| Age | Commit message (Collapse) | Author |
|---|
|
When building in longer paths, the ovmf build changes in many ways. This adds a
patch addressing various causes of problems. Full details are in the patch header.
(From OE-Core rev: 9113a5815f3c682ef99fd777e35e892b2e08237f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
lto tends to break reproducibility and makes ovmf near impossible to debug
reproducibility issues in. Disable it and supress the warnings that then
generates from Werror.
(From OE-Core rev: 627b6ed763eca90192203932784872b60a65fcaa)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in
--debug-prefix-map to nasm (we carry a patch to nasm for this). The
tools definitions are built by ovmf-native so we need to pass this in
at target build time when we know the right values.
By using determininistc file paths in the ovmf build, it removes the
opportunitity for gcc/ld to change the output binaries due to path
lengths overflowing section sizes and causing small changes in the
binary output.
This also means that if builds have reproducibility issues in future, it
becomes much easier to compare intermediate build artefacts.
(From OE-Core rev: 51f51310d6d5cced2b55bf27dbb9a5717740a206)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
OVMF is mostly reproducible, but the final .efi binaries have a 'NM10'
segment in that references the original input file, and this input file
has the build path in.
This can be solved by passing --zero to GenFw so that this segment is
zero'd out in release builds.
[ YOCTO #14264 ]
(From OE-Core rev: 8b4e5a3b8c3eabfbb94ab577529240b2e270efa7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
0003-ovmf-enable-long-path-file.patch
removed since it is not available in 202102.
(From OE-Core rev: c364d64adcb8c7fdfe196186efa868381f8630e7)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This image is only buildable for x86-64, so add a COMPATIBLE assignment
to ensure it isn't attempted on others.
(From OE-Core rev: bdd8208675c8a0c0232c678804a8b62cd74f1d48)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: f1382f73f1faa0653aebd2cbb492131972755c20)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 61cc9acb54be09a12aac7c79f4b14e7e525d5596)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
do_deploy should clean up ${DEPLOYDIR} before running, just like do_install
cleans up ${D} before running. This reduces the risk of DEPLOYDIR being
accidentally contaminated by files from previous runs, possibly even with
different config, in case of incremental builds.
It is convenient to have this in deploy.bbclass, so it doesn't have to be
duplicated in every recipe, considering for example meta-freescale, which
has 23 affected recipes.
All recipes using deploy.bbclass (grep -r 'inherit .*deploy') in poky,
meta-openembedded and meta-freescale look like they either benefit from
this or are at least not affected negatively by it. The only exception
I've noticed was uboot-sign.bbclass, which was however fixed by the
previous patch.
(From OE-Core rev: 7083a7d56f4d90c81d2e6652ee291d20fd908bbe)
Signed-off-by: Daniel Klauer <daniel.klauer@gin.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The OVMF target binaries are (currently) x86-specific, but the native
tools to build them are not.
Make the COMPATIBLE_HOST assignment target-specific, so that the native
tools can be built on an arm64 build server.
(From OE-Core rev: 58ebb47688fc98fdaeb78b4033bd31100218d5d6)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: f8bf6b5f9aedcc4490008000250e69f74529db75)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: c4301758f5a1560965ca5fb69eb1492adf351ed0)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove unused patch.
(From OE-Core rev: 159328dde56e35ba56ec0b1e3602a3b2df6ad691)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Instead of depending on iasl-native, depend on ovmf-native as iasl was merged
into that recipe some time ago.
bc-native doesn't appear to be a build requirement anymore, and for clarity
merge two overridden DEPENDS into a single DEPENDS.
(From OE-Core rev: 78d2f68a956ff49410b238456ce0a23c5a0667aa)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The license of ovmf is BSD-2-Clause
(From OE-Core rev: 8d53cbe59a10c065417ef6e87e657a5b590ea344)
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 7ec9997c86df11a9a08e1531269435010b12e8da)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Commit from EDK2 be9470b3c91f ("OvmfPkg/EnrollDefaultKeys: enroll
PK/KEK1 from the Type 11 SMBIOS table") mandates that a Platform Key
and first Key Exchange Key certificate is provided to the
EnrollDefaultKeys application.
