Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot

2017-01-09 Thread Ricardo Neri
On Wed, 2017-01-04 at 11:10 +0100, Patrick Ohly wrote:
> On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> > On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > > The recipe now compiles OVMF twice, once without Secure Boot, once
> > > with. This is the same approach as in
> > > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> > 
> > Besides the fact that Fedora does it, is there a particular reason to
> > build twice?
> 
> The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
> There's only one such file after a build.
> 
> > On my side, I am able to build with secure boot with a
> > single build. Also, the Ubuntu documentation does not mention that two
> > builds are needed [1].
> 
> Can you build with and without secure boot in a single build? I wasn't
> sure how to achieve that, so I just copied what Fedora does.

Oh, I see. I didn't understand from your commit message that you intend to
keep the secure boot and the non-secure boot images. Then it makes sense
to build twice.
> 
> > Also, I think it would be nice if we could choose to not have
> > secure boot at all for OVMF. Maybe this could be achieved by having a
> > common ovmf.inc and two recipes, ovmf_git.bb and ovmf_sb_git.bb, with
> > the different specific things to support secure boot or not. Maybe all
> > that is needed in the secure boot recipe are the extra variables for
> > OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> > patching. Something to ponder.
> 
> I think I would prefer to have a single recipe with a PACKAGECONFIG for
> secure boot. Having different recipes doesn't scale when adding more
> such options. If you agree, then I'll add that.

Yes, I agree that a PACKAGECONFIG makes more sense.
> 
> > > +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > > +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
> > > ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > > +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> > 
> > At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> > ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> > boot support. Maybe this could be fixed by copying the files rather than
> > creating a symbolic link.
> 
> This is intentionally a hardlink, not a symbolic link, exactly because
> of the problem you mentioned ;-)

Oh, a hardlink. I see now. Thanks for clarifying.
> 


-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot

2017-01-04 Thread Patrick Ohly
On Wed, 2016-12-28 at 14:54 -0800, Ricardo Neri wrote:
> On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> > The recipe now compiles OVMF twice, once without Secure Boot, once
> > with. This is the same approach as in
> > https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
> 
> Besides the fact that Fedora does it, is there a particular reason to
> build twice?

The ${build_dir}/FV/OVMF.fd file changes depending on the configuration.
There's only one such file after a build.

> On my side, I am able to build with secure boot with a
> single build. Also, the Ubuntu documentation does not mention that two
> builds are needed [1].

Can you build with and without secure boot in a single build? I wasn't
sure how to achieve that, so I just copied what Fedora does.

> Also, I think it would be nice if we could choose to not have
> secure boot at all for OVMF. Maybe this could be achieved by having a
> common ovmf.inc and two recipes, ovmf_git.bb and ovmf_sb_git.bb, with
> the different specific things to support secure boot or not. Maybe all
> that is needed in the secure boot recipe are the extra variables for
> OpenSSL and a prepend to do_compile_class-target with the OpenSSL
> patching. Something to ponder.

I think I would prefer to have a single recipe with a PACKAGECONFIG for
secure boot. Having different recipes doesn't scale when adding more
such options. If you agree, then I'll add that.

> > +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> > +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
> > ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> > +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
> 
> At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
> ${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
> boot support. Maybe this could be fixed by copying the files rather than
> creating a symbolic link.

This is intentionally a hardlink, not a symbolic link, exactly because
of the problem you mentioned ;-)

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
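The hardlink point discussed above (Ricardo's worry that OVMF.fd and OVMF.secboot.fd both end up delivering the Secure Boot image, and Patrick's answer that ln without -s is exactly what prevents that) replayed as an added shell example; this is not code from the patch or from either poster. It simulates the recipe's sequence in a scratch directory: build, link the result out, rm -rf the build tree, build again, link again, once with ln and once with ln -s. The directory names, the GCC suffix and the two "firmware" contents are constructed stand-ins for ${build_dir}, ${WORKDIR}/ovmf and ${build_dir}/FV/OVMF.fd, and check_deployed is a hypothetical sanity check, not part of the recipe.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread: replays the recipe's
# build-twice hand-off in a throwaway directory to show why the copy of
# ${build_dir}/FV/OVMF.fd must be taken with ln (hard link), not ln -s.
# All paths and the "firmware" contents below are constructed stand-ins.

# check_deployed DIR: hypothetical sanity check a recipe could run before
# do_deploy; succeeds only when OVMF.fd and OVMF.secboot.fd both exist and
# differ in content (cat follows symlinks, so a symlink that resolves to the
# Secure Boot build is caught too).
check_deployed() {
    [ -f "$1/OVMF.fd" ] && [ -f "$1/OVMF.secboot.fd" ] &&
        [ "$(cat "$1/OVMF.fd")" != "$(cat "$1/OVMF.secboot.fd")" ]
}

# simulate_handoff MODE  (MODE is "hard" for ln, "sym" for ln -s)
# Prints "distinct" if the two deployed names hold different content,
# "clobbered" if both names now deliver the Secure Boot build.
simulate_handoff() {
    mode="$1"
    top=$(mktemp -d)
    build_dir="$top/Build/OvmfX64/RELEASE_GCC5"   # stands in for ${build_dir}
    out="$top/ovmf"                               # stands in for ${WORKDIR}/ovmf
    mkdir -p "$out"

    # Build 1: without Secure Boot. The firmware volume is a stand-in file.
    mkdir -p "$build_dir/FV"
    printf 'OVMF without Secure Boot\n' > "$build_dir/FV/OVMF.fd"
    if [ "$mode" = hard ]; then
        ln "$build_dir/FV/OVMF.fd" "$out/OVMF.fd"      # second name, same inode
    else
        ln -s "$build_dir/FV/OVMF.fd" "$out/OVMF.fd"   # name resolved on each access
    fi

    # Build 2: the recipe wipes ${S}/Build/Ovmf* and rebuilds with
    # SECURE_BOOT_ENABLE=TRUE, so OVMF.fd reappears at the same path with
    # different content. A hard link keeps the first inode alive through
    # the rm -rf; a symlink dangles and then points at the new file.
    rm -rf "$top/Build/OvmfX64"
    mkdir -p "$build_dir/FV"
    printf 'OVMF with Secure Boot\n' > "$build_dir/FV/OVMF.fd"
    ln "$build_dir/FV/OVMF.fd" "$out/OVMF.secboot.fd"

    # What do the two deployed names deliver now?
    if check_deployed "$out"; then
        result=distinct
    else
        result=clobbered
    fi
    rm -rf "$top"
    printf '%s\n' "$result"
}

# Usage: run both modes and report the outcome.
for mode in hard sym; do
    printf '%s link: %s\n' "$mode" "$(simulate_handoff "$mode")"
done
```

The "hard" case reports distinct and the "sym" case reports clobbered: the symlink is re-resolved after the second build and hands out the Secure Boot image under the non-secure name, whereas the hard link keeps the first build's inode alive through the rm -rf. The same check_deployed test, run before do_deploy, would catch a regression if the ln is ever changed to ln -s or to a copy taken at the wrong point in do_compile.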





Re: [OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot

2016-12-28 Thread Ricardo Neri
On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The recipe now compiles OVMF twice, once without Secure Boot, once
> with. This is the same approach as in
> https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Besides the fact that Fedora does it, is there a particular reason to
build twice? On my side, I am able to build with secure boot with a
single build. Also, the Ubuntu documentation does not mention that two
builds are needed [1].

I do see that in Fedora, the build parameters change. OVMF without
secure boot support is built with -a X64 -p OvmfPkg/OvmfPkgX64.dsc while
OVMF with secure boot support is built with -a IA32 -a X64 -p
OvmfPkg/OvmfPkgIa32X64.dsc. Perhaps this is the reason?
> 
> The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
> image deploy directory, so
>   runqemu   ovmf.secboot
> will boot with Secure Boot enabled.
> 
> In contrast to Fedora, no attempt is made to strip potentially patent
> encumbered algorithms out of the OpenSSL archive. OVMF does not use
> the ones considered problematic for Fedora, so this shouldn't be a
> problem.
> 
> Fixes: luv-yocto/#38

Also, I think it would be nice if we could choose to not have
secure boot at all for OVMF. Maybe this could be achieved by having a
common ovmf.inc and two recipes, ovmf_git.bb and ovmf_sb_git.bb, with
the different specific things to support secure boot or not. Maybe all
that is needed in the secure boot recipe are the extra variables for
OpenSSL and a prepend to do_compile_class-target with the OpenSSL
patching. Something to ponder.


> 
> Signed-off-by: Patrick Ohly 
> ---
>  meta/recipes-core/ovmf/ovmf_git.bb | 27 ++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb 
> b/meta/recipes-core/ovmf/ovmf_git.bb
> index 67e65b8..c4eedf0 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -1,6 +1,6 @@
>  DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
>  HOMEPAGE = 
> "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF;
> -LICENSE = "BSD"
> +LICENSE = "BSD & OpenSSL"
>  LIC_FILES_CHKSUM = 
> "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
>  
>  SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
> @@ -10,7 +10,13 @@ SRC_URI = 
> "git://github.com/tianocore/edk2.git;branch=master \
>   file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
>  "
>  
> +SRC_URI_append_class-target = " \
> + 
> http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib
>  \
> +"
> +
>  SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
> +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
> +SRC_URI[openssl.sha256sum] = 
> "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
>  
>  PARALLEL_MAKE_class-native = ""
>  
> @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
>  # OVMF supports IA only, although it could conceivably support ARM someday.
>  COMPATIBLE_HOST='(i.86|x86_64).*'
>  
> +# Additional build flags for OVMF with Secure Boot.
> +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
> +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
> +
>  do_patch_append_class-native() {
>  bb.build.exec_func('do_fix_iasl', d)
>  bb.build.exec_func('do_fix_toolchain', d)
> @@ -110,8 +120,22 @@ do_compile_class-target() {
>  bbnote FIXED_GCCVER is ${FIXED_GCCVER}
>  build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
>  
> +bbnote "Building without Secure Boot."
> +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
>  ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
> ${FIXED_GCCVER}
>  ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> +
> +# See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
> +# https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> +# building with Secure Boot enabled.
> +bbnote "Building with Secure Boot."
> +rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> +if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied 
> ]; then
> +( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 
> <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
> +fi
> +( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> +${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
> ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> +ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd

At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
boot support. Maybe this could be fixed by copying the files rather than
creating a symbolic link.

>  }
>  
>  do_install_class-native() {
> @@ -131,6 +155,7 @@ do_deploy() {
>  do_deploy_class-target() {
>  # For use with "runqemu ovmf".
>  qemu-img 

[OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot

2016-12-21 Thread Patrick Ohly
The recipe now compiles OVMF twice, once without Secure Boot, once
with. This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
image deploy directory, so
  runqemu   ovmf.secboot
will boot with Secure Boot enabled.

In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use
the ones considered problematic for Fedora, so this shouldn't be a
problem.

Fixes: luv-yocto/#38

Signed-off-by: Patrick Ohly 
---
 meta/recipes-core/ovmf/ovmf_git.bb | 27 ++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb 
b/meta/recipes-core/ovmf/ovmf_git.bb
index 67e65b8..c4eedf0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,6 +1,6 @@
 DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
 HOMEPAGE = 
"http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF;
-LICENSE = "BSD"
+LICENSE = "BSD & OpenSSL"
 LIC_FILES_CHKSUM = 
"file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
 
 SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
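Review bot: LICENSE becomes "BSD & OpenSSL" but LIC_FILES_CHKSUM in the same hunk still covers only OvmfPkg/License.txt; add the licence text shipped in the OpenSSL tarball (with its md5) so the checksum guards both licences the recipe now declares.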
@@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master 
\
file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
 "
 
+SRC_URI_append_class-target = " \
+   
http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib
 \
+"
+
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = 
"e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
 
 PARALLEL_MAKE_class-native = ""
 
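Review bot: the OpenSSL version (1.0.2j) lives only in the SRC_URI_append URL, while the later do_compile hunk finds the unpacked tree with openssl-* globs; define it once (for example an OPENSSL_VERSION variable) and use it in both places so a version bump cannot leave the fetch and the directory match out of step. The sha256sum pins the tarball, so the plain http:// fetch is integrity-checked, but an https:// URL costs nothing and avoids a cleartext download.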
@@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
 # OVMF supports IA only, although it could conceivably support ARM someday.
 COMPATIBLE_HOST='(i.86|x86_64).*'
 
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
+
 do_patch_append_class-native() {
 bb.build.exec_func('do_fix_iasl', d)
 bb.build.exec_func('do_fix_toolchain', d)
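Review bot: the new comment records which extra defines Fedora passes ("-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD") but not why this recipe leaves them out; SMM_REQUIRE in particular changes how the Secure Boot variable store is protected from the guest, so a sentence giving the reason (and whether it is a deliberate choice for the runqemu use case) belongs next to OVMF_SECURE_BOOT_FLAGS.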
@@ -110,8 +120,22 @@ do_compile_class-target() {
 bbnote FIXED_GCCVER is ${FIXED_GCCVER}
 build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
+bbnote "Building without Secure Boot."
+rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
${FIXED_GCCVER}
 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
+
+# See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+# https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+# building with Secure Boot enabled.
+bbnote "Building with Secure Boot."
+rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied 
]; then
+( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo 
../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+fi
+( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t 
${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
 }
 
 do_install_class-native() {
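Review bot: the glob in 'if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]' and in 'cd ${S}/CryptoPkg/Library/OpensslLib/openssl-*' assumes exactly one openssl-* directory; a stale tree left over from an earlier OpenSSL version would make '[' fail with too many arguments or patch the wrong tree, so name the directory explicitly (openssl-1.0.2j, ideally from the same variable that builds the SRC_URI) instead of globbing. Also, ln refuses to overwrite an existing target, so re-running do_compile without a cleaned ${WORKDIR}/ovmf fails at either ln line; 'ln -f' (or removing the two targets first) keeps the task re-entrant while preserving the hard-link semantics the second build depends on.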
@@ -131,6 +155,7 @@ do_deploy() {
 do_deploy_class-target() {
 # For use with "runqemu ovmf".
 qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd 
${DEPLOYDIR}/ovmf.qcow2
+qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd 
${DEPLOYDIR}/ovmf.secboot.qcow2
 }
 addtask do_deploy after do_compile before do_build
 
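Review bot: the do_deploy_class-target comment still reads only 'For use with "runqemu ovmf".' while the added qemu-img line produces ovmf.secboot.qcow2; extend the comment to mention "runqemu ovmf.secboot" as the commit message describes, so both outputs are documented where they are generated.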
-- 
2.1.4
