Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot
On Wed, 2017-01-04 at 11:10 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > > The recipe now compiles OVMF twice, once without Secure Boot, once
> > > with. This is the same approach as in
> > > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> >
> > Besides the fact that Fedora does it, is there a particular reason to
> > build twice?
>
> The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
> There's only one such file after a build.
>
> > On my side, I am able to build with secure boot with a
> > single build. Also, the Ubuntu documentation does not mention that two
> > builds are needed [1].
>
> Can you build with and without secure boot in a single build? I wasn't
> sure how to achieve that, so I just copied what Fedora does.

Oh, I see. I didn't understand from your commit message that you intend to
keep both the secure boot and the non-secure boot images. Then it makes
sense to build twice.

> > Also, I think it would be nice if we could choose to not have
> > secure boot at all for OVMF. Maybe this could be achieved by having a
> > common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
> > different specific things to support secure boot or not. Maybe all
> > that is needed in the secure boot recipe are the extra variables for
> > OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> > patching. Something to ponder.
>
> I think I would prefer to have a single recipe with a PACKAGECONFIG for
> secure boot. Having different recipes doesn't scale when adding more
> such options. If you agree, then I'll add that.

Yes, I agree that a PACKAGECONFIG makes more sense.
>
> > > +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > > +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t
> > > ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > > +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> >
> > At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> > ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> > boot support. Maybe this could be fixed by copying the files rather than
> > creating a symbolic link.
>
> This is intentionally a hardlink, not a symbolic link, exactly because
> of the problem you mentioned ;-)

Oh, a hardlink. I see now. Thanks for clarifying.

> --

___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot
On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > The recipe now compiles OVMF twice, once without Secure Boot, once
> > with. This is the same approach as in
> > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
>
> Besides the fact that Fedora does it, is there a particular reason to
> build twice?

The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
There's only one such file after a build.

> On my side, I am able to build with secure boot with a
> single build. Also, the Ubuntu documentation does not mention that two
> builds are needed [1].

Can you build with and without secure boot in a single build? I wasn't
sure how to achieve that, so I just copied what Fedora does.

> Also, I think it would be nice if we could choose to not have
> secure boot at all for OVMF. Maybe this could be achieved by having a
> common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
> different specific things to support secure boot or not. Maybe all
> that is needed in the secure boot recipe are the extra variables for
> OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> patching. Something to ponder.

I think I would prefer to have a single recipe with a PACKAGECONFIG for
secure boot. Having different recipes doesn't scale when adding more
such options. If you agree, then I'll add that.

> > +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t
> > ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
>
> At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> boot support. Maybe this could be fixed by copying the files rather than
> creating a symbolic link.
This is intentionally a hardlink, not a symbolic link, exactly because
of the problem you mentioned ;-)

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
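The hardlink point made above, as an added example that is not part of the thread or of the ovmf recipe. It reproduces the recipe's sequence (build, save OVMF.fd, `rm -rf` the build tree, build again with the Secure Boot flag, save again) in a scratch directory and shows that saving with `ln` keeps the first image alive after the build tree is wiped, while `ln -s` leaves both names pointing at the second, Secure Boot, image. `build_ovmf` is a constructed stand-in for OvmfPkg/build.sh that writes a line of text instead of a firmware volume; `images_distinct` is the deploy-time sanity check a recipe could run before converting the two images.

```shell
#!/bin/sh
# Added example, not code from the recipe or the thread.  Demonstrates why
# the recipe saves each OVMF.fd with a hardlink before "rm -rf" of the build
# tree, and provides a check that the two saved images really differ.
set -eu

# Constructed stand-in for OvmfPkg/build.sh: the "image" content depends on
# the flags, just as the real ${build_dir}/FV/OVMF.fd does.
# $1 = build directory, $2 = extra build flags ("" or the Secure Boot flag)
build_ovmf() {
    mkdir -p "$1/FV"
    printf 'fake OVMF image, flags: %s\n' "$2" > "$1/FV/OVMF.fd"
}

# Save a built image under a stable name.
# $1 = mode: hard (what the recipe does), sym, or copy; $2 = source; $3 = dest
link_image() {
    case $1 in
        hard) ln "$2" "$3" ;;
        sym)  ln -s "$2" "$3" ;;
        copy) cp "$2" "$3" ;;
        *)    echo "unknown link mode: $1" >&2; return 1 ;;
    esac
}

# Mirrors do_compile_class-target: build without Secure Boot, save, wipe the
# build tree, build with Secure Boot, save.
# $1 = link mode, $2 = scratch directory standing in for ${WORKDIR}
two_builds() {
    mode=$1; work=$2; build=$work/Build
    rm -rf "$work"; mkdir -p "$work/ovmf"
    build_ovmf "$build" ""
    link_image "$mode" "$build/FV/OVMF.fd" "$work/ovmf/OVMF.fd"
    rm -rf "$build"                   # the recipe's rm -rf before the second build
    build_ovmf "$build" "-DSECURE_BOOT_ENABLE=TRUE"
    link_image "$mode" "$build/FV/OVMF.fd" "$work/ovmf/OVMF.secboot.fd"
}

# Deploy-time check: both saved images exist and their contents differ.
# Returns 0 when they are genuinely two images, 1 otherwise.
# $1 = the scratch directory passed to two_builds
images_distinct() {
    a=$1/ovmf/OVMF.fd; b=$1/ovmf/OVMF.secboot.fd
    [ -f "$a" ] && [ -f "$b" ] || return 1
    ! cmp -s "$a" "$b"
}

# Demonstration run: hard and copy keep two different images, sym does not.
scratch=$(mktemp -d)
for mode in hard copy sym; do
    two_builds "$mode" "$scratch/$mode"
    if images_distinct "$scratch/$mode"; then
        echo "$mode: OVMF.fd and OVMF.secboot.fd differ (ok)"
    else
        echo "$mode: both names now hold the Secure Boot image (broken)"
    fi
done
rm -rf "$scratch"
```

The symlink case fails because `rm -rf` removes the directory entry the link names and the second build recreates it, so after the second `ln -s` both names resolve to the new file; the hardlink case works because the first image's data stays referenced from ${WORKDIR}/ovmf/OVMF.fd and only the name under Build/ is removed. A copy works too, at the cost of a second full write of the image.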
Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot
On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The recipe now compiles OVMF twice, once without Secure Boot, once
> with. This is the same approach as in
> https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Besides the fact that Fedora does it, is there a particular reason to
build twice? On my side, I am able to build with secure boot with a
single build. Also, the Ubuntu documentation does not mention that two
builds are needed [1].

I do see that in Fedora, the build parameters change. OVMF without
secure boot support is built with -a X64 -p OvmfPkg/OvmfPkgX64.dsc
while OVMF with secure boot support is built with -a IA32 -a X64 -p
OvmfPkg/OvmfPkgIa32X64.dsc. Perhaps this is the reason?

> The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
> image deploy directory, so
>    runqemu ovmf.secboot
> will boot with Secure Boot enabled.
>
> In contrast to Fedora, no attempt is made to strip potentially patent
> encumbered algorithms out of the OpenSSL archive. OVMF does not use
> the ones considered problematic for Fedora, so this shouldn't be a
> problem.
>
> Fixes: luv-yocto/#38

Also, I think it would be nice if we could choose to not have
secure boot at all for OVMF. Maybe this could be achieved by having a
common ovmf.inc and two ovmf_git.bb and ovmf_sb_git.bb with the
different specific things to support secure boot or not. Maybe all
that is needed in the secure boot recipe are the extra variables for
OpenSSL and a prepend to do_compile_class-target with the OpenSSL
patching. Something to ponder.

> Signed-off-by: Patrick Ohly
> ---
> meta/recipes-core/ovmf/ovmf_git.bb | 27 ++-
> 1 file changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb
> b/meta/recipes-core/ovmf/ovmf_git.bb
> index 67e65b8..c4eedf0 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -1,6 +1,6 @@
> DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
> HOMEPAGE =
> "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF;
> -LICENSE = "BSD"
> +LICENSE = "BSD & OpenSSL"
> LIC_FILES_CHKSUM =
> "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
>
> SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
> @@ -10,7 +10,13 @@ SRC_URI =
> "git://github.com/tianocore/edk2.git;branch=master \
> file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
> "
>
> +SRC_URI_append_class-target = " \
> +
> http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib
> \
> +"
> +
> SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
> +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
> +SRC_URI[openssl.sha256sum] =
> "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
>
> PARALLEL_MAKE_class-native = ""
>
> @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
> # OVMF supports IA only, although it could conceivably support ARM someday.
> COMPATIBLE_HOST='(i.86|x86_64).*'
>
> +# Additional build flags for OVMF with Secure Boot.
> +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
> +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
> +
> do_patch_append_class-native() {
> bb.build.exec_func('do_fix_iasl', d)
> bb.build.exec_func('do_fix_toolchain', d)
> @@ -110,8 +120,22 @@ do_compile_class-target() {
> bbnote FIXED_GCCVER is ${FIXED_GCCVER}
> build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
>
> +bbnote "Building without Secure Boot."
> +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t
> ${FIXED_GCCVER}
> ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> +
> +# See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
> +# https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> +# building with Secure Boot enabled.
> +bbnote "Building with Secure Boot."
> +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> +if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied
> ]; then
> +( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1
> <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
> +fi
> +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t
> ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd

At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
boot support. Maybe this could be fixed by copying the files rather than
creating a symbolic link.

> }
>
> do_install_class-native() {
> @@ -131,6 +155,7 @@ do_deploy() {
> do_deploy_class-target() {
> # For use with "runqemu ovmf".
> qemu-img
[OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot
The recipe now compiles OVMF twice, once without Secure Boot, once with.
This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the image deploy
directory, so
   runqemu ovmf.secboot
will boot with Secure Boot enabled.

In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use the
ones considered problematic for Fedora, so this shouldn't be a problem.

Fixes: luv-yocto/#38

Signed-off-by: Patrick Ohly
---
meta/recipes-core/ovmf/ovmf_git.bb | 27 ++-
1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 67e65b8..c4eedf0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,6 +1,6 @@ DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM" HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF; -LICENSE = "BSD" +LICENSE = "BSD & OpenSSL" LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496" SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ @@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ " +SRC_URI_append_class-target = " \ + http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \ +" + SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588" +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b" +SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" PARALLEL_MAKE_class-native = "" 
@@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe" # OVMF supports IA only, although it could conceivably support ARM someday. COMPATIBLE_HOST='(i.86|x86_64).*' +# Additional build flags for OVMF with Secure Boot. +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE" + do_patch_append_class-native() { bb.build.exec_func('do_fix_iasl', d) bb.build.exec_func('do_fix_toolchain', d) @@ -110,8 +120,22 @@ do_compile_class-target() { bbnote FIXED_GCCVER is ${FIXED_GCCVER} build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}" +bbnote "Building without Secure Boot." +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd + +# See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and +# https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for +# building with Secure Boot enabled. +bbnote "Building with Secure Boot." +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX +if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then +( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied ) +fi +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh ) +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd } do_install_class-native() { @@ -131,6 +155,7 @@ do_deploy() { do_deploy_class-target() { # For use with "runqemu ovmf". qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2 +qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2 } addtask do_deploy after do_compile before do_build -- 2.1.4
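Review bot: in the first hunk (@@ -1,6 +1,6 @@) LICENSE becomes "BSD & OpenSSL" but LIC_FILES_CHKSUM still lists only OvmfPkg/License.txt, so the license tracking no longer covers everything LICENSE claims. Add the LICENSE file from the unpacked OpenSSL tarball to LIC_FILES_CHKSUM, with its md5 taken from the openssl-1.0.2j tree rather than guessed, so a change in the bundled OpenSSL license terms is caught at build time.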
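Review bot: in the second hunk (@@ -10,7 +10,13 @@) the OpenSSL tarball is fetched over plain http://, which is only acceptable because SRC_URI[openssl.sha256sum] pins the bytes; keep the sha256sum as the check that matters (the md5sum adds nothing) and prefer an https:// URL so the fetch itself cannot be trivially interposed. The version "1.0.2j" is also hard-coded in the URL while do_compile later locates the tree with an openssl-* glob; pulling the version into one variable used by SRC_URI and the compile step keeps the two from drifting apart on the next OpenSSL bump.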
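Review bot: the comment on OVMF_SECURE_BOOT_FLAGS in the third hunk (@@ -30,6 +36,10 @@) names Fedora's extra "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD" but not what leaving them out means. Without SMM_REQUIRE the authenticated variables that hold the Secure Boot keys and enable state are written by firmware code running at guest privilege rather than from SMM, so a guest kernel can still modify them, and without EXCLUDE_SHELL_FROM_FD the UEFI shell stays inside the firmware volume. A one-line note that ovmf.secboot.fd exercises the Secure Boot code paths but is not hardened to the level of Fedora's image would stop users from treating the two as equivalent.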
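Review bot: in the do_compile hunk (@@ -110,8 +120,22 @@) the marker test `if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]`, the `cd ${S}/CryptoPkg/Library/OpensslLib/openssl-*` and the `patch -p1 <$(echo ../EDKII_openssl-*.patch)` all assume each glob expands to exactly one path; a second extracted OpenSSL tree or patch file left over from a version bump makes `[ -f ]` error out and the patch step run against the wrong directory. Resolve each glob once into a variable and `bbfatal` if it is not a single existing path. Two smaller points: `ln` without -f fails with "File exists" when do_compile is re-run and ${WORKDIR}/ovmf still holds the previous images, and a short comment that the `ln` is a hardlink chosen so the first image survives the `rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX` before the second build would have pre-empted the question raised in review.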
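Review bot: the do_deploy hunk (@@ -131,6 +155,7 @@) converts OVMF.fd and OVMF.secboot.fd with identical commands but never checks that they are two different images, which is exactly the failure mode the review worried about for the link step. A `cmp -s ${WORKDIR}/ovmf/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd && bbfatal "OVMF images are identical"` before the conversions would refuse to deploy the same firmware under both names.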