10 files changed, 639 insertions, 0 deletions

diff --git a/recipes-core/images/core-image-minimal-initramfs.bbappend b/recipes-core/images/core-image-minimal-initramfs.bbappend
new file mode 100644
index 00000000..4ddca375
--- /dev/null
+++ b/recipes-core/images/core-image-minimal-initramfs.bbappend
@@ -0,0 +1,6 @@
+# Use initramfs-framework instead of initramfs-live*
+PACKAGE_INSTALL_remove_intel-x86-common = "initramfs-live-boot initramfs-live-install initramfs-live-install-efi"
+PACKAGE_INSTALL_append_intel-x86-common = " initramfs-framework-base initramfs-module-udev initramfs-module-setup-live initramfs-module-install-efi"
+
+# Add i915 graphics firmware
+PACKAGE_INSTALL_append_intel-x86-common = " linux-firmware-i915"
diff --git a/recipes-core/images/core-image-tiny.bb b/recipes-core/images/core-image-tiny.bb
new file mode 100644
index 00000000..ed39fd77
--- /dev/null
+++ b/recipes-core/images/core-image-tiny.bb
@@ -0,0 +1,37 @@
+SUMMARY = "A tiny image just capable of allowing a device to boot from RAM, \
+this image recipe generates an image file which rather boots from initrd than \
+from storage, it achieves this by using wic to pick up the artifacts generated \
+by the core-image-tiny-initramfs image"
+
+# The actual rootfs/initrd will be the one from core-image-tiny-initramfs, so
+# we reset IMAGE_INSTALL to avoid building other things that will be pointless
+IMAGE_INSTALL = ""
+
+# Do not pollute the initrd image with rootfs features
+IMAGE_FEATURES = ""
+
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+IMAGE_FSTYPES = "wic"
+inherit core-image
+
+# We get some parts from image-live that we need in order to boot from initrd
+INITRD_IMAGE_LIVE ?= "core-image-tiny-initramfs"
+
+python() {
+    image_b = d.getVar('IMAGE_BASENAME')
+    initrd_i = d.getVar('INITRD_IMAGE_LIVE')
+    if image_b == initrd_i:
+        bb.error('INITRD_IMAGE_LIVE %s cannot use the requested IMAGE_FSTYPE' % initrd_i)
+        bb.fatal('Check IMAGE_FSTYPES and INITRAMFS_FSTYPES settings.')
+    elif initrd_i:
+        d.appendVarFlag('do_image', 'depends', ' %s:do_image_complete' % initrd_i)
+}
+
+WKS_FILE_intel-corei7-64 = "core-image-tiny.wks.in"
+WKS_FILE_intel-core2-32 = "core-image-tiny.wks.in"
+WKS_FILE_intel-quark = "mktinygalileodisk.wks"
diff --git a/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh b/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh
new file mode 100644
index 00000000..a7a2ad4c
--- /dev/null
+++ b/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh
@@ -0,0 +1,342 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2016, Intel Corporation.
+# All rights reserved.
+#
+# install.sh [device_name] [rootfs_name]
+#
+# This file is a copy of file with same name in OE:
+# meta/recipes-core/initrdscripts/files/. We modify
+# it for RMC feature to deploy file blobs from RMC
+# database file to target.
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# We need 20 Mb for the boot partition
+boot_size=20
+
+# 5% for swap
+swap_ratio=5
+
+# Get a list of hard drives
+hdnamelist=""
+live_dev_name=`cat /proc/mounts | grep ${1%/} | awk '{print $1}'`
+live_dev_name=${live_dev_name#\/dev/}
+# Only strip the digit identifier if the device is not an mmc
+case $live_dev_name in
+    mmcblk*)
+    ;;
+    nvme*)
+    ;;
+    *)
+        live_dev_name=${live_dev_name%%[0-9]*}
+    ;;
+esac
+
+echo "Searching for hard drives ..."
