Accepting request 661569 from home:gary_lin:branches:Virtualization

- Add a new "smm" flavor to enable System Management Mode
  + Also add ovmf-add-exclude-shell-flag.patch to exclude shell
    from the resultant SMM firmware files
- Retire the old openSUSE 4096 bit certificates since all those
  programs are unmaintained.
- Amend the numbering of patches and sources
- Update README to reflect the current status

OBS-URL: https://build.opensuse.org/request/show/661569
OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=120
Gary Ching-Pang Lin 2018-12-27 09:55:16 +00:00 committed by Git OBS Bridge
parent 79be880b8a
commit af887200c4
6 changed files with 121 additions and 239 deletions

76
README

@ -1,53 +1,30 @@
Running the OVMF image in qemu
==============================
There are two flavors of the OVMF efi images: the 64 bit and 32 bit one.
For the 64 bit image, use the following command:
The easiest way to run the OVMF image is to specify a pflash device for the
firmware file. Here is the example to use OVMF in the flash mode:
qemu-system-x86_64 -bios /usr/share/qemu/ovmf-x86_64.bin
$ cp /usr/share/qemu/ovmf-x86_64.bin .
$ qemu-system-x86_64 -pflash ovmf-x86_64.bin
For 32 bit:
qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin
The rom will boot up to an EFI shell. If you add standard things like a USB
drive, you can also run efi executables.
To enrol the platform and key exchange keys, exit the efi shell, select
'Device Manager' then 'Secure Boot Configuration' and change the secure boot
mode from "Standard Mode" to "Custom Mode". This will cause an extra "Custom
Secure Boot Options" menu to appear from which you can enrol the Platform and
Key Exchange keys (these need to be present on external media, like a USB
key).
Note that enroling the KEK will require you to specify a GUID. The GUID is
used only to identify the keys later (it's essentially the globally unique
label for the key). If you only enrol one KEK, you can ignore this and it
will end up with a GUID of all zeros.
Flash Mode
----------
For version >= r14840, OVMF supports the qemu flash mode. The non-volatile
variables were originally stored in NvVars, a file in the ESP. With the flash
mode support, all changes will be saved in the firmware file directly.
Here is the example to use OVMF in the flash mode:
qemu-system-x86_64 -pflash ovmf-x86_64.bin
Please make sure the firmware is writable before using the flash mode, or all
Please make sure the file is writable before using the flash mode, or all
your changes won't be saved.
Starting from r15670, two extra firmware files are provided for the flash mode:
ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be
stored in ovmf-*-vars.bin. Example:
qemu-system-x86_64 -drive if=pflash,format=raw,readonly,file=ovmf-x86_64-code.bin \
-drive if=pflash,format=raw,file=ovmf-x86_64-vars.bin
$ cp /usr/share/qemu/ovmf-x86_64-vars.bin .
$ qemu-system-x86_64 \
-drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-code.bin \
-drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-vars.bin
It would be easier to manage the NV variables with the separated vars firmware.
NOTE: Although it's possible to run OVMF with '-bios', this is not recommended.
In the BIOS mode, OVMF has to store the NV variables in a file, NvVars,
to emulate flash and this is usually unreliable and error-prone.
Image with preloaded keys
-------------------------
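Review bot: the 32-bit image loses its only boot example in this hunk. The `qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin` line goes away together with the rest of the `-bios` text, and both new pflash examples show only ovmf-x86_64, although the spec still produces the ia32 files (ovmf-ia32-vars.bin appears in the spec hunk context below). Either add the ia32 equivalent of the split-file example (a copied ovmf-ia32-vars.bin on unit=1 and the ia32 code image read-only on unit=0) or state that the ia32 image follows the same pattern. The split-file example would also benefit from one sentence on why unit=0 carries `readonly`: the code image must never be writable by the guest, and only the per-VM copy of the vars file should be, which is also the reason the example copies the vars file out of /usr/share/qemu first.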
@ -68,7 +45,7 @@ ovmf-x86_64-opensuse.bin
ovmf-x86_64-suse.bin
- PK: SUSE Linux Enterprise Secure Boot CA
- KEK: SUSE Linux Enterprise Secure Boot CA
- db: SUSE Linux Enterprise Secure Boot Signkey
- db: SUSE Linux Enterprise Secure Boot CA
Note that the preloaded key images are all 64 bit because openSUSE/SLE and
Windows only support Secure Boot in 64 bit mode.
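Review bot: the db entry for ovmf-x86_64-suse.bin changing from "Signkey" to "CA" in this hunk matches the spec, where Default_DB for the suse set is generated from the same certificate as PK and KEK (`openssl x509 -in %{SOURCE3} -outform DER > Default_DB`). Worth a sentence here that enrolling the CA rather than a leaf signing certificate in db means the firmware accepts any binary whose signing certificate chains to that CA, which is a wider trust grant than the previous wording suggested, and that the opensuse image above keeps the leaf Signkey in db, so the two preloaded sets do not behave the same way.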
@ -82,6 +59,31 @@ a larger variable store. To maintain the backward compatibility, the 4MB
images are built separately. Only those images with 4m, e.g. ovmf-x86_64-4m.bin,
are the 4MB images. Otherwise, it's built with FD_SIZE_2MB, i.e. a 2MB image.
x86_64 SMM Support
------------------
The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images
with SMM support. SMM provides better (virtual) hardware separation between
the guest OS and the firmware to prevent the runtime guest OS from tampering
with the variable store and S3 areas. Here are the requirements to use the
SMM images:
* SMM support requires QEMU 2.5.
* The minimum required QEMU machine type is "pc-q35-2.5".
* SMM with KVM requires Linux 4.4 (host).
Here are the qemu commands to start a VM with SMM support:
$ cp /usr/share/qemu/ovmf-x86_64-smm-vars.bin .
$ qemu-system-x86_64 \
-machine q35,smm=on,accel=(tcg|kvm) \
-global driver=cfi.pflash01,property=secure,value=on \
-drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-smm-code.bin \
-drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-smm-vars.bin \
-global ICH9-LPC.disable_s3=1 \
...
NOTE: The pflash variables store is required to use OVMF with SMM.
Creating Platform and Key Exchange keys
=======================================
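Review bot: the sentence in this hunk's leading context, "Only those images with 4m ... are the 4MB images. Otherwise, it's built with FD_SIZE_2MB", is no longer true once the spec change lands: build_ovmf compiles the *-smm images with `-D FD_SIZE_4MB -D SMM_REQUIRE -D EXCLUDE_SHELL`, so the -smm images are 4MB images as well and should be listed next to -4m. Two more gaps in the new section: it does not say that the -smm images ship without the UEFI shell (the commit message does, and the README's introduction still promises that the image boots to an EFI shell), and it does not explain the two -global lines, namely that `property=secure,value=on` on the pflash device is what restricts writes to the variable store to code running in SMM and that `ICH9-LPC.disable_s3=1` removes the S3 resume path the section says SMM protects; without that, the closing NOTE about the pflash variable store being required reads as an arbitrary rule. Finally, `accel=(tcg|kvm)` should be flagged as a pick-one placeholder rather than literal syntax.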


@ -1,37 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8
YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN
z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh
O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/
w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf
RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM
ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx
ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg
i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i
EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH
CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg
4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ
DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79
aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg
Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w
ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y
Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu
Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/
phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD
dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0
nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD
eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c
sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO
Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3
BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG
A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI
xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp
4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL
-----END CERTIFICATE-----


@ -1,110 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
Validity
Not Before: Jan 28 15:10:28 2013 GMT
Not After : Dec 7 15:10:28 2022 GMT
Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cb:35:e0:9c:cf:d8:f7:4b:eb:e3:94:2c:f2:11:
77:33:86:9c:28:1d:19:de:45:69:21:5e:a0:94:4a:
0b:b5:41:2e:67:01:6b:91:76:3a:85:66:2a:63:8b:
87:2b:e8:94:8a:12:6e:25:13:b0:07:3f:28:2b:76:
25:3e:29:b2:55:42:e7:3b:44:24:1d:b7:99:32:cb:
44:d2:b4:88:cb:a9:4f:a7:b3:06:be:5c:aa:ee:2b:
04:09:aa:ec:58:63:5a:c8:62:c7:d9:68:43:fb:bd:
0e:92:ff:4c:ec:02:44:bc:95:c9:9f:d1:be:21:f8:
f4:b2:6d:5a:0a:d5:4d:98:65:cc:c1:8c:ef:df:f2:
9f:da:45:05:76:f9:1a:c0:8b:d5:1c:05:f2:c0:b8:
4a:b0:12:df:43:ca:d5:0b:18:46:b3:03:be:cd:a7:
d7:01:80:f1:c5:ca:ee:d9:3a:1f:4a:33:7d:50:01:
ab:d7:3a:48:6e:62:59:73:62:1e:38:ef:32:31:ee:
58:18:7d:59:05:8a:fb:7d:d4:0d:5e:9d:47:9b:d8:
af:b6:11:9f:3c:e7:13:84:e4:00:ec:0a:97:89:22:
90:f3:14:e6:df:c1:75:07:ad:24:38:d8:e0:8f:f6:
b9:c0:db:45:e3:6e:81:5c:1e:29:d0:78:ae:6c:a7:
4b:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
03:32:FA:9C:BF:0D:88:BF:21:92:4B:0D:E8:2A:09:A5:4D:5D:EF:C8
X509v3 Authority Key Identifier:
keyid:99:0D:26:B7:F0:4D:D9:CE:64:E7:D1:8E:FD:68:7B:4A:5D:E2:86:A5
DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Signature Algorithm: sha256WithRSAEncryption
ad:b9:27:89:ed:02:85:3c:c8:5d:fb:28:45:04:16:78:74:58:
49:41:55:88:a7:4c:20:77:55:53:6a:d2:72:5b:70:ba:b6:02:
4f:f2:3d:be:3f:85:52:46:bd:44:31:33:61:20:69:f1:81:7e:
30:3a:b1:5b:ea:bd:91:2a:6e:7d:1b:42:74:93:26:a8:e5:c0:
05:29:cd:50:7d:96:5d:ef:6a:74:f4:4b:0c:26:45:d6:c7:b4:
52:df:92:67:dc:ea:cb:fb:75:4b:22:cd:27:17:7a:d8:76:0b:
bb:df:da:bc:6a:24:a0:48:74:2b:3b:12:45:16:89:b2:a6:df:
8c:b9:f7:02:58:aa:c6:53:fe:32:de:16:b6:8b:8b:ff:91:35:
67:a2:59:8f:40:97:25:e6:e5:0c:cd:a8:4a:f7:aa:a8:55:42:
88:4a:23:48:11:53:02:52:d1:dc:77:c5:23:05:77:cb:5d:fa:
af:b6:da:26:2e:34:cc:76:0e:4d:c0:0f:d1:de:9c:53:19:89:
2c:38:af:ef:11:e6:69:bc:0e:7e:83:24:40:7b:63:99:89:85:
1d:73:66:4e:d0:de:05:61:c2:37:91:fe:c7:6b:20:5f:4a:f2:
d4:a4:c8:81:ed:4f:87:fe:a8:d1:75:bc:17:d0:f7:ef:33:1e:
a4:3f:5f:6a:36:0a:4c:bf:7b:25:bd:af:1d:d5:fd:f6:0b:39:
7c:ce:75:bc:48:cb:99:c3:39:de:60:6d:72:03:a1:93:55:70:
99:ff:69:ff:8c:80:ca:d4:23:bb:ea:0d:9d:40:d5:49:b0:29:
20:09:45:98:c8:24:25:fe:da:68:eb:02:d4:25:f5:6e:e1:f2:
a6:6d:d8:78:2a:ff:8c:c2:08:d4:87:bf:88:06:a0:3b:58:12:
d7:2f:b3:59:2a:4b:9e:bf:5d:04:72:66:29:03:7c:45:24:04:
4d:61:5c:e5:b8:85:ea:6e:4b:d6:6c:e8:b8:a1:1a:92:92:7d:
fa:90:1f:43:b2:82:f0:9a:5a:32:cd:cc:4a:e3:c7:91:e5:f6:
94:ef:1f:6a:a4:2c:b5:fa:3f:58:bf:62:e6:d6:fb:71:3a:02:
e0:e4:b3:db:ba:78:5e:fc:1a:42:9b:e8:02:ec:73:34:1f:8c:
77:f6:d8:2d:6b:97:dc:b7:13:1f:bd:ab:7b:ca:cd:ea:3d:1e:
d2:01:bf:f1:44:ca:df:86:13:37:42:5d:d7:f8:2e:68:e6:7f:
59:75:b8:15:fa:f8:42:45:01:5b:06:50:fc:6a:88:96:4b:3a:
8f:1d:11:b5:88:0f:3a:31:13:cb:d7:8d:94:cd:14:10:3d:9a:
46:26:8a:97:59:c0:66:95
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,19 @@
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 96a114a2..9102d1e0 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -289,12 +289,14 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
INF MdeModulePkg/Logo/LogoDxe.inf
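Review bot: the new `!ifndef $(EXCLUDE_SHELL)` guard in this hunk only keeps the shell (and TftpDynamicCommand) out of the flash image described by OvmfPkgX64.fdf; nothing in the patch touches the matching component list in the platform .dsc, so the shell modules are still compiled and merely not placed in the firmware volume, and only the X64 platform is covered. That is consistent with the spec applying %patch1 under %ifarch x86_64 and passing -D EXCLUDE_SHELL only for the smm case, but a short header in the patch file stating the intent (no shell in the SMM_REQUIRE images) would keep the .fdf and the spec in sync when the patch is next rebased.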


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Dec 27 07:43:41 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>
- Add a new "smm" flavor to enable System Management Mode
+ Also add ovmf-add-exclude-shell-flag.patch to exclude shell
from the resultant SMM firmware files
- Retire the old openSUSE 4096 bit certificates since all those
programs are unmaintained.
- Amend the numbering of patches and sources
- Update README to reflect the current status
-------------------------------------------------------------------
Mon Dec 3 08:05:38 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>

107
ovmf.spec

@ -33,18 +33,17 @@ Source111: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
Source112: openssl.keyring
Source2: README
Source3: SLES-UEFI-CA-Certificate-2048.crt
Source5: MicCorKEKCA2011_2011-06-24.crt
Source6: MicCorUEFCA2011_2011-06-27.crt
Source7: openSUSE-UEFI-CA-Certificate-2048.crt
Source8: openSUSE-UEFI-SIGN-Certificate-2048.crt
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: openSUSE-UEFI-SIGN-Certificate-4096.crt
Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
Source12: strip_authinfo.pl
Source13: MicWinProPCA2011_2011-10-19.crt
Source14: owner-guid-zero.h
Source4: MicCorKEKCA2011_2011-06-24.crt
Source5: MicCorUEFCA2011_2011-06-27.crt
Source6: MicWinProPCA2011_2011-10-19.crt
Source7: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
Source8: openSUSE-UEFI-CA-Certificate-2048.crt
Source9: openSUSE-UEFI-SIGN-Certificate-2048.crt
Source10: strip_authinfo.pl
Source11: owner-guid-zero.h
Source100: %{name}-rpmlintrc
Source101: gdb_uefi.py.in
Patch1: %{name}-add-exclude-shell-flag.patch
Patch2: %{name}-embed-default-keys.patch
Patch3: %{name}-gdb-symbols.patch
Patch4: %{name}-pie.patch
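Review bot: Source7 in this hunk still fetches the UEFI revocation list (dbxupdate.zip) over plain http://, and nothing visible in the spec verifies it before it is unpacked and embedded as Default_DBX in the ms images; since that list decides which signed binaries the firmware rejects, fetch it over https and pin a checksum (or keep a tracked copy as a source) so an altered download cannot silently change the embedded dbx. The renumbering itself is consistent with the later hunks (SOURCE14 to 11, SOURCE11 to 7, SOURCE5/6/13 to 4/5/6, SOURCE12 to 10, SOURCE7/8 to 8/9), but because every %{SOURCEn} reference shifted, a grep for any remaining %{SOURCE1[2-4]} after applying the change is cheap insurance.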
@ -159,6 +158,7 @@ StdLibPrivateInternalFiles UnixPkg Vlv2DeviceRefCodePkg Vlv2TbltDevicePkg"
rm -rf $PKG_TO_REMOVE
%ifarch x86_64
%patch1 -p1
%patch2 -p1
%endif
%patch3 -p1
@ -218,9 +218,6 @@ cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin
%else
%ifarch x86_64
# Build the 2MB UEFI image for the backward compatibility
build $BUILD_OPTIONS -D FD_SIZE_2MB
collect_debug_files()
{
target="$1"
@ -242,12 +239,32 @@ collect_debug_files()
%{SOURCE101} > gdb_uefi-$target.py
}
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-vars.bin
build_ovmf()
{
name="$1"
case $name in
*-smm)
build $BUILD_OPTIONS -D FD_SIZE_4MB -D SMM_REQUIRE -D EXCLUDE_SHELL
;;
*-4m)
build $BUILD_OPTIONS -D FD_SIZE_4MB
;;
*)
build $BUILD_OPTIONS -D FD_SIZE_2MB
;;
esac
}
# OVMF without any default keys
for name in ovmf-x86_64 ovmf-x86_64-4m ovmf-x86_64-smm; do
build_ovmf $name
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd $name.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd $name-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd $name-vars.bin
collect_debug_files $name
done
# Collect the debug files
collect_debug_files ovmf-x86_64
# Collect the source
mkdir -p source/ovmf-x86_64
# TODO get the source list from debug files
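Review bot: the unchanged "# Collect the debug files / collect_debug_files ovmf-x86_64" lines after the new loop are now redundant, and likely wrong: the loop already runs `collect_debug_files $name` for ovmf-x86_64, and by the time the trailing call runs, Build/OvmfX64 holds the output of the last iteration (ovmf-x86_64-smm), so if collect_debug_files reads from Build/OvmfX64 the way the cp lines do, it overwrites the correct ovmf-x86_64 debug files with the smm build's. Drop those two lines. The same applies to the "# Collect the source" block that follows: it copies from Build/OvmfX64/DEBUG_GCC*/X64/ after the loop, so the source tree it captures is the smm build's, which should at least be stated in the comment.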
@ -255,14 +272,6 @@ src_list=`find Build/OvmfX64/DEBUG_GCC*/X64/ -mindepth 1 -maxdepth 1 -type d -ex
find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ovmf-x86_64 \;
find source/ovmf-x86_64 -name *.c -type f -exec chmod 0644 {} \;
# Build the 4MB UEFI image
build $BUILD_OPTIONS -D FD_SIZE_4MB
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-4m.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-4m-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-4m-vars.bin
collect_debug_files ovmf-x86_64-4m
build_with_keys()
{
suffix_base="$1"
@ -273,12 +282,8 @@ build_with_keys()
xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h
cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h
for suffix in $suffix_base $suffix_base-4m; do
if [ "$suffix" = "$suffix_base-4m" ]; then
build $BUILD_OPTIONS -D FD_SIZE_4MB
else
build $BUILD_OPTIONS -D FD_SIZE_2MB
fi
for suffix in $suffix_base $suffix_base-4m $suffix_base-smm; do
build_ovmf $suffix
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-$suffix-vars.bin
@ -286,50 +291,42 @@ build_with_keys()
collect_debug_files ovmf-x86_64-$suffix
done
}
# OVMF with SUSE keys
openssl x509 -in %{SOURCE3} -outform DER > Default_PK
openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
openssl x509 -in %{SOURCE3} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
cat %{SOURCE14} > Default_Owner
cat %{SOURCE11} > Default_Owner
build_with_keys suse
#unpack the UEFI revocation list
unzip %{SOURCE11}
unzip %{SOURCE7}
# OVMF with MS keys
cat %{SOURCE5} > Default_PK
cat %{SOURCE5} > Default_KEK
cat %{SOURCE6} > Default_DB
cat %{SOURCE13} > Default_DB_EX
chmod 755 %{SOURCE12}
%{SOURCE12} dbxupdate.bin Default_DBX
cat %{SOURCE4} > Default_PK
cat %{SOURCE4} > Default_KEK
cat %{SOURCE5} > Default_DB
cat %{SOURCE6} > Default_DB_EX
chmod 755 %{SOURCE10}
%{SOURCE10} dbxupdate.bin Default_DBX
echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \
Default_Owner
build_with_keys ms
# OVMF with openSUSE keys
openssl x509 -in %{SOURCE7} -outform DER > Default_PK
openssl x509 -in %{SOURCE7} -outform DER > Default_KEK
openssl x509 -in %{SOURCE8} -outform DER > Default_DB
openssl x509 -in %{SOURCE8} -outform DER > Default_PK
openssl x509 -in %{SOURCE8} -outform DER > Default_KEK
openssl x509 -in %{SOURCE9} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
cat %{SOURCE14} > Default_Owner
cat %{SOURCE11} > Default_Owner
build_with_keys opensuse
# OVMF with openSUSE keys (4096 bit CA)
openssl x509 -in %{SOURCE9} -outform DER > Default_PK
openssl x509 -in %{SOURCE9} -outform DER > Default_KEK
openssl x509 -in %{SOURCE10} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
cat %{SOURCE14} > Default_Owner
build_with_keys opensuse-4096
if [ -e %{_sourcedir}/_projectcert.crt ]; then
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE7} -noout -subject_hash)
opensusesubject=$(openssl x509 -in %{SOURCE8} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash)
if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_PK
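Review bot: the suse set at the top of this hunk generates PK, KEK and db all from %{SOURCE3} (the SLES CA), while the opensuse set uses the CA (%{SOURCE8}) for PK and KEK but the leaf Signkey (%{SOURCE9}) for db. If the difference is intentional, say so in a comment next to the suse block, because a reader comparing the two will otherwise assume one of them is a typo; if the suse db was meant to hold a leaf certificate like the opensuse one, the CA in db is a wider trust grant than intended (anything chained to that CA boots). The removal of the opensuse-4096 block matches the changelog entry, and the %{SOURCE...} references in the rewritten lines agree with the renumbered Source list.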
@ -337,7 +334,7 @@ if [ -e %{_sourcedir}/_projectcert.crt ]; then
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
cat %{SOURCE14} > Default_Owner
cat %{SOURCE11} > Default_Owner
build_with_keys devel
fi
fi