From d53dbb38c43da3fd04fed9a55e7b3b9e2c512b9a Mon Sep 17 00:00:00 2001 From: Saul Wold Date: Tue, 7 Nov 2017 10:32:26 -0800 Subject: meta-intel: Reorganize the layout to remove common Remove the concept of the common directory and move all the recipes-* dirs to the top level as a normal layer would be. layer.conf is updated appropriately Signed-off-by: Saul Wold --- .../images/core-image-minimal-initramfs.bbappend | 6 + recipes-core/images/core-image-tiny.bb | 37 +++ .../files/intel-x86-common/init-install-efi.sh | 342 +++++++++++++++++++++ .../initramfs-live-install-efi_%.bbappend | 2 + recipes-core/microcode/intel-microcode_20170707.bb | 66 ++++ ...am-Add-arg-parse-library-for-MUSL-support.patch | 29 ++ recipes-core/microcode/iucode-tool_2.1.2.bb | 33 ++ ...01-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch | 105 +++++++ recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb | 13 + recipes-core/ovmf/ovmf_%.bbappend | 6 + 10 files changed, 639 insertions(+) create mode 100644 recipes-core/images/core-image-minimal-initramfs.bbappend create mode 100644 recipes-core/images/core-image-tiny.bb create mode 100644 recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh create mode 100644 recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend create mode 100644 recipes-core/microcode/intel-microcode_20170707.bb create mode 100644 recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch create mode 100644 recipes-core/microcode/iucode-tool_2.1.2.bb create mode 100644 recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch create mode 100644 recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb create mode 100644 recipes-core/ovmf/ovmf_%.bbappend (limited to 'recipes-core') diff --git a/recipes-core/images/core-image-minimal-initramfs.bbappend b/recipes-core/images/core-image-minimal-initramfs.bbappend new file mode 100644 index 00000000..4ddca375 --- /dev/null +++ b/recipes-core/images/core-image-minimal-initramfs.bbappend @@ -0,0 +1,6 @@ +# Use initramfs-framework instead of initramfs-live* +PACKAGE_INSTALL_remove_intel-x86-common = "initramfs-live-boot initramfs-live-install initramfs-live-install-efi" +PACKAGE_INSTALL_append_intel-x86-common = " initramfs-framework-base initramfs-module-udev initramfs-module-setup-live initramfs-module-install-efi" + +# Add i915 graphics firmware +PACKAGE_INSTALL_append_intel-x86-common = " linux-firmware-i915" diff --git a/recipes-core/images/core-image-tiny.bb b/recipes-core/images/core-image-tiny.bb new file mode 100644 index 00000000..ed39fd77 --- /dev/null +++ b/recipes-core/images/core-image-tiny.bb @@ -0,0 +1,37 @@ +SUMMARY = "A tiny image just capable of allowing a device to boot from RAM, \ +this image recipe generates an image file which rather boots from initrd than \ +from storage, it achieves this by using wic to pick up the artifacts generated \ +by the core-image-tiny-initramfs image" + +# The actual rootfs/initrd will be the one from core-image-tiny-initramfs, so +# we reset IMAGE_INSTALL to avoid building other things that will be pointless +IMAGE_INSTALL = "" + +# Do not pollute the initrd image with rootfs features +IMAGE_FEATURES = "" + +IMAGE_LINGUAS = " " + +LICENSE = "MIT" + +IMAGE_ROOTFS_SIZE ?= "8192" + +IMAGE_FSTYPES = "wic" +inherit core-image + +# We get some parts from image-live that we need in order to boot from initrd +INITRD_IMAGE_LIVE ?