+
+for device in `ls /sys/block/`; do
+    case $device in
+        loop*)
+            # skip loop device
+            ;;
+        sr*)
+            # skip CDROM device
+            ;;
+        ram*)
+            # skip ram device
+            ;;
+        *)
+            # skip the device LiveOS is on
+            # Add valid hard drive name to the list
+            case $device in
+                $live_dev_name*)
+                # skip the device we are running from
+                ;;
+                *)
+                    hdnamelist="$hdnamelist $device"
+                ;;
+            esac
+            ;;
+    esac
+done
+
+if [ -z "${hdnamelist}" ]; then
+    echo "You need another device (besides the live device /dev/${live_dev_name}) to install the image. Installation aborted."
+    exit 1
+fi
+
+TARGET_DEVICE_NAME=""
+for hdname in $hdnamelist; do
+    # Display found hard drives and their basic info
+    echo "-------------------------------"
+    echo /dev/$hdname
+    if [ -r /sys/block/$hdname/device/vendor ]; then
+        echo -n "VENDOR="
+        cat /sys/block/$hdname/device/vendor
+    fi
+    if [ -r /sys/block/$hdname/device/model ]; then
+        echo -n "MODEL="
+        cat /sys/block/$hdname/device/model
+    fi
+    if [ -r /sys/block/$hdname/device/uevent ]; then
+        echo -n "UEVENT="
+        cat /sys/block/$hdname/device/uevent
+    fi
+    echo
+done
+
+# Get user choice
+while true; do
+    echo "Please select an install target or press n to exit ($hdnamelist ): "
+    read answer
+    if [ "$answer" = "n" ]; then
+        echo "Installation manually aborted."
+        exit 1
+    fi
+    for hdname in $hdnamelist; do
+        if [ "$answer" = "$hdname" ]; then
+            TARGET_DEVICE_NAME=$answer
+            break
+        fi
+    done
+    if [ -n "$TARGET_DEVICE_NAME" ]; then
+        break
+    fi
+done
+
+if [ -n "$TARGET_DEVICE_NAME" ]; then
+    echo "Installing image on /dev/$TARGET_DEVICE_NAME ..."
+else
+    echo "No hard drive selected. Installation aborted."
+    exit 1
+fi
+
+device=/dev/$TARGET_DEVICE_NAME
+
+#
+# The udev automounter can cause pain here, kill it
+#
+rm -f /etc/udev/rules.d/automount.rules
+rm -f /etc/udev/scripts/mount*
+
+#
+# Unmount anything the automounter had mounted
+#
+umount ${device}* 2> /dev/null || /bin/true
+
+mkdir -p /tmp
+
+# Create /etc/mtab if not present
+if [ ! -e /etc/mtab ]; then
+    cat /proc/mounts > /etc/mtab
+fi
+
+disk_size=$(parted ${device} unit mb print | grep '^Disk .*: .*MB' | cut -d" " -f 3 | sed -e "s/MB//")
+
+swap_size=$((disk_size*swap_ratio/100))
+rootfs_size=$((disk_size-boot_size-swap_size))
+
+rootfs_start=$((boot_size))
+rootfs_end=$((rootfs_start+rootfs_size))
+swap_start=$((rootfs_end))
+
+# MMC devices are special in a couple of ways
+# 1) they use a partition prefix character 'p'
+# 2) they are detected asynchronously (need rootwait)
+rootwait=""
+part_prefix=""
+if [ ! "${device#/dev/mmcblk}" = "${device}" ] || \
+[ ! "${device#/dev/nvme}" = "${device}" ]; then
+    part_prefix="p"
+    rootwait="rootwait"
+fi
+bootfs=${device}${part_prefix}1
+rootfs=${device}${part_prefix}2
+swap=${device}${part_prefix}3
+
+echo "*****************"
+echo "Boot partition size:   $boot_size MB ($bootfs)"
+echo "Rootfs partition size: $rootfs_size MB ($rootfs)"
+echo "Swap partition size:   $swap_size MB ($swap)"
+echo "*****************"
+echo "Deleting partition table on ${device} ..."
+dd if=/dev/zero of=${device} bs=512 count=35
+
+echo "Creating new partition table on ${device} ..."
+parted ${device} mklabel gpt
+
+echo "Creating boot partition on $bootfs"
+parted ${device} mkpart boot fat32 0% $boot_size
+parted ${device} set 1 boot on
+
+echo "Creating rootfs partition on $rootfs"
+parted ${device} mkpart root ext3 $rootfs_start $rootfs_end
+
+echo "Creating swap partition on $swap"
+parted ${device} mkpart swap linux-swap $swap_start 100%
+
+parted ${device} print
+
+echo "Formatting $bootfs to vfat..."
