Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2019-06-24 21:50:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Mon Jun 24 21:50:05 2019 rev:35 rq:710231 version:201905 Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2019-05-08 15:15:13.016821620 +0200 +++ /work/SRC/openSUSE:Factory/.ovmf.new.4615/ovmf.changes 2019-06-24 21:50:15.959961881 +0200 
@@ -1,0 +2,61 @@ +Mon Jun 17 03:32:51 UTC 2019 - Gary Ching-Pang Lin <[email protected]> + +- Update to edk2-stable201905 + + Update OpenSSL version to upcoming 1.1.1 + + Delete EdkCompatibilityPkg from edk2/master + + Remove .S assembly code for IA32 and X64 arch + + Replace BSD 2-Clause License with BSD + Patent Licence + + Recovery PEI BlockIO support for ATA device + + Add PCD to Enabled/Disabled IPv4/IPv6 PXE Support in NetworkPkg + + Remove NetworkPkg/IpSecDxe + + Add api to DebubLib to expose a print routine with VaList + parameter + + Introduce DebugPpi to save the image size with the debug + message + + ResetSystemLib Adds a new API ResetSystem + + ResetUtilityLib Add a new API ResetSystemWithSubtype + + Add support for get organization name to x509 in BaseCryptLib + + Add support for checking x509 EKUs in BaseCryptLib + + Add support for PKCS 1v2 RSAES-OAEP PKI encryption in + BaseCryptLib + + Remove ShellBinPkg from edk2/master + + Enable multiple thread /MP option for MSVC compiler + + Upstream the EnrollDefaultKeys application to OvmfPkg + + Share code for BaseUefiDecompressLib in MdePkg and MdeModulePkg + + Move network related components from MdeModulePkg to NetworkPkg + + Move BeagleBoardPkg and Omap35xxPkg from edk2 to edk2-platforms + repo + + Move MinnowMax and Quark platform to edk2-platforms repo + + Move OptionRomPkg into new Drivers directory edk2-platforms + repo + + Add ACPI6.3 definition + + Remove Nt32Pkg from edk2/master + + update ArmSoftFloatLib to latest upstream version (= 3e) +- Update openssl to 1.1.1b + + Add berkeley-softfloat-3-b64af41c3276f.tar.xz since arm7 needs + the softfloat implementation for openssl 1.1.1b +- Build the varstore templates with EnrollDefaultKeys.efi + + Create the iso files for key enrollment + - Add gen-key-enrollment-iso.sh to generate the iso file + + Drop the non-upstream ovmf-embed-default-keys.patch + - Also drop owner-guid-zero.h + + Drop the MS keys and dbx since they are already in + 
EnrollDefaultKeys.efi: MicCorKEKCA2011_2011-06-24.crt, + MicCorUEFCA2011_2011-06-27.crt, MicWinProPCA2011_2011-10-19.crt, + and dbxupdate.zip + - Also drop the related script strip_authinfo.pl + + Add ovmf-set-fixed-enroll-time.patch to set the fixed enrolling + time to make the varstore template reproducible + + Require qemu 3.0.0 for fw_cfg +- Update the build flags for network functions + + For x86_64, only enable TLS for the 4MB image since the code + size exceeds the boundary of 2MB image +- Refresh patches: + + ovmf-add-exclude-shell-flag.patch + + ovmf-disable-ia32-firmware-piepic.patch + + ovmf-pie.patch +- Drop the requirement of xxd +- Update README +- Update the License tag to BSD-2-Clause-Patent + +------------------------------------------------------------------- Old: ---- MicCorKEKCA2011_2011-06-24.crt MicCorUEFCA2011_2011-06-27.crt MicWinProPCA2011_2011-10-19.crt dbxupdate.zip openssl-1.1.0j.tar.gz openssl-1.1.0j.tar.gz.asc ovmf-2019+git1552059899.89910a39dcfd.tar.xz ovmf-embed-default-keys.patch owner-guid-zero.h strip_authinfo.pl New: ---- berkeley-softfloat-3-b64af41c3276f.tar.xz edk2-stable201905.tar.gz gen-key-enrollment-iso.sh openssl-1.1.1b.tar.gz openssl-1.1.1b.tar.gz.asc ovmf-set-fixed-enroll-time.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.OS7tNc/_old 2019-06-24 21:50:19.067964300 +0200 +++ /var/tmp/diff_new_pack.OS7tNc/_new 2019-06-24 21:50:19.079964309 +0200 
@@ -20,36 +20,34 @@ %define secureboot_archs x86_64 aarch64 %undefine _build_create_debug -%global openssl_version 1.1.0j +%global openssl_version 1.1.1b +%global softfloat_version b64af41c3276f Name: ovmf Url: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2 Summary: Open Virtual Machine Firmware -License: BSD-2-Clause +License: BSD-2-Clause-Patent Group: System/Emulators/PC -Version: 2019+git1552059899.89910a39dcfd +Version: 201905 Release: 0 -Source0: %{name}-%{version}.tar.xz +Source0: https://github.com/tianocore/edk2/archive/edk2-stable%{version}.tar.gz Source1: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz Source111: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz.asc Source112: openssl.keyring Source2: README Source3: SLES-UEFI-CA-Certificate-2048.crt -Source4: MicCorKEKCA2011_2011-06-24.crt -Source5: MicCorUEFCA2011_2011-06-27.crt -Source6: MicWinProPCA2011_2011-10-19.crt -Source7: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip -Source8: openSUSE-UEFI-CA-Certificate-2048.crt -Source9: openSUSE-UEFI-SIGN-Certificate-2048.crt -Source10: strip_authinfo.pl -Source11: owner-guid-zero.h +Source4: openSUSE-UEFI-CA-Certificate-2048.crt +Source5: openSUSE-UEFI-SIGN-Certificate-2048.crt +# berkeley-softfloat-3: https://github.com/ucb-bar/berkeley-softfloat-3 +Source6: berkeley-softfloat-3-%{softfloat_version}.tar.xz Source100: %{name}-rpmlintrc Source101: gdb_uefi.py.in +Source102: gen-key-enrollment-iso.sh Patch1: %{name}-add-exclude-shell-flag.patch -Patch2: %{name}-embed-default-keys.patch -Patch3: %{name}-gdb-symbols.patch -Patch4: %{name}-pie.patch -Patch5: %{name}-disable-ia32-firmware-piepic.patch +Patch2: %{name}-gdb-symbols.patch +Patch3: %{name}-pie.patch +Patch4: %{name}-disable-ia32-firmware-piepic.patch +Patch5: %{name}-set-fixed-enroll-time.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bc BuildRequires: fdupes 
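Review bot: in @@ -20,36 +20,34 @@ the new Source0 (the GitHub archive of edk2-stable201905) and Source6 (berkeley-softfloat-3-%{softfloat_version}.tar.xz) have no signature/keyring companion the way Source1 keeps Source111/Source112 for openssl, and the only record of where the softfloat tarball comes from is the commit id in its file name plus the URL comment. Please note in the changelog (or a comment next to Source6) how that tarball was produced from commit b64af41c3276f so a rebuild can regenerate and compare it instead of trusting the blob in the package repository. The openssl_version bump to 1.1.1b with the matching .asc, and the License change to BSD-2-Clause-Patent, both match the changelog.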
@@ -62,13 +60,18 @@ BuildRequires: nasm %endif %ifarch %{secureboot_archs} +BuildRequires: dosfstools +BuildRequires: mkisofs +BuildRequires: mtools BuildRequires: openssl -BuildRequires: unzip -%if 0%{?suse_version} -BuildRequires: vim-base -%else -BuildRequires: vim-common +%ifarch x86_64 +BuildRequires: qemu-x86 >= 3.0.0 %endif +%ifarch aarch64 +BuildRequires: qemu-arm >= 3.0.0 +BuildRequires: qemu-ipxe +%endif +BuildRequires: unzip %endif ExclusiveArch: %ix86 x86_64 aarch64 %arm @@ -151,7 +154,7 @@ %endif %prep -%setup -q -n %{name}-%{version} +%setup -q -n edk2-edk2-stable%{version} # bsc#973038 Remove the packages we don't need to avoid any potential # license issue. @@ -163,26 +166,31 @@ %ifarch x86_64 %patch1 -p1 %endif -%ifarch %{secureboot_archs} %patch2 -p1 -%endif %patch3 -p1 %patch4 -p1 %patch5 -p1 # add openssl -pushd CryptoPkg/Library/OpensslLib -tar -xf %{SOURCE1} -mv openssl-%{openssl_version}/* openssl +pushd CryptoPkg/Library/OpensslLib/openssl +tar -xf %{SOURCE1} --strip 1 +popd + +# add berkeley-softfloat-3 +pushd ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3 +tar -xf %{SOURCE6} --strip 1 popd +chmod +x %{SOURCE102} + %build # Enable python3 build export PYTHON3_ENABLE=TRUE export PYTHON_COMMAND=python3 -OVMF_FLAGS="-D SECURE_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE -D TPM2_ENABLE -D TPM2_CONFIG_ENABLE" +OVMF_FLAGS="-D SECURE_BOOT_ENABLE -D TPM2_ENABLE -D TPM2_CONFIG_ENABLE\ + -D NETWORK_IP6_ENABLE -D NETWORK_HTTP_BOOT_ENABLE" %if 0%{?suse_version} > 1320 TOOL_CHAIN_TAG=GCC5 
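Review bot: in @@ -62,13 +60,18 @@ `BuildRequires: unzip` is removed and immediately re-added below the new qemu block, but its only consumer, `unzip %{SOURCE7}` for dbxupdate.zip, is deleted in @@ -353,55 +333,130 @@ and Source7 is gone from the Source list in @@ -20; drop the line unless another .zip is still unpacked. The new `qemu-x86 >= 3.0.0` / `qemu-arm >= 3.0.0` (plus qemu-ipxe on aarch64) dependencies exist because %build now boots the firmware under QEMU to enroll keys; the changelog entry "Require qemu 3.0.0 for fw_cfg" could say that explicitly so the reason for running a VM inside the build is recorded.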
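Review bot: in @@ -163,26 +166,31 @@ `chmod +x %{SOURCE102}` in %prep changes the mode of the file in %{_sourcedir} rather than anything in the unpacked tree; the execute bit is only needed for the `$GEN_ISO ...` calls in %build, and %install already uses `install -m 0755 %{SOURCE102}`, so calling the script as `bash %{SOURCE102} ...` in %build would avoid modifying the source directory at all. The flag changes are consistent with the changelog: `-D TLS_ENABLE` leaves OVMF_FLAGS and comes back per flavor as NETWORK_TLS_ENABLE, and HTTP_BOOT_ENABLE becomes NETWORK_HTTP_BOOT_ENABLE following the upstream move of networking into NetworkPkg. The openssl and softfloat tarballs are now overlaid with `tar -xf ... --strip 1` onto the submodule directories, which is fine as long as those directories are empty in the release tarball.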
@@ -192,19 +200,35 @@ %endif %ifarch %ix86 - OVMF_FLAGS="$OVMF_FLAGS -D FD_SIZE_2MB" + # Flavors for x86 + FLAVORS=("ovmf-ia32") + BUILD_ARCH="IA32" + + OVMF_FLAGS="$OVMF_FLAGS -D NETWORK_TLS_ENABLE -D FD_SIZE_2MB" BUILD_OPTIONS="$OVMF_FLAGS -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc -b DEBUG -t $TOOL_CHAIN_TAG" make -C BaseTools %else %ifarch x86_64 + # Flavors for x86_64: 2MB, 4MB, and 4MB+SMM + FLAVORS=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm") + BUILD_ARCH="X64" + BUILD_OPTIONS="$OVMF_FLAGS -a X64 -p OvmfPkg/OvmfPkgX64.dsc -b DEBUG -t $TOOL_CHAIN_TAG" make -C BaseTools %else %ifarch aarch64 + # Flavors for aarch64 + FLAVORS=("aavmf-aarch64") + BUILD_ARCH="AARCH64" + BUILD_OPTIONS="$OVMF_FLAGS -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc -b DEBUG -t $TOOL_CHAIN_TAG" ARCH=AARCH64 make -C BaseTools %else %ifarch %arm + # Flavors for arm + FLAVORS=("aavmf-aarch32") + BUILD_ARCH="AARCH32" + BUILD_OPTIONS="-a ARM -p ArmVirtPkg/ArmVirtQemu.dsc -b DEBUG -t $TOOL_CHAIN_TAG" ARCH=ARM make -C BaseTools %else 
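Review bot: in @@ -192,19 +200,35 @@ the %ix86 branch keeps `-D NETWORK_TLS_ENABLE -D FD_SIZE_2MB` together while the changelog says TLS was dropped from the x86_64 2MB image because the code no longer fits; if IA32 still fits in 2MB with TLS that is fine, but a one-line comment saying so will stop the next reader from "fixing" it. FLAVORS and BUILD_ARCH are also assigned for %ix86 and %arm although neither is in %{secureboot_archs}, so the template and ISO code in @@ -353 never uses them; `BUILD_ARCH="AARCH32"` in particular is not an edk2 architecture name (the build line right below uses `-a ARM`), so either drop those two assignments for the non-Secure-Boot arches or comment that they are placeholders.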
@@ -248,32 +272,26 @@ %{SOURCE101} > gdb_uefi-$target.py } -build_ovmf() -{ - name="$1" - case $name in - *-smm) - build $BUILD_OPTIONS -D FD_SIZE_4MB -D SMM_REQUIRE -D EXCLUDE_SHELL - ;; - *-4m) - build $BUILD_OPTIONS -D FD_SIZE_4MB - ;; - *) - build $BUILD_OPTIONS -D FD_SIZE_2MB - ;; - esac -} - -# OVMF without any default keys -for name in ovmf-x86_64 ovmf-x86_64-4m ovmf-x86_64-smm; do - build_ovmf $name - cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd $name.bin - cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd $name-code.bin - cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd $name-vars.bin +declare -A EXTRA_FLAGS +EXTRA_FLAGS=( + [ovmf-x86_64]="-D FD_SIZE_2MB" + [ovmf-x86_64-4m]="-D FD_SIZE_4MB -D NETWORK_TLS_ENABLE" + [ovmf-x86_64-smm]="-D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE -D EXCLUDE_SHELL" +) + +for flavor in ${FLAVORS[@]}; do + build $BUILD_OPTIONS ${EXTRA_FLAGS[$flavor]} + cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd $flavor.bin + cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd $flavor-code.bin + cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd $flavor-vars.bin - collect_debug_files $name + collect_debug_files $flavor done +# Copy Shell.efi and EnrollDefaultKeys.efi +cp Build/OvmfX64/DEBUG_*/X64/Shell.efi . +cp Build/OvmfX64/DEBUG_*/X64/EnrollDefaultKeys.efi . + # Collect the source mkdir -p source/ovmf-x86_64 # TODO get the source list from debug files 
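Review bot: in @@ -248,32 +272,26 @@ Shell.efi and EnrollDefaultKeys.efi are copied from Build/OvmfX64/DEBUG_*/X64/ after the flavor loop, so they are whatever the last flavor left in the shared Build tree, and the last entry in FLAVORS is ovmf-x86_64-smm, built with `-D EXCLUDE_SHELL`. Since ovmf-add-exclude-shell-flag.patch edits OvmfPkgX64.fdf (the flash layout) rather than the .dsc, the shell module is most likely still compiled, but please confirm, or move the two `cp` lines into the loop under a flavor that does not exclude the shell so the ISO never silently ends up without a Shell.efi. The EXTRA_FLAGS table is a clear improvement over the old case statement.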
@@ -281,26 +299,6 @@ find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ovmf-x86_64 \; find source/ovmf-x86_64 -name *.c -type f -exec chmod 0644 {} \; -build_with_keys() -{ - suffix_base="$1" - xxd -i Default_PK > SecurityPkg/Library/AuthVariableLib/Default_PK.h - xxd -i Default_KEK > SecurityPkg/Library/AuthVariableLib/Default_KEK.h - xxd -i Default_DB > SecurityPkg/Library/AuthVariableLib/Default_DB.h - xxd -i Default_DB_EX > SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h - xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h - cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h - - for suffix in $suffix_base $suffix_base-4m $suffix_base-smm; do - build_ovmf $suffix - cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin - cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin - cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-$suffix-vars.bin - - collect_debug_files ovmf-x86_64-$suffix - done -} - # Build with keys done later (shared between archs) %else 
@@ -314,27 +312,9 @@ dd of="aavmf-aarch64-code.bin" if="qemu-uefi-aarch64.bin" conv=notrunc dd of="aavmf-aarch64-vars.bin" if="/dev/zero" bs=1M count=64 -build_with_keys() -{ - suffix_base="$1" - xxd -i Default_PK > SecurityPkg/Library/AuthVariableLib/Default_PK.h - xxd -i Default_KEK > SecurityPkg/Library/AuthVariableLib/Default_KEK.h - xxd -i Default_DB > SecurityPkg/Library/AuthVariableLib/Default_DB.h - xxd -i Default_DB_EX > SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h - xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h - cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h - - for suffix in $suffix_base; do - build $BUILD_OPTIONS - cp Build/ArmVirtQemu-AARCH64/DEBUG_*/FV/QEMU_EFI.fd qemu-uefi-aarch64-$suffix.bin - dd of="aavmf-aarch64-$suffix-code.bin" if="/dev/zero" bs=1M count=64 - dd of="aavmf-aarch64-$suffix-code.bin" if="qemu-uefi-aarch64-$suffix.bin" conv=notrunc - dd of="aavmf-aarch64-$suffix-vars.bin" if="/dev/zero" bs=1M count=64 - - done -} - -# Build with keys done later (shared between archs) +# Copy Shell.efi and EnrollDefaultKeys.efi +cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/Shell.efi . +cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/EnrollDefaultKeys.efi . %else %ifarch %arm 
@@ -353,55 +333,130 @@ # Builds with keys is shared between archs %ifarch %{secureboot_archs} -# Each arch must define its own build_with_keys() function -# OVMF with SUSE keys -openssl x509 -in %{SOURCE3} -outform DER > Default_PK -openssl x509 -in %{SOURCE3} -outform DER > Default_KEK -openssl x509 -in %{SOURCE3} -outform DER > Default_DB -truncate -s 0 Default_DB_EX -truncate -s 0 Default_DBX -cat %{SOURCE11} > Default_Owner -build_with_keys suse - -#unpack the UEFI revocation list -unzip %{SOURCE7} - -# OVMF with MS keys -cat %{SOURCE4} > Default_PK -cat %{SOURCE4} > Default_KEK -cat %{SOURCE5} > Default_DB -cat %{SOURCE6} > Default_DB_EX -chmod 755 %{SOURCE10} -%{SOURCE10} dbxupdate.bin Default_DBX -echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \ -Default_Owner -build_with_keys ms - -# OVMF with openSUSE keys -openssl x509 -in %{SOURCE8} -outform DER > Default_PK -openssl x509 -in %{SOURCE8} -outform DER > Default_KEK -openssl x509 -in %{SOURCE9} -outform DER > Default_DB -truncate -s 0 Default_DB_EX -truncate -s 0 Default_DBX -cat %{SOURCE11} > Default_Owner -build_with_keys opensuse +# Generate PK/KEK OEM strings +pkkek_oemstr() +{ + local CERT_FILE=$1 + sed \ + -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ + -e '/^-----END CERTIFICATE-----$/d' \ + $CERT_FILE \ + | tr -d '\n' +} + +# Build the varstore template +build_template() +{ + local ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]') + local PREFIX="$2" + local KEY="$3" + local PKKEK_FILE="$4" + local ISO_FILE="$5" + + local FW_CODE_ORIG="${PREFIX}-code.bin" + local FW_VARS_ORIG="${PREFIX}-vars.bin" + local FW_CODE="${PREFIX}-${KEY}-code.bin" + local FW_VARS="${PREFIX}-${KEY}-vars.bin" + + ln -s "$FW_CODE_ORIG" "$FW_CODE" + cp "$FW_VARS_ORIG" "$FW_VARS" + + # QEMU parameters + # pflash parameters + local PFLASH_CODE="-drive if=pflash,format=raw,unit=0,readonly,file=$FW_CODE" + local PFLASH_VARS="-drive 
if=pflash,format=raw,unit=1,file=$FW_VARS" + + # smbios parameters for PK and KEK + local SMBIOS="-smbios type=11,value=$(pkkek_oemstr $PKKEK_FILE)" + + # memory: 256MB + local MEMORY="-m 256" + + # redirect display to stdio and disable network + local MISC="-display none -no-user-config -nodefaults -smp 1" + MISC="$MISC -serial stdio" + + # set cdrom device + local CDROM="-device virtio-scsi-pci,id=scsi0" + CDROM="$CDROM -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=0" + CDROM="$CDROM -drive media=cdrom,if=none,id=cd0,format=raw,readonly=on" + CDROM="$CDROM,file=${ISO_FILE}" + + if [ $ARCH == "X64" ]; then + # qemu command + local QEMU="qemu-system-x86_64" + + # machine parameters + local MACHINE="-machine q35" + if [[ "$PREFIX" == *"-smm" ]]; then + MACHINE="$MACHINE,smm=on,accel=tcg" + MACHINE="$MACHINE -global driver=cfi.pflash01,property=secure,value=on" + MACHINE="$MACHINE -global ICH9-LPC.disable_s3=1" + fi + MACHINE="$MACHINE -chardev pty,id=charserial1" + MACHINE="$MACHINE -device isa-serial,chardev=charserial1,id=serial1" + elif [ $ARCH == "AARCH64" ]; then + # qemu command + local QEMU="qemu-system-aarch64" + + # machine parameters + local MACHINE="-cpu cortex-a57 -machine virt" + fi + + # Launch the VM + $QEMU $MACHINE $MEMORY $PFLASH_CODE $PFLASH_VARS $SMBIOS $CDROM $MISC +} +# Assign the default PK/KEK +declare -A PKKEK +PKKEK=( + [ms]=%{SOURCE3} + [suse]=%{SOURCE3} + [opensuse]=%{SOURCE4} + [devel]=%{_sourcedir}/_projectcert.crt +) + +# Assign the key iso file +MS_ISO_FILE=ms-keys.iso +NOMS_ISO_FILE=no-ms-keys.iso +declare -A KEY_ISO_FILES +KEY_ISO_FILES=( + [ms]=$MS_ISO_FILE + [suse]=$NOMS_ISO_FILE + [opensuse]=$NOMS_ISO_FILE + [devel]=$NOMS_ISO_FILE +) + +# Default key sources: ms suse opensuse +KEY_SOURCES=(ms suse opensuse) + +# Add 'devel' if necessary if [ -e %{_sourcedir}/_projectcert.crt ]; then prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) - opensusesubject=$(openssl x509 -in %{SOURCE8} -noout 
-subject_hash) + opensusesubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash) if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then - openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_PK - openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_KEK - openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB - truncate -s 0 Default_DB_EX - truncate -s 0 Default_DBX - cat %{SOURCE11} > Default_Owner - build_with_keys devel + KEY_SOURCES+=(devel) fi fi -%endif + +# Create the iso images +GEN_ISO=%{SOURCE102} +SHELL=Shell.efi +ENROLLER=EnrollDefaultKeys.efi +$GEN_ISO $BUILD_ARCH $SHELL $ENROLLER default $MS_ISO_FILE +$GEN_ISO $BUILD_ARCH $SHELL $ENROLLER no-default $NOMS_ISO_FILE + +# Generate the varstore templates +for flavor in ${FLAVORS[@]}; do + for key in ${KEY_SOURCES[@]}; do + build_template "$BUILD_ARCH" "$flavor" "$key" \ + "${PKKEK[$key]}" "${KEY_ISO_FILES[$key]}" + done +done + +%endif #secureboot_archs %install rm -rf %{buildroot} @@ -421,9 +476,12 @@ %else %ifarch x86_64 tr -d '\r' < OvmfPkg/License.txt > License-ovmf.txt + +# Install firmware files install -m 0644 -D ovmf-x86_64.bin %{buildroot}/%{_datadir}/qemu/ovmf-x86_64.bin install -m 0644 ovmf-x86_64-*.bin %{buildroot}/%{_datadir}/qemu/ %fdupes %{buildroot}/%{_datadir}/qemu/ + # Install debug symbols, gdb-uefi.py install -d %{buildroot}/%{_datadir}/ovmf-x86_64/ install -m 0644 gdb_uefi-*.py %{buildroot}/%{_datadir}/ovmf-x86_64/ 
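Review bot: in @@ -353,55 +333,130 @@ build_template() launches QEMU and returns without checking that enrollment actually happened: startup.nsh on the ISO ends with an unconditional `reset -s`, so if EnrollDefaultKeys.efi fails the VM still powers off cleanly, QEMU exits 0, and the loop ships a `${PREFIX}-${KEY}-vars.bin` that differs from the keyless template only by the ordinary boot variables OVMF writes on every boot. Capture the serial console to a file instead of `-serial stdio` and grep it for the enroller's output after `$QEMU ...`, failing the build if the enrollment did not succeed, so a Secure Boot template with no PK cannot leave the build unnoticed. Smaller points: `SHELL=Shell.efi` overrides bash's own SHELL variable for the rest of %build, rename it (e.g. UEFI_SHELL) since the value is just a file name; `tr '[:lower:'] '[:upper:]'` has the closing quote before the `]` (it still works because the unquoted `]` is concatenated onto the word, but it is a typo); and because `$FW_CODE` is a symlink, `install -m 0644 ovmf-x86_64-*.bin` in %install dereferences it and %fdupes then folds the duplicate code images, which deserves a comment next to the `ln -s`.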
@@ -433,13 +491,16 @@ mkdir -p %{buildroot}/usr/src/debug mv source/ovmf-x86_64* %{buildroot}/usr/src/debug %fdupes -s %{buildroot}/usr/src/debug/ovmf-x86_64 + %else %ifarch aarch64 +# Install firmware files install -d %{buildroot}/%{_datadir}/qemu/ install -m 0644 -D qemu-uefi-aarch64*.bin %{buildroot}/%{_datadir}/qemu/ install -m 0644 -D aavmf-aarch64-*code.bin %{buildroot}/%{_datadir}/qemu/ install -m 0644 -D aavmf-aarch64-*vars.bin %{buildroot}/%{_datadir}/qemu/ %fdupes %{buildroot}/%{_datadir}/qemu/ + %else %ifarch %arm install -m 0644 -D qemu-uefi-aarch32.bin %{buildroot}/%{_datadir}/qemu/qemu-uefi-aarch32.bin @@ -450,9 +511,22 @@ %endif #x86_64 %endif #ix86 +%ifarch %{secureboot_archs} +# Install EnrollDefaultKeys.efi +mkdir -p %{buildroot}/%{_datadir}/ovmf/ +install -m 0644 Shell.efi %{buildroot}/%{_datadir}/ovmf/ +install -m 0644 EnrollDefaultKeys.efi %{buildroot}/%{_datadir}/ovmf/ +install -m 0755 %{SOURCE102} %{buildroot}/%{_datadir}/ovmf/ +%endif + %files %defattr(-,root,root) %doc README +%ifarch %{secureboot_archs} +%dir %{_datadir}/ovmf/ +%{_datadir}/ovmf/*.efi +%{_datadir}/ovmf/*.sh +%endif %files tools %defattr(-,root,root) @@ -462,7 +536,7 @@ %ifarch %ix86 %files -n qemu-ovmf-ia32 %defattr(-,root,root) -%doc License.txt License-ovmf.txt +%license License.txt License-ovmf.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/ovmf-ia32*.bin %endif @@ -470,7 +544,7 @@ %ifarch x86_64 %files -n qemu-ovmf-x86_64 %defattr(-,root,root) -%doc License.txt License-ovmf.txt +%license License.txt License-ovmf.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/ovmf-x86_64*.bin @@ -486,7 +560,7 @@ %ifarch aarch64 %files -n qemu-uefi-aarch64 %defattr(-,root,root) -%doc License.txt +%license License.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/qemu-uefi-aarch64*.bin %{_datadir}/qemu/aavmf-aarch64-*code.bin 
@@ -496,7 +570,7 @@ %ifarch %arm %files -n qemu-uefi-aarch32 %defattr(-,root,root) -%doc License.txt +%license License.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/qemu-uefi-aarch32.bin %{_datadir}/qemu/aavmf-aarch32-code.bin ++++++ README ++++++ --- /var/tmp/diff_new_pack.OS7tNc/_old 2019-06-24 21:50:19.471964614 +0200 +++ /var/tmp/diff_new_pack.OS7tNc/_new 2019-06-24 21:50:19.475964618 +0200 @@ -21,28 +21,25 @@ It would be easier to manage the NV variables with the separated vars firmware. -NOTE: Although it's possible to run OVMF with '-bios', this is not recommended. - In the BIOS mode, OVMF has to store the NV variables in a file, NvVars, - to emulate flash and this is usually unreliable and error-prone. +NOTE: Running OVMF with '-bios' is deprecated and should not be used anymore. -Image with preloaded keys -------------------------- +Variable Stores with preloaded keys +----------------------------------- Besides the generic OVMF images, there are images preloaded with different vendor keys. -ovmf-x86_64-ms.bin -- PK: Microsoft Corporation KEK CA 2011 -- KEK: Microsoft Corporation KEK CA 2011 +ovmf-x86_64-smm-ms-vars.bin +- PK: SUSE Linux Enterprise Secure Boot CA +- KEK: Microsoft Corporation KEK CA 2011, SUSE Linux Enterprise Secure Boot CA - db: Microsoft Corporation UEFI CA 2011, Microsoft Windows Production PCA 2011 -- dbx: dbx hashes from uefi.org -ovmf-x86_64-opensuse.bin +ovmf-x86_64-smm-opensuse-vars.bin - PK: openSUSE Secure Boot CA - KEK: openSUSE Secure Boot CA -- db: openSUSE Secure Boot Signkey +- db: openSUSE Secure Boot CA -ovmf-x86_64-suse.bin +ovmf-x86_64-smm-suse-vars.bin - PK: SUSE Linux Enterprise Secure Boot CA - KEK: SUSE Linux Enterprise Secure Boot CA - db: SUSE Linux Enterprise Secure Boot CA 
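Review bot: in README @@ -21,28 +21,25 @@ the heading now says "Variable Stores with preloaded keys" but the sentence under it still reads "there are images preloaded with different vendor keys", and only the -smm variants are listed although the spec generates a template for every flavor in FLAVORS (ovmf-x86_64, ovmf-x86_64-4m, ovmf-x86_64-smm and aavmf-aarch64); say "variable stores" and give the naming pattern so users can find the non-SMM ones. The removed "- dbx: dbx hashes from uefi.org" line also conflicts with the changelog ("Drop the MS keys and dbx since they are already in EnrollDefaultKeys.efi"): if the ms template now ships with an empty dbx, the README should state that, because a guest that relies on the template for revocation has none until it applies a dbx update itself.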
@@ -50,6 +47,12 @@ Note that the preloaded key images are all 64 bit because openSUSE/SLE and Windows only support Secure Boot in 64 bit mode. +Those variable stores are created with EnrollDefaultKeys.efi which enrolls +the Microsoft keys into KEK and db. It also reads the key from SMBIOS Type 11 +and enrolls the key into PK and KEK. If the "--no-default" switch is provided, +the program will ignore the Microsoft keys and enroll the key from SMBIOS into +db instead. + x86_64 4MB images ----------------- @@ -64,8 +67,8 @@ The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images with SMM support. SMM provides better (virtual) hardware separation between the guest OS and the firmware to prevent the runtime guest OS from tampering -with the variable store and S3 areas. Here are the requirements to use the -SMM images: +with the variable store and S3 areas, so it's recommended to enable SMM along +with Secure Boot. Here are the requirements to use the SMM images: * SMM support requires QEMU 2.5. * The minimum required QEMU machine type is "pc-q35-2.5". 
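Review bot: in README @@ -50,6 +47,12 @@ the new paragraph explains that EnrollDefaultKeys.efi reads the key from SMBIOS Type 11 but not what that string looks like; since Shell.efi, EnrollDefaultKeys.efi and gen-key-enrollment-iso.sh are installed under %{_datadir}/ovmf (spec @@ -450) so that users can build their own templates, document the expected OEM string form (the `4e32566d-8e9e-4f52-81d3-5bb9715f9727:` prefix followed by the base64 certificate body, as pkkek_oemstr() in the spec produces it) and state plainly that the certificate passed this way becomes PK, i.e. the trust root of the resulting variable store. The retained sentence "Note that the preloaded key images are all 64 bit" predates the aarch64 templates and should say "variable stores" as well.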
@@ -82,7 +85,7 @@ -global ICH9-LPC.disable_s3=1 \ ... -NOTE: The pflash variables store is required to use OVMF with SMM. +NOTE: The pflash variable store is required to use OVMF with SMM. Creating Platform and Key Exchange keys ======================================= ++++++ gen-key-enrollment-iso.sh ++++++ #!/bin/bash -e # The script to generate the key enrollment iso file # based on build_iso() in https://git.kraxel.org/cgit/jenkins/edk2/tree/edk2.git.spec # Example: $0 X64 Shell.efi EnrollDefaultKeys.efi default key.iso usage() { PROG_NAME=$1 echo "Usage: $PROG_NAME <Arch> <Shell> <Enroller> <Type> <ISO NAME>" echo "ex: $PROG_NAME X64 Shell.efi EnrollDefaultKeys.efi default key.iso" } ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]') UEFI_SHELL_BINARY="$2" ENROLLER_BINARY="$3" TYPE="$4" ISO_NAME="$5" # Check the arguments if [ x$ARCH != xX64 ] && [ x$ARCH != xAARCH64 ]; then echo "Supported architecture: X64, AARCH64" usage $0 exit 1 fi if [ x$UEFI_SHELL_BINARY == x ] || [ ! -e "$UEFI_SHELL_BINARY" ]; then echo "Please specify the UEFI shell binary" usage $0 exit 1 fi if [ x$ENROLLER_BINARY == x ] || [ ! 
-e "$ENROLLER_BINARY" ]; then echo "Please specify the enroller binary" usage $0 exit 1 fi if [ x$TYPE == x ]; then echo "Please specify the type of image: default or no-default" usage $0 exit 1 fi if [ x$ISO_NAME == x ]; then echo "Please specify the name of output iso" usage $0 exit 1 fi ISO_PATH=$(realpath $ISO_NAME) TMP_DIR=$(mktemp -d) cp $UEFI_SHELL_BINARY $TMP_DIR/Shell.efi cp $ENROLLER_BINARY $TMP_DIR/EnrollDefaultKeys.efi UEFI_BOOT_EFI=$( if [ $ARCH == "X64" ]; then echo bootx64.efi elif [ $ARCH == "AARCH64" ]; then echo bootaa64.efi else exit 1 fi ) UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY") ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY") START_SCRIPT=$TMP_DIR/"startup.nsh" echo "fs0:" > $START_SCRIPT if [ $TYPE == "default" ]; then echo "EnrollDefaultKeys.efi" >> $START_SCRIPT else echo "EnrollDefaultKeys.efi --no-default" >> $START_SCRIPT fi echo "reset -s" >> $START_SCRIPT UEFI_SHELL_IMAGE=uefi_shell_${ARCH}_${TYPE}.img # Add 1MB then 10% for metadata UEFI_SHELL_IMAGE_KB=$(( (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024 )) pushd $TMP_DIR # Create non-partitioned FAT image rm -f -- "$UEFI_SHELL_IMAGE" /usr/sbin/mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB" export MTOOLS_SKIP_CHECK=1 mmd -i "$UEFI_SHELL_IMAGE" ::efi mmd -i "$UEFI_SHELL_IMAGE" ::efi/boot mcopy -i "$UEFI_SHELL_IMAGE" Shell.efi ::efi/boot/$UEFI_BOOT_EFI mcopy -i "$UEFI_SHELL_IMAGE" "$START_SCRIPT" ::efi/boot/startup.nsh mcopy -i "$UEFI_SHELL_IMAGE" EnrollDefaultKeys.efi ::EnrollDefaultKeys.efi mdir -i "$UEFI_SHELL_IMAGE" -/ :: # build ISO with FAT image file as El Torito EFI boot image mkisofs -input-charset ASCII -J -rational-rock \ -eltorito-platform efi -eltorito-boot "$UEFI_SHELL_IMAGE" \ -no-emul-boot -o "$ISO_PATH" -- "$UEFI_SHELL_IMAGE" popd #rm -rf $TMP_DIR ++++++ openssl-1.1.0j.tar.gz -> openssl-1.1.1b.tar.gz ++++++ /work/SRC/openSUSE:Factory/ovmf/openssl-1.1.0j.tar.gz 
/work/SRC/openSUSE:Factory/.ovmf.new.4615/openssl-1.1.1b.tar.gz differ: char 5, line 1 ++++++ ovmf-add-exclude-shell-flag.patch ++++++ --- /var/tmp/diff_new_pack.OS7tNc/_old 2019-06-24 21:50:19.615964726 +0200 +++ /var/tmp/diff_new_pack.OS7tNc/_new 2019-06-24 21:50:19.615964726 +0200 @@ -1,8 +1,8 @@ -Index: ovmf-2019+git1550452308.c417c1b33d06/OvmfPkg/OvmfPkgX64.fdf +Index: edk2-edk2-stable201905/OvmfPkg/OvmfPkgX64.fdf =================================================================== ---- ovmf-2019+git1550452308.c417c1b33d06.orig/OvmfPkg/OvmfPkgX64.fdf -+++ ovmf-2019+git1550452308.c417c1b33d06/OvmfPkg/OvmfPkgX64.fdf -@@ -292,7 +292,9 @@ INF MdeModulePkg/Universal/Disk/UdfDxe/ +--- edk2-edk2-stable201905.orig/OvmfPkg/OvmfPkgX64.fdf ++++ edk2-edk2-stable201905/OvmfPkg/OvmfPkgX64.fdf +@@ -291,7 +291,9 @@ INF MdeModulePkg/Universal/Disk/UdfDxe/ !if $(TOOL_CHAIN_TAG) != "XCODE5" INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf !endif ++++++ ovmf-disable-ia32-firmware-piepic.patch ++++++ --- /var/tmp/diff_new_pack.OS7tNc/_old 2019-06-24 21:50:19.619964730 +0200 +++ /var/tmp/diff_new_pack.OS7tNc/_new 2019-06-24 21:50:19.619964730 +0200 
@@ -1,8 +1,8 @@ -Index: ovmf-2019+git1550452308.c417c1b33d06/BaseTools/Conf/tools_def.template +Index: edk2-edk2-stable201905/BaseTools/Conf/tools_def.template =================================================================== ---- ovmf-2019+git1550452308.c417c1b33d06.orig/BaseTools/Conf/tools_def.template -+++ ovmf-2019+git1550452308.c417c1b33d06/BaseTools/Conf/tools_def.template -@@ -3141,7 +3141,7 @@ DEFINE GCC_AARCH64_RC_FLAGS = -I +--- edk2-edk2-stable201905.orig/BaseTools/Conf/tools_def.template ++++ edk2-edk2-stable201905/BaseTools/Conf/tools_def.template +@@ -1738,7 +1738,7 @@ DEFINE GCC_AARCH64_RC_FLAGS = -I DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 ++++++ ovmf-pie.patch ++++++ --- /var/tmp/diff_new_pack.OS7tNc/_old 2019-06-24 21:50:19.647964751 +0200 +++ /var/tmp/diff_new_pack.OS7tNc/_new 2019-06-24 21:50:19.647964751 +0200 
@@ -1,13 +1,13 @@ -Index: ovmf-2018+git1534736099.43fe4c405292/BaseTools/Source/C/Makefiles/header.makefile +Index: edk2-edk2-stable201905/BaseTools/Source/C/Makefiles/header.makefile =================================================================== ---- ovmf-2018+git1534736099.43fe4c405292.orig/BaseTools/Source/C/Makefiles/header.makefile -+++ ovmf-2018+git1534736099.43fe4c405292/BaseTools/Source/C/Makefiles/header.makefile -@@ -77,7 +77,7 @@ ifeq ($(DARWIN),Darwin) - # assume clang or clang compatible flags on OS X - BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g - else --BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -g -+BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -g -fPIE +--- edk2-edk2-stable201905.orig/BaseTools/Source/C/Makefiles/header.makefile ++++ edk2-edk2-stable201905/BaseTools/Source/C/Makefiles/header.makefile +@@ -75,7 +75,7 @@ else + BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \ + -fno-delete-null-pointer-checks -Wall -Werror \ + -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \ +--Wno-unused-result -nostdlib -g ++-Wno-unused-result -nostdlib -g -fPIE endif BUILD_LFLAGS = BUILD_CXXFLAGS = -Wno-unused-result ++++++ ovmf-set-fixed-enroll-time.patch ++++++ >From c0cec3409f3abda1e2359a79ccac575b4ea1838b Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Tue, 21 May 2019 16:56:06 +0800 Subject: [PATCH 1/1] OvmfPkg/EnrollDefaultKeys: Set the fixed time For the reproducible build, we need to set the fixed time when setting the authenticate variables. 
Signed-off-by: Gary Lin <[email protected]> --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c index f45cb799f726..0e42e49d48f2 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -301,6 +301,16 @@ EnrollListOfCerts ( if (EFI_ERROR (Status)) { goto FreeData; } + + // Set the fixed time for the reproducible build + // 2019-5-20 00:00:00 + SingleHeader->TimeStamp.Year = 2019; + SingleHeader->TimeStamp.Month = 5; + SingleHeader->TimeStamp.Day = 20; + SingleHeader->TimeStamp.Hour = 0; + SingleHeader->TimeStamp.Minute = 0; + SingleHeader->TimeStamp.Second = 0; + SingleHeader->TimeStamp.Pad1 = 0; SingleHeader->TimeStamp.Nanosecond = 0; SingleHeader->TimeStamp.TimeZone = 0; -- 2.21.0
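Review bot: gen-key-enrollment-iso.sh leaves its working directory behind (`#rm -rf $TMP_DIR` is commented out); because the script is installed to %{_datadir}/ovmf for end users, every run leaks a mktemp directory holding copies of the shell, the enroller, the FAT image and startup.nsh. Replace the commented line with `trap 'rm -rf "$TMP_DIR"' EXIT` right after `TMP_DIR=$(mktemp -d)` so cleanup also happens on the `-e` failure paths. The `UEFI_BOOT_EFI=$( ... else exit 1 fi )` construct cannot abort the script: `exit 1` only ends the command substitution and leaves UEFI_BOOT_EFI empty, harmless only because ARCH was validated above, so a plain if/else assignment is clearer. startup.nsh ends with an unconditional `reset -s`, so the VM shuts down whether or not EnrollDefaultKeys.efi succeeded and the caller cannot tell the two apart from QEMU's exit status. `tr '[:lower:'] '[:upper:]'` carries the same misplaced quote as the spec, and `/usr/sbin/mkdosfs` is hardcoded; BuildRequires: dosfstools guarantees it at build time, but `mkfs.fat` from PATH would be more portable on a user's machine.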
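Review bot: in the refreshed ovmf-pie.patch hunk `@@ -75,7 +75,7 @@`, `-fPIE` is still only appended to BUILD_CFLAGS while the context shows `BUILD_LFLAGS =` empty, so whether the BaseTools binaries are actually linked as position-independent executables depends on the toolchain default; if the goal is PIE regardless of distro defaults, add `-pie` to BUILD_LFLAGS in the same patch. The rebase itself is correct: upstream split the line and added `-fwrapv -fno-delete-null-pointer-checks`, and the patch now changes only the final `-Wno-unused-result -nostdlib -g` line.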
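Review bot: in ovmf-set-fixed-enroll-time.patch (`@@ -301,6 +301,16 @@ EnrollListOfCerts`) the fixed 2019-05-20 timestamp goes into the EFI_VARIABLE_AUTHENTICATION_2 header of every variable the enroller writes, and two consequences deserve a sentence in the commit message. First, time-based authenticated variables reject a non-append update whose TimeStamp is not later than the stored one, so pinning the template to a date in the past means any genuine later update from the guest (KEK, db or dbx) passes the timestamp check, with signature checks applying as usual; a date in the future would have blocked updates, so the choice matters. Second, if the `Status` checked just above the inserted lines comes from a runtime time lookup, that call is now dead and can be removed together with its error path, which also takes away the last source of non-determinism. Please also turn the seven literals into a named constant (e.g. a #define at the top of the file) so the "reproducible build" intent is discoverable, and check that the remaining EFI_TIME fields not shown in the context (Daylight, Pad2) are zeroed too, since any uninitialised byte would make the signed payload vary between builds.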
