commit:     33a4360bc3b6c40315c4e36380839b489e72f9d5
Author:     James Le Cuirot <chewi <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 26 16:47:52 2024 +0000
Commit:     James Le Cuirot <chewi <AT> gentoo <DOT> org>
CommitDate: Thu Oct 10 16:29:36 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33a4360b

sys-firmware/edk2: Add arm64 VM support to 202408

The filenames used here differ from Fedora, which ships far more
variants. I felt it unnecessary to include the raw and unpadded images
when the padded QCOW2 images should be all you need.

QEMU_EFI.secboot_INSECURE.qcow2 does have Secure Boot enabled, but it
must not be used in production. The lack of an SMM implementation for
arm64 in this firmware means that the EFI variable store is unprotected,
making the firmware unsafe.

Signed-off-by: James Le Cuirot <chewi <AT> gentoo.org>

 sys-firmware/edk2/Manifest                         |  2 +
 sys-firmware/edk2/edk2-202408.ebuild               | 56 +++++++++++++++++++++-
 .../30-edk2-aarch64-qcow2-sb-enrolled.json         | 33 +++++++++++++
 .../descriptors/40-edk2-aarch64-qcow2-sb.json      | 32 +++++++++++++
 .../descriptors/50-edk2-aarch64-qcow2-nosb.json    | 32 +++++++++++++
 5 files changed, 154 insertions(+), 1 deletion(-)

diff --git a/sys-firmware/edk2/Manifest b/sys-firmware/edk2/Manifest
index 387cceab5930..22459411e25d 100644
--- a/sys-firmware/edk2/Manifest
+++ b/sys-firmware/edk2/Manifest
@@ -1,3 +1,4 @@
+DIST arm64_DBXUpdate_05092023.bin 4610 BLAKE2B 
4c6628e5c297a26ca5a1235e377a794fdc18f8201dc7bcb134eb5dd164cc16497ff8d7e598509a61dadf3aa6e8525c9c9e4ca597af62a1c93f97945594517303
 SHA512 
5a2816e3ff73fef1d258c1418a09b264291408493147399da6b71b6a20bd6b347c00153e22589b2635172cdc57de404ff423be41a6c382a9b25ee9a76922f397
 DIST brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz 512229 BLAKE2B 
cd86cc2cc7eefad24f87cda8006409bf764922b5f23ccfb951e7a41214b12004ce532b11f94f5fb858b3bf71f9abf8ef17ba219fa96bd5be23b51873afad0fd5
 SHA512 
7f48e794e738b31c2005e7cef6d8c0cc0d543f1cd8c137ae8ba14602cac2873de6299a3f32ad52be869f513e7548341353ed049609daef1063975694d9a9b80b
 DIST edk2-202408.tar.gz 17548980 BLAKE2B 
12723a593d2767577f74cfa69f4a02ec784347994af6eb77aea7eb9e9e9f7fedb6b47698af2f07ef98848bbb4bf16248179cf117cf9abdf17be73157a0a03fc2
 SHA512 
d679d905f8b0ddbf60b1c9a0282e403bf51d0fbe55d85a8ea3e4af1778874e947d224e3671f9e82cddd5cd906c1472ff3973498d969414bdd67d0b49f5b8a251
 DIST edk2-ovmf-202202-qemu-firmware.tar.xz 664 BLAKE2B 
1aa4e25804ce0f3c967c80999315de24eaef6682e42dddd81c274ce4603ec3d15186de752de49e2527c6bd5517080c002a357ed6bc389b5afd6f7a4d93edeb44
 SHA512 
f9a29212274a99796784673d873e0eee7d3e2a5cf9e63192453841ee3a4ef4b813c7b2357fc7000f39c71ed6c66636daab772abb51d3972a2a56ade8a4c68faf
@@ -10,4 +11,5 @@ DIST mbedtls-8c89224991adff88d53cd380f42a2baa36f91454.tar.gz 
4587796 BLAKE2B c28
 DIST mipi-sys-t-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 378522 BLAKE2B 
d3f1033e78ad814ebb991e66d8c1437aa3583e91481af9785b97b6021c7c45fb9dcb8d2d58d0a0fe84fbd9f108d24a27234df298eb8a2ba2340e5c9c85c89c40
 SHA512 
de6888577ceab7ab6915d792f3c48248cfa53357ccd310fc7f7eae4d25a932de8c7c23e5b898c9ebf61cf86cb538277273f2eb131a628b3bf0d46c9a3b9b6686
 DIST openssl-d82e959e621a3d597f1e0d50ff8c2d8b96915fd7.tar.gz 10034310 BLAKE2B 
6996979dc12a523d565830e7b0943feb682a376f71ddb6f20cb8b9976bb7f12e39f088abaa45d514933ef79c0e4a2933dc6f1af4774fedaa16e74c0081c358e7
 SHA512 
a89bc652dc4318c5e8a9c594a43d890ca05dfc1acd6b15e2a8ab8b5628b5f33994143ff8024230e07b9e67556b28ea3a5e36763aa72dec20b52022ca8c6f2a7e
 DIST openssl-de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz 15337569 BLAKE2B 
bb0b2f4ee7838178e8e23317b6c63048611d805e20c81d6c875d9b515e6dbcf981cda38f031965c9ec45bcab3ac4725cfa793718b0212e92bf53b4c7fc3f4e32
 SHA512 
4bba15075dacc8c1772a95759cfe8620ff3a9d535e5d3d29bb15e4790cc543555ab45f0b239195361e534eca26249ae1b491b63cbf6b7ecda6f0840c7f6253ac
+DIST pylibfdt-cfff805481bdea27f900c32698171286542b8d3c.tar.gz 49659 BLAKE2B 
05e954fc2d72618b3f56c08bdfcd64479259902ee2613d034b66ebe50e33b02b243bed1191d8dcdcea9fcb2553f84a737ae12514d30c48e776efc858a4879894
 SHA512 
c2f4cbda24bc4a2140135de2db19fd7ad0b6eff2a748862b4166bf0e65f3e324e2855ea4331dafa2c82f44b4d01309c8ac50159cbcc076a968a1169c8709a523
 DIST x64_DBXUpdate_05092023.bin 21170 BLAKE2B 
9b74945ef441e65c50116122bc24578c22c8f5f7af94e46322a96bd15035b79c0af4c1fd5366017b347b9aaf3f5791b9d6ea84ef141500700ccf69f708f91389
 SHA512 
71fb6e8cd6918126b3acd78b95651913336df372e13fdfdfdd20d5d23f0e509050c6c88c8a2c43f8ac44f987df86bd45174bb3065d5a7a8c7e3b8772fd06d624

diff --git a/sys-firmware/edk2/edk2-202408.ebuild 
b/sys-firmware/edk2/edk2-202408.ebuild
index 383d695f5ac4..c1209c456866 100644
--- a/sys-firmware/edk2/edk2-202408.ebuild
+++ b/sys-firmware/edk2/edk2-202408.ebuild
@@ -13,6 +13,7 @@ HOMEPAGE="https://github.com/tianocore/edk2";
 
 DBXDATE="05092023" # MMDDYYYY
 BUNDLED_BROTLI_SUBMODULE_SHA="f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
+BUNDLED_LIBFDT_SUBMODULE_SHA="cfff805481bdea27f900c32698171286542b8d3c"
 BUNDLED_LIBSPDM_SUBMODULE_SHA="50924a4c8145fc721e17208f55814d2b38766fe6"
 BUNDLED_MBEDTLS_SUBMODULE_SHA="8c89224991adff88d53cd380f42a2baa36f91454"
 BUNDLED_MIPI_SYS_T_SUBMODULE_SHA="370b5944c046bab043dd8b133727b2135af7747a"
@@ -36,12 +37,19 @@ SRC_URI="
                
https://uefi.org/sites/default/files/resources/x64_DBXUpdate_${DBXDATE}.bin
                
https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin -> 
x64_DBXUpdate_${DBXDATE}.bin
        )
+
+       arm64? (
+               
https://uefi.org/sites/default/files/resources/arm64_DBXUpdate_${DBXDATE}.bin
+               
https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin -> 
arm64_DBXUpdate_${DBXDATE}.bin
+               
https://github.com/devicetree-org/pylibfdt/archive/${BUNDLED_LIBFDT_SUBMODULE_SHA}.tar.gz
+                       -> pylibfdt-${BUNDLED_LIBFDT_SUBMODULE_SHA}.tar.gz
+       )
 "
 
 S="${WORKDIR}/${PN}-${PN}-stable${PV}"
 LICENSE="BSD-2 MIT"
 SLOT="0"
-KEYWORDS="-* ~amd64"
+KEYWORDS="-* ~amd64 ~arm64"
 
 BDEPEND="
        ${PYTHON_DEPS}
@@ -78,6 +86,14 @@ pkg_setup() {
                UNIT1="OVMF_VARS.fd"
                FMT="raw"
                ;;
+       arm64)
+               TARGET_ARCH="AARCH64"
+               QEMU_ARCH="aarch64"
+               ARCH_DIRS="${DIR}/ArmVirtQemu-AARCH64"
+               UNIT0="QEMU_EFI.qcow2"
+               UNIT1="QEMU_VARS.qcow2"
+               FMT="qcow2"
+               ;;
        esac
 
        DOC_CONTENTS="This package includes the TianoCore EDK II UEFI firmware 
for ${QEMU_ARCH}
@@ -100,6 +116,13 @@ download one for yourself. Firmware blobs are commonly 
labelled:
        OVMF_CODE-with-csm.fd
        OVMF_VARS-with-csm.fd"
                ;;
+       arm64) DOC_CONTENTS+="
+
+WARNING! QEMU_EFI.secboot_INSECURE.qcow2 does have Secure Boot
+enabled, but it must not be used in production. The lack of an SMM
+implementation for arm64 in this firmware means that the EFI
+variable store is unprotected, making the firmware unsafe."
+               ;;
        esac
 }
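Review bot: The arm64 DOC_CONTENTS warning names the image file but not the two descriptor files that select it, and on a system where a management tool picks firmware through the /usr/share/qemu/firmware descriptors the user never references QEMU_EFI.secboot_INSECURE.qcow2 by name. I would add one line to the warning so the reader knows what to avoid or remove, e.g. `It is selected by the 30-edk2-aarch64-qcow2-sb-enrolled.json and 40-edk2-aarch64-qcow2-sb.json descriptors.` (the filenames come from the descriptors added in this commit). pkg_setup's body starts outside the hunk.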
 
@@ -122,6 +145,10 @@ src_prepare() {
        link_mod "${WORKDIR}/openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}" \
                CryptoPkg/Library/OpensslLib/openssl
 
+       use arm64 &&
+               link_mod "${WORKDIR}/pylibfdt-${BUNDLED_LIBFDT_SUBMODULE_SHA}" \
+                       MdePkg/Library/BaseFdtLib/libfdt
+
        default
 
        # Fix descriptor paths for prefix.
@@ -207,6 +234,25 @@ src_compile() {
                # Fedora only converts newer images to QCOW2. 2MB images are 
raw.
                raw_to_qcow2 0 
Build/OvmfX64_4M*/"${BUILD_DIR}"/FV/OVMF_{CODE,VARS}.fd
                ;;
+       arm64)
+               BUILD_ARGS+=(
+                       # grub.efi uses EfiLoaderData for code
+                       --pcd PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1
+                       # shim.efi has broken MemAttr code
+                       --pcd PcdUninstallMemAttrProtocol=TRUE
+               )
+
+               mybuild -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc \
+                       -D BUILD_SHELL=FALSE \
+                       -D SECURE_BOOT_ENABLE
+
+               mv -T Build/ArmVirtQemu-AARCH64 
Build/ArmVirtQemu-AARCH64.secboot_INSECURE || die
+
+               mybuild -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc
+
+               mk_fw_vars arm64 
Build/ArmVirtQemu-AARCH64.secboot_INSECURE/"${BUILD_DIR}"/FV/QEMU_VARS.fd
+               raw_to_qcow2 64m 
Build/ArmVirtQemu-AARCH64*/"${BUILD_DIR}"/FV/QEMU_{EFI,VARS}.fd
+               ;;
        esac
 }
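Review bot: The two `--pcd` overrides in the arm64 BUILD_ARGS weaken DXE memory protection, and the one-line comments only name the consumer, not the effect; a later maintainer cannot tell from `# grub.efi uses EfiLoaderData for code` that `PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1` appears to clear the EfiLoaderData bit of the NX policy, nor from `# shim.efi has broken MemAttr code` that `PcdUninstallMemAttrProtocol=TRUE` removes the Memory Attribute protocol the loader would otherwise see. I would extend them to state the effect, e.g. `# Keep EfiLoaderData executable (relaxes the DXE NX policy): grub.efi places code there` and `# Remove the Memory Attribute protocol: shim.efi's use of it is broken`. Both overrides are appended before the two mybuild calls, so, assuming mybuild consumes BUILD_ARGS, they apply to the non-Secure-Boot image as well as the secboot_INSECURE one; worth saying in the comment. src_compile's body starts outside the hunk.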
 
@@ -229,6 +275,14 @@ src_install() {
                # Compatibility with older package versions.
                dosym ${PN}/OvmfX64 /usr/share/edk2-ovmf
                ;;
+       arm64)
+               insinto ${DIR}/ArmVirtQemu-AARCH64
+
+               for TYPE in "" .secboot_INSECURE; do
+                       newins 
Build/ArmVirtQemu-AARCH64${TYPE}/"${BUILD_DIR}"/FV/QEMU_EFI.qcow2 
QEMU_EFI${TYPE}.qcow2
+                       newins 
Build/ArmVirtQemu-AARCH64${TYPE}/"${BUILD_DIR}"/FV/QEMU_VARS.qcow2 
QEMU_VARS${TYPE}.qcow2
+               done
+               ;;
        esac
 
        insinto /usr/share/qemu/firmware

diff --git 
a/sys-firmware/edk2/files/descriptors/30-edk2-aarch64-qcow2-sb-enrolled.json 
b/sys-firmware/edk2/files/descriptors/30-edk2-aarch64-qcow2-sb-enrolled.json
new file mode 100644
index 000000000000..47c3c9f03935
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/30-edk2-aarch64-qcow2-sb-enrolled.json
@@ -0,0 +1,33 @@
+{
+    "description": "UEFI for arm64 VMs, with *INSECURE* SB, SB enabled, MS 
certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": 
"/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": 
"/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "enrolled-keys",
+        "secure-boot"
+    ],
+    "tags": [
+
+    ]
+}
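Review bot: The `description` field is the only in-band place this descriptor can carry the warning from the commit message, and "*INSECURE* SB" does not say why; tools that list firmware descriptors show only this string, and JSON has no comments. I would make it self-explaining, e.g. `"description": "UEFI for arm64 VMs, with *INSECURE* SB (no SMM, varstore unprotected), SB enabled, MS certs enrolled"`, and likewise in 40-edk2-aarch64-qcow2-sb.json. Note also that at priorities 30 and 40, advertising the `secure-boot` feature, these sort ahead of the nosb descriptor at 50, so a consumer that selects firmware automatically by feature will, as far as I can tell, prefer the image the package itself flags as unsafe; today only the ebuild's post-install message explains that.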

diff --git a/sys-firmware/edk2/files/descriptors/40-edk2-aarch64-qcow2-sb.json 
b/sys-firmware/edk2/files/descriptors/40-edk2-aarch64-qcow2-sb.json
new file mode 100644
index 000000000000..92ac2aea9014
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/40-edk2-aarch64-qcow2-sb.json
@@ -0,0 +1,32 @@
+{
+    "description": "UEFI for arm64 VMs, with *INSECURE* SB, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": 
"/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "secure-boot"
+    ],
+    "tags": [
+
+    ]
+}

diff --git 
a/sys-firmware/edk2/files/descriptors/50-edk2-aarch64-qcow2-nosb.json 
b/sys-firmware/edk2/files/descriptors/50-edk2-aarch64-qcow2-nosb.json
new file mode 100644
index 000000000000..7a6db3ce9db2
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/50-edk2-aarch64-qcow2-nosb.json
@@ -0,0 +1,32 @@
+{
+    "description": "UEFI for arm64 VMs, without SB, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+
+    ],
+    "tags": [
+
+    ]
+}