+mkfs.vfat $bootfs
+
+echo "Formatting $rootfs to ext3..."
+mkfs.ext3 $rootfs
+
+echo "Formatting swap partition...($swap)"
+mkswap $swap
+
+mkdir /tgt_root
+mkdir /src_root
+mkdir -p /boot
+
+# Handling of the target root partition
+mount $rootfs /tgt_root
+mount -o rw,loop,noatime,nodiratime /run/media/$1/$2 /src_root
+echo "Copying rootfs files..."
+cp -a /src_root/* /tgt_root
+if [ -d /tgt_root/etc/ ] ; then
+    boot_uuid=$(blkid -o value -s UUID ${bootfs})
+    swap_part_uuid=$(blkid -o value -s PARTUUID ${swap})
+    echo "/dev/disk/by-partuuid/$swap_part_uuid                swap             swap       defaults              0  0" >> /tgt_root/etc/fstab
+    echo "UUID=$boot_uuid              /boot            vfat       defaults              1  2" >> /tgt_root/etc/fstab
+    # We dont want udev to mount our root device while we're booting...
+    if [ -d /tgt_root/etc/udev/ ] ; then
+        echo "${device}" >> /tgt_root/etc/udev/mount.blacklist
+    fi
+fi
+
+# Handling of the target boot partition
+mount $bootfs /boot
+echo "Preparing boot partition..."
+
+EFIDIR="/boot/EFI/BOOT"
+mkdir -p $EFIDIR
+# Copy the efi loader
+cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR
+
+# RMC deployment
+RMC_CMD=/src_root/usr/bin/rmc
+RMC_DB=/run/media/$1/rmc.db
+
+# We don't want to quit when a step failed. For example,
+# a file system could not support some operations.
+set +e
+
+if [ -f "${RMC_DB}" ] && [ -f "${RMC_CMD}" ]; then
+    echo "Found RMC database and tool, start RMC deployment"
+    # query INSTALLER.CONFIG from RMC DB
+    if ${RMC_CMD} -B INSTALLER.CONFIG -d "${RMC_DB}" -o /tmp/installer.config; then
+        while IFS=':' read -r NAME TGT_UID TGT_GID TGT_MODE TGT_PATH; do
+            # skip comment
+            # The regexp in grep works with busybox grep which doesn't
+            # seem to have a -P to recognize '\t'. But this expression could not
+            # work with gnu grep...
+            if echo "$NAME"|grep -q $'^[ \t]*#'; then
+                continue
+            fi
+            # check if we should create a directory (last char in target path is '/')
+            # or deploy a file
+            LAST_CHAR=$(echo "${TGT_PATH:$((${#TGT_PATH}-1)):1}")
+
+            # Do not bail out for failures but user should get stderr message
+            if [ ${LAST_CHAR} = "/" ]; then
+                # name field is skipped for directory
+                echo "DIR:  ${TGT_UID}:${TGT_GID}:${TGT_MODE} => ${TGT_PATH}"
+                mkdir -p "$TGT_PATH"
+                chown "${TGT_UID}:${TGT_GID}" "$TGT_PATH"
+                chmod "${TGT_MODE}" "$TGT_PATH"
+            else
+                ${RMC_CMD} -B "${NAME}" -d "${RMC_DB}" -o "${TGT_PATH}"
+                echo "FILE: ${NAME}:${TGT_UID}:${TGT_GID}:${TGT_MODE} => ${TGT_PATH}"
+                chown "${TGT_UID}:${TGT_GID}" "$TGT_PATH"
+                chmod "${TGT_MODE}" "$TGT_PATH"
+            fi
+        done < /tmp/installer.config
+        rm -rf /tmp/installer.config
+
+        # remove rmc from target since we don't think it is a valid
+        # case to run rmc after installation.
+        rm -rf /tgt_root/usr/bin/rmc
+        echo "RMC deployment finished"
+    else
+        echo "INSTALLER.CONFIG is not found, skip RMC deployment"
+    fi
+
+    # Final retouching by calling post-install hook
+    if ${RMC_CMD} -B POSTINSTALL.sh -d "${RMC_DB}" -o /tmp/POSTINSTALL.sh; then
+        echo "Found POSTINSTALL.sh execute it..."
