diff --git a/README b/README index 8637886..4e95385 100644 --- a/README +++ b/README 
@@ -1,53 +1,30 @@ Running the OVMF image in qemu ============================== -There are two flavors of the OVMF efi images: the 64 bit and 32 bit one. -For the 64 bit image, use the following command: +The easiest way to run the OVMF image is to specify a pflash device for the +firmware file. Here is the example to use OVMF in the flash mode: -qemu-system-x86_64 -bios /usr/share/qemu/ovmf-x86_64.bin + $ cp /usr/share/qemu/ovmf-x86_64.bin . + $ qemu-system-x86_64 -pflash ovmf-x86_64.bin -For 32 bit: - -qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin - -The rom will boot up to an EFI shell. If you add standard things like a USB -drive, you can also run efi executables. - -To enrol the platform and key exchange keys, exit the efi shell, select -'Device Manager' then 'Secure Boot Configuration' and change the secure boot -mode from "Standard Mode" to "Custom Mode". This will cause an extra "Custom -Secure Boot Options" menu to appear from which you can enrol the Platform and -Key Exchange keys (these need to be present on external media, like a USB -key). - -Note that enroling the KEK will require you to specify a GUID. The GUID is -used only to identify the keys later (it's essentially the globally unique -label for the key). If you only enrol one KEK, you can ignore this and it -will end up with a GUID of all zeros. - -Flash Mode ----------- - -For version >= r14840, OVMF supports the qemu flash mode. The non-volatile -variables were originally stored in NvVars, a file in the ESP. With the flash -mode support, all changes will be saved in the firmware file directly. - -Here is the example to use OVMF in the flash mode: - -qemu-system-x86_64 -pflash ovmf-x86_64.bin - -Please make sure the firmware is writable before using the flash mode, or all +Please make sure the file is writable before using the flash mode, or all your changes won't be saved. 
Starting from r15670, two extra firmware files are provided for the flash mode: ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be stored in ovmf-*-vars.bin. Example: -qemu-system-x86_64 -drive if=pflash,format=raw,readonly,file=ovmf-x86_64-code.bin \ - -drive if=pflash,format=raw,file=ovmf-x86_64-vars.bin + $ cp /usr/share/qemu/ovmf-x86_64-vars.bin . + $ qemu-system-x86_64 \ + -drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-code.bin \ + -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-vars.bin It would be easier to manage the NV variables with the separated vars firmware. +NOTE: Although it's possible to run OVMF with '-bios', this is not recommended. + In the BIOS mode, OVMF has to store the NV variables in a file, NvVars, + to emulate flash and this is usually unreliable and error-prone. + Image with preloaded keys ------------------------- @@ -68,7 +45,7 @@ ovmf-x86_64-opensuse.bin ovmf-x86_64-suse.bin - PK: SUSE Linux Enterprise Secure Boot CA - KEK: SUSE Linux Enterprise Secure Boot CA -- db: SUSE Linux Enterprise Secure Boot Signkey +- db: SUSE Linux Enterprise Secure Boot CA Note that the preloaded key images are all 64 bit because openSUSE/SLE and Windows only support Secure Boot in 64 bit mode. 
@@ -82,6 +59,31 @@ a larger variable store. To maintain the backward compatibility, the 4MB images are built separately. Only those images with 4m, e.g. ovmf-x86_64-4m.bin, are the 4MB images. Otherwise, it's built with FD_SIZE_2MB, i.e. a 2MB image. +x86_64 SMM Support +------------------ +The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images +with SMM support. SMM provides better (virtual) hardware separation between +the guest OS and the firmware to prevent the runtime guest OS from tampering +with the variable store and S3 areas. Here are the requirements to use the +SMM images: + +* SMM support requires QEMU 2.5. +* The minimum required QEMU machine type is "pc-q35-2.5". +* SMM with KVM requires Linux 4.4 (host). + +Here are the qemu commands to start a VM with SMM support: + + $ cp /usr/share/qemu/ovmf-x86_64-smm-vars.bin . + $ qemu-system-x86_64 \ + -machine q35,smm=on,accel=(tcg|kvm) \ + -global driver=cfi.pflash01,property=secure,value=on \ + -drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-smm-code.bin \ + -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-smm-vars.bin \ + -global ICH9-LPC.disable_s3=1 \ + ... + +NOTE: The pflash variables store is required to use OVMF with SMM. + Creating Platform and Key Exchange keys ======================================= diff --git a/openSUSE-UEFI-CA-Certificate-4096.crt b/openSUSE-UEFI-CA-Certificate-4096.crt deleted file mode 100644 index 7a4c704..0000000 --- a/openSUSE-UEFI-CA-Certificate-4096.crt +++ /dev/null 
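Review bot: The new "x86_64 SMM Support" section contradicts the size statement kept as context just above it ("Only those images with 4m, e.g. ovmf-x86_64-4m.bin, are the 4MB images. Otherwise, it's built with FD_SIZE_2MB"): in ovmf.spec (hunk `@@ -242,12 +239,32 @@`) every `*-smm` flavor is built with `-D FD_SIZE_4MB -D SMM_REQUIRE -D EXCLUDE_SHELL`, so the -smm images are 4MB images without a "4m" in their name. The section also does not tell the reader that the -smm images ship without the UEFI shell, which is a visible behavioural difference from every other flavor and matters to anyone who relies on the shell for enrolling keys. I would add after the requirement list: `* The "-smm" images use the 4MB layout (like "-4m") and do not include the UEFI shell.` and, in the 2MB/4MB paragraph above, change "Only those images with 4m" to "Only those images with 4m or smm".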
@@ -1,37 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl -blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl -bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW -EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz -MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE -BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv -amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8 -YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN -z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh -O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/ -w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf -RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM -ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx -ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg -i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i -EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH -CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg -4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ -DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79 -aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg -Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w -ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y -Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu -Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/ -phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD -dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0 -nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD -eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c 
-sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO -Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3 -BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG -A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI -xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp -4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL ------END CERTIFICATE----- diff --git a/openSUSE-UEFI-SIGN-Certificate-4096.crt b/openSUSE-UEFI-SIGN-Certificate-4096.crt deleted file mode 100644 index d373a23..0000000 --- a/openSUSE-UEFI-SIGN-Certificate-4096.crt +++ /dev/null 
@@ -1,110 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org - Validity - Not Before: Jan 28 15:10:28 2013 GMT - Not After : Dec 7 15:10:28 2022 GMT - Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:cb:35:e0:9c:cf:d8:f7:4b:eb:e3:94:2c:f2:11: - 77:33:86:9c:28:1d:19:de:45:69:21:5e:a0:94:4a: - 0b:b5:41:2e:67:01:6b:91:76:3a:85:66:2a:63:8b: - 87:2b:e8:94:8a:12:6e:25:13:b0:07:3f:28:2b:76: - 25:3e:29:b2:55:42:e7:3b:44:24:1d:b7:99:32:cb: - 44:d2:b4:88:cb:a9:4f:a7:b3:06:be:5c:aa:ee:2b: - 04:09:aa:ec:58:63:5a:c8:62:c7:d9:68:43:fb:bd: - 0e:92:ff:4c:ec:02:44:bc:95:c9:9f:d1:be:21:f8: - f4:b2:6d:5a:0a:d5:4d:98:65:cc:c1:8c:ef:df:f2: - 9f:da:45:05:76:f9:1a:c0:8b:d5:1c:05:f2:c0:b8: - 4a:b0:12:df:43:ca:d5:0b:18:46:b3:03:be:cd:a7: - d7:01:80:f1:c5:ca:ee:d9:3a:1f:4a:33:7d:50:01: - ab:d7:3a:48:6e:62:59:73:62:1e:38:ef:32:31:ee: - 58:18:7d:59:05:8a:fb:7d:d4:0d:5e:9d:47:9b:d8: - af:b6:11:9f:3c:e7:13:84:e4:00:ec:0a:97:89:22: - 90:f3:14:e6:df:c1:75:07:ad:24:38:d8:e0:8f:f6: - b9:c0:db:45:e3:6e:81:5c:1e:29:d0:78:ae:6c:a7: - 4b:1f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - 03:32:FA:9C:BF:0D:88:BF:21:92:4B:0D:E8:2A:09:A5:4D:5D:EF:C8 - X509v3 Authority Key Identifier: - keyid:99:0D:26:B7:F0:4D:D9:CE:64:E7:D1:8E:FD:68:7B:4A:5D:E2:86:A5 - DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org - serial:01 - - X509v3 Key Usage: critical - Digital Signature - X509v3 Extended Key Usage: - Code Signing - Signature Algorithm: sha256WithRSAEncryption - ad:b9:27:89:ed:02:85:3c:c8:5d:fb:28:45:04:16:78:74:58: - 
49:41:55:88:a7:4c:20:77:55:53:6a:d2:72:5b:70:ba:b6:02: - 4f:f2:3d:be:3f:85:52:46:bd:44:31:33:61:20:69:f1:81:7e: - 30:3a:b1:5b:ea:bd:91:2a:6e:7d:1b:42:74:93:26:a8:e5:c0: - 05:29:cd:50:7d:96:5d:ef:6a:74:f4:4b:0c:26:45:d6:c7:b4: - 52:df:92:67:dc:ea:cb:fb:75:4b:22:cd:27:17:7a:d8:76:0b: - bb:df:da:bc:6a:24:a0:48:74:2b:3b:12:45:16:89:b2:a6:df: - 8c:b9:f7:02:58:aa:c6:53:fe:32:de:16:b6:8b:8b:ff:91:35: - 67:a2:59:8f:40:97:25:e6:e5:0c:cd:a8:4a:f7:aa:a8:55:42: - 88:4a:23:48:11:53:02:52:d1:dc:77:c5:23:05:77:cb:5d:fa: - af:b6:da:26:2e:34:cc:76:0e:4d:c0:0f:d1:de:9c:53:19:89: - 2c:38:af:ef:11:e6:69:bc:0e:7e:83:24:40:7b:63:99:89:85: - 1d:73:66:4e:d0:de:05:61:c2:37:91:fe:c7:6b:20:5f:4a:f2: - d4:a4:c8:81:ed:4f:87:fe:a8:d1:75:bc:17:d0:f7:ef:33:1e: - a4:3f:5f:6a:36:0a:4c:bf:7b:25:bd:af:1d:d5:fd:f6:0b:39: - 7c:ce:75:bc:48:cb:99:c3:39:de:60:6d:72:03:a1:93:55:70: - 99:ff:69:ff:8c:80:ca:d4:23:bb:ea:0d:9d:40:d5:49:b0:29: - 20:09:45:98:c8:24:25:fe:da:68:eb:02:d4:25:f5:6e:e1:f2: - a6:6d:d8:78:2a:ff:8c:c2:08:d4:87:bf:88:06:a0:3b:58:12: - d7:2f:b3:59:2a:4b:9e:bf:5d:04:72:66:29:03:7c:45:24:04: - 4d:61:5c:e5:b8:85:ea:6e:4b:d6:6c:e8:b8:a1:1a:92:92:7d: - fa:90:1f:43:b2:82:f0:9a:5a:32:cd:cc:4a:e3:c7:91:e5:f6: - 94:ef:1f:6a:a4:2c:b5:fa:3f:58:bf:62:e6:d6:fb:71:3a:02: - e0:e4:b3:db:ba:78:5e:fc:1a:42:9b:e8:02:ec:73:34:1f:8c: - 77:f6:d8:2d:6b:97:dc:b7:13:1f:bd:ab:7b:ca:cd:ea:3d:1e: - d2:01:bf:f1:44:ca:df:86:13:37:42:5d:d7:f8:2e:68:e6:7f: - 59:75:b8:15:fa:f8:42:45:01:5b:06:50:fc:6a:88:96:4b:3a: - 8f:1d:11:b5:88:0f:3a:31:13:cb:d7:8d:94:cd:14:10:3d:9a: - 46:26:8a:97:59:c0:66:95 ------BEGIN CERTIFICATE----- -MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl -blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl -bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW -EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw -MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw -CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT 
-RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo -HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7 -RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf -0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N -p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2 -EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB -AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o -KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB -hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT -AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl -Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B -Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB -AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx -M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc -6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R -NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A -D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt -T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV -cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH -v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy -gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf -jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG -UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV ------END CERTIFICATE----- - diff --git a/ovmf-add-exclude-shell-flag.patch b/ovmf-add-exclude-shell-flag.patch new file mode 100644 index 0000000..e12c1ba --- /dev/null +++ b/ovmf-add-exclude-shell-flag.patch 
@@ -0,0 +1,19 @@ +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 96a114a2..9102d1e0 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -289,12 +289,14 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + ++!ifndef $(EXCLUDE_SHELL) + !ifndef $(USE_OLD_SHELL) + INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/Application/Shell/Shell.inf + !else + INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf + !endif ++!endif + + INF MdeModulePkg/Logo/LogoDxe.inf + diff --git a/ovmf.changes b/ovmf.changes index f603dd4..7f86c6c 100644 --- a/ovmf.changes +++ b/ovmf.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Dec 27 07:43:41 UTC 2018 - Gary Ching-Pang Lin + +- Add a new "smm" flavor to enable System Management Mode + + Also add ovmf-add-exclude-shell-flag.patch to exclude shell + from the resultant SMM firmware files +- Retire the old openSUSE 4096 bit certificates since all those + programs are unmaintained. +- Amend the numbering of patches and sources +- Update README to reflect the current status + ------------------------------------------------------------------- Mon Dec 3 08:05:38 UTC 2018 - Gary Ching-Pang Lin diff --git a/ovmf.spec b/ovmf.spec index dc4d4a1..ca52263 100644 --- a/ovmf.spec +++ b/ovmf.spec 
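Review bot: The new ovmf-add-exclude-shell-flag.patch has no header at all; it begins at `diff --git`, so the reason for the `EXCLUDE_SHELL` define (dropping the shell from the SMM flavors) is only recoverable from a line in ovmf.changes, and nothing records that the flag is wired into OvmfPkgX64.fdf only, not the Ia32 fdf. Since the spec applies it under `%ifarch x86_64` that is consistent today, but the next person rebasing the patch has no way to tell whether the Ia32 omission is deliberate. I would prefix the file with a short description, e.g. `Subject: OvmfPkg: add EXCLUDE_SHELL build flag`, followed by a line stating that the flag is used to keep the UEFI shell out of the SMM_REQUIRE images and that only the X64 flash description is covered on purpose.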
@@ -33,18 +33,17 @@ Source111: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz Source112: openssl.keyring Source2: README Source3: SLES-UEFI-CA-Certificate-2048.crt -Source5: MicCorKEKCA2011_2011-06-24.crt -Source6: MicCorUEFCA2011_2011-06-27.crt -Source7: openSUSE-UEFI-CA-Certificate-2048.crt -Source8: openSUSE-UEFI-SIGN-Certificate-2048.crt -Source9: openSUSE-UEFI-CA-Certificate-4096.crt -Source10: openSUSE-UEFI-SIGN-Certificate-4096.crt -Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip -Source12: strip_authinfo.pl -Source13: MicWinProPCA2011_2011-10-19.crt -Source14: owner-guid-zero.h +Source4: MicCorKEKCA2011_2011-06-24.crt +Source5: MicCorUEFCA2011_2011-06-27.crt +Source6: MicWinProPCA2011_2011-10-19.crt +Source7: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip +Source8: openSUSE-UEFI-CA-Certificate-2048.crt +Source9: openSUSE-UEFI-SIGN-Certificate-2048.crt +Source10: strip_authinfo.pl +Source11: owner-guid-zero.h Source100: %{name}-rpmlintrc Source101: gdb_uefi.py.in +Patch1: %{name}-add-exclude-shell-flag.patch Patch2: %{name}-embed-default-keys.patch Patch3: %{name}-gdb-symbols.patch Patch4: %{name}-pie.patch @@ -159,6 +158,7 @@ StdLibPrivateInternalFiles UnixPkg Vlv2DeviceRefCodePkg Vlv2TbltDevicePkg" rm -rf $PKG_TO_REMOVE %ifarch x86_64 +%patch1 -p1 %patch2 -p1 %endif %patch3 -p1 @@ -218,9 +218,6 @@ cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin %else %ifarch x86_64 -# Build the 2MB UEFI image for the backward compatibility -build $BUILD_OPTIONS -D FD_SIZE_2MB - collect_debug_files() { target="$1" 
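Review bot: Renumbering the certificate sources so that the same index now names a different file is the risky part of this hunk: `Source5` used to be MicCorKEKCA2011 and is now MicCorUEFCA2011, `Source6` moves from the UEFI CA to the Windows PCA, and `Source7`/`Source8` change from the openSUSE CA/sign cert to the dbx zip/openSUSE CA. Any `%{SOURCEn}` reference that is not updated would still expand to an existing file and silently enroll the wrong certificate as PK, KEK or db rather than fail the build; the references visible in the later hunks are updated, but I cannot see the whole spec. I would add a comment above the list that pins the mapping, e.g. `# Source3: SLES CA; Source4-7: MS KEK CA, MS UEFI CA, MS Windows PCA, UEFI dbx update; Source8-9: openSUSE 2048-bit CA and sign cert`, so a stale reference is noticeable in review.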
@@ -242,12 +239,32 @@ collect_debug_files() %{SOURCE101} > gdb_uefi-$target.py } -cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64.bin -cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-code.bin -cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-vars.bin +build_ovmf() +{ + name="$1" + case $name in + *-smm) + build $BUILD_OPTIONS -D FD_SIZE_4MB -D SMM_REQUIRE -D EXCLUDE_SHELL + ;; + *-4m) + build $BUILD_OPTIONS -D FD_SIZE_4MB + ;; + *) + build $BUILD_OPTIONS -D FD_SIZE_2MB + ;; + esac +} + +# OVMF without any default keys +for name in ovmf-x86_64 ovmf-x86_64-4m ovmf-x86_64-smm; do + build_ovmf $name + cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd $name.bin + cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd $name-code.bin + cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd $name-vars.bin + + collect_debug_files $name +done -# Collect the debug files -collect_debug_files ovmf-x86_64 # Collect the source mkdir -p source/ovmf-x86_64 # TODO get the source list from debug files @@ -255,14 +272,6 @@ src_list=`find Build/OvmfX64/DEBUG_GCC*/X64/ -mindepth 1 -maxdepth 1 -type d -ex find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ovmf-x86_64 \; find source/ovmf-x86_64 -name *.c -type f -exec chmod 0644 {} \; -# Build the 4MB UEFI image -build $BUILD_OPTIONS -D FD_SIZE_4MB -cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-4m.bin -cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-4m-code.bin -cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-4m-vars.bin - -collect_debug_files ovmf-x86_64-4m - build_with_keys() { suffix_base="$1" 
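Review bot: `build_ovmf` has no header comment, and its `case` arms encode two non-obvious decisions: `*-smm)` implies the 4MB layout even though the name carries no "4m", and `-D EXCLUDE_SHELL` removes the UEFI shell from that flavor only. The function also assigns the global `name="$1"` while its caller in this hunk iterates over a variable of the same name; the values coincide here, so it is harmless, but `local name` (if the build shell allows it) or a distinct name would avoid the shadowing, and the arguments should be quoted (`build_ovmf "$name"`, `cp ... "$name.bin"`). I would add above the function: `# build_ovmf FLAVOR: maps the image suffix to EDK2 defines; "-smm" forces FD_SIZE_4MB (SMM_REQUIRE needs the 4MB layout) and EXCLUDE_SHELL, "-4m" is 4MB, anything else is the 2MB image`.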
@@ -273,12 +282,8 @@ build_with_keys() xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h - for suffix in $suffix_base $suffix_base-4m; do - if [ "$suffix" = "$suffix_base-4m" ]; then - build $BUILD_OPTIONS -D FD_SIZE_4MB - else - build $BUILD_OPTIONS -D FD_SIZE_2MB - fi + for suffix in $suffix_base $suffix_base-4m $suffix_base-smm; do + build_ovmf $suffix cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-$suffix-vars.bin 
@@ -286,50 +291,42 @@ build_with_keys() collect_debug_files ovmf-x86_64-$suffix done } + # OVMF with SUSE keys openssl x509 -in %{SOURCE3} -outform DER > Default_PK openssl x509 -in %{SOURCE3} -outform DER > Default_KEK openssl x509 -in %{SOURCE3} -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX -cat %{SOURCE14} > Default_Owner +cat %{SOURCE11} > Default_Owner build_with_keys suse #unpack the UEFI revocation list -unzip %{SOURCE11} +unzip %{SOURCE7} # OVMF with MS keys -cat %{SOURCE5} > Default_PK -cat %{SOURCE5} > Default_KEK -cat %{SOURCE6} > Default_DB -cat %{SOURCE13} > Default_DB_EX -chmod 755 %{SOURCE12} -%{SOURCE12} dbxupdate.bin Default_DBX +cat %{SOURCE4} > Default_PK +cat %{SOURCE4} > Default_KEK +cat %{SOURCE5} > Default_DB +cat %{SOURCE6} > Default_DB_EX +chmod 755 %{SOURCE10} +%{SOURCE10} dbxupdate.bin Default_DBX echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \ Default_Owner build_with_keys ms # OVMF with openSUSE keys -openssl x509 -in %{SOURCE7} -outform DER > Default_PK -openssl x509 -in %{SOURCE7} -outform DER > Default_KEK -openssl x509 -in %{SOURCE8} -outform DER > Default_DB +openssl x509 -in %{SOURCE8} -outform DER > Default_PK +openssl x509 -in %{SOURCE8} -outform DER > Default_KEK +openssl x509 -in %{SOURCE9} -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX -cat %{SOURCE14} > Default_Owner +cat %{SOURCE11} > Default_Owner build_with_keys opensuse -# OVMF with openSUSE keys (4096 bit CA) -openssl x509 -in %{SOURCE9} -outform DER > Default_PK -openssl x509 -in %{SOURCE9} -outform DER > Default_KEK -openssl x509 -in %{SOURCE10} -outform DER > Default_DB -truncate -s 0 Default_DB_EX -truncate -s 0 Default_DBX -cat %{SOURCE14} > Default_Owner -build_with_keys opensuse-4096 - if [ -e %{_sourcedir}/_projectcert.crt ]; then prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) - 
opensusesubject=$(openssl x509 -in %{SOURCE7} -noout -subject_hash) + opensusesubject=$(openssl x509 -in %{SOURCE8} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash) if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_PK @@ -337,7 +334,7 @@ if [ -e %{_sourcedir}/_projectcert.crt ]; then openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX - cat %{SOURCE14} > Default_Owner + cat %{SOURCE11} > Default_Owner build_with_keys devel fi fi
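Review bot: The rewritten `unzip %{SOURCE7}` / `%{SOURCE10} dbxupdate.bin Default_DBX` lines still embed the downloaded dbx revocation list into every MS-keyed image without any integrity check visible in the spec; the openssl tarball next to it has a keyring (Source112), but the dbxupdate.zip from uefi.org has none, and strip_authinfo.pl presumably strips the authenticated-variable header before the payload is compiled in. Unless the build service verifies the archive elsewhere, a tampered or truncated download would produce a firmware whose revocation list is wrong without failing the build. I would verify it before unpacking, e.g. `echo "<PINNED_SHA256>  %{SOURCE7}" | sha256sum -c -` (placeholder; pin the real digest of the fetched archive). The trailing `if [ -e %{_sourcedir}/_projectcert.crt ]` block in this hunk continues past the hunk's end.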