- ovmf-rpmlintrc: Add wildcard to make the filter effective on 15.x

again

OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=295
Dirk Mueller 2024-09-24 11:29:51 +00:00 committed by Git OBS Bridge
commit 657c31e211
41 changed files with 12812 additions and 0 deletions

23
.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file

@ -0,0 +1 @@
.osc

185
README Normal file

@ -0,0 +1,185 @@
Running the OVMF image in qemu
==============================
The easiest way to run the OVMF image is to specify a pflash device for the
firmware file. Here is the example to use OVMF in the flash mode:
$ cp /usr/share/qemu/ovmf-x86_64.bin .
$ qemu-system-x86_64 -pflash ovmf-x86_64.bin
Please make sure the file is writable before using the flash mode, or all
your changes won't be saved.
Starting from r15670, two extra firmware files are provided for the flash mode:
ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be
stored in ovmf-*-vars.bin. Example:
$ cp /usr/share/qemu/ovmf-x86_64-vars.bin .
$ qemu-system-x86_64 \
-drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-code.bin \
-drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-vars.bin
It would be easier to manage the NV variables with the separated vars firmware.
NOTE: Running OVMF with '-bios' is deprecated and should not be used anymore.
Variable Stores with preloaded keys
-----------------------------------
Besides the generic OVMF images, there are images preloaded with different
vendor keys.
ovmf-x86_64-smm-ms-vars.bin
- PK: SUSE Linux Enterprise Secure Boot CA
- KEK: Microsoft Corporation KEK CA 2011, SUSE Linux Enterprise Secure Boot CA
- db: Microsoft Corporation UEFI CA 2011, Microsoft Windows Production PCA 2011
ovmf-x86_64-smm-opensuse-vars.bin
- PK: openSUSE Secure Boot CA
- KEK: openSUSE Secure Boot CA
- db: openSUSE Secure Boot CA
ovmf-x86_64-smm-suse-vars.bin
- PK: SUSE Linux Enterprise Secure Boot CA
- KEK: SUSE Linux Enterprise Secure Boot CA
- db: SUSE Linux Enterprise Secure Boot CA
Note that the preloaded key images are all 64 bit because openSUSE/SLE and
Windows only support Secure Boot in 64 bit mode.
Those variable stores are created with EnrollDefaultKeys.efi which enrolls
the Microsoft keys into KEK and db. It also reads the key from SMBIOS Type 11
and enrolls the key into PK and KEK. If the "--no-default" switch is provided,
the program will ignore the Microsoft keys and enroll the key from SMBIOS into
db instead.
x86_64 4MB images
-----------------
The OVMF upstream decides to switch the default flash size to 4MB since
the edk2 commit 1c47fcd465a496. It's mainly for Windows HCK which requests
a larger variable store. To maintain the backward compatibility, the 4MB
images are built separately. Only those images with 4m, e.g. ovmf-x86_64-4m.bin,
are the 4MB images. Otherwise, it's built with FD_SIZE_2MB, i.e. a 2MB image.
x86_64 SMM Support
------------------
The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images
with SMM support. SMM provides better (virtual) hardware separation between
the guest OS and the firmware to prevent the runtime guest OS from tampering
with the variable store and S3 areas, so it's recommended to enable SMM along
with Secure Boot. Here are the requirements to use the SMM images:
* SMM support requires QEMU 2.5.
* The minimum required QEMU machine type is "pc-q35-2.5".
* SMM with KVM requires Linux 4.4 (host).
Here are the qemu commands to start a VM with SMM support:
$ cp /usr/share/qemu/ovmf-x86_64-smm-vars.bin .
$ qemu-system-x86_64 \
-machine q35,smm=on,accel=(tcg|kvm) \
-global driver=cfi.pflash01,property=secure,value=on \
-drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-smm-code.bin \
-drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-smm-vars.bin \
-global ICH9-LPC.disable_s3=1 \
...
NOTE: The pflash variable store is required to use OVMF with SMM.
Creating Platform and Key Exchange keys
=======================================
A note about terminology. In UEFI terms, "key" means certificate (not the
openssl key). UEFI keys are required to be based on RSA 2048 bit keys.
The Platform key and Key Exchange Keys should be the equivalent of CA root
certificates (i.e. a self signed certificate). Note that in current tianocore
OVMF, the input certificates, if taken from external media, *must* be in a
file with a .cer extension and in DER format.
The platform key is the key which controls updates to the Key Exchange Key
database. The Key Exchange Key controls updates to the signature databases.
Note that if the Key Exchange Key is an X509 key, any key which has the KEK as
its root signature can also be used to validate an efi binary without need for
any entries in the signatures database.
Create Platform Key (PK)
------------------------
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <length>
Note that the Key is PK.crt (PK.key is the private key you use to sign other
certificates)
Now convert to DER format
openssl x509 -in PK.crt -out PK.cer -outform DER
The file PK.cer can be placed on a USB key for enrolling as the platform key.
Create Key Exchange Key (KEK)
-----------------------------
This is done exactly as the Platform key above, except call the file KEK.cer
instead.
Note, for expermentation purposes, there's no reason the KEK and the PK can't
be the same certificate.
Creating derived keys from the KEK
----------------------------------
This process can be used to create subordinate keys which can be used to sign
efi binaries (since their roots can be traced back to the KEK).
openssl req -new -newkey rsa:2048 -keyout new.key -out new.csr -days <length>
Now sign the certificate request with the KEK:
openssl x509 -req -in new.csr -CA KEK.crt -CAkey KEK.key -set_serial 1 -out new.crt
Note that since the new key doesn't have to be enrolled in the platform
because its root of trust can be traced back to the KEK, there's no need to
create a DER form of the key (the sbsign utilites used to sign efi binaries
take the key.crt file which is in PEM form).
Running the UEFI ARM image in qemu
==================================
There are two flavors of the UEFI ARM images: AArch32 and AArch64.
For the AArch64 image, use the following command:
qemu-system-aarch64 -m 1024 -M virt -cpu cortex-a57 -bios /usr/share/qemu/qemu-uefi-aarch64.bin -serial stdio
For AArch32:
qemu-system-arm -m 1024 -M virt -cpu cortex-a15 -bios /usr/share/qemu/qemu-uefi-aarch32.bin -serial stdio
Source Level Debugging
======================
It's possible to debug OVMF with gdb connecting to qemu with the following
steps:
(1) install the debug package: qemu-ovmf-x86_64-debug
(2) Start the virtual machine with '-s' or "-gdb tcp::1234"
(3) Start gdb in another terminal and issue the following commands:
(gdb) set architecture i386:x86-64:intel
(gdb) target remote localhost:1234
(gdb) source /usr/share/ovmf-x86_64/gdb_uefi-ovmf-x86_64-<flavor>.py
(gdb) reload-uefi -o /usr/lib/debug/ovmf-x86_64/DebugPkg/GdbSyms/GdbSyms/DEBUG/GdbSyms.dll
(4) Happy debugging
Reference: https://www.mail-archive.com/edk2-devel@lists.sourceforge.net/msg07075.html
Note: It's also possible to debug OVMF with Xen, but the way to set up the port
is differnt. Instead of adding the port number to qemu, you need gdbsx.
Before starting gdb, execute this command:
# gdbsx -a <domainid> 64 1234
Then gdbsx will listen to port 1234 for the specific domainU. The rest is
the same as qemu.
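
Review bot: In "Creating derived keys from the KEK", `-days <length>` sits on the `openssl req -new` line that only produces new.csr, where OpenSSL ignores it because no certificate is generated, while the `openssl x509 -req ... -out new.crt` line that actually issues the certificate has no `-days` and falls back to the 30-day default. Move `-days <length>` to the signing command so the derived signing certificate gets the intended lifetime. Two smaller points in the same file: the x86 section calls `-bios` deprecated but both ARM commands still use `-bios`, so say whether the note applies to ARM; and "expermentation", "utilites" and "differnt" are misspelled.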

7
_constraints Normal file

@ -0,0 +1,7 @@
<constraints>
<hardware>
<disk>
<size unit="G">6</size>
</disk>
</hardware>
</constraints>

14
_service Normal file

@ -0,0 +1,14 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="filename">ovmf</param>
<param name="versionformat">2017+git%at.%h</param>
<param name="revision">UDK2017</param>
<param name="url">https://github.com/tianocore/edk2.git</param>
<param name="scm">git</param>
</service>
<service name="recompress" mode="disabled">
<param name="compression">xz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="disabled"/>
</services>
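
Review bot: `revision` is UDK2017 and `versionformat` is `2017+git%at.%h`, but the tarballs added in this commit are edk2-edk2-stable202402.tar.gz and edk2-edk2-stable202405.tar.gz, so this service definition no longer describes how the packaged sources are obtained. All three services are `mode="disabled"`, so nothing breaks today, but either update the parameters to the stable tag in use or drop the file so nobody regenerates the tarball from the wrong branch.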

BIN
berkeley-softfloat-3-b64af41c3276f.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
descriptors.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

10
descriptors.tar.xz.README Normal file

@ -0,0 +1,10 @@
descriptors for libvirt
======================
All descriptors be maintained in SUSE repo on github:
https://github.com/SUSE/ovmf-descriptors
All elements of descriptor in .json have defined here:
https://gitlab.com/qemu/qemu/-/blob/master/docs/interop/firmware.json

BIN
edk2-edk2-stable202402.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
edk2-edk2-stable202405.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

365
gdb_uefi.py.in Normal file

@ -0,0 +1,365 @@
"""
Allows loading TianoCore symbols into a GDB session attached to EFI
Firmware.
This is how it works: build GdbSyms - it's a dummy binary that
contains the relevant symbols needed to find and load image symbols.
$ gdb
(gdb) taget remote ....
(gdb) source Scripts/gdb_uefi.py
(gdb) reload-uefi -o /path/to/GdbSyms.dll
The -o option should be used if you've debugging EFI, where the PE
images were converted from MACH-O or ELF binaries.
"""
import array
import getopt
import binascii
import re
__license__ = "BSD"
__version = "1.0.0"
__maintainer__ = "Andrei Warkentin"
__email__ = "andrey.warkentin@gmail.com"
__status__ = "Works"
# FOR RPM PACKAGE replace the strings in the spec file
build_path="__BUILD_PATH__"
source_path="__SOURCE_PATH__"
gdb_src_path="__GDB_SRC_PATH__"
flavor="__FLAVOR__"
class ReloadUefi (gdb.Command):
"""Reload UEFI symbols"""
#
# Various constants.
#
EINVAL = 0xffffffff
CV_NB10 = 0x3031424E
CV_RSDS = 0x53445352
CV_MTOC = 0x434F544D
DOS_MAGIC = 0x5A4D
PE32PLUS_MAGIC = 0x20b
EST_SIGNATURE = 0x5453595320494249
DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764,
[0xB7,0xA2,0x7A,0xFE,
0xFE,0xD9,0x5E, 0x8B]]
DEBUG_IS_UPDATING = 0x1
#
# If the images were built as ELF/MACH-O and then converted to PE,
# then the base address needs to be offset by PE headers.
#
offset_by_headers = False
def __init__ (self):
super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE)
#
# Returns gdb.Type for a type.
#
def type (self, typename):
return gdb.lookup_type (typename)
#
# Returns gdb.Type for a pointer to a type.
#
def ptype (self, typename):
return gdb.lookup_type (typename).pointer ()
#
# Computes CRC32 on an array of data.
#
def crc32 (self, data):
return binascii.crc32 (data) & 0xFFFFFFFF
#
# Sets a field in a struct to a value, i.e.
# value->field_name = data.
#
# Newer Py bindings to Gdb provide access to the inferior
# memory, but not all, so have to do it this awkward way.
#
def set_field (self, value, field_name, data):
gdb.execute ("set *(%s *) 0x%x = 0x%x" % \
(str (value[field_name].type), \
int (value[field_name].address), \
data))
#
# Returns data backing a gdb.Value as an array.
# Same comment as above regarding newer Py bindings...
#
def value_data (self, value, bytes=0):
value_address = gdb.Value (value.address)
array_t = self.ptype ('UINT8')
value_array = value_address.cast (array_t)
if bytes == 0:
bytes = value.type.sizeof
data = array.array ('B')
for i in range (0, bytes):
data.append (value_array[i])
return data
#
# Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4.
# Returns base address or -1.
#
def search_est (self):
address = 0
estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER')
while True:
estp = gdb.Value(address).cast(estp_t)
if estp['Signature'] == self.EST_SIGNATURE:
oldcrc = int (estp['Crc32'])
self.set_field (estp, 'Crc32', 0)
newcrc = self.crc32 (self.value_data (estp.dereference (), 0))
self.set_field (estp, 'Crc32', int (oldcrc))
if newcrc == oldcrc:
return estp['EfiSystemTableBase']
address = address + 4*1024*1024
if int (address) == 0:
return gdb.Value(self.EINVAL)
#
# Searches for a vendor-specific configuration table (in EST),
# given a vendor-specific table GUID. GUID is a list like -
# [32-bit, 16-bit, 16-bit, [8 bytes]]
#
def search_config (self, cfg_table, count, guid):
index = 0
while index != count:
cfg_entry = cfg_table[index]['VendorGuid']
if cfg_entry['Data1'] == guid[0] and \
cfg_entry['Data2'] == guid[1] and \
cfg_entry['Data3'] == guid[2] and \
self.value_data (cfg_entry['Data4']).tolist () == guid[3]:
return cfg_table[index]['VendorTable']
index = index + 1
return gdb.Value(self.EINVAL)
#
# Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI.
#
def parse_utf16 (self, value):
index = 0
data = array.array ('H')
while value[index] != 0:
data.append (value[index])
index = index + 1
return data.tostring ().decode ('utf-16')
#
# Returns offset of a field within structure. Useful
# for getting container of a structure.
#
def offsetof (self, typename, field):
t = gdb.Value (0).cast (self.ptype (typename))
return int (t[field].address)
#
# Returns sizeof of a type.
#
def sizeof (self, typename):
return self.type (typename).sizeof
#
# Returns the EFI_IMAGE_NT_HEADERS32 pointer, given
# an ImageBase address as a gdb.Value.
#
def pe_headers (self, imagebase):
dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER')
head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION')
dosh = imagebase.cast(dosh_t)
h_addr = imagebase
if dosh['e_magic'] == self.DOS_MAGIC:
h_addr = h_addr + dosh['e_lfanew']
return gdb.Value(h_addr).cast (head_t)
#
# Returns True if pe_headers refer to a PE32+ image.
#
def pe_is_64 (self, pe_headers):
if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC:
return True
return False
#
# Returns the PE (not so) optional header.
#
def pe_optional (self, pe):
if self.pe_is_64 (pe):
return pe['Pe32Plus']['OptionalHeader']
else:
return pe['Pe32']['OptionalHeader']
#
# Returns the symbol file name for a PE image.
#
def pe_parse_debug (self, pe):
opt = self.pe_optional (pe)
debug_dir_entry = opt['DataDirectory'][6]
dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase']
dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY'))
cvp = dep.dereference ()['RVA'] + opt['ImageBase']
cvv = cvp.cast(self.ptype ('UINT32')).dereference ()
if cvv == self.CV_NB10:
return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY')
elif cvv == self.CV_RSDS:
return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY')
elif cvv == self.CV_MTOC:
return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY')
return gdb.Value(self.EINVAL)
#
# Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name.
# This file name is then appended to list of loaded symbols.
#
# TBD: Support TE images.
#
def parse_image (self, image, syms):
base = image['ImageBase']
pe = self.pe_headers (base)
opt = self.pe_optional (pe)
sym_name = self.pe_parse_debug (pe)
# For ELF and Mach-O-derived images...
if self.offset_by_headers:
base = base + opt['SizeOfHeaders']
if sym_name != self.EINVAL:
sym_name = sym_name.cast (self.ptype('CHAR8')).string ()
# Ignore the driver from qemu
if re.search (r"\.efidrv$", sym_name):
return
# FOR RPM PACKAGE substitute the build path
sym_name = re.sub(r"^"+re.escape(build_path), "/usr/lib/debug/"+flavor, sym_name)
sym_name = re.sub(r"\.dll$", ".debug", sym_name)
syms.append ("add-symbol-file %s 0x%x" % \
(sym_name,
int (base)))
#
# Parses table EFI_DEBUG_IMAGE_INFO structures, builds
# a list of add-symbol-file commands, and reloads debugger
# symbols.
#
def parse_edii (self, edii, count):
index = 0
syms = []
while index != count:
entry = edii[index]
if entry['ImageInfoType'].dereference () == 1:
entry = entry['NormalImage']
self.parse_image(entry['LoadedImageProtocolInstance'], syms)
else:
print ('Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)' % \
entry['ImageInfoType'].dereference ())
index = index + 1
gdb.execute ("symbol-file")
print ('Loading new symbols...')
for sym in syms:
print (sym)
gdb.execute (sym)
#
# Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load
# image symbols.
#
def parse_dh (self, dh):
dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER')
dh = dh.cast (dh_t)
print ('DebugImageInfoTable @ 0x%x, 0x%x entries' \
% (int (dh['EfiDebugImageInfoTable']), dh['TableSize']))
if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING:
print ('EfiDebugImageInfoTable update in progress, retry later')
return
self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize'])
#
# Parses EFI_SYSTEM_TABLE, in order to load image symbols.
#
def parse_est (self, est):
est_t = self.ptype ('EFI_SYSTEM_TABLE')
est = est.cast (est_t)
print ('Connected to %s (Rev. 0x%x)' % \
(self.parse_utf16 (est['FirmwareVendor']), \
int (est['FirmwareRevision'])))
print ('ConfigurationTable @ 0x%x, 0x%x entries' \
% (int (est['ConfigurationTable']), est['NumberOfTableEntries']))
dh = self.search_config(est['ConfigurationTable'],
est['NumberOfTableEntries'],
self.DEBUG_GUID)
if dh == self.EINVAL:
print ('No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER')
return
self.parse_dh (dh)
#
# Usage information.
#
def usage (self):
print ('Usage: reload-uefi [-o] /path/to/GdbSyms.dll')
#
# Handler for reload-uefi.
#
def invoke (self, arg, from_tty):
args = arg.split(' ')
try:
opts, args = getopt.getopt(args, "o", ["offset-by-headers"])
except (getopt.GetoptError, err):
self.usage ()
return
for opt, arg in opts:
if opt == "-o":
self.offset_by_headers = True
if len(args) < 1:
self.usage ()
return
# FOR RPM PACKAGE substitute the path of the source code
gdb.execute ("set substitute-path "+source_path+" "+gdb_src_path)
gdb.execute ("symbol-file")
gdb.execute ("symbol-file %s" % args[0])
est = self.search_est ()
if est == self.EINVAL:
print ('No EFI_SYSTEM_TABLE...')
return
print ('EFI_SYSTEM_TABLE @ 0x%x' % est)
self.parse_est (est)
ReloadUefi ()
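
Review bot: In invoke(), `except (getopt.GetoptError, err):` is the Python 2 form wrapped in parentheses; under Python 3 it builds a tuple containing the undefined name `err`, so a bad option raises NameError instead of printing the usage text. Use `except getopt.GetoptError:`. In parse_utf16(), `data.tostring ()` was removed from array.array in Python 3.9 and should be `tobytes ()`. search_est() also has no working exit: `address` is a Python int that never wraps to 0, so the `int (address) == 0` check cannot fire and the loop only ends on a match or a memory read error; bound the scan explicitly. `__version` is presumably meant to be `__version__`.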

113
gen-key-enrollment-iso.sh Normal file

@ -0,0 +1,113 @@
#!/bin/bash -e
# The script to generate the key enrollment iso file
# based on build_iso() in https://git.kraxel.org/cgit/jenkins/edk2/tree/edk2.git.spec
# Example: $0 X64 Shell.efi EnrollDefaultKeys.efi default key.iso
usage()
{
PROG_NAME=$1
echo "Usage: $PROG_NAME <Arch> <Shell> <Enroller> <Type> <ISO NAME>"
echo "ex: $PROG_NAME X64 Shell.efi EnrollDefaultKeys.efi default key.iso"
}
ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]')
UEFI_SHELL_BINARY="$2"
ENROLLER_BINARY="$3"
TYPE="$4"
ISO_NAME="$5"
# Check the arguments
if [ x$ARCH != xX64 ] && [ x$ARCH != xAARCH64 ]; then
echo "Supported architecture: X64, AARCH64"
usage $0
exit 1
fi
if [ x$UEFI_SHELL_BINARY == x ] || [ ! -e "$UEFI_SHELL_BINARY" ]; then
echo "Please specify the UEFI shell binary"
usage $0
exit 1
fi
if [ x$ENROLLER_BINARY == x ] || [ ! -e "$ENROLLER_BINARY" ]; then
echo "Please specify the enroller binary"
usage $0
exit 1
fi
if [ x$TYPE == x ]; then
echo "Please specify the type of image: default or no-default"
usage $0
exit 1
fi
if [ x$ISO_NAME == x ]; then
echo "Please specify the name of output iso"
usage $0
exit 1
fi
ISO_PATH=$(realpath $ISO_NAME)
TMP_DIR=$(mktemp -d)
cp $UEFI_SHELL_BINARY $TMP_DIR/Shell.efi
cp $ENROLLER_BINARY $TMP_DIR/EnrollDefaultKeys.efi
UEFI_BOOT_EFI=$(
if [ $ARCH == "X64" ]; then
echo bootx64.efi
elif [ $ARCH == "AARCH64" ]; then
echo bootaa64.efi
else
exit 1
fi
)
UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY")
ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY")
START_SCRIPT=$TMP_DIR/"startup.nsh"
# Enter the first ESP
echo "fs0:" > $START_SCRIPT
# Enroll the keys
if [ $TYPE == "default" ]; then
echo "EnrollDefaultKeys.efi" >> $START_SCRIPT
else
echo "EnrollDefaultKeys.efi --no-default" >> $START_SCRIPT
fi
# Reset BootOrder
echo "setvar BootOrder -guid 8be4df61-93ca-11d2-aa0d-00e098032b8c -bs -rt -nv =" >> $START_SCRIPT
# Shutdown the system
echo "reset -s" >> $START_SCRIPT
UEFI_SHELL_IMAGE=uefi_shell_${ARCH}_${TYPE}.img
# Add 1MB then 10% for metadata
UEFI_SHELL_IMAGE_KB=$((
(UEFI_SHELL_SIZE + ENROLLER_SIZE +
1 * 1024 * 1024) * 11 / 10 / 1024
))
pushd $TMP_DIR
# Create non-partitioned FAT image
rm -f -- "$UEFI_SHELL_IMAGE"
/usr/sbin/mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB"
export MTOOLS_SKIP_CHECK=1
mmd -i "$UEFI_SHELL_IMAGE" ::efi
mmd -i "$UEFI_SHELL_IMAGE" ::efi/boot
mcopy -i "$UEFI_SHELL_IMAGE" Shell.efi ::efi/boot/$UEFI_BOOT_EFI
mcopy -i "$UEFI_SHELL_IMAGE" "$START_SCRIPT" ::efi/boot/startup.nsh
mcopy -i "$UEFI_SHELL_IMAGE" EnrollDefaultKeys.efi ::EnrollDefaultKeys.efi
mdir -i "$UEFI_SHELL_IMAGE" -/ ::
# build ISO with FAT image file as El Torito EFI boot image
mkisofs -input-charset ASCII -J -rational-rock \
-eltorito-platform efi -eltorito-boot "$UEFI_SHELL_IMAGE" \
-no-emul-boot -o "$ISO_PATH" -- "$UEFI_SHELL_IMAGE"
popd
#rm -rf $TMP_DIR
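
Review bot: TYPE is only checked for being non-empty, and the `if [ $TYPE == "default" ] ... else` branch writes `EnrollDefaultKeys.efi --no-default` for every other value, so a typo such as `Default` silently produces an enrollment ISO with a different key set than the caller asked for. Accept exactly `default` and `no-default` and exit with the usage text otherwise. The arguments and `$TMP_DIR` are also expanded unquoted in the `[ x$... ]` tests, `realpath` and `cp`, which breaks on paths containing spaces, and the cleanup is commented out (`#rm -rf $TMP_DIR`), leaving one temp directory per run; quote the expansions and remove the directory in a `trap ... EXIT`.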

BIN
libspdm-50924a4c8145fc721e17208f55814d2b38766fe6.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
mbedtls-3.3.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
oniguruma-v6.9.4_mark1-src.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
openssl-3.0.9.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssl-3.0.9.tar.gz.asc Normal file

113
openssl.keyring Normal file

85
openssl.keyring.README Normal file

@ -0,0 +1,85 @@
Upgrade openssl tarball
======================
Sometimes you need also update openssl source code tarball when
upgrading EDK2 source code. Normally you should see similar patch
commit in EDK2 git repo:
commit 4ca4041b0dbb310109d9cb047ed428a0082df395
Author: Sheng Wei <w.sheng@intel.com>
Date: Tue Feb 28 10:43:57 2023 +0800
CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1t
Then you will need to update openssl-%{openssl_version}.tar.gz and
openssl-%{openssl_version}.tar.gz.asc signature. You can find them
from https://www.openssl.org/source/old/1.1.1/
e.g.
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz.asc
Update the key of signature for tarball
----------------------------------------
You will use "osc ci" command to commit new openssl tarball to OBS.
But sometimes you will see fail like this:
ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
- package has ovmf-rpmlintrc: (unchanged)
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Can't check signature: No public key
ERROR: signature ovmf/openssl-1.1.1t.tar.gz.asc does not validate
It means that osc caommand didn't find corresponding key to validate
openssl-%{openssl_version}.tar.gz.asc. It will stop to submit your change
to OBS.
In the above example, it indicates that the signature is using RSA key
7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C. You should go to openssl's
"OpenSSL Technical Committee" page to download the corresponding key
to local. In this case:
https://www.openssl.org/community/otc.html
Richard Levitte (I) 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
Then you just use downloaded key to overwrite openssl.keyring file.
e.g.
ovmf> cp 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C openssl.keyring
Then the osc verification of openssl-%{openssl_version}.tar.gz.asc will pass.
Like this:
ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
(W) Attention, 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C is not mentioned in spec files as source or patch.
###ASK ovmf/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
- package has ovmf-rpmlintrc: (unchanged)
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
gpg: aka "Richard Levitte <levitte@lp.se>" [unknown]
gpg: aka "Richard Levitte <levitte@openssl.org>" [unknown]
Please maintain the openssl.keyring file in ovmf package with new openssl
tarball and signature.
Take the key of signature from gpg server
-----------------------------------------
Sometimes that the gpg key will be removed or changed from otc.html on
www.openssl.org, you can NOT find the key for tarball verification.
Another way for getting the gpg key is from key server.
e.g.
gpg --keyserver 'keys.openpgp.org' --recv-keys 'DC7032662AF885E2F47F243F527466A21CA79E6D'
The above command will download the key from gpg key server to your local
machine. Then you can use it to verify openssl source code tarball:
gpg --verify openssl-1.1.1u.tar.gz.asc openssl-1.1.1u.tar.gz
If you confirmed that the key can be used to verify tarball. Then you can
export it to openssl.keyring file for uploading to OBS/IBS:
gpg2 -a --export DC7032662AF885E2F47F243F527466A21CA79E6D > openssl.keyring
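
Review bot: The keyserver section fetches a key with `--recv-keys` and then treats a successful `gpg --verify` as the confirmation before exporting that key into openssl.keyring, but a signature verifying against a key only shows that the key matches the signature, not that the key belongs to an OpenSSL release signer. Add a step that compares the fingerprint with one published by the OpenSSL project over a separate channel, as the otc.html section does, before the export. Both procedures also overwrite openssl.keyring (`cp ... openssl.keyring`, `> openssl.keyring`), which drops earlier signers' keys; say whether that is intended. The examples refer to 1.1.1t/1.1.1u and the old/1.1.1 download path while this commit ships openssl-3.0.9.tar.gz, so the URLs need updating.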


@ -0,0 +1,36 @@
From 441bc6b75c8edcfa825b324e05f7cd838feac2bb Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Thu, 11 Apr 2024 19:36:30 +0800
Subject: [PATCH] EmbeddedPkg/Library: Support SOURCE_DATE_EPOCH in
VirtualRealTimeClockLib for reproducible
RISC-V ovmf used VirtualRealTimeClockLib but the default epoch is a
compilation time. It causes that the RISC-V ovmf binary image is NOT
reproducible.
This patch added the support of SOURCE_DATE_EPOCH by printenv command.
If SOURCE_DATE_EPOCH be found then we use it as BUILD_EPOCH. Otherwise
we run date command for setting BUILD_EPOCH.
For distributions want a reproducible RISC-V ovmf image, they should
export SOURCE_DATE_EPOCH environment variable before building ovmf.
References: https://reproducible-builds.org/docs/source-date-epoch/
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
.../Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
index 5d0f867eb6..0bd6bcee75 100644
--- a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
+++ b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
@@ -34,4 +34,4 @@
# Current usage of this library expects GCC in a UNIX-like shell environment with the date command
[BuildOptions]
- GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`date +%s`
+ GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`
--
2.44.0
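
Review bot: On the `+` line, `printenv SOURCE_DATE_EPOCH || date +%s` only falls back to `date` when the variable is absent; if it is exported but empty, printenv succeeds with empty output and the flag becomes `-DBUILD_EPOCH=` with no value. Fall back on an empty value as well. The context comment above `[BuildOptions]` still says the library expects only "the date command"; mention printenv and SOURCE_DATE_EPOCH there so the build requirement is documented next to the flag.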


@ -0,0 +1,56 @@
From ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3 Mon Sep 17 00:00:00 2001
From: Sam <Sam_Tsai@wiwynn.com>
Date: Wed, 29 May 2024 07:46:03 +0800
Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
iPXE environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
REF: 1904a64
Issue Description:
An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, &mHash2ServiceHandle);
Root Cause Analysis:
The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
Implemented Solution:
To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
Verification:
Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
---
NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 40bba4080c..c6e7c0df54 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -509,7 +509,7 @@ TcpDestroyService (
//
// Destroy the instance of the hashing protocol for this controller.
//
- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
--
2.35.3
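
Review bot: The context lines after the changed call return `EFI_UNSUPPORTED` for any failure of `DestroyChild`, which hides the real status; the commit message describes an "Invalid handle" error at this exact call. Since this line is being touched, consider returning `Status`, or at least logging it, so a recurrence is diagnosable. The commit message cites the base commit only as `REF: 1904a64`; a full hash with its subject line would make the reference unambiguous.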


@ -0,0 +1,48 @@
From 9aa057b298345f868dc0ca55e76128037c54e3aa Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Sun, 4 Feb 2024 17:32:13 +0800
Subject: [PATCH] OvmfPkg/SmbiosPlatformDxe: tweak fallback release date again
In case PcdFirmwareReleaseDateString is not set use a valid date
as fallback. But the default valid date can _NOT_ pass the Microsoft
SVVP test "Check SMBIOS Table Specific Requirements". The test emitted
the error message:
BIOS Release Date string is unexpected length: 8. This string must be in
MM/DD/YYYY format. No other format is allowed and no additional information
may be included. See field description in the SMBIOS specification.
Based on SMBIOS spec v3.7.0:
08h 2.0+ BIOS Release Date BYTE STRING
String number of the BIOS release date. The date
string, if supplied, is in either mm/dd/yy or
mm/dd/yyyy format. If the year portion of the string
is two digits, the year is assumed to be 19yy.
NOTE: The mm/dd/yyyy format is required for SMBIOS
version 2.3 and later.
So, let's tweak the fallback release date again.
Fixes: a0f9628705e3 ("OvmfPkg/SmbiosPlatformDxe: tweak fallback release date") [edk2-stable202305~327]
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c b/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
index 0ca3776..e929da6 100644
--- a/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
+++ b/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
@@ -160,7 +160,7 @@ InstallAllStructures (
DateStr = (CHAR16 *)FixedPcdGetPtr (PcdFirmwareReleaseDateString);
DateLen = StrLen (DateStr);
if (DateLen < 3) {
- DateStr = L"2/2/2022";
+ DateStr = L"02/02/2022";
DateLen = StrLen (DateStr);
}
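Review bot: the `DateLen < 3` guard substitutes the fallback only when PcdFirmwareReleaseDateString is empty or nearly so; a PCD set to a short-form date such as the old L"2/2/2022" would still be published and fail the same SVVP length check. Validate the string against the 10-character MM/DD/YYYY layout quoted in the commit message and use the fallback whenever it does not match.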
--
2.35.3


@ -0,0 +1,13 @@
Index: edk2-edk2-stable202305/ArmVirtPkg/ArmVirt.dsc.inc
===================================================================
--- edk2-edk2-stable202305.orig/ArmVirtPkg/ArmVirt.dsc.inc
+++ edk2-edk2-stable202305/ArmVirtPkg/ArmVirt.dsc.inc
@@ -365,7 +365,7 @@
# reserved ones, with the exception of LoaderData regions, of which OS loaders
# (i.e., GRUB) may assume that its contents are executable.
#
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|TRUE
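Review bot: this patch has no description, and the change from 0xC000000000007FD5 to 0xC000000000007FD1 clears bit 2 of PcdDxeNxMemoryProtectionPolicy, which stops marking EfiLoaderData pages non-executable. That agrees with the comment above the line about GRUB assuming LoaderData is executable, but it is a deliberate relaxation of NX protection. Add a header stating why it is needed and a bug reference, so the patch can be dropped once loaders no longer depend on executable LoaderData.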


@ -0,0 +1,60 @@
From b8324bc3d5d44e5b1644a66f1b6e07b6e4ad9350 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 15 Feb 2023 14:39:37 +0800
Subject: [PATCH] Revert "OvmfPkg/OvmfXen: Set PcdFSBClock"
This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
---
OvmfPkg/OvmfXen.dsc | 4 +++-
OvmfPkg/XenPlatformPei/Xen.c | 4 ----
OvmfPkg/XenPlatformPei/XenPlatformPei.inf | 1 -
3 files changed, 3 insertions(+), 6 deletions(-)
Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfXen.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
@@ -456,6 +456,9 @@
# Point to the MdeModulePkg/Application/UiApp/UiApp.inf
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
+ ## Xen vlapic's frequence is 100 MHz
+ gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000
+
# We populate DXE IPL tables with 1G pages preferably on Xen
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE
@@ -486,7 +489,6 @@
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Base|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000
- gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0
# Set video resolution for text setup.
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/Xen.c
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
@@ -634,9 +634,5 @@ CalibrateLapicTimer (
Freq = DivU64x64Remainder (Dividend, TscTick2 - TscTick, NULL);
DEBUG ((DEBUG_INFO, "APIC Freq % 8lu Hz\n", Freq));
- ASSERT (Freq <= MAX_UINT32);
- Status = PcdSet32S (PcdFSBClock, (UINT32)Freq);
- ASSERT_EFI_ERROR (Status);
-
UnmapXenPage (SharedInfo);
}
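Review bot: with the PcdSet32S call removed, the Freq value computed in CalibrateLapicTimer is used only by the DEBUG print, and the platform relies on the fixed 100000000 that the OvmfXen.dsc hunk restores. The revert message gives no reason and carries no Signed-off-by or bug reference; state which problem the calibrated PcdFSBClock caused and whether the calibration code left behind is still wanted.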
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
@@ -86,7 +86,6 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
- gEfiMdePkgTokenSpaceGuid.PcdFSBClock
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress


@ -0,0 +1,28 @@
From 5b3a40038886774228826b42c9aa3c9645a799a9 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 15 Mar 2023 17:21:25 +0800
Subject: [PATCH 6/6] Revert "OvmfPkg/PlatformInitLib: dynamic mmio window
size"
This reverts commit ecb778d0ac62560aa172786ba19521f27bc3f650.
Joey Lee:
Only revert one line to keep this workaround patch simple. Because
bsc#1205588 is a SUSE specific issue.
---
OvmfPkg/Library/PlatformInitLib/MemDetect.c | 28 ---------------------
1 file changed, 28 deletions(-)
Index: edk2-edk2-stable202305/OvmfPkg/Library/PlatformInitLib/MemDetect.c
===================================================================
--- edk2-edk2-stable202305.orig/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+++ edk2-edk2-stable202305/OvmfPkg/Library/PlatformInitLib/MemDetect.c
@@ -855,7 +855,6 @@ PlatformAddressWidthInitialization (
PlatformAddressWidthFromCpuid (PlatformInfoHob, TRUE);
if (PlatformInfoHob->PhysMemAddressWidth != 0) {
// physical address width is known
- PlatformDynamicMmioWindow (PlatformInfoHob);
return;
}
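Review bot: the diffstat above lists 28 deletions in MemDetect.c, but this hunk removes only the PlatformDynamicMmioWindow call, as the Joey Lee remark explains. Regenerate the diffstat and title the patch as a partial revert so it is not mistaken for a full revert of ecb778d0ac62; also check that PlatformDynamicMmioWindow, now without this caller, does not trigger an unused-function warning in the build.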


@ -0,0 +1,51 @@
From 251820bfcd28abecf8a67ee94d82c8ab47547b0b Mon Sep 17 00:00:00 2001
From: Joey Lee <jlee@suse.com>
Date: Mon, 20 Mar 2023 13:14:57 +0100
Subject: [PATCH] Revert "OvmfPkg/PlatformPei: Update
ReserveEmuVariableNvStore"
This reverts commit 58eb8517ad7b56574f8f04b770a59a9cbed796c4.
(bsc#1209266)
Signed-off-by: Joey Lee <jlee@suse.com>
---
OvmfPkg/PlatformPei/Platform.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
Index: edk2-edk2-stable202305/OvmfPkg/PlatformPei/Platform.c
===================================================================
--- edk2-edk2-stable202305.orig/OvmfPkg/PlatformPei/Platform.c
+++ edk2-edk2-stable202305/OvmfPkg/PlatformPei/Platform.c
@@ -219,14 +219,24 @@ ReserveEmuVariableNvStore (
EFI_PHYSICAL_ADDRESS VariableStore;
RETURN_STATUS PcdStatus;
- VariableStore = (EFI_PHYSICAL_ADDRESS)(UINTN)PlatformReserveEmuVariableNvStore ();
- PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);
-
- if (FeaturePcdGet (PcdSecureBootSupported)) {
- // restore emulated VarStore from pristine ROM copy
- PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);
- }
-
+ //
+ // Allocate storage for NV variables early on so it will be
+ // at a consistent address. Since VM memory is preserved
+ // across reboots, this allows the NV variable storage to survive
+ // a VM reboot.
+ //
+ VariableStore =
+ (EFI_PHYSICAL_ADDRESS)(UINTN)
+ AllocateRuntimePages (
+ EFI_SIZE_TO_PAGES (2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize))
+ );
+ DEBUG ((
+ DEBUG_INFO,
+ "Reserved variable store memory: 0x%lX; size: %dkb\n",
+ VariableStore,
+ (2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize)) / 1024
+ ));
+ PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);
ASSERT_RETURN_ERROR (PcdStatus);
}
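Review bot: the restored code stores the result of AllocateRuntimePages into PcdEmuVariableNvStoreReserved without checking it for NULL, and it drops the PcdSecureBootSupported branch that re-initialised the emulated variable store from the pristine ROM copy. The commit message cites only bsc#1209266; say whether losing that re-initialisation is intended for Secure Boot builds, and add an ASSERT or error path for a failed allocation before the PcdSet64S call.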

90
ovmf-build-funcs.sh Normal file

@ -0,0 +1,90 @@
#!/bin/bash
# Generate PK/KEK OEM strings
pkkek_oemstr()
{
local CERT_FILE=$1
sed \
-e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
-e '/^-----END CERTIFICATE-----$/d' \
$CERT_FILE \
| tr -d '\n'
}
# Build the varstore template
build_template()
{
local ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]')
local PREFIX="$2"
local KEY="$3"
local PKKEK_FILE="$4"
local ISO_FILE="$5"
local TYPE="$6"
# QEMU parameters
# pflash parameters
local PFLASH=""
if [ $TYPE == "separate" ]; then
local FW_CODE_ORIG="${PREFIX}-code.bin"
local FW_VARS_ORIG="${PREFIX}-vars.bin"
local FW_CODE="${PREFIX}-${KEY}-code.bin"
local FW_VARS="${PREFIX}-${KEY}-vars.bin"
local PFLASH_CODE="-drive if=pflash,format=raw,unit=0,readonly=on,file=$FW_CODE"
local PFLASH_VARS="-drive if=pflash,format=raw,unit=1,file=$FW_VARS"
ln -s "$FW_CODE_ORIG" "$FW_CODE"
cp "$FW_VARS_ORIG" "$FW_VARS"
PFLASH="$PFLASH_CODE $PFLASH_VARS"
elif [ $TYPE == "unified" ]; then
local UNIFIED_FW_ORIG="${PREFIX}.bin"
local UNIFIED_FW="${PREFIX}-${KEY}.bin"
cp "$UNIFIED_FW_ORIG" "$UNIFIED_FW"
PFLASH="-drive if=pflash,format=raw,unit=0,file=$UNIFIED_FW"
fi
# smbios parameters for PK and KEK
local SMBIOS="-smbios type=11,value=$(pkkek_oemstr $PKKEK_FILE)"
# memory: 256MB
local MEMORY="-m 256"
# kvm
local FW_CFG="-fw_cfg name=opt/org.tianocore/X-Cpuhp-Bugcheck-Override,string=yes"
# redirect display to stdio and disable network
local MISC="-display none -no-user-config -nodefaults -smp 1"
MISC="$MISC -serial stdio"
# set cdrom device
local CDROM="-device virtio-scsi-pci,id=scsi0"
CDROM="$CDROM -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=0"
CDROM="$CDROM -drive media=cdrom,if=none,id=cd0,format=raw,readonly=on"
CDROM="$CDROM,file=${ISO_FILE}"
if [ $ARCH == "X64" ]; then
# qemu command
local QEMU="qemu-system-x86_64"
# machine parameters
local MACHINE="-machine q35"
if [[ "$PREFIX" == *"-smm" ]]; then
MACHINE="$MACHINE,smm=on,accel=tcg"
MACHINE="$MACHINE -global driver=cfi.pflash01,property=secure,value=on"
MACHINE="$MACHINE -global ICH9-LPC.disable_s3=1"
fi
MACHINE="$MACHINE -chardev pty,id=charserial1"
MACHINE="$MACHINE -device isa-serial,chardev=charserial1,id=serial1"
elif [ $ARCH == "AARCH64" ]; then
# qemu command
local QEMU="qemu-system-aarch64"
# machine parameters
local MACHINE="-cpu cortex-a57 -machine virt"
fi
# Launch the VM
$QEMU $MACHINE $MEMORY $FW_CFG $PFLASH $SMBIOS $CDROM $MISC
}
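Review bot: in build_template the tests `[ $TYPE == "separate" ]` and `[ $ARCH == "X64" ]` expand unquoted variables, so an empty or missing argument makes the test itself fail with a syntax error, and neither if/elif chain has an else branch: an unknown ARCH leaves QEMU and MACHINE unset and the final line then tries to run the remaining arguments as a command. Quote the expansions (including $CERT_FILE in pkkek_oemstr, $PKKEK_FILE and ${ISO_FILE}), add an else that prints an error and returns non-zero, and fix the misplaced quote in tr '[:lower:'] '[:upper:]', which works only because the shell joins the stray ] back onto the word.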

54
ovmf-disable-brotli.patch Normal file

@ -0,0 +1,54 @@
From 278d7e48deeaf8fcf2ac347a452c4e7ca0389007 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 1 Apr 2021 17:25:59 +0800
Subject: [PATCH 1/1] Disable brotli
The brotli compression/decompression function was never used and it
requires an additional source tarball for packaging. Remove brotli from
building for good.
Signed-off-by: Gary Lin <glin@suse.com>
---
BaseTools/Source/C/GNUmakefile | 1 -
MdeModulePkg/MdeModulePkg.dec | 3 ---
MdeModulePkg/MdeModulePkg.dsc | 1 -
3 files changed, 5 deletions(-)
Index: edk2-edk2-stable202305/BaseTools/Source/C/GNUmakefile
===================================================================
--- edk2-edk2-stable202305.orig/BaseTools/Source/C/GNUmakefile
+++ edk2-edk2-stable202305/BaseTools/Source/C/GNUmakefile
@@ -51,7 +51,6 @@ all: makerootdir subdirs
LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \
- BrotliCompress \
VfrCompile \
EfiRom \
GenFfs \
Index: edk2-edk2-stable202305/MdeModulePkg/MdeModulePkg.dec
===================================================================
--- edk2-edk2-stable202305.orig/MdeModulePkg/MdeModulePkg.dec
+++ edk2-edk2-stable202305/MdeModulePkg/MdeModulePkg.dec
@@ -26,9 +26,6 @@
Include
Test/Mock/Include
-[Includes.Common.Private]
- Library/BrotliCustomDecompressLib/brotli/c/include
-
[LibraryClasses]
## @libraryclass Defines a set of methods to reset whole system.
ResetSystemLib|Include/Library/ResetSystemLib.h
Index: edk2-edk2-stable202305/MdeModulePkg/MdeModulePkg.dsc
===================================================================
--- edk2-edk2-stable202305.orig/MdeModulePkg/MdeModulePkg.dsc
+++ edk2-edk2-stable202305/MdeModulePkg/MdeModulePkg.dsc
@@ -453,7 +453,6 @@
MdeModulePkg/Universal/EbcDxe/EbcDebuggerConfig.inf
[Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
- MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliCustomDecompressLib.inf
MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
MdeModulePkg/Core/Dxe/DxeMain.inf {


@ -0,0 +1,13 @@
Index: edk2-edk2-stable202302/BaseTools/Conf/tools_def.template
===================================================================
--- edk2-edk2-stable202302.orig/BaseTools/Conf/tools_def.template
+++ edk2-edk2-stable202302/BaseTools/Conf/tools_def.template
@@ -1888,7 +1888,7 @@ DEFINE GCC_DEPS_FLAGS = -MM
DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
+DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer -fno-pic -fno-pie
DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
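Review bot: the patch has no description, and after it GCC48_IA32_CC_FLAGS carries -fno-pic -fno-pie while GCC48_X64_CC_FLAGS on the next line keeps -fpie. Add a header explaining why IA32 objects must not be position independent (for example a distribution compiler that defaults to PIE), so the asymmetry is not taken for an oversight the next time the flags are rebased.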

565
ovmf-gdb-symbols.patch Normal file

@ -0,0 +1,565 @@
From 263791566fbe25755aebde54c98d5aea061414f3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 24 Jun 2014 11:57:32 +0800
Subject: [PATCH 1/3] Add DebugPkg
---
DebugPkg/DebugPkg.dec | 34 ++++
DebugPkg/GdbSyms/GdbSyms.c | 70 +++++++
DebugPkg/GdbSyms/GdbSyms.inf | 57 ++++++
DebugPkg/Scripts/gdb_uefi.py | 348 +++++++++++++++++++++++++++++++++++
4 files changed, 509 insertions(+)
create mode 100644 DebugPkg/DebugPkg.dec
create mode 100644 DebugPkg/GdbSyms/GdbSyms.c
create mode 100644 DebugPkg/GdbSyms/GdbSyms.inf
create mode 100644 DebugPkg/Scripts/gdb_uefi.py
Index: edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
===================================================================
--- /dev/null
+++ edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
@@ -0,0 +1,34 @@
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
===================================================================
--- /dev/null
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
@@ -0,0 +1,78 @@
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
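Review bot: the DEBUG lines print the addresses of the locals with %llx, but the arguments (&ESTP and the others) are pointers; use %p so the format matches the argument on both 32-bit and 64-bit builds. The hunk header also announces 78 added lines while the patch diffstat lists 70 for GdbSyms.c, which suggests the patch was edited by hand after generation and should be regenerated.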
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
===================================================================
--- /dev/null
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
@@ -0,0 +1,57 @@
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
Index: edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
===================================================================
--- /dev/null
+++ edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
@@ -0,0 +1,350 @@
+"""
+Allows loading TianoCore symbols into a GDB session attached to EFI
+Firmware.
+
+This is how it works: build GdbSyms - it's a dummy binary that
+contains the relevant symbols needed to find and load image symbols.
+
+$ gdb
+(gdb) taget remote ....
+(gdb) source Scripts/gdb_uefi.py
+(gdb) reload-uefi -o /path/to/GdbSyms.dll
+
+The -o option should be used if you've debugging EFI, where the PE
+images were converted from MACH-O or ELF binaries.
+
+"""
+
+import array
+import getopt
+import binascii
+import re
+
+__license__ = "BSD"
+__version = "1.0.0"
+__maintainer__ = "Andrei Warkentin"
+__email__ = "andrey.warkentin@gmail.com"
+__status__ = "Works"
+
+class ReloadUefi (gdb.Command):
+ """Reload UEFI symbols"""
+
+ #
+ # Various constants.
+ #
+
+ EINVAL = 0xffffffff
+ CV_NB10 = 0x3031424E
+ CV_RSDS = 0x53445352
+ CV_MTOC = 0x434F544D
+ DOS_MAGIC = 0x5A4D
+ PE32PLUS_MAGIC = 0x20b
+ EST_SIGNATURE = 0x5453595320494249L
+ DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764,
+ [0xB7,0xA2,0x7A,0xFE,
+ 0xFE,0xD9,0x5E, 0x8B]]
+ DEBUG_IS_UPDATING = 0x1
+
+ #
+ # If the images were built as ELF/MACH-O and then converted to PE,
+ # then the base address needs to be offset by PE headers.
+ #
+
+ offset_by_headers = False
+
+ def __init__ (self):
+ super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE)
+
+ #
+ # Returns gdb.Type for a type.
+ #
+
+ def type (self, typename):
+ return gdb.lookup_type (typename)
+
+ #
+ # Returns gdb.Type for a pointer to a type.
+ #
+
+ def ptype (self, typename):
+ return gdb.lookup_type (typename).pointer ()
+
+ #
+ # Computes CRC32 on an array of data.
+ #
+
+ def crc32 (self, data):
+ return binascii.crc32 (data) & 0xFFFFFFFF
+
+ #
+ # Sets a field in a struct to a value, i.e.
+ # value->field_name = data.
+ #
+ # Newer Py bindings to Gdb provide access to the inferior
+ # memory, but not all, so have to do it this awkward way.
+ #
+
+ def set_field (self, value, field_name, data):
+ gdb.execute ("set *(%s *) 0x%x = 0x%x" % \
+ (str (value[field_name].type), \
+ long (value[field_name].address), \
+ data))
+
+ #
+ # Returns data backing a gdb.Value as an array.
+ # Same comment as above regarding newer Py bindings...
+ #
+
+ def value_data (self, value, bytes=0):
+ value_address = gdb.Value (value.address)
+ array_t = self.ptype ('UINT8')
+ value_array = value_address.cast (array_t)
+ if bytes == 0:
+ bytes = value.type.sizeof
+ data = array.array ('B')
+ for i in range (0, bytes):
+ data.append (value_array[i])
+ return data
+
+ #
+ # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4.
+ # Returns base address or -1.
+ #
+
+ def search_est (self):
+ address = 0
+ estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER')
+ while True:
+ estp = gdb.Value(address).cast(estp_t)
+ if estp['Signature'] == self.EST_SIGNATURE:
+ oldcrc = long (estp['Crc32'])
+ self.set_field (estp, 'Crc32', 0)
+ newcrc = self.crc32 (self.value_data (estp.dereference (), 0))
+ self.set_field (estp, 'Crc32', long (oldcrc))
+ if newcrc == oldcrc:
+ return estp['EfiSystemTableBase']
+
+ address = address + 4*1024*1024
+ if long (address) == 0:
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Searches for a vendor-specific configuration table (in EST),
+ # given a vendor-specific table GUID. GUID is a list like -
+ # [32-bit, 16-bit, 16-bit, [8 bytes]]
+ #
+
+ def search_config (self, cfg_table, count, guid):
+ index = 0
+ while index != count:
+ cfg_entry = cfg_table[index]['VendorGuid']
+ if cfg_entry['Data1'] == guid[0] and \
+ cfg_entry['Data2'] == guid[1] and \
+ cfg_entry['Data3'] == guid[2] and \
+ self.value_data (cfg_entry['Data4']).tolist () == guid[3]:
+ return cfg_table[index]['VendorTable']
+ index = index + 1
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI.
+ #
+
+ def parse_utf16 (self, value):
+ index = 0
+ data = array.array ('H')
+ while value[index] != 0:
+ data.append (value[index])
+ index = index + 1
+ return data.tostring ().decode ('utf-16')
+
+ #
+ # Returns offset of a field within structure. Useful
+ # for getting container of a structure.
+ #
+
+ def offsetof (self, typename, field):
+ t = gdb.Value (0).cast (self.ptype (typename))
+ return long (t[field].address)
+
+ #
+ # Returns sizeof of a type.
+ #
+
+ def sizeof (self, typename):
+ return self.type (typename).sizeof
+
+ #
+ # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given
+ # an ImageBase address as a gdb.Value.
+ #
+
+ def pe_headers (self, imagebase):
+ dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER')
+ head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION')
+ dosh = imagebase.cast(dosh_t)
+ h_addr = imagebase
+ if dosh['e_magic'] == self.DOS_MAGIC:
+ h_addr = h_addr + dosh['e_lfanew']
+ return gdb.Value(h_addr).cast (head_t)
+
+ #
+ # Returns True if pe_headers refer to a PE32+ image.
+ #
+
+ def pe_is_64 (self, pe_headers):
+ if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC:
+ return True
+ return False
+
+ #
+ # Returns the PE (not so) optional header.
+ #
+
+ def pe_optional (self, pe):
+ if self.pe_is_64 (pe):
+ return pe['Pe32Plus']['OptionalHeader']
+ else:
+ return pe['Pe32']['OptionalHeader']
+
+ #
+ # Returns the symbol file name for a PE image.
+ #
+
+ def pe_parse_debug (self, pe):
+ opt = self.pe_optional (pe)
+ debug_dir_entry = opt['DataDirectory'][6]
+ dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase']
+ dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY'))
+ cvp = dep.dereference ()['RVA'] + opt['ImageBase']
+ cvv = cvp.cast(self.ptype ('UINT32')).dereference ()
+ if cvv == self.CV_NB10:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY')
+ elif cvv == self.CV_RSDS:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY')
+ elif cvv == self.CV_MTOC:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY')
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name.
+ # This file name is then appended to list of loaded symbols.
+ #
+ # TBD: Support TE images.
+ #
+
+ def parse_image (self, image, syms):
+ base = image['ImageBase']
+ pe = self.pe_headers (base)
+ opt = self.pe_optional (pe)
+ sym_name = self.pe_parse_debug (pe)
+
+ # For ELF and Mach-O-derived images...
+ if self.offset_by_headers:
+ base = base + opt['SizeOfHeaders']
+ if sym_name != self.EINVAL:
+ sym_name = sym_name.cast (self.ptype('CHAR8')).string ()
+ sym_name = re.sub(r"\.dll$", ".debug", sym_name)
+ syms.append ("add-symbol-file %s 0x%x" % \
+ (sym_name,
+ long (base)))
+
+ #
+ # Parses table EFI_DEBUG_IMAGE_INFO structures, builds
+ # a list of add-symbol-file commands, and reloads debugger
+ # symbols.
+ #
+
+ def parse_edii (self, edii, count):
+ index = 0
+ syms = []
+ while index != count:
+ entry = edii[index]
+ if entry['ImageInfoType'].dereference () == 1:
+ entry = entry['NormalImage']
+ self.parse_image(entry['LoadedImageProtocolInstance'], syms)
+ else:
+ print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \
+ entry['ImageInfoType'].dereference ()
+ index = index + 1
+ gdb.execute ("symbol-file")
+ print "Loading new symbols..."
+ for sym in syms:
+ print sym
+ gdb.execute (sym)
+
+ #
+ # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load
+ # image symbols.
+ #
+
+ def parse_dh (self, dh):
+ dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER')
+ dh = dh.cast (dh_t)
+ print "DebugImageInfoTable @ 0x%x, 0x%x entries" \
+ % (long (dh['EfiDebugImageInfoTable']), dh['TableSize'])
+ if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING:
+ print "EfiDebugImageInfoTable update in progress, retry later"
+ return
+ self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize'])
+
+ #
+ # Parses EFI_SYSTEM_TABLE, in order to load image symbols.
+ #
+
+ def parse_est (self, est):
+ est_t = self.ptype ('EFI_SYSTEM_TABLE')
+ est = est.cast (est_t)
+ print "Connected to %s (Rev. 0x%x)" % \
+ (self.parse_utf16 (est['FirmwareVendor']), \
+ long (est['FirmwareRevision']))
+ print "ConfigurationTable @ 0x%x, 0x%x entries" \
+ % (long (est['ConfigurationTable']), est['NumberOfTableEntries'])
+
+ dh = self.search_config(est['ConfigurationTable'],
+ est['NumberOfTableEntries'],
+ self.DEBUG_GUID)
+ if dh == self.EINVAL:
+ print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER"
+ return
+ self.parse_dh (dh)
+
+ #
+ # Usage information.
+ #
+
+ def usage (self):
+ print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll"
+
+ #
+ # Handler for reload-uefi.
+ #
+
+ def invoke (self, arg, from_tty):
+ args = arg.split(' ')
+ try:
+ opts, args = getopt.getopt(args, "o", ["offset-by-headers"])
+ except getopt.GetoptError, err:
+ self.usage ()
+ return
+ for opt, arg in opts:
+ if opt == "-o":
+ self.offset_by_headers = True
+
+ if len(args) < 1:
+ self.usage ()
+ return
+
+ gdb.execute ("symbol-file")
+ gdb.execute ("symbol-file %s" % args[0])
+ est = self.search_est ()
+ if est == self.EINVAL:
+ print "No EFI_SYSTEM_TABLE..."
+ return
+
+ print "EFI_SYSTEM_TABLE @ 0x%x" % est
+ self.parse_est (est)
+
+ReloadUefi ()
+
+
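Review bot: this script parses only under Python 2: it uses print statements, long (), the trailing-L literal in EST_SIGNATURE, `except getopt.GetoptError, err` and array.tostring (), so a GDB built against Python 3 rejects it when it is sourced. Port it to Python 3 (print (), int, `except getopt.GetoptError as err`, tobytes ()) before shipping it. search_est also writes 0 into the Crc32 field of each candidate in target memory and then restores it, which deserves a line in the docstring, and the docstring itself says "taget remote".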
Index: edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfPkgX64.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
@@ -1123,3 +1123,5 @@
# TPM support
#
!include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
+
+ DebugPkg/GdbSyms/GdbSyms.inf
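Review bot: GdbSyms.inf is appended unconditionally after the TPM include, so every OvmfPkgX64 build compiles the debug helper, although its own header says it is not a driver and should not be placed in a FD. Guard the line with a build define that only debug builds set (the name is the packager's choice) so release builds stay unchanged.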


@ -0,0 +1,60 @@
diff --git a/BaseTools/Source/C/DevicePath/DevicePathUtilities.c b/BaseTools/Source/C/DevicePath/DevicePathUtilities.c
index 2ffefa8..c9fb432 100644
--- a/BaseTools/Source/C/DevicePath/DevicePathUtilities.c
+++ b/BaseTools/Source/C/DevicePath/DevicePathUtilities.c
@@ -16,6 +16,10 @@
#include "UefiDevicePathLib.h"
#include <Protocol/DevicePathUtilities.h>
+#if __GNUC__ >= 12
+# pragma GCC diagnostic ignored "-Wstringop-overflow"
+#endif
+
//
// Template for an end-of-device path node.
//
diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c
index 949025c..be55a52 100644
--- a/BaseTools/Source/C/GenFfs/GenFfs.c
+++ b/BaseTools/Source/C/GenFfs/GenFfs.c
@@ -36,6 +36,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define UTILITY_MAJOR_VERSION 0
#define UTILITY_MINOR_VERSION 1
+#if __GNUC__ >= 12
+# pragma GCC diagnostic ignored "-Wuse-after-free"
+#endif
+
STATIC CHAR8 *mFfsFileType[] = {
NULL, // 0x00
"EFI_FV_FILETYPE_RAW", // 0x01
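Review bot: the pragma disables -Wuse-after-free for the whole of GenFfs.c (the GenSec.c hunk does the same), so any later use-after-free the compiler could flag in this tool is silenced together with the current one. Prefer fixing the flagged code, or wrap only that site in #pragma GCC diagnostic push and pop, and record in a patch header which warning instance made the suppression necessary.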
diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c
index d54a4f9..fb40ad3 100644
--- a/BaseTools/Source/C/GenSec/GenSec.c
+++ b/BaseTools/Source/C/GenSec/GenSec.c
@@ -37,6 +37,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define UTILITY_MAJOR_VERSION 0
#define UTILITY_MINOR_VERSION 1
+#if __GNUC__ >= 12
+# pragma GCC diagnostic ignored "-Wuse-after-free"
+#endif
+
STATIC CHAR8 *mSectionTypeName[] = {
NULL, // 0x00 - reserved
"EFI_SECTION_COMPRESSION", // 0x01
diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
index 4e9b499..ab9b7cc 100644
--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
@@ -40,6 +40,10 @@ static unsigned g_STAT_OFFSET = 0;
#define REP_LEN_COUNT 64
+#if __GNUC__ >= 12
+# pragma GCC diagnostic ignored "-Wdangling-pointer"
+#endif
+
void LzmaEncProps_Init(CLzmaEncProps *p)
{
p->level = 5;

13
ovmf-pie.patch Normal file

@ -0,0 +1,13 @@
Index: edk2-edk2-stable202305/BaseTools/Source/C/Makefiles/header.makefile
===================================================================
--- edk2-edk2-stable202305.orig/BaseTools/Source/C/Makefiles/header.makefile
+++ edk2-edk2-stable202305/BaseTools/Source/C/Makefiles/header.makefile
@@ -101,7 +101,7 @@ else
CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
-fno-delete-null-pointer-checks -Wall -Werror \
-Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
--Wno-unused-result -nostdlib -g
+-Wno-unused-result -nostdlib -g -fPIE
endif
endif
ifneq ($(CLANG),)
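Review bot: -fPIE is added to CFLAGS only, and only in the else branch shown; it changes code generation, but the tools become position-independent executables only if the link step also passes -pie. Check that the link flags in header.makefile carry -pie for the same branch, and whether the branch before the else needs the same flag.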

6
ovmf-rpmlintrc Normal file

@ -0,0 +1,6 @@
addFilter("unstripped-binary-or-object /usr/lib/debug/*")
addFilter("statically-linked-binary /usr/lib/debug/*")
addFilter("executable-stack /usr/lib/debug/*")
addFilter("position-independent-executable-suggested /usr/lib/debug/*")
addFilter("arch-independent-package-contains-binary-or-object .*/usr/share/qemu/ovmf-x86_64-xen-4m.bin")
addFilter("arch-independent-package-contains-binary-or-object .*/usr/share/qemu/ovmf-x86_64-xen.bin")
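Review bot: rpmlint treats the addFilter argument as a regular expression, not a glob, so the trailing "/usr/lib/debug/*" in the first four filters means "debug" followed by zero or more slashes and matches only because the search is unanchored. Write "/usr/lib/debug/.*" to match the leading ".*" style of the two Xen filters, and escape the dot in ".bin". Keeping the executable-stack and statically-linked-binary filters scoped to the debug tree is right; make sure they cannot widen to installed host binaries such as EfiRom.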


@ -0,0 +1,33 @@
From c0cec3409f3abda1e2359a79ccac575b4ea1838b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 21 May 2019 16:56:06 +0800
Subject: [PATCH 1/1] OvmfPkg/EnrollDefaultKeys: Set the fixed time
For the reproducible build, we need to set the fixed time when setting
the authenticate variables.
Signed-off-by: Gary Lin <glin@suse.com>
---
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 10 ++++++++++
1 file changed, 10 insertions(+)
Index: edk2-edk2-stable202202/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
===================================================================
--- edk2-edk2-stable202202.orig/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ edk2-edk2-stable202202/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -324,6 +324,15 @@ EnrollListOfCerts (
goto FreeData;
}
+ // Set the fixed time for the reproducible build
+ // 2019-5-20 00:00:00
+ SingleHeader->TimeStamp.Year = 2019;
+ SingleHeader->TimeStamp.Month = 5;
+ SingleHeader->TimeStamp.Day = 20;
+ SingleHeader->TimeStamp.Hour = 0;
+ SingleHeader->TimeStamp.Minute = 0;
+ SingleHeader->TimeStamp.Second = 0;
+
SingleHeader->TimeStamp.Pad1 = 0;
SingleHeader->TimeStamp.Nanosecond = 0;
SingleHeader->TimeStamp.TimeZone = 0;
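Review bot: the values written to SingleHeader->TimeStamp are a hard-coded 2019-05-20 with no named constant and no explanation of why that date is safe. For a time-based authenticated variable the stored timestamp is what a later signed update has to exceed, so a fixed past date does not block updates, but the comment should say so. Consider deriving the value from SOURCE_DATE_EPOCH, which the name of Patch10 in ovmf.spec suggests is already done for another module. The patch is indexed against edk2-edk2-stable202202 while ovmf.spec sets Version 202405, and no Patch line in the spec names an EnrollDefaultKeys change, so confirm it is still applied and still needed now that the varstore templates are generated with virt-fw-vars.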

9972
ovmf.changes Normal file

File diff suppressed because it is too large

670
ovmf.spec Normal file
View File

@ -0,0 +1,670 @@
#
# spec file for package ovmf
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild
%undefine _build_create_debug
%global openssl_version 3.0.9
%global softfloat_version b64af41c3276f
%if 0%{?suse_version} < 1599
%bcond_with build_riscv64
%else
%bcond_without build_riscv64
%endif
Name: ovmf
Version: 202405
Release: 0
Summary: Open Virtual Machine Firmware
License: BSD-2-Clause-Patent
Group: System/Emulators/PC
URL: https://github.com/tianocore/edk2
Source0: edk2-edk2-stable%{version}.tar.gz
Source1: https://www.openssl.org/source/old/3.0/openssl-%{openssl_version}.tar.gz
Source111: https://www.openssl.org/source/old/3.0/openssl-%{openssl_version}.tar.gz.asc
Source112: openssl.keyring
Source113: openssl.keyring.README
Source114: descriptors.tar.xz.README
Source2: README
Source3: SLES-UEFI-CA-Certificate-2048.crt
Source4: openSUSE-UEFI-CA-Certificate-2048.crt
# berkeley-softfloat-3: https://github.com/ucb-bar/berkeley-softfloat-3
Source6: berkeley-softfloat-3-%{softfloat_version}.tar.xz
Source7: descriptors.tar.xz
# oniguruma: https://github.com/kkos/oniguruma, "src" directory only
Source8: oniguruma-v6.9.4_mark1-src.tar.xz
# public-mipi-sys-t: https://github.com/MIPI-Alliance/public-mipi-sys-t
Source9: public-mipi-sys-t-1.1-edk2.tar.gz
# mbedtls: https://github.com/Mbed-TLS/mbedtls
Source10: mbedtls-3.3.0.tar.gz
# brotli: https://github.com/google/brotli
Source11: brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz
# libspdm: https://github.com/DMTF/libspdm.git
Source12: libspdm-50924a4c8145fc721e17208f55814d2b38766fe6.tar.gz
Source100: %{name}-rpmlintrc
Source101: gdb_uefi.py.in
Patch1: %{name}-gdb-symbols.patch
Patch2: %{name}-pie.patch
Patch3: %{name}-disable-ia32-firmware-piepic.patch
Patch6: %{name}-ignore-spurious-GCC-12-warning.patch
# Bug 1205978 - Got Page-Fault exception when VM is booting with edk2-stable202211 ovmf
Patch7: %{name}-Revert-OvmfPkg-PlatformInitLib-dynamic-mmio-window-s.patch
# Bug 1207095 - ASSERT [ArmCpuDxe] /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202211/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))
Patch8: %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
# Bug 1205613 - L3: win 2k22 UEFI xen VMs cannot boot in xen after upgrade
Patch9: %{name}-Revert-OvmfPkg-OvmfXen-Set-PcdFSBClock.patch
# Bug 1217704 - ovmf: reproducible builds problem in ovmf-riscv64-code.bin
Patch10: %{name}-EmbeddedPkg-Library-Support-SOURCE_DATE_EPOCH-in-Vir.patch
# Bug 1230587 - OVMF 202405 hangs due to missing fix
Patch11: %{name}-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
BuildRequires: bc
BuildRequires: cross-arm-binutils
BuildRequires: cross-arm-gcc%{gcc_version}
BuildRequires: dosfstools
BuildRequires: fdupes
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: iasl
BuildRequires: libuuid-devel
BuildRequires: mkisofs
BuildRequires: mtools
BuildRequires: nasm
BuildRequires: openssl
BuildRequires: python3
BuildRequires: unzip
BuildRequires: virt-firmware
%ifnarch aarch64
BuildRequires: cross-aarch64-binutils
BuildRequires: cross-aarch64-gcc%{gcc_version}
%endif
%ifnarch x86_64
BuildRequires: cross-x86_64-binutils
BuildRequires: cross-x86_64-gcc%{gcc_version}
%endif
%ifnarch riscv64
%if %{with build_riscv64}
BuildRequires: cross-riscv64-binutils
BuildRequires: cross-riscv64-gcc%{gcc_version}
%endif
%endif
# Only build on the architectures with
# 1. cross-compilers, 2. iasl
ExclusiveArch: x86_64 aarch64 riscv64
%description
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
%package tools
Summary: The BaseTools from edk2
Group: System/Emulators/PC
%description tools
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains the tools from edk2.
%package -n qemu-ovmf-ia32
Summary: Open Virtual Machine Firmware - QEMU rom images (IA32)
Group: System/Emulators/PC
Requires: qemu
BuildArch: noarch
%description -n qemu-ovmf-ia32
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains UEFI rom images for exercising UEFI secure
boot in a qemu environment (IA32)
%package -n qemu-ovmf-x86_64
Summary: Open Virtual Machine Firmware - QEMU rom images (x86_64)
Group: System/Emulators/PC
Requires: qemu
BuildArch: noarch
%description -n qemu-ovmf-x86_64
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains UEFI rom images for exercising UEFI secure
boot in a qemu environment (x86_64)
%ifarch x86_64
%package -n qemu-ovmf-x86_64-debug
Summary: Open Virtual Machine Firmware - debug symbols (x86_64)
Group: Development/Sources
Requires: qemu
%description -n qemu-ovmf-x86_64-debug
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains the debug symbols for UEFI rom images (x86_64)
%endif
%package -n qemu-uefi-aarch64
Summary: UEFI QEMU rom image (AArch64)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-aarch64
This package contains the UEFI rom image (AArch64) for QEMU cortex-a57
virt board.
%package -n qemu-uefi-aarch32
Summary: UEFI QEMU rom image (AArch32)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-aarch32
This package contains the UEFI rom image (AArch32) for QEMU cortex-a15
virt board.
%if %{with build_riscv64}
%package -n qemu-uefi-riscv64
Summary: UEFI QEMU rom image (RISC-V 64)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-riscv64
This package contains the UEFI rom image (RISC-V 64) for QEMU
virt board.
%endif
%prep
# We download the edk2-edk2-stable%{version}.tar.gz from
# https://github.com/tianocore/edk2. Then we repackage the tarball for
# renaming the root build folder from edk2-edk2-stable%{version}/ to edk2/
# . This approach can reduce the size of FV image against FD_SIZE_2MB config.
# Please check ovmf.change rpm changelog for more detail.
%setup -q -n edk2
# bsc#973038 Remove the packages we don't need to avoid any potential
# license issue.
PKG_TO_REMOVE="EmulatorPkg"
rm -rf $PKG_TO_REMOVE
%autopatch -p1
# add openssl
pushd CryptoPkg/Library/OpensslLib/openssl
tar -xf %{SOURCE1} --strip 1
popd
# add berkeley-softfloat-3
pushd ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3
tar -xf %{SOURCE6} --strip 1
popd
# prepare the firmware descriptors for qemu
tar -xf %{SOURCE7}
# add oniguruma
pushd MdeModulePkg/Universal/RegularExpressionDxe/oniguruma
tar -xf %{SOURCE8} --strip 1
popd
# add public-mipi-sys-t
pushd MdePkg/Library/MipiSysTLib/mipisyst
tar -xf %{SOURCE9} --strip 1
popd
# add mbedtls
pushd CryptoPkg/Library/MbedTlsLib/mbedtls
tar -xf %{SOURCE10} --strip 1
popd
# add brotli
pushd BaseTools/Source/C/BrotliCompress/brotli
tar -xf %{SOURCE11} --strip 1
popd
pushd MdeModulePkg/Library/BrotliCustomDecompressLib/brotli
tar -xf %{SOURCE11} --strip 1
popd
# add libspdm
pushd SecurityPkg/DeviceSecurity/SpdmLib/libspdm
tar -xf %{SOURCE12} --strip 1
popd
%build
# Enable python3 build
export PYTHON3_ENABLE=TRUE
export PYTHON_COMMAND=python3
# For some reason ARM still uses TPM2_CONFIG_ENABLE
OVMF_FLAGS=" \
-D TPM2_ENABLE \
-D TPM2_CONFIG_ENABLE \
-D NETWORK_IP6_ENABLE \
-D NETWORK_HTTP_BOOT_ENABLE \
"
%if 0%{?suse_version} > 1320
TOOL_CHAIN=GCC5
%else
echo `gcc -dumpversion`
TOOL_CHAIN=GCC$(gcc -dumpversion|sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/')
%endif
# Flavors for x86
FLAVORS_X86=("ovmf-ia32")
BUILD_OPTIONS_X86=" \
$OVMF_FLAGS \
-D FD_SIZE_2MB \
-D SECURE_BOOT_ENABLE \
-D BUILD_SHELL=FALSE \
-a IA32 \
-p OvmfPkg/OvmfPkgIa32.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
# Flavors for x86_64: 2MB, 4MB, 4MB+SMM and AMD SEV
FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm" "ovmf-x86_64-sev")
# Flavors will NOT enroll default kek/db keys
FLAVORS_X64_SKIP_SB_KEY=("ovmf-x86_64-sev")
# Flavors only support unified image (no separate *-code/-vars files)
FLAVORS_X64_UNIFIED_ONLY=("ovmf-x86_64-sev")
BUILD_OPTIONS_X64=" \
$OVMF_FLAGS \
-D BUILD_SHELL=FALSE \
-a X64 \
-b DEBUG \
-t $TOOL_CHAIN \
"
# Flavors for aarch64
FLAVORS_AA64=("aavmf-aarch64")
BUILD_OPTIONS_AA64=" \
$OVMF_FLAGS \
-D SECURE_BOOT_ENABLE \
-D NETWORK_TLS_ENABLE \
-a AARCH64 \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
# Flavors for arm
FLAVORS_AA32=("aavmf-aarch32")
BUILD_OPTIONS_AA32=" \
-a ARM \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
%if %{with build_riscv64}
# Flavors for riscv
FLAVORS_RV64=("riscv")
BUILD_OPTIONS_RV64=" \
$OVMF_FLAGS \
-D SECURE_BOOT_ENABLE \
-a RISCV64 \
-p OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
%endif
# Build BaseTools
%ifarch x86_64
make -C BaseTools
%endif
%ifarch aarch64
ARCH=AARCH64 make -C BaseTools
%endif
%ifarch riscv64
ARCH=RISCV64 make -C BaseTools
%endif
# Import the build functions
source ./edksetup.sh
### Build x86 UEFI Images ###
%ifnarch %{ix86} x86_64
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_BIN="x86_64-suse-linux-"
%endif
build $BUILD_OPTIONS_X86
cp Build/OvmfIa32/DEBUG_*/FV/OVMF.fd ovmf-ia32.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_CODE.fd ovmf-ia32-code.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/OvmfIa32/
### Build x86_64 UEFI Images ###
%ifarch x86_64
collect_x86_64_debug_files()
{
local target="$1"
local out_dir="debug/$target"
local abs_path="`pwd`/$out_dir/"
local source_path="`pwd`"
local gdb_src_path="%{_prefix}/src/debug/ovmf-x86_64"
# copy the debug symbols
mkdir -p $out_dir
pushd Build/OvmfX64/DEBUG_GCC*/X64/
find . -mindepth 2 -type f -name "*.debug" -print0 | sort -z | xargs -i -0 cp --parents -a {} $abs_path
cp --parents -a DebugPkg/GdbSyms/GdbSyms/DEBUG/GdbSyms.dll $abs_path
build_path=`pwd`
popd
# Change the path in the python gdb script
sed "s:__BUILD_PATH__:$build_path:;s:__SOURCE_PATH__:$source_path:;s:__GDB_SRC_PATH__:$gdb_src_path:;s/__FLAVOR__/$target/" \
%{SOURCE101} > gdb_uefi-$target.py
}
%endif
declare -A EXTRA_FLAGS_X64
EXTRA_FLAGS_X64=(
[ovmf-x86_64]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_2MB -D SECURE_BOOT_ENABLE"
[ovmf-x86_64-4m]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SECURE_BOOT_ENABLE"
[ovmf-x86_64-smm]="-a IA32 -p OvmfPkg/OvmfPkgIa32X64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE -D SECURE_BOOT_ENABLE"
[ovmf-x86_64-sev]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE"
)
declare -A OUTDIR_X64
OUTDIR_X64=(
[ovmf-x86_64]="OvmfX64"
[ovmf-x86_64-4m]="OvmfX64"
[ovmf-x86_64-smm]="Ovmf3264"
[ovmf-x86_64-sev]="OvmfX64"
)
%ifnarch x86_64
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_BIN="x86_64-suse-linux-"
%endif
for flavor in ${FLAVORS_X64[@]}; do
build $BUILD_OPTIONS_X64 ${EXTRA_FLAGS_X64[$flavor]}
cp Build/${OUTDIR_X64[$flavor]}/DEBUG_*/FV/OVMF.fd $flavor.bin
cp Build/${OUTDIR_X64[$flavor]}/DEBUG_*/FV/OVMF_CODE.fd $flavor-code.bin
cp Build/${OUTDIR_X64[$flavor]}/DEBUG_*/FV/OVMF_VARS.fd $flavor-vars.bin
%ifarch x86_64
collect_x86_64_debug_files $flavor
%endif
done
# remove -code/-vars files for unfied only flavors
for flavor in ${FLAVORS_X64_UNIFIED_ONLY[@]}; do
rm $flavor-code.bin
rm $flavor-vars.bin
done
%ifarch x86_64
# Collect the source
mkdir -p source/ovmf-x86_64
# TODO get the source list from debug files
src_list=`find Build/OvmfX64/DEBUG_GCC*/X64/ -mindepth 1 -maxdepth 1 -type d -print0 | sort -z | xargs -0 -i basename {}`
find $src_list \( -name "*.c" -o -name "*.h" \) -type f -print0 | sort -z | xargs -0 -i cp --parents -a {} source/ovmf-x86_64
find source/ovmf-x86_64 -name *.c -type f -exec chmod 0644 {} \;
%endif
# The extra Xen flavor for x86_64
BUILD_OPTION_X64_XEN=" \
-p OvmfPkg/OvmfXen.dsc \
-a X64 \
-b DEBUG \
-t $TOOL_CHAIN \
"
# Build the 2MB Xen flavor
build $BUILD_OPTION_X64_XEN -D FD_SIZE_2MB
cp Build/OvmfXen/DEBUG_*/FV/OVMF.fd ovmf-x86_64-xen.bin
# Build the 4MB Xen flavor
build $BUILD_OPTION_X64_XEN -D FD_SIZE_4MB
cp Build/OvmfXen/DEBUG_*/FV/OVMF.fd ovmf-x86_64-xen-4m.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/OvmfX64/ Build/Ovmf3264/ Build/OvmfXen/
# Build with keys done later (shared between archs)
### Build AARCH64 UEFI Images ###
%ifnarch aarch64
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_AARCH64_PREFIX="aarch64-suse-linux-"
%endif
# Build the UEFI image without keys
build $BUILD_OPTIONS_AA64
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
truncate -s 64M aavmf-aarch64-code.bin
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
truncate -s 64M aavmf-aarch64-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/ArmVirtQemu-AARCH64/
# Build with keys done later (shared between archs)
### Build AARCH32 UEFI Images ###
%ifnarch armv7hl
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_ARM_PREFIX="arm-suse-linux-gnueabi-"
%endif
# Build the UEFI image
build $BUILD_OPTIONS_AA32
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch32-code.bin
truncate -s 64M aavmf-aarch32-code.bin
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch32-vars.bin
truncate -s 64M aavmf-aarch32-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/ArmVirtQemu-ARM/
### Build RISCV64 UEFI Images ###
%if %{with build_riscv64}
%ifnarch riscv64
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_RISCV64_PREFIX="riscv64-suse-linux-"
%endif
# Build the UEFI image without keys
build $BUILD_OPTIONS_RV64
cp Build/RiscVVirtQemu/DEBUG_GCC*/FV/RISCV_VIRT_CODE.fd ovmf-riscv64-code.bin
truncate -s 32M ovmf-riscv64-code.bin
cp Build/RiscVVirtQemu/DEBUG_GCC*/FV/RISCV_VIRT_VARS.fd ovmf-riscv64-vars.bin
truncate -s 32M ovmf-riscv64-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/RiscVVirtQemu/
%endif
### Build the variable store templates ###
# Default key sources: ms suse opensuse
KEY_SOURCES=(ms suse opensuse)
# Add 'devel' if necessary
if [ -e %{_sourcedir}/_projectcert.crt ]; then
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash)
if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then
KEY_SOURCES+=(devel)
fi
fi
# Assign the default PK/KEK
declare -A PKKEK
PKKEK=(
[ms]=%{SOURCE3}
[suse]=%{SOURCE3}
[opensuse]=%{SOURCE4}
[devel]=%{_sourcedir}/_projectcert.crt
)
generate_sb_var_templates()
{
local ARCH=$1
# We only build the variable templates for X64 and AARCH64
if [ "$ARCH" == "X64" ]; then
FLAVORS=${FLAVORS_X64[@]}
# some flavors should NOT enroll default keys
for skip in ${FLAVORS_X64_SKIP_SB_KEY[@]}; do
FLAVORS=("${FLAVORS[@]/$skip}")
done
elif [ "$ARCH" == "AARCH64" ]; then
FLAVORS=${FLAVORS_AA64[@]}
fi
# Generate the varstore templates
for flavor in ${FLAVORS[@]}; do
for key in ${KEY_SOURCES[@]}; do
ln "${flavor}-code.bin" "${flavor}-${key}-code.bin"
if [ "$key" == "ms" ]; then
virt-fw-vars --secure-boot --enroll-cert "${PKKEK[$key]}" -i "${flavor}-vars.bin" -o "${flavor}-${key}-vars.bin"
else
# GUID of EnrollDefaultKeys.efi, already used by virt-fw-vars for PK and KEK
virt-fw-vars --secure-boot --enroll-cert "${PKKEK[$key]}" -i "${flavor}-vars.bin" -o "${flavor}-${key}-vars.bin" \
--no-microsoft --microsoft-kek none --add-db a0baa8a3-041d-48a8-bc87-c36d121b5e3d "${PKKEK[$key]}"
fi
done
done
if [ "$ARCH" == "X64" ]; then
# Generate the unified firmware with preloaded keys for
# backward compatibility. (bsc#1159793)
for flavor in ${FLAVORS[@]}; do
for key in ${KEY_SOURCES[@]}; do
cat "${flavor}-${key}-vars.bin" "${flavor}-code.bin" > "${flavor}-${key}.bin"
done
done
fi
}
# Generate the variable stores with default Secure Boot keys
generate_sb_var_templates X64
generate_sb_var_templates AARCH64
# Rename the x86_64 4MB firmware
# We use ovmf-x86_64-$key-4m instead of ovmf-x86_64-4m-$key in the
# version < stable201905. Rename the 4MB firmware files for backward
# compatibility.
for key in ${KEY_SOURCES[@]}; do
rename "4m-$key" "$key-4m" *"4m-$key"*.bin
done
%install
cp %{SOURCE2} README
sed -i s/'\r'// License.txt
# Install BaseTools
install -d %{buildroot}/%{_bindir}
install -m 0755 --strip BaseTools/Source/C/bin/EfiRom %{buildroot}/%{_bindir}
# Replace @DATADIR@ in the firmware descriptors
sed -i "s:@DATADIR@:%{_datadir}/qemu:" descriptors/*.json
tr -d '\r' < OvmfPkg/License.txt > License-ovmf.txt
install -m 0644 -D ovmf-*.bin -t %{buildroot}/%{_datadir}/qemu/
install -m 0644 -D qemu-uefi-*.bin -t %{buildroot}/%{_datadir}/qemu/
install -m 0644 -D aavmf-*.bin -t %{buildroot}/%{_datadir}/qemu/
install -m 0644 -D descriptors/*.json \
-t %{buildroot}/%{_datadir}/qemu/firmware
%fdupes %{buildroot}/%{_datadir}/qemu/
%ifarch x86_64
# Install debug symbols, gdb-uefi.py
install -d %{buildroot}/%{_datadir}/ovmf-x86_64/
install -m 0644 gdb_uefi-*.py %{buildroot}/%{_datadir}/ovmf-x86_64/
mkdir -p %{buildroot}%{_prefix}/lib/debug
mv debug/ovmf-x86_64* %{buildroot}%{_prefix}/lib/debug
%fdupes %{buildroot}%{_prefix}/lib/debug/ovmf-x86_64*
mkdir -p %{buildroot}%{_prefix}/src/debug
mv source/ovmf-x86_64* %{buildroot}%{_prefix}/src/debug
%fdupes -s %{buildroot}%{_prefix}/src/debug/ovmf-x86_64
%endif
%if %{without build_riscv64}
rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
%endif
%files
%doc README
%files tools
%doc BaseTools/UserManuals/EfiRom_Utility_Man_Page.rtf
%{_bindir}/EfiRom
%files -n qemu-ovmf-ia32
%license License.txt License-ovmf.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-ia32*.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-ia32*.json
%files -n qemu-ovmf-x86_64
%license License.txt License-ovmf.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-x86_64*.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-x86_64*.json
%ifarch x86_64
%files -n qemu-ovmf-x86_64-debug
%{_datadir}/ovmf-x86_64/
%dir %{_prefix}/lib/debug/
%{_prefix}/lib/debug/ovmf-x86_64*
%dir %{_prefix}/src/debug/
%{_prefix}/src/debug/ovmf-x86_64*
%endif
%files -n qemu-uefi-aarch64
%license License.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/qemu-uefi-aarch64*.bin
%{_datadir}/qemu/aavmf-aarch64-*code.bin
%{_datadir}/qemu/aavmf-aarch64-*vars.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-aarch64*.json
%files -n qemu-uefi-aarch32
%license License.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/qemu-uefi-aarch32.bin
%{_datadir}/qemu/aavmf-aarch32-code.bin
%{_datadir}/qemu/aavmf-aarch32-vars.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-aarch32*.json
%if %{with build_riscv64}
%files -n qemu-uefi-riscv64
%license License.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-riscv64-code.bin
%{_datadir}/qemu/ovmf-riscv64-vars.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-riscv64*.json
%endif
%changelog
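Review bot: in generate_sb_var_templates, FLAVORS=${FLAVORS_X64[@]} assigns one space-joined string rather than an array, so FLAVORS=("${FLAVORS[@]/$skip}") just deletes the text ovmf-x86_64-sev from that string and the later unquoted for loops re-split it. Keeping the SEV flavor out of Secure Boot key enrollment therefore depends on substring matching and word splitting. Build the list explicitly instead: declare a local array, loop over FLAVORS_X64, and append each flavor that is not in FLAVORS_X64_SKIP_SB_KEY. That also stops FLAVORS leaking as a global between the X64 and AARCH64 calls. Separately, only the OpenSSL tarball is accompanied by a detached signature and keyring (Source111, Source112); the other bundled tarballs (Source6 to Source12) are local files with no download URL or signature, so record the upstream commit or a checksum next to each Source line.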

BIN
public-mipi-sys-t-1.1-edk2.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.