+        chmod 500 /tmp/POSTINSTALL.sh
+        /tmp/POSTINSTALL.sh
+        rm -rf /tmp/POSTINSTALL.sh
+    fi
+fi
+set -e
+
+if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then
+    root_part_uuid=$(blkid -o value -s PARTUUID ${rootfs})
+    GRUBCFG="$EFIDIR/grub.cfg"
+    cp /run/media/$1/EFI/BOOT/grub.cfg $GRUBCFG
+    # Update grub config for the installed image
+    # Delete the install entry
+    sed -i "/menuentry 'install'/,/^}/d" $GRUBCFG
+    # Delete the initrd lines
+    sed -i "/initrd /d" $GRUBCFG
+    # Delete any LABEL= strings
+    sed -i "s/ LABEL=[^ ]*/ /" $GRUBCFG
+    # Delete any root= strings
+    sed -i "s/ root=[^ ]*/ /g" $GRUBCFG
+    # Add the root= and other standard boot options
+    sed -i "s@linux /vmlinuz *@linux /vmlinuz root=PARTUUID=$root_part_uuid rw $rootwait quiet @" $GRUBCFG
+fi
+
+if [ -d /run/media/$1/loader ]; then
+    rootuuid=$(blkid -o value -s PARTUUID ${rootfs})
+    GUMMIBOOT_CFGS="/boot/loader/entries/*.conf"
+    if [ -d /boot/loader ]; then
+        # Don't override loader.conf RMC already deployed
+        if [ ! -f /boot/loader/loader.conf ]; then
+            cp /run/media/$1/loader/loader.conf /boot/loader/
+        fi
+        # only copy built OE entries when RMC entries don't exist.
+        if [ ! -d /boot/loader/entries ] || [ ! ls /boot/loader/entries/*.conf &>/dev/null ]; then
+            cp -dr /run/media/$1/loader/entries /boot/loader
+        fi
+    else
+        # copy config files for gummiboot
+        cp -dr /run/media/$1/loader /boot
+        # delete the install entry
+        rm -f /boot/loader/entries/install.conf
+    fi
+    # delete the initrd lines
+    sed -i "/initrd /d" $GUMMIBOOT_CFGS
+    # delete any LABEL= strings
+    sed -i "s/ LABEL=[^ ]*/ /" $GUMMIBOOT_CFGS
+    # delete any root= strings
+    sed -i "s/ root=[^ ]*/ /" $GUMMIBOOT_CFGS
+    # add the root= and other standard boot options
+    sed -i "s@options *@options root=PARTUUID=$rootuuid rw $rootwait quiet @" $GUMMIBOOT_CFGS
+    # if RMC feature presents, append global kernel command line fragment when it exists.
+    if [ -f "${RMC_DB}" ] && [ -f "${RMC_CMD}" ]; then
+        if ${RMC_CMD} -B KBOOTPARAM -d "${RMC_DB}" -o /tmp/kbootparam; then
+            sed -i "/^[ \t]*options/ s/$/ $(cat /tmp/kbootparam)/" $GUMMIBOOT_CFGS
+            rm /tmp/kbootparam
+        fi
+    fi
+fi
+
+cp /run/media/$1/vmlinuz /boot
+
+umount /src_root
+umount /tgt_root
+umount /boot
+
+sync
+
+echo "Remove your installation media, and press ENTER"
+
+read enter
+
+echo "Rebooting..."
+reboot -f
diff --git a/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend b/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend
new file mode 100644
index 00000000..0b3a1d3d
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend
@@ -0,0 +1,2 @@
+FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/files:"
+PACKAGE_ARCH_intel-x86-common = "${INTEL_COMMON_PACKAGE_ARCH}"
diff --git a/recipes-core/microcode/intel-microcode_20170707.bb b/recipes-core/microcode/intel-microcode_20170707.bb
new file mode 100644
index 00000000..2244088b
--- /dev/null
+++ b/recipes-core/microcode/intel-microcode_20170707.bb
@@ -0,0 +1,66 @@
+SUMMARY = "Intel Processor Microcode Datafile for Linux"
+HOMEPAGE = "http://www.intel.com/"
+DESCRIPTION = "The microcode data file contains the latest microcode\
+ definitions for all Intel processors. Intel releases microcode updates\
+ to correct processor behavior as documented in the respective processor\
+ specification updates. While the regular approach to getting this microcode\
+ update is via a BIOS upgrade, Intel realizes that this can be an\
+ administrative hassle. The Linux operating system and VMware ESX\
+ products have a mechanism to update the microcode after booting.\
+ For example, this file will be used by the operating system mechanism\
+ if the file is placed in the /etc/firmware directory of the Linux system."