Previously, the application was using a hard-coded certificate
from Red Hat embedded in the application.
Create a certificate that can QEMU can subsequently pass to
EnrollDefaultKeys when running qemu-shell-image.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Cc: Alexander Kanavin <alex.kanavin@gmail.com>
(From OE-Core rev: daaf9d7bd8c3586609ab0eccf49af38dbdb0b02e)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use the variable PYTHON_COMMAND to let know EDK2 base tools that python3
in the host shall be used.
In order build successfully, the host must have installed the
python3-distutils package or equivalent.
Based on an original patch by Ross Burton.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
(From OE-Core rev: 435d1f8ffe9df86367316d25cb6def2ea2041642)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Now that EDK2 has been tagging stable releases, we can also set PV
and drop UPSTREAM_VERSION_UNKNOWN.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
(From OE-Core rev: b9851d612be842d35ebd78f5f21158beaaed8e64)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes [YOCTO #13438]
Update OVMF to edk2-stable201905. Since the last update, several things
have changed. Many of the patches we were carrying have now been taken
upstream in EDK2 or become obsolete. See below for details.
Also, as of commit 0c1ffb9504c3("CryptoPkg: Adding OpenSSL as one
submodule of EDKII repo"), openssl is not embedded into EDK2 using a
patching script but a git submodule. Then, use the gitsm bitbabke fetcher
and drop the extra SRC_URI from openssl when building with secureboot
enabled. Also remove all related variables.
OVMF switched to BSD+Patent license as detailed in
https://bugzilla.tianocore.org/show_bug.cgi?id=1373. Hence, update
LIC_FILES_CHKSUM accordingly to reflect this change.
Patches are updated as follows:
Drop 0001-ia32-Dont-use-pie.patch as it is implemented in upstream EDK2
in commits are 11d0cd23dd1b ("BaseTools/tools_def IA32: drop -no-pie linker
option for GCC49" and c25d3905523a ("BaseTools/tools_def IA32: disable PIE
code generation explicitly") for the applicable GCC versions.
Rebase 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
to edk2-stable201905.
Drop VfrCompile-increase-path-length-limit.patch as it has been taken
upstream in EDK2 in commit ba78032bc8c9f("BaseTools/VfrCompile: Remove the
MAX_PATH limitation").
Rebase no-stack-protector-all-archs.patch to keep behavior on not using
stack protector on all archs.
Drop 0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch,
0002-BaseTools-header.makefile-add-Wno-restrict.patch, and
0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch. These
patches have been taken in upstream EDK2 in commits 9222154ae7b3("BaseTools
/header.makefile: add "-Wno-restrict"), 1d212a83df0e("BaseTools/
header.makefile: add "-Wno-stringop-truncation"), and 777f4aa083e9
("BaseTools/header.makefile: revert gcc-8 '-Wno-xxx' options on OSX"),
respectively.
Also, drop 0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch.
GenVtf has been removed from EDK2 in commit 64ab2c82e8f6("BaseTools:
Remove GenVtf"). Also, this patch had been taken in EDK2 upstream in
commit 9de306701312("BaseTools/GenVtf: silence false 'stringop-overflow'
warning with memcpy()").
Drop patch 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
as it also has been taken by EDK2.
Patches 0002-ovmf-update-path-to-native-BaseTools.patch and
0004-ovmf-enable-long-path-file.patch did not need any update.
Lastly, add a needed dependency on bc.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
(From OE-Core rev: 1f64ecf92fa77b682b18efe72fb6b27ff64ee052)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The rationale is to streamline the overall build.
The system parts are only needed to run target images, and so can be
built towards the end of the build process. At the same time, the
system parts may need gtk+-native and mesa-native which add significantly
to the build time.
On the other hand, the usermode parts have almost no dependencies
and can be built quickly. They are needed at recipes build time to
run target binaries, and so are required quite early in the typical
build process.
