summaryrefslogtreecommitdiff
path: root/meta
diff options
context:
space:
mode:
authorPatrick Ohly <patrick.ohly@intel.com>2016-12-20 08:47:21 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-02-28 11:26:32 +0000
commitd493f0b4760808f880a0fd6dedf918a3b85006b7 (patch)
tree706cb80ec82604c6b402864cc326df3a77d6ad6b /meta
parentbe307609a067b7d23dc2cd8e39e3a35f770bebc7 (diff)
downloadopenembedded-core-d493f0b4760808f880a0fd6dedf918a3b85006b7.tar.gz
openembedded-core-d493f0b4760808f880a0fd6dedf918a3b85006b7.tar.bz2
openembedded-core-d493f0b4760808f880a0fd6dedf918a3b85006b7.zip
ovmf_git.bb: enable Secure Boot
When enabled via PACCKAGECONFIG = "secureboot" (off by default because of the extra work and license change), the recipe compiles OVMF twice, once without Secure Boot, once with. This is the same approach as in https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the image deploy directory, so runqemu <machine> <image> ovmf.secboot will boot with Secure Boot enabled. ovmf.secboot.code.qcow2 is provided for those who want separate code and variable flash drives. The normal ovmf.vars.qcow2 can be used with it. In contrast to Fedora, no attempt is made to strip potentially patent encumbered algorithms out of the OpenSSL archive. OVMF does not use the ones considered problematic for Fedora, so this shouldn't be a problem. Fixes: luv-yocto/#38 Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/ovmf/ovmf_git.bb36
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 998902579f..bdec6aa851 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,8 +1,15 @@
DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
LICENSE = "BSD"
+LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}"
LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
+# Enabling Secure Boot adds a dependency on OpenSSL and implies
+# compiling OVMF twice, so it is disabled by default. Distros
+# may change that default.
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[secureboot] = ",,,"
+
SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
file://0001-BaseTools-Force-tools-variables-to-host-toolchain.patch \
file://0001-OvmfPkg-Enable-BGRT-in-OVMF.patch \
@@ -10,7 +17,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
"
+SRC_URI_append_class-target = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
+"
+
SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
inherit deploy
@@ -32,6 +45,11 @@ BUILD_OPTIMIZATION="-pipe"
# OVMF supports IA only, although it could conceivably support ARM someday.
COMPATIBLE_HOST='(i.86|x86_64).*'
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_EXTRA_FLAGS ??= ""
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE ${OVMF_SECURE_BOOT_EXTRA_FLAGS}"
+
do_patch_append_class-native() {
bb.build.exec_func('do_fix_iasl', d)
bb.build.exec_func('do_fix_toolchain', d)
@@ -112,10 +130,27 @@ do_compile_class-target() {
bbnote FIXED_GCCVER is ${FIXED_GCCVER}
build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+ bbnote "Building without Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd
ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd
ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+ # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+ # building with Secure Boot enabled.
+ bbnote "Building with Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+ if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+ fi
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+ ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+ ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
+ ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
+ fi
}
do_install_class-native() {
@@ -135,6 +170,7 @@ do_deploy_class-target() {
ovmf \
ovmf.code \
ovmf.vars \
+ ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'ovmf.secboot ovmf.secboot.code', '', d)} \
; do
qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
done