+
+LICENSE = "Intel-Microcode-License"
+LIC_FILES_CHKSUM = "file://microcode.dat;md5=e5b1dc41901d2de706d4bccee94bbadc"
+
+SRC_URI = "https://downloadmirror.intel.com/26925/eng/microcode-${PV}.tgz"
+SRC_URI[md5sum] = "fe4bcb12e4600629a81fb65208c34248"
+SRC_URI[sha256sum] = "4fd44769bf52a7ac11e90651a307aa6e56ca6e1a814e50d750ba8207973bee93"
+
+DEPENDS = "iucode-tool-native"
+S = "${WORKDIR}"
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit deploy
+
+# Use any of the iucode_tool parameters to filter specific microcodes from the data file
+# For further information, check the iucode-tool's manpage : http://manned.org/iucode-tool
+UCODE_FILTER_PARAMETERS ?= ""
+
+do_compile() {
+        mkdir -p ${WORKDIR}/ucode/kernel/x86/microcode
+        ${STAGING_DIR_NATIVE}${sbindir_native}/iucode_tool \
+                ${UCODE_FILTER_PARAMETERS} \
+                --overwrite \
+                --write-to=${WORKDIR}/microcode_${PV}.bin \
+                ${WORKDIR}/microcode.dat
+
+        ${STAGING_DIR_NATIVE}${sbindir_native}/iucode_tool \
+                ${UCODE_FILTER_PARAMETERS} \
+                --overwrite \
+                --write-earlyfw=${WORKDIR}/microcode_${PV}.cpio \
+                ${WORKDIR}/microcode.dat
+}
+
+do_install() {
+        install -d ${D}${base_libdir}/firmware/intel-ucode/
+        install ${WORKDIR}/microcode_${PV}.bin ${D}${base_libdir}/firmware/intel-ucode/
+        cd ${D}${base_libdir}/firmware/intel-ucode/
+        ln -sf microcode_${PV}.bin microcode.bin
+}
+
+do_deploy() {
+        install -d ${DEPLOYDIR}
+        install ${S}/microcode_${PV}.cpio ${DEPLOYDIR}/
+        cd ${DEPLOYDIR}
+        rm -f microcode.cpio
+        ln -sf microcode_${PV}.cpio microcode.cpio
+}
+
+addtask deploy before do_build after do_compile
+
+PACKAGES = "${PN}"
+
+FILES_${PN} = "${base_libdir}"
diff --git a/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch b/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch
new file mode 100644
index 00000000..ca97d2ab
--- /dev/null
+++ b/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch
@@ -0,0 +1,29 @@
+From 5f6826b3a59dedf508d5a6122362d69a4813e8e6 Mon Sep 17 00:00:00 2001
+From: Saul Wold <sgw@linux.intel.com>
+Date: Fri, 3 Feb 2017 16:08:51 -0800
+Subject: [PATCH] Makefile.am: Add arg-parse library for MUSL support
+
+iucode-tool needs argp-standalone when used with MUSL, so add this
+patch to the Makefile to link with argp
+
+Upstream-Status: Pending
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+---
+ Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 415a241..764fb61 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -5,6 +5,7 @@
+ sbin_PROGRAMS   = iucode_tool
+ man_MANS        = iucode_tool.8
+ 
++iucode_tool_LDADD = -largp
+ iucode_tool_SOURCES = intel_microcode.h intel_microcode.c iucode_tool.c
+ EXTRA_DIST     = autogen.sh CONTRIBUTING
+ 
+-- 
+2.7.4
+
diff --git a/recipes-core/microcode/iucode-tool_2.1.2.bb b/recipes-core/microcode/iucode-tool_2.1.2.bb