(From OE-Core rev: 4a558a5f2db68538e0edad798ddf48eb9510a7d6)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This was added back in the meta-luv days[1] presumably under the impression that
it needs ossp-uuid but in reality we rename ossp-uuid's library and uuid.h comes
from util-linux.
[1] https://github.com/intel/luv-yocto/commit/e08817342b9ea7381944e6c10c555d1c5c62aa6e
(From OE-Core rev: 2a2da0fb7b42c92864f39dcdaf949a5c34ef4eda)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This can fail for target, not just native.
(From OE-Core rev: 747c7dc8702d2241475894876d06a2f1f2b29fed)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 278b00ddccb274150ed85e48e984675b40fc9aaa)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 68d567bd64debc3dfb37df3c814287549da56a3b)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The code to extract the integer number of parallel build threads and
construct a new argument from them has started to be copied in multiple
locations, so create two new helper utilities to aid recipes.
The first helper (parallel_make()) extracts the integer number of
parallel build threads from PARALLEL_MAKE. The second
(parallel_make_argument()) does the same and then puts the result back
into a format string, optionally clamping it to some maximum value.
Additionally, rework the oe-core recipes that were manually doing this
to use the new helper utilities.
(From OE-Core rev: ccd1142d22b31ed85d8823b1bc9e11ccfd72b61f)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The ovmf package fails to build if you use a PARALLEL_MAKE flag
without a space in it. If you put the following in local.conf for
example:
PARALLEL_MAKE = "-j4"
The build will fail with as follows:
| build.exe: error: Option -n only allows one instance in command line!
| WARNING: /opt/build/ovmf/git-r0/temp/run.do_compile.26080:1 exit 2 from '/opt/build/ovmf/git-r0/git/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}'
| ERROR: Function failed: do_compile (log file is located at /opt/build/ovmf/git-r0/temp/log.do_compile.26080)
The failure is because the build.sh expects a space. The simple work
around is to fix the recipe to add some white space. The build.sh
only cares that it gets at least one space between the arguments, the
extra space if someone uses "-j 4" does not cause problems.
(From OE-Core rev: cf7f4705e65a877cb4b3ac8872369c1b2e81a7be)
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 23155b607c509b799775949774ad7da23c10b373)
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[YOCTO #11354]
(From OE-Core rev: b6f344bd311faca36cb3a4acdafac2728409ad90)
(From OE-Core rev: 4aab5f369bbe083922de65b0509635060ce905ab)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
... instead of a global exception list which was problematic.
[YOCTO #11896]
(From OE-Core rev: 89dfede4ca795ba085f1ee7290c6dede573c11db)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The image consists only of the EFI system partition, therefore
we can avoid depending on the default wic tools.
(From OE-Core rev: f147b2502ae53d63a884a46e994ae18e12ec4ef6)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
GCC44_IA32_X64_DLINK_COMMON and GCC49_IA32_X64_DLINK_COMMON
variables add to final linker flags that ovmf build forms
on its own, so trying to inject it from environment will not
work.
Here we add option to disable pie during linking, which should
have been accompanied with correcponding gcc/cflags.
Fixes
| /mnt/a/oe/build/tmp/work/i586-bec-linux/ovmf/git-r0/git/Build/OvmfIa32/RELEASE_GCC5/IA32/OvmfPkg/AcpiTables/AcpiTables/OUTPUT/./Facs.dll: Bad definition for symbol '<unknown>'@0 or unsupported symbol type. For example, absolute and undefined symbols are not supported.
(From OE-Core rev: 85476cdb19d5c383966ba753a71eaeb3622bd6b4)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.
(From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The recent ovmf update broke secureboot because upstream changed the
way how openssl gets compiled into ovmf. It's now integrated directly
into the ovmf build process, without having to patch it first.
In addition, more recent OpenSSL releases are supported. 1.1.0e was
explicitly mentioned in the ovmf commits and because the current
1.1.0f only has minor build enhancements, 1.1.0e is used here.
