From: "Su, Bao Cheng" <baocheng.su@siemens.com>
To: "cip-dev@lists.cip-project.org" <cip-dev@lists.cip-project.org>
Cc: "Schultschik, Sven" <sven.schultschik@siemens.com>,
	"Kiszka, Jan" <jan.kiszka@siemens.com>
Subject: Re: [cip-dev] [isar-cip-core][PATCH 1/8] add recipe for edk2
Date: Mon, 9 Jan 2023 06:42:32 +0000
Message-ID: <ce17712b66a6faf582f44903a2732cf6a48c6db6.camel@siemens.com>
In-Reply-To: <20221120204711.5826-2-sven.schultschik@siemens.com>

On Sun, 2022-11-20 at 21:47 +0100, Schultschik, Sven via
lists.cip-project.org wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
> 
> provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependency.
> 
> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> ---
>  .../edk2/edk2-platformstandalonemmrpmb.inc    | 56 +++++++++++++++++
>  .../edk2-platformstandalonemmrpmb_202205.bb   | 12 ++++
>  recipes-bsp/edk2/files/rules.tmpl             | 61 +++++++++++++++++++
>  3 files changed, 129 insertions(+)
>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
>  create mode 100755 recipes-bsp/edk2/files/rules.tmpl
> 
> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
> new file mode 100644
> index 0000000..3277cc8
> --- /dev/null
> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
> @@ -0,0 +1,56 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +#  Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +HOMEPAGE = "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=9P%2FE9X1XBTC3KyoKEEdnFQMk75K0kWyJ27GIaNYLt8I%3D&amp;reserved=0"
> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> +LICENSE = "BSD-2-Clause-Patent"
> +
> +inherit dpkg
> +
> +SRC_URI = "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2%2Farchive%2Frefs%2Ftags%2Fedk2-stable%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=iRpR%2FuUjJ7fm14hsvfXPeWP6IlyaUzHToet79uU2e4Y%3D&amp;reserved=0{PV}.tar.gz;name=edk2 \
> +    https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fgoogle%2Fbrotli%2Farchive%2F%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=pxp4gT%2Fm7pxMANDx0oXWpjknB%2ByUWFupdtQQsZn%2B1g8%3D&amp;reserved=0{SRC_REV_brotli}.tar.gz;name=brotli \
> +    https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Farchive%2Frefs%2Ftags%2F%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=po8JpMAv3G51dPOvS6lDetWvdZiY6LjDruaR%2BejGESA%3D&amp;reserved=0{SRC_REV_openssl}.tar.gz;name=openssl \
> +    git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;name=edk2-platforms \
> +    file://rules.tmpl \
> +    "
> +SRC_URI[edk2.sha256sum] = "e6cf93bae78b30a10732b8afb5cc438735dc9ec976ae65d12dab041c18bb7987"
> +SRC_URI[brotli.sha256sum] = "6d6cacce05086b7debe75127415ff9c3661849f564fe2f5f3b0383d48aa4ed77"
> +SRC_URI[openssl.sha256sum] = "6b2d2440ced8c802aaa61475919f0870ec556694c466ebea460e35ea2b14839e"
> +
> +SRC_REV_brotli          = "f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
> +SRC_REV_openssl         = "OpenSSL_1_1_1n"
> +SRCREV_edk2-platforms   = "3b896d1a325686de3942723c42f286090453e37a"
> +
> +S = "${WORKDIR}/git"
> +
> +DEBIAN_BUILD_DEPENDS = "python3:native, dh-python, uuid-dev:native"
> +
> +EDK2_BINARIES ?= "Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd"
> +
> +BUILD_DEPENDS   += ""
> +
> +TEMPLATE_FILES = "rules.tmpl"
> +
> +do_prepare_build() {
> +    deb_debianize
> +
> +    mkdir -p ${S}/edk2
> +    cp -a ${WORKDIR}/edk2-edk2-stable${PV}/* "${S}/edk2/"
> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/BaseTools/Source/C/BrotliCompress/brotli"
> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli"
> +    cp -a ${WORKDIR}/openssl-${SRC_REV_openssl}/* "${S}/edk2/CryptoPkg/Library/OpensslLib/openssl"
> +
> +    rm -f ${S}/debian/edk2.install
> +    for binary in ${EDK2_BINARIES}; do
> +        echo "$binary /usr/lib/edk2/" >> \
> +            ${S}/debian/edk2-platformstandalonemmrpmb.install
> +    done
> +}
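
Review bot: in do_prepare_build the cleanup and the write target different files: `rm -f ${S}/debian/edk2.install` removes one name, while the loop appends with `>>` to `${S}/debian/edk2-platformstandalonemmrpmb.install`. Nothing in the visible lines resets the file that is actually written, so a re-run of the task can leave duplicate install entries. Remove the same file that the loop writes (for example by deriving both names from ${PN}). Separately, `BUILD_DEPENDS   += ""` adds nothing and can be dropped.
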
> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
> new file mode 100644
> index 0000000..84761c9
> --- /dev/null
> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb

2022.05 is a somewhat older version; the latest ones are 2022.08 and even
2022.11.

Not sure if there are any security updates between these versions, but I
would blindly use the newer version.

- Baocheng

> @@ -0,0 +1,12 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +#  Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require edk2-platformstandalonemmrpmb.inc
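
Review bot: the version-specific pins should live in this versioned recipe rather than in the shared file pulled in by `require edk2-platformstandalonemmrpmb.inc`. The .inc builds the edk2 tarball name from ${PV} but hard-codes SRC_URI[edk2.sha256sum], SRC_REV_brotli, SRC_REV_openssl and SRCREV_edk2-platforms, so a second `_<version>.bb` that requires the same .inc would reuse the 202205 checksum and sub-component revisions. Either move those assignments into this file or drop the .inc split and keep a single recipe.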

Sorry, after some rethinking, I think maybe it's not a good idea to
support multiple versions of EDK2, since:

1. EDK2 has too many sub-components. If multiple versions need to be
supported, somebody has to maintain a list of these sub-components for each
version, which might not be an easy job. Also, it's hard to notice if the
wrong versions of some sub-components are selected. So it would increase
the chance of making mistakes.

2. Unlike the kernel, there should be no real requirement to use different
versions of EDK2 stmm for different products/projects. From a security
point of view, the latest security version should always be used.

3. Best practice, per my understanding, is that we have a unified EDK2-stmm
version in cip-core and downstreams just use it. If a new version is
required, then upstream it into cip-core.

- Baocheng

> diff --git a/recipes-bsp/edk2/files/rules.tmpl b/recipes-bsp/edk2/files/rules.tmpl
> new file mode 100755
> index 0000000..388e49a
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/rules.tmpl
> @@ -0,0 +1,61 @@
> +#!/usr/bin/make -f
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +export WORKSPACE=$(shell pwd)
> +export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
> +export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
> +
> +# https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2-platforms%2Fblob%2Fmaster%2FReadme.md%23if-cross-compiling&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=FewD9iEjYriBF2%2FwENcbaS594qR18lg%2BQZ8HgHRt6JQ%3D&amp;reserved=0
> +ifeq (arm64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'AARCH64'
> +else ifeq ((armhf,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'ARM'
> +else ifeq ((amd64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'X64'
> +else ifeq ((i386,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'IA32'
> +else
> +$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
> +endif
> +# When cross-compiling, or building with a different version of the compiler than
> +# the default `gcc`, we additionally need to inform the
> +# build command which toolchain to use. We do this by setting the environment
> +# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
> +# **GCC5_AARCH64_PREFIX**.
> +# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
> +# using export here at TOP Level does not work, because
> +# GCC5_$(TARGET_ARCH)_PREFIX gets deleted again for what reason ever
> +# Therefore it is set right before the build command
> +# export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-
> +
> +
> +export SHELL=/bin/bash
> +
> +# ENV Vars which should get set by edksetup.sh
> +export PYTHON_COMMAND=python3
> +export PYTHONHASHSEED=1
> +export CONF_PATH=$(WORKSPACE)/edk2/Conf
> +export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
> +export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> +
> +override_dh_auto_build:
> +	source edk2/edksetup.sh --reconfig
> +
> +	CFLAGS= LDFLAGS=  make -C edk2/BaseTools
> +
> +	(export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)- && \
> +		build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc))
> +
> +override_dh_auto_install:
> +
> +override_dh_auto_test:
> +
> +%:
> +	dh $@ --no-parallel
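
Review bot: the architecture selection has a doubled opening parenthesis in three branches, `else ifeq ((armhf,$(DEB_TARGET_ARCH))`, and the same for amd64 and i386, so those comparisons are malformed and only the arm64 branch is written correctly; each should read `else ifeq (armhf,$(DEB_TARGET_ARCH))`. In the exported PATH, `BinWrappers/PosixLike::/usr/local/sbin` contains an empty entry, which the shell resolves as the current directory, so the build can pick up executables from the working tree; use a single `:` there. The single quotes in `export TARGET_ARCH = 'AARCH64'` are also literal in make, so they end up in the `Linux-$(TARGET_ARCH)` path component; dropping the quotes avoids that.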