new file mode 100644
index 00000000..e1fb56f4
--- /dev/null
+++ b/recipes-core/microcode/iucode-tool_2.1.2.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Update Intel CPU microcode"
+
+DESCRIPTION = "iucode_tool is a program to manipulate Intel i686 and X86-64\
+ processor microcode update collections, and to use the kernel facilities to\
+ update the microcode on Intel system processors.  It can load microcode data\
+ files in text and binary format, sort, list and filter the microcode updates\
+ contained in these files, write selected microcode updates to a new file in\
+ binary format, or upload them to the kernel. \
+ It operates on microcode data downloaded directly from Intel:\
+ http://feeds.downloadcenter.intel.com/rss/?p=2371\
+"
+HOMEPAGE = "https://gitlab.com/iucode-tool/"
+BUGTRACKER = "https://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=iucode-tool;repeatmerged=0"
+
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe \
+                    file://iucode_tool.c;beginline=1;endline=15;md5=5d8e3639c3b6a80e7d5e0e073933da16"
+
+DEPENDS_append_libc-musl = " argp-standalone"
+
+SRC_URI = "https://gitlab.com/iucode-tool/releases/raw/master/iucode-tool_${PV}.tar.xz"
+SRC_URI_append_libc-musl = " file://0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch"
+
+SRC_URI[md5sum] = "c6f131a0b69443f5498782a2335973fa"
+SRC_URI[sha256sum] = "01f1c02ba6935e0ac8440fb594c2ef57ce4437fcbce539e3ef329f55a6fd71ab"
+
+inherit autotools
+
+BBCLASSEXTEND = "native"
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+UPSTREAM_CHECK_URI = "https://gitlab.com/iucode-tool/releases"
diff --git a/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
new file mode 100644
index 00000000..62db0633
--- /dev/null
+++ b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
@@ -0,0 +1,105 @@
+From 48e511481d83c1614cd00a5a2edcf6b5d746b9c4 Mon Sep 17 00:00:00 2001
+From: Mikko Ylinen <mikko.ylinen@linux.intel.com>
+Date: Fri, 7 Apr 2017 12:06:14 +0300
+Subject: [PATCH] ovmf: RefkitTestCA: TEST UEFI SecureBoot
+
+This patch adds refkit-db.cer (via xxd -i) in OVMF's db
+signature database when used with EnrollDefaultKeys EFI
+application. It's used for testing purposes only.
+
+Images signed with refkit-db keys are allowed to boot.
+
+Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
+---
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 68 +++++++++++++++++++++++++++
+ 1 file changed, 68 insertions(+)
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+index 24ab977..a3c12ba 100644
+--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -516,6 +516,73 @@ STATIC CONST UINT8 MicrosoftUefiCA[] = {
+   0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
+ };
+ 
++STATIC CONST UINT8 RefkitTestCA[] = {
++  0x30, 0x82, 0x02, 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01,
++  0x02, 0x02, 0x09, 0x00, 0xd4, 0xf6, 0x48, 0xc2, 0x68, 0x19, 0x91, 0xac,
