Hello community,

here is the log from the commit of package ovmf for openSUSE:Factory checked in 
at 2019-01-03 18:03:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ovmf (Old)
 and      /work/SRC/openSUSE:Factory/.ovmf.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ovmf"

Thu Jan  3 18:03:39 2019 rev:30 rq:661570 
version:2018+git1542164568.85588389222a

Changes:
--------
--- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes        2018-12-11 
15:41:58.966591929 +0100
+++ /work/SRC/openSUSE:Factory/.ovmf.new.28833/ovmf.changes     2019-01-03 
18:03:40.936297518 +0100
@@ -1,0 +2,11 @@
+Thu Dec 27 07:43:41 UTC 2018 - Gary Ching-Pang Lin <[email protected]>
+
+- Add a new "smm" flavor to enable System Management Mode
+  + Also add ovmf-add-exclude-shell-flag.patch to exclude shell
+    from the resultant SMM firmware files
+- Retire the old openSUSE 4096 bit certificates since all those
+  programs are unmaintained.
+- Amend the numbering of patches and sources
+- Update README to reflect the current status
+
+-------------------------------------------------------------------

Old:
----
  openSUSE-UEFI-CA-Certificate-4096.crt
  openSUSE-UEFI-SIGN-Certificate-4096.crt

New:
----
  ovmf-add-exclude-shell-flag.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ovmf.spec ++++++
--- /var/tmp/diff_new_pack.HhHIGf/_old  2019-01-03 18:03:41.836296718 +0100
+++ /var/tmp/diff_new_pack.HhHIGf/_new  2019-01-03 18:03:41.836296718 +0100
@@ -33,18 +33,17 @@
 Source112:      openssl.keyring
 Source2:        README
 Source3:        SLES-UEFI-CA-Certificate-2048.crt
-Source5:        MicCorKEKCA2011_2011-06-24.crt
-Source6:        MicCorUEFCA2011_2011-06-27.crt
-Source7:        openSUSE-UEFI-CA-Certificate-2048.crt
-Source8:        openSUSE-UEFI-SIGN-Certificate-2048.crt
-Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
-Source10:       openSUSE-UEFI-SIGN-Certificate-4096.crt
-Source11:       http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
-Source12:       strip_authinfo.pl
-Source13:       MicWinProPCA2011_2011-10-19.crt
-Source14:       owner-guid-zero.h
+Source4:        MicCorKEKCA2011_2011-06-24.crt
+Source5:        MicCorUEFCA2011_2011-06-27.crt
+Source6:        MicWinProPCA2011_2011-10-19.crt
+Source7:        http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
+Source8:        openSUSE-UEFI-CA-Certificate-2048.crt
+Source9:        openSUSE-UEFI-SIGN-Certificate-2048.crt
+Source10:       strip_authinfo.pl
+Source11:       owner-guid-zero.h
 Source100:      %{name}-rpmlintrc
 Source101:      gdb_uefi.py.in
+Patch1:         %{name}-add-exclude-shell-flag.patch
 Patch2:         %{name}-embed-default-keys.patch
 Patch3:         %{name}-gdb-symbols.patch
 Patch4:         %{name}-pie.patch
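Review bot: Source7 still fetches the UEFI revocation list over plain http (`Source7: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip`), and the later hunk that consumes it (`unzip %{SOURCE7}` followed by `%{SOURCE10} dbxupdate.bin Default_DBX`) presumably strips the authenticated-variable header with strip_authinfo.pl before the list is embedded, so nothing in the spec verifies the dbx that ends up inside the ms-flavour images. While the renumbering touches this line, switch it to `https://` (confirm uefi.org serves this path over TLS) and consider pinning the checked-in archive's digest, e.g. a `sha256sum -c` step in %prep, so a tampered or stale revocation list is caught at build time. The same point applies to the renumbered `unzip %{SOURCE7}` / `%{SOURCE10}` lines in the `@@ -286,50 +291,42 @@` hunk.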
@@ -159,6 +158,7 @@
 rm -rf $PKG_TO_REMOVE
 
 %ifarch x86_64
+%patch1 -p1
 %patch2 -p1
 %endif
 %patch3 -p1
@@ -218,9 +218,6 @@
 %else
 %ifarch x86_64
 
-# Build the 2MB UEFI image for the backward compatibility
-build $BUILD_OPTIONS -D FD_SIZE_2MB
-
 collect_debug_files()
 {
        target="$1"
@@ -242,12 +239,32 @@
          %{SOURCE101} > gdb_uefi-$target.py
 }
 
-cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64.bin
-cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-code.bin
-cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-vars.bin
+build_ovmf()
+{
+       name="$1"
+       case $name in
+       *-smm)
+               build $BUILD_OPTIONS -D FD_SIZE_4MB -D SMM_REQUIRE -D 
EXCLUDE_SHELL
+       ;;
+       *-4m)
+               build $BUILD_OPTIONS -D FD_SIZE_4MB
+       ;;
+       *)
+               build $BUILD_OPTIONS -D FD_SIZE_2MB
+       ;;
+       esac
+}
+
+# OVMF without any default keys
+for name in ovmf-x86_64 ovmf-x86_64-4m ovmf-x86_64-smm; do
+       build_ovmf $name
+       cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd $name.bin
+       cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd $name-code.bin
+       cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd $name-vars.bin
+
+       collect_debug_files $name
+done
 
-# Collect the debug files
-collect_debug_files ovmf-x86_64
 # Collect the source
 mkdir -p source/ovmf-x86_64
 #   TODO get the source list from debug files
@@ -255,14 +272,6 @@
 find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a 
{} source/ovmf-x86_64 \;
 find source/ovmf-x86_64 -name *.c -type f -exec chmod 0644 {} \;
 
-# Build the 4MB UEFI image
-build $BUILD_OPTIONS -D FD_SIZE_4MB
-cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-4m.bin
-cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-4m-code.bin
-cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-4m-vars.bin
-
-collect_debug_files ovmf-x86_64-4m
-
 build_with_keys()
 {
        suffix_base="$1"
@@ -273,12 +282,8 @@
        xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h
        cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h
 
-       for suffix in $suffix_base $suffix_base-4m; do
-               if [ "$suffix" = "$suffix_base-4m" ]; then
-                       build $BUILD_OPTIONS -D FD_SIZE_4MB
-               else
-                       build $BUILD_OPTIONS -D FD_SIZE_2MB
-               fi
+       for suffix in $suffix_base $suffix_base-4m $suffix_base-smm; do
+               build_ovmf $suffix
                cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
                cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd 
ovmf-x86_64-$suffix-code.bin
                cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd 
ovmf-x86_64-$suffix-vars.bin
@@ -286,50 +291,42 @@
                collect_debug_files ovmf-x86_64-$suffix
        done
 }
+
 # OVMF with SUSE keys
 openssl x509 -in %{SOURCE3} -outform DER > Default_PK
 openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
 openssl x509 -in %{SOURCE3} -outform DER > Default_DB
 truncate -s 0 Default_DB_EX
 truncate -s 0 Default_DBX
-cat %{SOURCE14} > Default_Owner
+cat %{SOURCE11} > Default_Owner
 build_with_keys suse
 
 #unpack the UEFI revocation list
-unzip %{SOURCE11} 
+unzip %{SOURCE7} 
 
 # OVMF with MS keys
-cat %{SOURCE5} > Default_PK
-cat %{SOURCE5} > Default_KEK
-cat %{SOURCE6} > Default_DB
-cat %{SOURCE13} > Default_DB_EX
-chmod 755 %{SOURCE12}
-%{SOURCE12} dbxupdate.bin Default_DBX
+cat %{SOURCE4} > Default_PK
+cat %{SOURCE4} > Default_KEK
+cat %{SOURCE5} > Default_DB
+cat %{SOURCE6} > Default_DB_EX
+chmod 755 %{SOURCE10}
+%{SOURCE10} dbxupdate.bin Default_DBX
 echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 
0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \
 Default_Owner
 build_with_keys ms
 
 # OVMF with openSUSE keys
-openssl x509 -in %{SOURCE7} -outform DER > Default_PK
-openssl x509 -in %{SOURCE7} -outform DER > Default_KEK
-openssl x509 -in %{SOURCE8} -outform DER > Default_DB
+openssl x509 -in %{SOURCE8} -outform DER > Default_PK
+openssl x509 -in %{SOURCE8} -outform DER > Default_KEK
+openssl x509 -in %{SOURCE9} -outform DER > Default_DB
 truncate -s 0 Default_DB_EX
 truncate -s 0 Default_DBX
-cat %{SOURCE14} > Default_Owner
+cat %{SOURCE11} > Default_Owner
 build_with_keys opensuse
 
-# OVMF with openSUSE keys (4096 bit CA)
-openssl x509 -in %{SOURCE9} -outform DER > Default_PK
-openssl x509 -in %{SOURCE9} -outform DER > Default_KEK
-openssl x509 -in %{SOURCE10} -outform DER > Default_DB
-truncate -s 0 Default_DB_EX
-truncate -s 0 Default_DBX
-cat %{SOURCE14} > Default_Owner
-build_with_keys opensuse-4096
-
 if [ -e %{_sourcedir}/_projectcert.crt ]; then
        prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout 
-issuer_hash)
-       opensusesubject=$(openssl x509 -in %{SOURCE7} -noout -subject_hash)
+       opensusesubject=$(openssl x509 -in %{SOURCE8} -noout -subject_hash)
        slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash)
        if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != 
"$slessubject" ]; then
                openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > 
Default_PK
@@ -337,7 +334,7 @@
                openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > 
Default_DB
                truncate -s 0 Default_DB_EX
                truncate -s 0 Default_DBX
-               cat %{SOURCE14} > Default_Owner
+               cat %{SOURCE11} > Default_Owner
                build_with_keys devel
        fi
 fi




++++++ README ++++++
--- /var/tmp/diff_new_pack.HhHIGf/_old  2019-01-03 18:03:41.876296682 +0100
+++ /var/tmp/diff_new_pack.HhHIGf/_new  2019-01-03 18:03:41.876296682 +0100
@@ -1,53 +1,30 @@
 Running the OVMF image in qemu
 ==============================
 
-There are two flavors of the OVMF efi images: the 64 bit and 32 bit one.
-For the 64 bit image, use the following command:
+The easiest way to run the OVMF image is to specify a pflash device for the
+firmware file. Here is the example to use OVMF in the flash mode:
 
-qemu-system-x86_64 -bios /usr/share/qemu/ovmf-x86_64.bin
+ $ cp /usr/share/qemu/ovmf-x86_64.bin .
+ $ qemu-system-x86_64 -pflash ovmf-x86_64.bin
 
-For 32 bit:
-
-qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin 
-
-The rom will boot up to an EFI shell.  If you add standard things like a USB
-drive, you can also run efi executables.
-
-To enrol the platform and key exchange keys, exit the efi shell, select
-'Device Manager' then 'Secure Boot Configuration' and change the secure boot
-mode from "Standard Mode" to "Custom Mode".  This will cause an extra "Custom
-Secure Boot Options" menu to appear from which you can enrol the Platform and
-Key Exchange keys (these need to be present on external media, like a USB
-key).
-
-Note that enroling the KEK will require you to specify a GUID.  The GUID is
-used only to identify the keys later (it's essentially the globally unique
-label for the key).  If you only enrol one KEK, you can ignore this and it
-will end up with a GUID of all zeros.
-
-Flash Mode
-----------
-
-For version >= r14840, OVMF supports the qemu flash mode. The non-volatile
-variables were originally stored in NvVars, a file in the ESP. With the flash
-mode support, all changes will be saved in the firmware file directly.
-
-Here is the example to use OVMF in the flash mode:
-
-qemu-system-x86_64 -pflash ovmf-x86_64.bin
-
-Please make sure the firmware is writable before using the flash mode, or all
+Please make sure the file is writable before using the flash mode, or all
 your changes won't be saved.
 
 Starting from r15670, two extra firmware files are provided for the flash mode:
 ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be
 stored in ovmf-*-vars.bin. Example:
 
-qemu-system-x86_64 -drive 
if=pflash,format=raw,readonly,file=ovmf-x86_64-code.bin \
-                   -drive if=pflash,format=raw,file=ovmf-x86_64-vars.bin
+ $ cp /usr/share/qemu/ovmf-x86_64-vars.bin .
+ $ qemu-system-x86_64 \
+     -drive 
if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-code.bin \
+     -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-vars.bin
 
 It would be easier to manage the NV variables with the separated vars firmware.
 
+NOTE: Although it's possible to run OVMF with '-bios', this is not recommended.
+      In the BIOS mode, OVMF has to store the NV variables in a file, NvVars,
+      to emulate flash and this is usually unreliable and error-prone.
+
 Image with preloaded keys
 -------------------------
 
@@ -68,7 +45,7 @@
 ovmf-x86_64-suse.bin
 - PK:  SUSE Linux Enterprise Secure Boot CA
 - KEK: SUSE Linux Enterprise Secure Boot CA
-- db:  SUSE Linux Enterprise Secure Boot Signkey
+- db:  SUSE Linux Enterprise Secure Boot CA
 
 Note that the preloaded key images are all 64 bit because openSUSE/SLE and
 Windows only support Secure Boot in 64 bit mode.
@@ -82,6 +59,31 @@
 images are built separately. Only those images with 4m, e.g. 
ovmf-x86_64-4m.bin,
 are the 4MB images. Otherwise, it's built with FD_SIZE_2MB, i.e. a 2MB image.
 
+x86_64 SMM Support
+------------------
+The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images
+with SMM support. SMM provides better (virtual) hardware separation between
+the guest OS and the firmware to prevent the runtime guest OS from tampering
+with the variable store and S3 areas. Here are the requirements to use the
+SMM images:
+
+* SMM support requires QEMU 2.5.
+* The minimum required QEMU machine type is "pc-q35-2.5".
+* SMM with KVM requires Linux 4.4 (host).
+
+Here are the qemu commands to start a VM with SMM support:
+
+ $ cp /usr/share/qemu/ovmf-x86_64-smm-vars.bin .
+ $ qemu-system-x86_64 \
+     -machine q35,smm=on,accel=(tcg|kvm) \
+     -global driver=cfi.pflash01,property=secure,value=on \
+     -drive 
if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-smm-code.bin
 \
+     -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-smm-vars.bin \
+     -global ICH9-LPC.disable_s3=1 \
+     ...
+
+NOTE: The pflash variables store is required to use OVMF with SMM.
+
 Creating Platform and Key Exchange keys
 =======================================
 







++++++ ovmf-add-exclude-shell-flag.patch ++++++
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 96a114a2..9102d1e0 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -289,12 +289,14 @@ INF  
MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
 INF  FatPkg/EnhancedFatDxe/Fat.inf
 INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 
+!ifndef $(EXCLUDE_SHELL)
 !ifndef $(USE_OLD_SHELL)
 INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
 INF  ShellPkg/Application/Shell/Shell.inf
 !else
 INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
 !endif
+!endif
 
 INF MdeModulePkg/Logo/LogoDxe.inf
 
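Review bot: The new `!ifndef $(EXCLUDE_SHELL)` guard carries no comment saying what sets it or why, and nothing in the fdf hints that ovmf.spec passes `-D EXCLUDE_SHELL` only for the -smm builds. A one-line comment above the guard, `# EXCLUDE_SHELL: build the FV without the UEFI shell (set by ovmf.spec for the -smm images)`, would make the intent visible to anyone editing this module list. Excluding the block also drops TftpDynamicCommand, which only makes sense alongside the shell, so that is consistent; whether the .dsc still compiles the ShellPkg modules that are merely left out of the FV is not visible here.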