(From OE-Core rev: 1d9a88f635549e68562de681e297b9270ad02d4e)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix build with gcc7
clang can not compile it therefore mark it gcc only recipe
(From OE-Core rev: 835b705ee92900f0d73cee612ce790fde4b1e2a4)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
backport a patch which fixing warnings with gcc7
(From OE-Core rev: 74fb6043f6d74b84f7efc282ac6cfc54fcb71882)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Linking with gold fails due to an internal error in gold. The ovmf
linker is gcc, which has a -fuse-ld=bfd option to choose the linker
which (for ovmf) is known to work.
Like the choice of the compilers, this is done in ovmf-native. To keep
that recipe independent of DISTRO_FEATURES, choosing bfd is done
unconditionally.
(From OE-Core rev: 7ee548b9f6f2893caf6b5ade8c892f2968d4ec47)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
For the native tools, a static patch inserted gcc/g++/ld/ar while later
adding BUILD_LDFLAGS and BUILD_CFLAGS with sed. Now it's all done with sed,
which has the advantage that it uses the actual compile variables. However,
in practice those are the same.
More importantly, picking the build tools for the target was
broken. ovmf-native tried to insert TARGET_PREFIX into the tools
definition file, but that variable is empty in a native recipe. As a
result, "gcc" was used instead of "${HOST_PREFIX}gcc", leading to an
undesirable dependency on the host compiler and potentially
(probably?!) causing some of the build issues that were seen for ovmf.
The new approach is to override the tool selection in ovmf-native so
that the HOST_PREFIX env variable is used, which then gets exported
during do_compile for the target.
While at it, Python code that gets appened to do_patch only to call
shell functions gets replaced with the do_patch[postfuncs] mechanism.
Incremental builds now always use the tools definition from the
current ovmf-native; previously, only the initial build copied the
template file.
Probably the entire split into ovmf-native and ovmf could be
removed. This merely hasn't been attempted yet.
(From OE-Core rev: 23a12d87a6e82f80f4ccc1a01c707faa89ff7abd)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The VfrCompile tool has a hard-coded maximum length for path names
which turned out to be too small by around 20 characters in the
Yocto autobuilder setup. Increasing the maximum by a factor of 4
is relatively easy and makes the problem less likely.
(From OE-Core rev: ea296ab42a7a65055657b950d8248d94f0ac56f1)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch was added to meta-luv for kernel testing purposes and
probably is not relevant for OE-core.
(From OE-Core rev: 240e96e6196c32ddabb0c1aff3ee83458c98a9bd)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When booting a qemu virtual machine with ovmf.secboot, it comes up
with no keys installed and thus Secure Boot disabled. To lock down
the machine like a typical PC, one has to enroll the same keys
that PC vendors normally install, i.e. the ones from Microsoft.
This can be done manually (see
https://wiki.ubuntu.com/SecurityTeam/SecureBoot and
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf) or automatically with the EnrollDefaultKeys.efi helper
from the Fedora ovmf rpm.
To use this with qemu:
$ bitbake ovmf-shell-image
...
$ runqemu serial nographic qemux86 ovmf-shell-image wic ovmf.secboot
...
UEFI Interactive Shell v2.1
EDK II
UEFI v2.60 (EDK II, 0x00010000)
Mapping table
FS0: Alias(s):HD2b:;BLK4:
PciRoot(0x0)/Pci(0x5,0x0)/HD(1,GPT,06AEF759-3982-4AF6-B517-70BA6304FC1C,0x800,0x566C)
BLK0: Alias(s):
PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
BLK1: Alias(s):
PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x1)
BLK2: Alias(s):
PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
BLK3: Alias(s):
PciRoot(0x0)/Pci(0x5,0x0)
Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell> fs0:EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
Shell> reset
Remember that this will modify
deploy/images/qemux86/ovmf.secboot.qcow2, so make a copy and use the
full path of that copy instead of the "ovmf" argument if needed.