++  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
++  0x0b, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55,
++  0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64,
++  0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x30, 0x31,
++  0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34,
++  0x32, 0x30, 0x31, 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x30, 0x14, 0x31,
++  0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65,
++  0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, 0x62, 0x30, 0x82, 0x01, 0x22, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
++  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
++  0x82, 0x01, 0x01, 0x00, 0xb4, 0x1c, 0x22, 0xa6, 0x22, 0x01, 0x57, 0xcd,
++  0xf1, 0x4f, 0xaf, 0x72, 0xe3, 0xd9, 0x01, 0x80, 0x50, 0x55, 0xef, 0x02,
++  0x5e, 0xeb, 0x99, 0x35, 0xcb, 0x7f, 0x2a, 0x79, 0xff, 0xb5, 0x3e, 0xec,
++  0x5d, 0x92, 0x06, 0x30, 0x20, 0xe7, 0x95, 0xad, 0xa4, 0x84, 0x2e, 0x3f,
++  0xfa, 0xd7, 0x46, 0xdd, 0x49, 0xa8, 0xe8, 0xe3, 0x79, 0x49, 0xf6, 0x8f,
++  0x0b, 0x1d, 0xfe, 0x63, 0xa8, 0xd1, 0x63, 0xa3, 0xd6, 0x0d, 0x4e, 0x6c,
++  0x66, 0x5c, 0xd6, 0x66, 0x26, 0xd1, 0x26, 0x98, 0xd4, 0x4f, 0x76, 0xc9,
++  0x65, 0x48, 0x58, 0x13, 0x08, 0x31, 0xbc, 0xe5, 0x47, 0x25, 0x65, 0x95,
++  0x39, 0x89, 0x5f, 0x02, 0xf1, 0xc5, 0x06, 0x17, 0x58, 0xca, 0x09, 0xfd,
++  0xf6, 0x1e, 0xc5, 0x97, 0xda, 0xa3, 0x4e, 0x1a, 0x48, 0xbe, 0xcf, 0x96,
++  0x27, 0x04, 0x4b, 0xb7, 0x6d, 0x67, 0xb6, 0x50, 0x18, 0x04, 0x73, 0x51,
++  0xd2, 0x6a, 0x2d, 0xdf, 0x3b, 0xab, 0xf2, 0x2d, 0x95, 0xd7, 0xa8, 0xb8,
++  0xa8, 0x30, 0xa1, 0xab, 0x8b, 0x92, 0x2b, 0x60, 0x3e, 0x3a, 0xe5, 0x86,
++  0x40, 0x71, 0xc1, 0x3f, 0x2d, 0x2e, 0x90, 0xe7, 0xd6, 0xec, 0xcc, 0xc2,
++  0x0b, 0x79, 0x83, 0x71, 0x6d, 0xf6, 0xa3, 0xa9, 0x4c, 0xcd, 0x46, 0x81,
++  0xdc, 0xef, 0xec, 0x51, 0xbe, 0x81, 0x2a, 0xf1, 0x78, 0x73, 0x41, 0xdb,
++  0x54, 0xce, 0x7c, 0xce, 0xa2, 0xe3, 0x90, 0x4f, 0x45, 0x1a, 0xf9, 0x3d,
++  0x88, 0xfc, 0x0e, 0xed, 0xd3, 0x69, 0x22, 0x4c, 0xfa, 0x0a, 0x69, 0xd1,
++  0x48, 0xc0, 0xaa, 0xa9, 0x3a, 0xb3, 0x8f, 0x10, 0x3a, 0x76, 0xa8, 0x0c,
++  0x7a, 0x3d, 0xd8, 0x79, 0xce, 0x1c, 0x96, 0x62, 0xf4, 0x06, 0xee, 0x47,
++  0xe8, 0xe0, 0x69, 0x91, 0xae, 0xea, 0x34, 0xcf, 0xda, 0xa8, 0xb4, 0x39,
++  0x5e, 0xf3, 0x7a, 0xd0, 0x88, 0x48, 0x47, 0x69, 0x02, 0x03, 0x01, 0x00,
++  0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
++  0x04, 0x16, 0x04, 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b,
++  0x1a, 0x9f, 0x46, 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd,
++  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
++  0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, 0x1a, 0x9f, 0x46,
++  0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, 0x30, 0x0c, 0x06,
++  0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
++  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xd2, 0x84, 0x7c, 0x43,
++  0x47, 0xca, 0x6b, 0xfd, 0x87, 0x83, 0xd0, 0xef, 0x75, 0xd3, 0x20, 0x52,
