authorPatrick Ohly <patrick.ohly@intel.com>2016-12-20 08:47:21 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-03-01 11:17:44 +0000
commit3ee86f53266ba9fef1b61b6e790eddc3b6b1a944 (patch)
tree41328f19bd6684a7f3abca9291b6c25660ab34c0 /meta/recipes-core
parente404935ca91ab1a73ff9683c92d1a232dd5e3d49 (diff)
ovmf_git.bb: enable Secure Boot
When enabled via PACKAGECONFIG = "secureboot" (off by default because of the extra work and license change), the recipe compiles OVMF twice, once without Secure Boot, once with. This is the same approach as in https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the image deploy directory, so runqemu <machine> <image> ovmf.secboot will boot with Secure Boot enabled. ovmf.secboot.code.qcow2 is provided for those who want separate code and variable flash drives. The normal ovmf.vars.qcow2 can be used with it. In contrast to Fedora, no attempt is made to strip potentially patent encumbered algorithms out of the OpenSSL archive. OVMF does not use the ones considered problematic for Fedora, so this shouldn't be a problem. Fixes: luv-yocto/#38 (From OE-Core rev: d493f0b4760808f880a0fd6dedf918a3b85006b7) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/ovmf/ovmf_git.bb36
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 998902579f..bdec6aa851 100644
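--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,8 +1,15 @@
 DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
 HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
 LICENSE = "BSD"
+LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}"
 LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
 
+# Enabling Secure Boot adds a dependency on OpenSSL and implies
+# compiling OVMF twice, so it is disabled by default. Distros
+# may change that default.
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[secureboot] = ",,,"
+
 SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
  file://0001-BaseTools-Force-tools-variables-to-host-toolchain.patch \
  file://0001-OvmfPkg-Enable-BGRT-in-OVMF.patch \
@@ -10,7 +17,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
  file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
  "
 
+SRC_URI_append_class-target = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
+"
+
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
 
 inherit deploy
 
@@ -32,6 +45,11 @@ BUILD_OPTIMIZATION="-pipe"
 # OVMF supports IA only, although it could conceivably support ARM someday.
 COMPATIBLE_HOST='(i.86|x86_64).*'
 
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_EXTRA_FLAGS ??= ""
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE ${OVMF_SECURE_BOOT_EXTRA_FLAGS}"
+
 do_patch_append_class-native() {
  bb.build.exec_func('do_fix_iasl', d)
  bb.build.exec_func('do_fix_toolchain', d)
@@ -112,10 +130,27 @@ do_compile_class-target() {
  bbnote FIXED_GCCVER is ${FIXED_GCCVER}
  build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
+ bbnote "Building without Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
  ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
  ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd
  ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd
  ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+ # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+ # building with Secure Boot enabled.
+ bbnote "Building with Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+ if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+ fi
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+ ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+ ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
+ ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
+ fi
 }
 
 do_install_class-native() {
@@ -135,6 +170,7 @@ do_deploy_class-target() {
  ovmf \
  ovmf.code \
  ovmf.vars \
+ ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'ovmf.secboot ovmf.secboot.code', '', d)} \
  ; do
  qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
  done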
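Review bot: The default `OVMF_SECURE_BOOT_FLAGS` in the third hunk builds with only `-DSECURE_BOOT_ENABLE=TRUE`, and the comment above it names Fedora's `-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD` without saying what leaving them out costs. As far as I know, without SMM_REQUIRE the guest OS can write the variable flash directly and the built-in UEFI shell stays in the image, so the secboot images exercise the Secure Boot code paths but should not be treated as enforcing them against a privileged guest. I would extend the comment to say so, e.g. `# Without SMM_REQUIRE the variable store is not protected from the guest OS; use the result for testing, not as a trust boundary.` Separately, in do_compile_class-target (whose body starts outside the hunk) the `[ -f .../openssl-*/edk2-patch-applied ]` test and `patch -p1 <$(echo ../EDKII_openssl-*.patch)` each assume the glob matches exactly one path. Naming the version pinned in SRC_URI (`openssl-1.0.2j`) there would make a stray second match fail loudly instead of patching or testing the wrong tree.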