ + + !if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf ++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf { ++ <LibraryClasses> ++ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf ++ } + !endif + + OvmfPkg/PlatformDxe/Platform.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 667584a..a0ae1aa 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -773,6 +773,10 @@ + + !if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf ++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf { ++ <LibraryClasses> ++ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf ++ } + !endif + + OvmfPkg/PlatformDxe/Platform.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 5ae8469..87cee52 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -771,6 +771,10 @@ + + !if $(SECURE_BOOT_ENABLE) == TRUE + 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf ++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf { ++ <LibraryClasses> ++ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf ++ } + !endif + + OvmfPkg/PlatformDxe/Platform.inf diff --git a/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks new file mode 100644 index 0000000..1d2f16b --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks @@ -0,0 +1,4 @@ +# short-description: Create an EFI disk image with just the EFI system partition + +part / --source rootfs --ondisk sda --fstype=vfat --align 1024 +bootloader --ptable gpt --timeout=5 diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index c4eedf0..ef61b16 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ SRC_URI_append_class-target = " \ http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \ + file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \ " SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" @@ -136,6 +137,9 @@ do_compile_class-target() { ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd + for i in Shell.efi EnrollDefaultKeys.efi; do + ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i + done } do_install_class-native() { 
@@ -147,8 +151,20 @@ do_install_class-target() { # Traditional location. install -d ${D}${datadir}/ovmf install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin + # Content for UEFI shell iso. We install the EFI shell as + # bootx64/ia32.efi because then it can be started even when the + # firmware itself does not contain it. + install -d ${D}/efi/boot + install ${WORKDIR}/ovmf/Shell.efi ${D}/efi/boot/boot${@ "ia32" if "${TARGET_ARCH}" != "x86_64" else "x64"}.efi + install ${WORKDIR}/ovmf/EnrollDefaultKeys.efi ${D} } +PACKAGES =+ "ovmf-shell-efi" +FILES_ovmf-shell-efi = " \ + EnrollDefaultKeys.efi \ + efi/ \ +" + inherit deploy do_deploy() { } -- 2.1.4 ^ permalink raw reply related [flat|nested] 35+ messages in thread
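Review bot: the three .dsc hunks (OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc, OvmfPkgX64.dsc) add `OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf` to the components under `!if $(SECURE_BOOT_ENABLE) == TRUE`, which builds the application as a stand-alone .efi; unless it is also listed in an .fdf (no .fdf hunk is visible here) it is not embedded in OVMF.fd, which matches the recipe picking it up from `${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi`. A sentence in the patch description stating that the application is meant to be run from the shell image rather than shipped inside the firmware would make that intent clear, and the `ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf` override repeated in all three files could reference the same reasoning.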
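Review bot: in the ovmf-shell-image.wks hunk the partition is created with `part / --source rootfs --ondisk sda --fstype=vfat --align 1024` and `bootloader --ptable gpt --timeout=5`, so the GPT entry carries no EFI System Partition type (wic's `--part-type` is not set). The recipe comment relies on the firmware discovering efi/boot/boot*.efi on that plain FAT volume; either set the ESP partition type via `--part-type` or add a comment to the .wks saying that removable-media style discovery on a plain FAT partition is what is being relied on, so the next person does not "fix" it by accident.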
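Review bot: the new loop in the do_compile_class-target hunk, `ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i`, hard-links without `-f`, so a re-executed do_compile with the links already present in ${WORKDIR}/ovmf fails with "File exists" instead of refreshing them; the pre-existing `ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd` has the same problem, so switching all of them to `ln -f` (or `install`) keeps the task re-runnable.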
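Review bot: in the do_install_class-target hunk the boot file name is computed as `boot${@ "ia32" if "${TARGET_ARCH}" != "x86_64" else "x64"}.efi`, which yields bootia32.efi for every TARGET_ARCH other than x86_64; the do_compile hunk already keys the build on OVMF_ARCH (`-a $OVMF_ARCH`, `${build_dir}/${OVMF_ARCH}/$i`), so deriving the name from the same variable keeps both in step instead of silently producing the wrong file name if the recipe is ever extended beyond x86. The comment above it says "Content for UEFI shell iso" while the new ovmf-shell-image.wks describes "an EFI disk image with just the EFI system partition"; one of the two should be corrected. Finally, `install ${WORKDIR}/ovmf/EnrollDefaultKeys.efi ${D}` drops the binary at the package root without an explicit `-m`, and the `FILES_ovmf-shell-efi` list packages `EnrollDefaultKeys.efi` and `efi/` from the root of the filesystem; a short comment on why the enrollment tool lives at the root next to efi/ (presumably so it can be started from the shell with a short path) would help readers of the recipe.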
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Fathi Boudra @ 2016-12-21 14:19 UTC
To: Patrick Ohly; +Cc: Neri, Ricardo, openembedded-core

Hi,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> There seems to be a consensus that supporting UEFI in OE-core for qemu
> would be valuable, and there have been some (stalled) attempts to add
> it. For reference, see:
> [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
> [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
> https://github.com/01org/luv-yocto/issues/38
>
> This patch set includes the necessary recipes (ovmf and iasl from
> meta-luv), some improvements to them (in particular, enabling Secure
> Boot), and changes to runqemu to make it easier to boot with UEFI. A
> special image recipe builds an image which can be used to lock down a
> virtual machine by enrolling the "normal" pre-installed certificates.
>
> I decided to keep the setup simple and use just a single file for UEFI
> code and variables because that makes the usage via runqemu very
> easy. See the "runqemu: support UEFI with OVMF firmware" patch for
> details. The downside is that the firmware can't be updated without
> losing variables. I don't see a big need for long-lived virtual
> machine instances, but would like to hear from others about that.
>
> What's missing is automated testing of this new feature. I'm open for
> suggestions here; right now I don't know enough about the automated
> testing in the AB to propose something.
>
> I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
> moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
> would you be willing to act as maintainer of it there, like you did in
> meta-luv?

fwiw, I've been maintaining the acpica recipe in meta-oe, and will keep an
eye here as well.
meta-luv supports both x86* and arm*, and we have an interest in
having the same features available and working for qemuaarch64.

> Beware that "git am --keep-cr" must be used to import the ovmf patches
> correctly.
>
> The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:
>
>   Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)
>
> are available in the git repository at:
>
>   git://github.com/pohly/openembedded-core secure-boot
>   https://github.com/pohly/openembedded-core/tree/secure-boot
>
> Patrick Ohly (7):
>   ovmf: explicitly depend on nasm-native
>   ovmf: deploy firmware in image directory
>   ovmf_git.bb: enable parallel compilation
>   ovmf_git.bb: enable Secure Boot
>   runqemu: let command line parameters override defaults
>   runqemu: support UEFI with OVMF firmware
>   ovmf: build image which enrolls standard keys
>
> meta-luv (2):
>   ovmf: move from meta-luv to OE-core
>   iasl: move from meta-luv to OE-core
>
>  meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
>  ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
>  .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
>  ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
>  ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
>  ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
>  meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
>  meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
>  scripts/runqemu                                    |   37 +-
>  12 files changed, 1673 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
>  create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> --
> 2.1.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Cheers,
--
Fathi
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Ricardo Neri @ 2016-12-28 2:56 UTC
To: Fathi Boudra; +Cc: openembedded-core

On Wed, 2016-12-21 at 16:19 +0200, Fathi Boudra wrote:
>
> fwiw, I've been maintaining the acpica recipe in meta-oe, and will keep an
> eye here as well.
> meta-luv supports both x86* and arm*, and we have an interest in
> having the same features available and working for qemuaarch64.

I was not aware of this. Perhaps there is no need for us to maintain a
separate recipe in meta-luv.
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Patrick Ohly @ 2016-12-28 19:27 UTC
To: Ricardo Neri; +Cc: openembedded-core

On Tue, 2016-12-27 at 18:56 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 16:19 +0200, Fathi Boudra wrote:
> >
> > fwiw, I've been maintaining the acpica recipe in meta-oe, and will keep an
> > eye here as well.
> > meta-luv supports both x86* and arm*, and we have an interest in
> > having the same features available and working for qemuaarch64.
>
> I was not aware of this. Perhaps there is no need for us to maintain a
> separate recipe in meta-luv.

Looks like there is consensus that maintaining an acpica recipe in
OE-core is the right approach. I'll prepare a revision of this patch
series that includes acpica instead of iasl and also addresses the
other points that Ricardo raised.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Ricardo Neri @ 2016-12-28 23:26 UTC
To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-28 at 20:27 +0100, Patrick Ohly wrote:
> > > fwiw, I've been maintaining the acpica recipe in meta-oe, and will keep an
> > > eye here as well.
> > > meta-luv supports both x86* and arm*, and we have an interest in
> > > having the same features available and working for qemuaarch64.
> >
> > I was not aware of this. Perhaps there is no need for us to maintain a
> > separate recipe in meta-luv.
>
> Looks like there is consensus that maintaining an acpica recipe in
> OE-core is the right approach. I'll prepare a revision of this patch
> series that includes acpica instead of iasl and also addresses the
> other points that Ricardo raised.

Just to be clear. I meant that it would be better for meta-luv to
leverage the acpica recipe present in meta-OE :).
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Ricardo Neri @ 2016-12-28 2:55 UTC
To: Patrick Ohly; +Cc: openembedded-core

On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> There seems to be a consensus that supporting UEFI in OE-core for qemu
> would be valuable, and there have been some (stalled) attempts to add
> it. For reference, see:
> [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
> [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
> https://github.com/01org/luv-yocto/issues/38
>
> This patch set includes the necessary recipes (ovmf and iasl from
> meta-luv), some improvements to them (in particular, enabling Secure
> Boot), and changes to runqemu to make it easier to boot with UEFI. A
> special image recipe builds an image which can be used to lock down a
> virtual machine by enrolling the "normal" pre-installed certificates.
>
> I decided to keep the setup simple and use just a single file for UEFI
> code and variables because that makes the usage via runqemu very
> easy. See the "runqemu: support UEFI with OVMF firmware" patch for
> details. The downside is that the firmware can't be updated without
> losing variables. I don't see a big need for long-lived virtual
> machine instances, but would like to hear from others about that.
>
> What's missing is automated testing of this new feature. I'm open for
> suggestions here; right now I don't know enough about the automated
> testing in the AB to propose something.

I guess that tests could be written for buildbot. In the LUV buildbot,
we build OVMF as part of our sanity tests for LUV. We do it mostly
because we need to boot some UEFI firmware in qemu, though. We don't
extensively test OVMF. We also build OVMF with Secure Boot separately.
Now that you have kindly written the recipe, we want to leverage it. :)

>
> I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
> moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
> would you be willing to act as maintainer of it there, like you did in
> meta-luv?

Yes, I can keep doing the same work I did in meta-luv for OVMF now in
OE-core.

Thanks and BR,
Ricardo

>
> Beware that "git am --keep-cr" must be used to import the ovmf patches
> correctly.
>
> The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:
>
>   Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)
>
> are available in the git repository at:
>
>   git://github.com/pohly/openembedded-core secure-boot
>   https://github.com/pohly/openembedded-core/tree/secure-boot
>
> Patrick Ohly (7):
>   ovmf: explicitly depend on nasm-native
>   ovmf: deploy firmware in image directory
>   ovmf_git.bb: enable parallel compilation
>   ovmf_git.bb: enable Secure Boot
>   runqemu: let command line parameters override defaults
>   runqemu: support UEFI with OVMF firmware
>   ovmf: build image which enrolls standard keys
>
> meta-luv (2):
>   ovmf: move from meta-luv to OE-core
>   iasl: move from meta-luv to OE-core
>
>  meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
>  ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
>  .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
>  ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
>  ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
>  ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
>  meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
>  meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
>  scripts/runqemu                                    |   37 +-
>  12 files changed, 1673 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
>  create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> --
> 2.1.4
>
Thread overview: 35+ messages

2016-12-21 13:11 [PATCH 0/9] UEFI + Secure Boot + qemu Patrick Ohly
2016-12-21 13:11 ` [PATCH 1/9] ovmf: move from meta-luv to OE-core Patrick Ohly
2016-12-28  2:58   ` Ricardo Neri
2016-12-21 13:11 ` [PATCH 2/9] iasl: move from meta-luv to OE-core Patrick Ohly
2016-12-21 14:11   ` Fathi Boudra
2016-12-21 15:38   ` Patrick Ohly
2016-12-21 18:17   ` Fathi Boudra
2016-12-28  3:08   ` Ricardo Neri
2016-12-21 13:11 ` [PATCH 3/9] ovmf: explicitly depend on nasm-native Patrick Ohly
     [not found]   ` <1482893989.106950.45.camel@ranerica-desktop>
2017-01-04 12:56   ` Patrick Ohly
2016-12-21 13:11 ` [PATCH 4/9] ovmf: deploy firmware in image directory Patrick Ohly
2016-12-28  3:12   ` Ricardo Neri
2016-12-28 21:38   ` Ricardo Neri
2016-12-28 23:25   ` Ricardo Neri
2017-01-04 10:01   ` Patrick Ohly
2017-01-10  3:50   ` Ricardo Neri
2017-01-10  7:32   ` Patrick Ohly
2016-12-21 13:11 ` [PATCH 5/9] ovmf_git.bb: enable parallel compilation Patrick Ohly
2016-12-28  3:17   ` Ricardo Neri
2016-12-21 13:11 ` [PATCH 6/9] ovmf_git.bb: enable Secure Boot Patrick Ohly
2016-12-28 22:54   ` Ricardo Neri
2017-01-04 10:10   ` Patrick Ohly
2017-01-10  3:51   ` Ricardo Neri
2016-12-21 13:11 ` [PATCH 7/9] runqemu: let command line parameters override defaults Patrick Ohly
2016-12-21 13:11 ` [PATCH 8/9] runqemu: support UEFI with OVMF firmware Patrick Ohly
2016-12-28 23:33   ` Ricardo Neri
2017-01-04  9:43   ` Patrick Ohly
2017-01-10  3:50   ` Ricardo Neri
2017-01-10  7:29   ` Patrick Ohly
2016-12-21 13:11 ` [PATCH 9/9] ovmf: build image which enrolls standard keys Patrick Ohly
2016-12-21 14:19 ` [PATCH 0/9] UEFI + Secure Boot + qemu Fathi Boudra
2016-12-28  2:56   ` Ricardo Neri
2016-12-28 19:27   ` Patrick Ohly
2016-12-28 23:26   ` Ricardo Neri
2016-12-28  2:55 ` Ricardo Neri