++  0x73, 0x18, 0xaa, 0x32, 0x71, 0xfb, 0xa5, 0xf4, 0xc9, 0x11, 0xa3, 0x68,
++  0x4d, 0xb7, 0x9d, 0xe6, 0xd9, 0x46, 0x24, 0xdc, 0xc7, 0xc2, 0x3b, 0xf9,
++  0xb0, 0x98, 0xfc, 0xee, 0x34, 0x6e, 0x10, 0x9b, 0x3d, 0x44, 0x6e, 0x33,
++  0x09, 0x11, 0xb8, 0x29, 0xd6, 0x2d, 0x06, 0xcf, 0x67, 0x8f, 0x96, 0x85,
++  0x9d, 0x63, 0x72, 0xbf, 0x64, 0x5f, 0x0d, 0xe3, 0xc9, 0x63, 0x19, 0x71,
++  0xd4, 0x7d, 0x4c, 0x9c, 0x77, 0x46, 0xda, 0x20, 0x97, 0x6d, 0xbc, 0xdd,
++  0xc2, 0x1f, 0xf3, 0x40, 0x38, 0x1e, 0xe7, 0xcc, 0x55, 0x05, 0x72, 0xba,
++  0x24, 0x4f, 0xb3, 0x8a, 0x93, 0x0c, 0x30, 0x60, 0xda, 0x9f, 0x6f, 0x35,
++  0xf6, 0xfb, 0xb0, 0x1f, 0xb3, 0x00, 0xdd, 0xc4, 0xa6, 0xbc, 0xe2, 0x37,
++  0xc1, 0xa3, 0xef, 0xd9, 0xa1, 0x86, 0xf9, 0xeb, 0xa4, 0xa5, 0x45, 0x38,
++  0xff, 0x4e, 0x87, 0x4a, 0x41, 0xcf, 0x6e, 0x69, 0x7e, 0x97, 0xbe, 0x2d,
++  0x22, 0xbc, 0x8d, 0xa0, 0x1a, 0x21, 0x8f, 0x4b, 0x72, 0x90, 0x01, 0x5c,
++  0xba, 0xa5, 0x9c, 0x2d, 0xd7, 0x25, 0x24, 0xfc, 0xff, 0x5c, 0x58, 0x14,
++  0x46, 0x30, 0x09, 0x7c, 0x55, 0x64, 0x83, 0x0b, 0xb9, 0xdf, 0xcf, 0x25,
++  0xee, 0xec, 0xf7, 0xcb, 0xdb, 0xd1, 0x5b, 0x93, 0x93, 0xc8, 0x8a, 0x10,
++  0x46, 0xb8, 0xb0, 0x35, 0x1c, 0x6c, 0x0d, 0x8f, 0x03, 0x6a, 0x8f, 0x1b,
++  0x36, 0x68, 0xf3, 0x53, 0x89, 0x36, 0x5b, 0x21, 0x80, 0xde, 0xe3, 0x92,
++  0x52, 0x94, 0x97, 0x9d, 0x49, 0x89, 0x7d, 0x3e, 0xde, 0x29, 0x51, 0xba,
++  0x11, 0xf7, 0xba, 0x01, 0xf7, 0xab, 0xea, 0xc1, 0xa7, 0x2e, 0xa3, 0x4d,
++  0x65, 0xfd, 0x40, 0x71, 0xf1, 0xe2, 0x3f, 0x6c, 0x28, 0xcb, 0xd3
++};
++
+ //
+ // The most important thing about the variable payload is that it is a list of
+ // lists, where the element size of any given *inner* list is constant.
+@@ -908,6 +975,7 @@ ShellAppMain (
+              &gEfiImageSecurityDatabaseGuid,
+              MicrosoftPCA,    sizeof MicrosoftPCA,    &gEfiCallerIdGuid,
+              MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
++             RefkitTestCA,    sizeof RefkitTestCA,    &gEfiCallerIdGuid,
+              NULL);
+   if (EFI_ERROR (Status)) {
+     return 1;
+-- 
+2.1.4
+
diff --git a/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
new file mode 100644
index 00000000..b20f6e58
--- /dev/null
+++ b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
@@ -0,0 +1,13 @@
+require recipes-core/ovmf/ovmf-shell-image.bb
+
+WKS_SEARCH_PATH_append = ":${COREBASE}/meta/recipes-core/ovmf"
+
+QB_DRIVE_TYPE = "/dev/vd"
+
+do_image_append() {
+    cat > ${IMAGE_ROOTFS}/startup.nsh << EOF
+EnrollDefaultKeys
+reset
+EOF
+
+}
diff --git a/recipes-core/ovmf/ovmf_%.bbappend b/recipes-core/ovmf/ovmf_%.bbappend
new file mode 100644
index 00000000..bbf5fa32
--- /dev/null
+++ b/recipes-core/ovmf/ovmf_%.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/files:"
+
+SRC_URI_append_intel-x86-common = " \
+        file://0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch \
+"
+PACKAGECONFIG_append_intel-x86-common = " secureboot"