= "core-image-tiny-initramfs" + +python() { + image_b = d.getVar('IMAGE_BASENAME') + initrd_i = d.getVar('INITRD_IMAGE_LIVE') + if image_b == initrd_i: + bb.error('INITRD_IMAGE_LIVE %s cannot use the requested IMAGE_FSTYPE' % initrd_i) + bb.fatal('Check IMAGE_FSTYPES and INITRAMFS_FSTYPES settings.') + elif initrd_i: + d.appendVarFlag('do_image', 'depends', ' %s:do_image_complete' % initrd_i) +} + +WKS_FILE_intel-corei7-64 = "core-image-tiny.wks.in" +WKS_FILE_intel-core2-32 = "core-image-tiny.wks.in" +WKS_FILE_intel-quark = "mktinygalileodisk.wks" diff --git a/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh b/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh new file mode 100644 index 00000000..a7a2ad4c --- /dev/null +++ b/recipes-core/initrdscripts/files/intel-x86-common/init-install-efi.sh @@ -0,0 +1,342 @@ +#!/bin/sh -e +# +# Copyright (c) 2016, Intel Corporation. +# All rights reserved. +# +# install.sh [device_name] [rootfs_name] +# +# This file is a copy of file with same name in OE: +# meta/recipes-core/initrdscripts/files/. We modify +# it for RMC feature to deploy file blobs from RMC +# database file to target. + +PATH=/sbin:/bin:/usr/sbin:/usr/bin + +# We need 20 Mb for the boot partition +boot_size=20 + +# 5% for swap +swap_ratio=5 + +# Get a list of hard drives +hdnamelist="" +live_dev_name=`cat /proc/mounts | grep ${1%/} | awk '{print $1}'` +live_dev_name=${live_dev_name#\/dev/} +# Only strip the digit identifier if the device is not an mmc +case $live_dev_name in + mmcblk*) + ;; + nvme*) + ;; + *) + live_dev_name=${live_dev_name%%[0-9]*} + ;; +esac + +echo "Searching for hard drives ..." + +for device in `ls /sys/block/`; do + case $device in + loop*) + # skip loop device + ;; + sr*) + # skip CDROM device + ;; + ram*) + # skip ram device + ;; + *) + # skip the device LiveOS is on + # Add valid hard drive name to the list + case $device in + $live_dev_name*) + # skip the device we are running from + ;; + *) + hdnamelist="$hdnamelist $device" + ;; + esac + ;; + esac +done + +if [ -z "${hdnamelist}" ]; then + echo "You need another device (besides the live device /dev/${live_dev_name}) to install the image. Installation aborted." + exit 1 +fi + +TARGET_DEVICE_NAME="" +for hdname in $hdnamelist; do + # Display found hard drives and their basic info + echo "-------------------------------" + echo /dev/$hdname + if [ -r /sys/block/$hdname/device/vendor ]; then + echo -n "VENDOR=" + cat /sys/block/$hdname/device/vendor + fi + if [ -r /sys/block/$hdname/device/model ]; then + echo -n "MODEL=" + cat /sys/block/$hdname/device/model + fi + if [ -r /sys/block/$hdname/device/uevent ]; then + echo -n "UEVENT=" + cat /sys/block/$hdname/device/uevent + fi + echo +done + +# Get user choice +while true; do + echo "Please select an install target or press n to exit ($hdnamelist ): " + read answer + if [ "$answer" = "n" ]; then + echo "Installation manually aborted." + exit 1 + fi + for hdname in $hdnamelist; do + if [ "$answer" = "$hdname" ]; then + TARGET_DEVICE_NAME=$answer + break + fi + done + if [ -n "$TARGET_DEVICE_NAME" ]; then + break + fi +done + +if [ -n "$TARGET_DEVICE_NAME" ]; then + echo "Installing image on /dev/$TARGET_DEVICE_NAME ..." +else + echo "No hard drive selected. Installation aborted." + exit 1 +fi + +device=/dev/$TARGET_DEVICE_NAME + +# +# The udev automounter can cause pain here, kill it +# +rm -f /etc/udev/rules.d/automount.rules +rm -f /etc/udev/scripts/mount* + +# +# Unmount anything the automounter had mounted +# +umount ${device}* 2> /dev/null || /bin/true + +mkdir -p /tmp + +# Create /etc/mtab if not present +if [ ! -e /etc/mtab ]; then + cat /proc/mounts > /etc/mtab +fi + +disk_size=$(parted ${device} unit mb print | grep '^Disk .