The ovmf-shell-image contains an EFI shell, which is what got started
here directly. After enrolling the keys, Secure Boot is active and the
same image cannot be booted anymore, so the BIOS goes through the
normal boot targets (including network boot, which can take a while to
time out), and ends up in the internal EFI shell. Trying to invoke
bootia32.efi (the shell from the image) or EnrollDefaultKeys.efi then
fails:
Shell> bootia32.efi
Command Error Status: Security Violation
The main purpose at the moment is to test that Secure Boot enforcement
really works. If we had a way to sign generated images, that part could
also be tested by booting in a locked down qemu instance.
0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch is
from
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch?id=b1781931894bf2057464e634beed68b1e3218c9e
with one line changed to fix
https://bugzilla.redhat.com/show_bug.cgi?id=132502:
"EFI_STATUS Status = EFI_SUCCESS;" in EnrollListOfX509Certs() lacked
the initializer.
(From OE-Core rev: 1913ace7d0898b5a23a2dbdc574ab1d8648927c5)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When enabled via PACCKAGECONFIG = "secureboot" (off by default because
of the extra work and license change), the recipe compiles OVMF twice,
once without Secure Boot, once with. This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
image deploy directory, so
runqemu <machine> <image> ovmf.secboot
will boot with Secure Boot enabled.
ovmf.secboot.code.qcow2 is provided for those who want separate code
and variable flash drives. The normal ovmf.vars.qcow2 can be used with
it.
In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use
the ones considered problematic for Fedora, so this shouldn't be a
problem.
Fixes: luv-yocto/#38
(From OE-Core rev: d493f0b4760808f880a0fd6dedf918a3b85006b7)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The Fedora srpm [1] seems to have no problems with parallel
compilation, so let's also use that for the target. The native
tools however indeed have dependency problems:
| test_Ecc_CParser (CheckPythonSyntax.Tests) ... gcc -o ../bin/EfiRom -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-O1 EfiRom.o -L../libs -lCommon
| /usr/bin/ld: cannot find -lCommon
| collect2: error: ld returned 1 exit status
ERROR: Task (virtual:native:.../meta/recipes-core/ovmf/ovmf_git.bb:do_compile) failed with exit code '1'
[1] https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
(From OE-Core rev: be307609a067b7d23dc2cd8e39e3a35f770bebc7)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When used with '-drive if=pflash', qemu will store UEFI variables
inside the firmware image file. That is unexpected for a file located in
the sysroot, which should be read-only, while it is normal for image
files in the deploy/images directory. Therefore that directory is a
better place for use with runqemu.
The name was chose so that "runqemu ovmf" can be used as shorthand for
"runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
of the firmware file. "ovmf.secboot.qcow2" is meant to be used for the
Secure Boot enabled firmware.
qcow2 is used because it is needed for "savevm" snapshots of a virtual
machine.
With code and variables stored in the same ovmf.qcow2 it is not
possible to update the firmware code without also overwriting the
variables. For users who care about persistent variables, the code and
variables are also provided as separate files, in ovmf.code.qcow2 and
ovmf.vars.qcow2.
The traditional usage of OVMF via the qemu bios parameter ("biosdir"
and/or "biosfilename" in runqemu) is no longer recommended, and
therefore this recipe no longer provides the bios.bin file. Instead,
OVMF is meant to be used as flash drive in qemu. See the "runqemu:
support UEFI with OVMF firmware" patch for details on how to use OVMF
that way.
(From OE-Core rev: 6f84653e34b75a821fbf31b9f1aa912858e27f43)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes a build issue when nasm was not build already because of
something else.
(From OE-Core rev: 92198bdda7add49f2c76ce55ab1f310e2128bf8f)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is an unmodified copy of
github.com/01org/luv-yocto/meta-luv/recipes-core/ovmf revision
4be4329.
(From OE-Core rev: 49cdce8716ded0b612069d7614c3efe7724e5b40)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Richard Purdie
Ross Burton
Wang Mingyu
Alexander Kanavin
Daniel Klauer
Ross Burton
Ross Burton
Christophe PRIOUZEAU
Ricardo Neri
Christopher Larson
Khem Raj
Joshua Watt
Jason Wessel
Leonardo Sandoval
Dengke Du
Alexander Kanavin
Patrick Ohly
meta-luv