*: .*MB' | cut -d" " -f 3 | sed -e "s/MB//") + +swap_size=$((disk_size*swap_ratio/100)) +rootfs_size=$((disk_size-boot_size-swap_size)) + +rootfs_start=$((boot_size)) +rootfs_end=$((rootfs_start+rootfs_size)) +swap_start=$((rootfs_end)) + +# MMC devices are special in a couple of ways +# 1) they use a partition prefix character 'p' +# 2) they are detected asynchronously (need rootwait) +rootwait="" +part_prefix="" +if [ ! "${device#/dev/mmcblk}" = "${device}" ] || \ +[ ! "${device#/dev/nvme}" = "${device}" ]; then + part_prefix="p" + rootwait="rootwait" +fi +bootfs=${device}${part_prefix}1 +rootfs=${device}${part_prefix}2 +swap=${device}${part_prefix}3 + +echo "*****************" +echo "Boot partition size: $boot_size MB ($bootfs)" +echo "Rootfs partition size: $rootfs_size MB ($rootfs)" +echo "Swap partition size: $swap_size MB ($swap)" +echo "*****************" +echo "Deleting partition table on ${device} ..." +dd if=/dev/zero of=${device} bs=512 count=35 + +echo "Creating new partition table on ${device} ..." +parted ${device} mklabel gpt + +echo "Creating boot partition on $bootfs" +parted ${device} mkpart boot fat32 0% $boot_size +parted ${device} set 1 boot on + +echo "Creating rootfs partition on $rootfs" +parted ${device} mkpart root ext3 $rootfs_start $rootfs_end + +echo "Creating swap partition on $swap" +parted ${device} mkpart swap linux-swap $swap_start 100% + +parted ${device} print + +echo "Formatting $bootfs to vfat..." +mkfs.vfat $bootfs + +echo "Formatting $rootfs to ext3..." +mkfs.ext3 $rootfs + +echo "Formatting swap partition...($swap)" +mkswap $swap + +mkdir /tgt_root +mkdir /src_root +mkdir -p /boot + +# Handling of the target root partition +mount $rootfs /tgt_root +mount -o rw,loop,noatime,nodiratime /run/media/$1/$2 /src_root +echo "Copying rootfs files..." +cp -a /src_root/* /tgt_root +if [ -d /tgt_root/etc/ ] ; then + boot_uuid=$(blkid -o value -s UUID ${bootfs}) + swap_part_uuid=$(blkid -o value -s PARTUUID ${swap}) + echo "/dev/disk/by-partuuid/$swap_part_uuid swap swap defaults 0 0" >> /tgt_root/etc/fstab + echo "UUID=$boot_uuid /boot vfat defaults 1 2" >> /tgt_root/etc/fstab + # We dont want udev to mount our root device while we're booting... + if [ -d /tgt_root/etc/udev/ ] ; then + echo "${device}" >> /tgt_root/etc/udev/mount.blacklist + fi +fi + +# Handling of the target boot partition +mount $bootfs /boot +echo "Preparing boot partition..." + +EFIDIR="/boot/EFI/BOOT" +mkdir -p $EFIDIR +# Copy the efi loader +cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR + +# RMC deployment +RMC_CMD=/src_root/usr/bin/rmc +RMC_DB=/run/media/$1/rmc.db + +# We don't want to quit when a step failed. For example, +# a file system could not support some operations. +set +e + +if [ -f "${RMC_DB}" ] && [ -f "${RMC_CMD}" ]; then + echo "Found RMC database and tool, start RMC deployment" + # query INSTALLER.CONFIG from RMC DB + if ${RMC_CMD} -B INSTALLER.CONFIG -d "${RMC_DB}" -o /tmp/installer.config; then + while IFS=':' read -r NAME TGT_UID TGT_GID TGT_MODE TGT_PATH; do + # skip comment + # The regexp in grep works with busybox grep which doesn't + # seem to have a -P to recognize '\t'. But this expression could not + # work with gnu grep... + if echo "$NAME"|grep -q $'^[ \t]*#'; then + continue + fi + # check if we should create a directory (last char in target path is '/') + # or deploy a file + LAST_CHAR=$(echo "${TGT_PATH:$((${#TGT_PATH}-1)):1}") + + # Do not bail out for failures but user should get stderr message + if [ ${LAST_CHAR} = "/" ]; then + # name field is skipped for directory + echo "DIR: ${TGT_UID}:${TGT_GID}:${TGT_MODE} => ${TGT_PATH}" + mkdir -p "$TGT_PATH" + chown "${TGT_UID}:${TGT_GID}" "$TGT_PATH" + chmod "${TGT_MODE}" "$TGT_PATH" + else + ${RMC_CMD} -B "${NAME}" -d "${RMC_DB}" -o "${TGT_PATH}" + echo "FILE: ${NAME}:${TGT_UID}:${TGT_GID}:${TGT_MODE} => ${TGT_PATH}" + chown "${TGT_UID}:${TGT_GID}" "$TGT_PATH" + chmod "${TGT_MODE}" "$TGT_PATH" + fi + done < /tmp/installer.config + rm -rf /tmp/installer.config + + # remove rmc from target since we don't think it is a valid + # case to run rmc after installation. + rm -rf /tgt_root/usr/bin/rmc + echo "RMC deployment finished" + else + echo "INSTALLER.CONFIG is not found, skip RMC deployment" + fi + + # Final retouching by calling post-install hook + if ${RMC_CMD} -B POSTINSTALL.sh -d "${RMC_DB}" -o /tmp/POSTINSTALL.sh; then + echo "Found POSTINSTALL.sh execute it..." + chmod 500 /tmp/POSTINSTALL.sh + /tmp/POSTINSTALL.sh + rm -rf /tmp/POSTINSTALL.sh + fi +fi +set -e + +if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then + root_part_uuid=$(blkid -o value -s PARTUUID ${rootfs}) + GRUBCFG="$EFIDIR/grub.cfg" + cp /run/media/$1/EFI/BOOT/grub.cfg $GRUBCFG + # Update grub config for the installed image + # Delete the install entry + sed -i "/menuentry 'install'/,/^}/d" $GRUBCFG + # Delete the initrd lines + sed -i "/initrd /d" $GRUBCFG + # Delete any LABEL= strings + sed -i "s/ LABEL=[^ ]*/ /" $GRUBCFG + # Delete any root= strings + sed -i "s/ root=[^ ]*/ /g" $GRUBCFG + # Add the root= and other standard boot options + sed -i "s@linux /vmlinuz *@linux /vmlinuz root=PARTUUID=$root_part_uuid rw $rootwait quiet @" $GRUBCFG +fi + +if [ -d /run/media/$1/loader ]; then + rootuuid=$(blkid -o value -s PARTUUID ${rootfs}) + GUMMIBOOT_CFGS="/boot/loader/entries/*.conf" + if [ -d /boot/loader ]; then + # Don't override loader.conf RMC already deployed + if [ ! -f /boot/loader/loader.conf ]; then + cp /run/media/$1/loader/loader.conf /boot/loader/ + fi + # only copy built OE entries when RMC entries don't exist. + if [ ! -d /boot/loader/entries ] || [ ! ls /boot/loader/entries/*.conf &>/dev/null ]; then + cp -dr /run/media/$1/loader/entries /boot/loader + fi + else + # copy config files for gummiboot + cp -dr /run/media/$1/loader /boot + # delete the install entry + rm -f /boot/loader/entries/install.conf + fi + # delete the initrd lines + sed -i "/initrd /d" $GUMMIBOOT_CFGS + # delete any LABEL= strings + sed -i "s/ LABEL=[^ ]*/ /" $GUMMIBOOT_CFGS + # delete any root= strings + sed -i "s/ root=[^ ]*/ /" $GUMMIBOOT_CFGS + # add the root= and other standard boot options + sed -i "s@options *@options root=PARTUUID=$rootuuid rw $rootwait quiet @" $GUMMIBOOT_CFGS + # if RMC feature presents, append global kernel command line fragment when it exists. + if [ -f "${RMC_DB}" ] && [ -f "${RMC_CMD}" ]; then + if ${RMC_CMD} -B KBOOTPARAM -d "${RMC_DB}" -o /tmp/kbootparam; then + sed -i "/^[ \t]*options/ s/$/ $(cat /tmp/kbootparam)/" $GUMMIBOOT_CFGS + rm /tmp/kbootparam + fi + fi +fi + +cp /run/media/$1/vmlinuz /boot + +umount /src_root +umount /tgt_root +umount /boot + +sync + +echo "Remove your installation media, and press ENTER" + +read enter + +echo "Rebooting..." +reboot -f diff --git a/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend b/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend new file mode 100644 index 00000000..0b3a1d3d --- /dev/null +++ b/recipes-core/initrdscripts/initramfs-live-install-efi_%.bbappend @@ -0,0 +1,2 @@ +FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/files:" +PACKAGE_ARCH_intel-x86-common = "${INTEL_COMMON_PACKAGE_ARCH}" diff --git a/recipes-core/microcode/intel-microcode_20170707.bb b/recipes-core/microcode/intel-microcode_20170707.bb new file mode 100644 index 00000000..2244088b --- /dev/null +++ b/recipes-core/microcode/intel-microcode_20170707.bb @@ -0,0 +1,66 @@ +SUMMARY = "Intel Processor Microcode Datafile for Linux" +HOMEPAGE = "http://www.intel.com/" +DESCRIPTION = "The microcode data file contains the latest microcode\ + definitions for all Intel processors. Intel releases microcode updates\ + to correct processor behavior as documented in the respective processor\ + specification updates. While the regular approach to getting this microcode\ + update is via a BIOS upgrade, Intel realizes that this can be an\ + administrative hassle. The Linux operating system and VMware ESX\ + products have a mechanism to update the microcode after booting.\ + For example, this file will be used by the operating system mechanism\ + if the file is placed in the /etc/firmware directory of the Linux system." + +LICENSE = "Intel-Microcode-License" +LIC_FILES_CHKSUM = "file://microcode.dat;md5=e5b1dc41901d2de706d4bccee94bbadc" + +SRC_URI = "https://downloadmirror.intel.com/26925/eng/microcode-${PV}.tgz" +SRC_URI[md5sum] = "fe4bcb12e4600629a81fb65208c34248" +SRC_URI[sha256sum] = "4fd44769bf52a7ac11e90651a307aa6e56ca6e1a814e50d750ba8207973bee93" + +DEPENDS = "iucode-tool-native" +S = "${WORKDIR}" + +COMPATIBLE_HOST = "(i.86|x86_64).*-linux" +PACKAGE_ARCH = "${MACHINE_ARCH}" + +inherit deploy + +# Use any of the iucode_tool parameters to filter specific microcodes from the data file +# For further information, check the iucode-tool's manpage : http://manned.org/iucode-tool +UCODE_FILTER_PARAMETERS ?= "" + +do_compile() { + mkdir -p ${WORKDIR}/ucode/kernel/x86/microcode + ${STAGING_DIR_NATIVE}${sbindir_native}/iucode_tool \ + ${UCODE_FILTER_PARAMETERS} \ + --overwrite \ + --write-to=${WORKDIR}/microcode_${PV}.bin \ + ${WORKDIR}/microcode.dat + + ${STAGING_DIR_NATIVE}${sbindir_native}/iucode_tool \ + ${UCODE_FILTER_PARAMETERS} \ + --overwrite \ + --write-earlyfw=${WORKDIR}/microcode_${PV}.cpio \ + ${WORKDIR}/microcode.dat +} + +do_install() { + install -d ${D}${base_libdir}/firmware/intel-ucode/ + install ${WORKDIR}/microcode_${PV}.bin ${D}${base_libdir}/firmware/intel-ucode/ + cd ${D}${base_libdir}/firmware/intel-ucode/ + ln -sf microcode_${PV}.bin microcode.bin +} + +do_deploy() { + install -d ${DEPLOYDIR} + install ${S}/microcode_${PV}.cpio ${DEPLOYDIR}/ + cd ${DEPLOYDIR} + rm -f microcode.cpio + ln -sf microcode_${PV}.cpio microcode.cpio +} + +addtask deploy before do_build after do_compile + +PACKAGES = "${PN}" + +FILES_${PN} = "${base_libdir}" diff --git a/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch b/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch new file mode 100644 index 00000000..ca97d2ab --- /dev/null +++ b/recipes-core/microcode/iucode-tool/0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch @@ -0,0 +1,29 @@ +From 5f6826b3a59dedf508d5a6122362d69a4813e8e6 Mon Sep 17 00:00:00 2001 +From: Saul Wold +Date: Fri, 3 Feb 2017 16:08:51 -0800 +Subject: [PATCH] Makefile.am: Add arg-parse library for MUSL support + +iucode-tool needs argp-standalone when used with MUSL, so add this +patch to the Makefile to link with argp + +Upstream-Status: Pending +Signed-off-by: Saul Wold +--- + Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile.am b/Makefile.am +index 415a241..764fb61 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -5,6 +5,7 @@ + sbin_PROGRAMS = iucode_tool + man_MANS = iucode_tool.8 + ++iucode_tool_LDADD = -largp + iucode_tool_SOURCES = intel_microcode.h intel_microcode.c iucode_tool.c + EXTRA_DIST = autogen.sh CONTRIBUTING + +-- +2.7.4 + diff --git a/recipes-core/microcode/iucode-tool_2.1.2.bb b/recipes-core/microcode/iucode-tool_2.1.2.bb new file mode 100644 index 00000000..e1fb56f4 --- /dev/null +++ b/recipes-core/microcode/iucode-tool_2.1.2.bb @@ -0,0 +1,33 @@ +SUMMARY = "Update Intel CPU microcode" + +DESCRIPTION = "iucode_tool is a program to manipulate Intel i686 and X86-64\ + processor microcode update collections, and to use the kernel facilities to\ + update the microcode on Intel system processors. It can load microcode data\ + files in text and binary format, sort, list and filter the microcode updates\ + contained in these files, write selected microcode updates to a new file in\ + binary format, or upload them to the kernel. \ + It operates on microcode data downloaded directly from Intel:\ + http://feeds.downloadcenter.intel.com/rss/?p=2371\ +" +HOMEPAGE = "https://gitlab.com/iucode-tool/" +BUGTRACKER = "https://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=iucode-tool;repeatmerged=0" + +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe \ + file://iucode_tool.c;beginline=1;endline=15;md5=5d8e3639c3b6a80e7d5e0e073933da16" + +DEPENDS_append_libc-musl = " argp-standalone" + +SRC_URI = "https://gitlab.com/iucode-tool/releases/raw/master/iucode-tool_${PV}.tar.xz" +SRC_URI_append_libc-musl = " file://0001-Makefile.am-Add-arg-parse-library-for-MUSL-support.patch" + +SRC_URI[md5sum] = "c6f131a0b69443f5498782a2335973fa" +SRC_URI[sha256sum] = "01f1c02ba6935e0ac8440fb594c2ef57ce4437fcbce539e3ef329f55a6fd71ab" + +inherit autotools + +BBCLASSEXTEND = "native" + +COMPATIBLE_HOST = "(i.86|x86_64).*-linux" + +UPSTREAM_CHECK_URI = "https://gitlab.com/iucode-tool/releases" diff --git a/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch new file mode 100644 index 00000000..62db0633 --- /dev/null +++ b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch @@ -0,0 +1,105 @@ +From 48e511481d83c1614cd00a5a2edcf6b5d746b9c4 Mon Sep 17 00:00:00 2001 +From: Mikko Ylinen +Date: Fri, 7 Apr 2017 12:06:14 +0300 +Subject: [PATCH] ovmf: RefkitTestCA: TEST UEFI SecureBoot + +This patch adds refkit-db.cer (via xxd -i) in OVMF's db +signature database when used with EnrollDefaultKeys EFI +application. It's used for testing purposes only. + +Images signed with refkit-db keys are allowed to boot. + +Signed-off-by: Mikko Ylinen +--- + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 68 +++++++++++++++++++++++++++ + 1 file changed, 68 insertions(+) + +diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +index 24ab977..a3c12ba 100644 +--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c ++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +@@ -516,6 +516,73 @@ STATIC CONST UINT8 MicrosoftUefiCA[] = { + 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58 + }; + ++STATIC CONST UINT8 RefkitTestCA[] = { ++ 0x30, 0x82, 0x02, 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01, ++ 0x02, 0x02, 0x09, 0x00, 0xd4, 0xf6, 0x48, 0xc2, 0x68, 0x19, 0x91, 0xac, ++ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, ++ 0x0b, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, ++ 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x30, 0x31, ++ 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34, ++ 0x32, 0x30, 0x31, 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x30, 0x14, 0x31, ++ 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, ++ 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, 0x62, 0x30, 0x82, 0x01, 0x22, 0x30, ++ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, ++ 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, ++ 0x82, 0x01, 0x01, 0x00, 0xb4, 0x1c, 0x22, 0xa6, 0x22, 0x01, 0x57, 0xcd, ++ 0xf1, 0x4f, 0xaf, 0x72, 0xe3, 0xd9, 0x01, 0x80, 0x50, 0x55, 0xef, 0x02, ++ 0x5e, 0xeb, 0x99, 0x35, 0xcb, 0x7f, 0x2a, 0x79, 0xff, 0xb5, 0x3e, 0xec, ++ 0x5d, 0x92, 0x06, 0x30, 0x20, 0xe7, 0x95, 0xad, 0xa4, 0x84, 0x2e, 0x3f, ++ 0xfa, 0xd7, 0x46, 0xdd, 0x49, 0xa8, 0xe8, 0xe3, 0x79, 0x49, 0xf6, 0x8f, ++ 0x0b, 0x1d, 0xfe, 0x63, 0xa8, 0xd1, 0x63, 0xa3, 0xd6, 0x0d, 0x4e, 0x6c, ++ 0x66, 0x5c, 0xd6, 0x66, 0x26, 0xd1, 0x26, 0x98, 0xd4, 0x4f, 0x76, 0xc9, ++ 0x65, 0x48, 0x58, 0x13, 0x08, 0x31, 0xbc, 0xe5, 0x47, 0x25, 0x65, 0x95, ++ 0x39, 0x89, 0x5f, 0x02, 0xf1, 0xc5, 0x06, 0x17, 0x58, 0xca, 0x09, 0xfd, ++ 0xf6, 0x1e, 0xc5, 0x97, 0xda, 0xa3, 0x4e, 0x1a, 0x48, 0xbe, 0xcf, 0x96, ++ 0x27, 0x04, 0x4b, 0xb7, 0x6d, 0x67, 0xb6, 0x50, 0x18, 0x04, 0x73, 0x51, ++ 0xd2, 0x6a, 0x2d, 0xdf, 0x3b, 0xab, 0xf2, 0x2d, 0x95, 0xd7, 0xa8, 0xb8, ++ 0xa8, 0x30, 0xa1, 0xab, 0x8b, 0x92, 0x2b, 0x60, 0x3e, 0x3a, 0xe5, 0x86, ++ 0x40, 0x71, 0xc1, 0x3f, 0x2d, 0x2e, 0x90, 0xe7, 0xd6, 0xec, 0xcc, 0xc2, ++ 0x0b, 0x79, 0x83, 0x71, 0x6d, 0xf6, 0xa3, 0xa9, 0x4c, 0xcd, 0x46, 0x81, ++ 0xdc, 0xef, 0xec, 0x51, 0xbe, 0x81, 0x2a, 0xf1, 0x78, 0x73, 0x41, 0xdb, ++ 0x54, 0xce, 0x7c, 0xce, 0xa2, 0xe3, 0x90, 0x4f, 0x45, 0x1a, 0xf9, 0x3d, ++ 0x88, 0xfc, 0x0e, 0xed, 0xd3, 0x69, 0x22, 0x4c, 0xfa, 0x0a, 0x69, 0xd1, ++ 0x48, 0xc0, 0xaa, 0xa9, 0x3a, 0xb3, 0x8f, 0x10, 0x3a, 0x76, 0xa8, 0x0c, ++ 0x7a, 0x3d, 0xd8, 0x79, 0xce, 0x1c, 0x96, 0x62, 0xf4, 0x06, 0xee, 0x47, ++ 0xe8, 0xe0, 0x69, 0x91, 0xae, 0xea, 0x34, 0xcf, 0xda, 0xa8, 0xb4, 0x39, ++ 0x5e, 0xf3, 0x7a, 0xd0, 0x88, 0x48, 0x47, 0x69, 0x02, 0x03, 0x01, 0x00, ++ 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, ++ 0x04, 0x16, 0x04, 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, ++ 0x1a, 0x9f, 0x46, 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, ++ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, ++ 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, 0x1a, 0x9f, 0x46, ++ 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, 0x30, 0x0c, 0x06, ++ 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, ++ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, ++ 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xd2, 0x84, 0x7c, 0x43, ++ 0x47, 0xca, 0x6b, 0xfd, 0x87, 0x83, 0xd0, 0xef, 0x75, 0xd3, 0x20, 0x52, ++ 0x73, 0x18, 0xaa, 0x32, 0x71, 0xfb, 0xa5, 0xf4, 0xc9, 0x11, 0xa3, 0x68, ++ 0x4d, 0xb7, 0x9d, 0xe6, 0xd9, 0x46, 0x24, 0xdc, 0xc7, 0xc2, 0x3b, 0xf9, ++ 0xb0, 0x98, 0xfc, 0xee, 0x34, 0x6e, 0x10, 0x9b, 0x3d, 0x44, 0x6e, 0x33, ++ 0x09, 0x11, 0xb8, 0x29, 0xd6, 0x2d, 0x06, 0xcf, 0x67, 0x8f, 0x96, 0x85, ++ 0x9d, 0x63, 0x72, 0xbf, 0x64, 0x5f, 0x0d, 0xe3, 0xc9, 0x63, 0x19, 0x71, ++ 0xd4, 0x7d, 0x4c, 0x9c, 0x77, 0x46, 0xda, 0x20, 0x97, 0x6d, 0xbc, 0xdd, ++ 0xc2, 0x1f, 0xf3, 0x40, 0x38, 0x1e, 0xe7, 0xcc, 0x55, 0x05, 0x72, 0xba, ++ 0x24, 0x4f, 0xb3, 0x8a, 0x93, 0x0c, 0x30, 0x60, 0xda, 0x9f, 0x6f, 0x35, ++ 0xf6, 0xfb, 0xb0, 0x1f, 0xb3, 0x00, 0xdd, 0xc4, 0xa6, 0xbc, 0xe2, 0x37, ++ 0xc1, 0xa3, 0xef, 0xd9, 0xa1, 0x86, 0xf9, 0xeb, 0xa4, 0xa5, 0x45, 0x38, ++ 0xff, 0x4e, 0x87, 0x4a, 0x41, 0xcf, 0x6e, 0x69, 0x7e, 0x97, 0xbe, 0x2d, ++ 0x22, 0xbc, 0x8d, 0xa0, 0x1a, 0x21, 0x8f, 0x4b, 0x72, 0x90, 0x01, 0x5c, ++ 0xba, 0xa5, 0x9c, 0x2d, 0xd7, 0x25, 0x24, 0xfc, 0xff, 0x5c, 0x58, 0x14, ++ 0x46, 0x30, 0x09, 0x7c, 0x55, 0x64, 0x83, 0x0b, 0xb9, 0xdf, 0xcf, 0x25, ++ 0xee, 0xec, 0xf7, 0xcb, 0xdb, 0xd1, 0x5b, 0x93, 0x93, 0xc8, 0x8a, 0x10, ++ 0x46, 0xb8, 0xb0, 0x35, 0x1c, 0x6c, 0x0d, 0x8f, 0x03, 0x6a, 0x8f, 0x1b, ++ 0x36, 0x68, 0xf3, 0x53, 0x89, 0x36, 0x5b, 0x21, 0x80, 0xde, 0xe3, 0x92, ++ 0x52, 0x94, 0x97, 0x9d, 0x49, 0x89, 0x7d, 0x3e, 0xde, 0x29, 0x51, 0xba, ++ 0x11, 0xf7, 0xba, 0x01, 0xf7, 0xab, 0xea, 0xc1, 0xa7, 0x2e, 0xa3, 0x4d, ++ 0x65, 0xfd, 0x40, 0x71, 0xf1, 0xe2, 0x3f, 0x6c, 0x28, 0xcb, 0xd3 ++}; ++ + // + // The most important thing about the variable payload is that it is a list of + // lists, where the element size of any given *inner* list is constant. +@@ -908,6 +975,7 @@ ShellAppMain ( + &gEfiImageSecurityDatabaseGuid, + MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid, + MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid, ++ RefkitTestCA, sizeof RefkitTestCA, &gEfiCallerIdGuid, + NULL); + if (EFI_ERROR (Status)) { + return 1; +-- +2.1.4 + diff --git a/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb new file mode 100644 index 00000000..b20f6e58 --- /dev/null +++ b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb @@ -0,0 +1,13 @@ +require recipes-core/ovmf/ovmf-shell-image.bb + +WKS_SEARCH_PATH_append = ":${COREBASE}/meta/recipes-core/ovmf" + +QB_DRIVE_TYPE = "/dev/vd" + +do_image_append() { + cat > ${IMAGE_ROOTFS}/startup.nsh << EOF +EnrollDefaultKeys +reset +EOF + +} diff --git a/recipes-core/ovmf/ovmf_%.bbappend b/recipes-core/ovmf/ovmf_%.bbappend new file mode 100644 index 00000000..bbf5fa32 --- /dev/null +++ b/recipes-core/ovmf/ovmf_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/files:" + +SRC_URI_append_intel-x86-common = " \ + file://0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch \ +" +PACKAGECONFIG_append_intel-x86-common = " secureboot" -- cgit v1.2.3-54-g00ecf