diff options
Diffstat (limited to 'meta/recipes-core/ovmf/ovmf_git.bb')
-rw-r--r-- | meta/recipes-core/ovmf/ovmf_git.bb | 77 |
1 files changed, 56 insertions, 21 deletions
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index d785ff6700..35ca8d1834 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb | |||
@@ -2,27 +2,48 @@ SUMMARY = "OVMF - UEFI firmware for Qemu and KVM" | |||
2 | DESCRIPTION = "OVMF is an EDK II based project to enable UEFI support for \ | 2 | DESCRIPTION = "OVMF is an EDK II based project to enable UEFI support for \ |
3 | Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM" | 3 | Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM" |
4 | HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF" | 4 | HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF" |
5 | LICENSE = "BSD-2-Clause" | 5 | LICENSE = "BSD-2-Clause-Patent" |
6 | LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}" | 6 | LICENSE:class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD-2-Clause-Patent & OpenSSL', 'BSD-2-Clause-Patent', d)}" |
7 | LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65" | 7 | LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65" |
8 | 8 | ||
9 | # Enabling Secure Boot adds a dependency on OpenSSL and implies | 9 | # Enabling Secure Boot adds a dependency on OpenSSL and implies |
10 | # compiling OVMF twice, so it is disabled by default. Distros | 10 | # compiling OVMF twice, so it is disabled by default. Distros |
11 | # may change that default. | 11 | # may change that default. |
12 | PACKAGECONFIG ??= "" | 12 | PACKAGECONFIG ??= "" |
13 | PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)}" | ||
14 | PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}" | ||
13 | PACKAGECONFIG[secureboot] = ",,," | 15 | PACKAGECONFIG[secureboot] = ",,," |
16 | PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,," | ||
17 | |||
18 | # GCC12 trips on it | ||
19 | #see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch | ||
20 | BUILD_CFLAGS += "-Wno-error=stringop-overflow" | ||
14 | 21 | ||
15 | SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ | 22 | SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ |
16 | file://0001-ovmf-update-path-to-native-BaseTools.patch \ | 23 | file://0001-ovmf-update-path-to-native-BaseTools.patch \ |
17 | file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ | 24 | file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ |
18 | file://0003-ovmf-enable-long-path-file.patch \ | 25 | file://0003-debug-prefix-map.patch \ |
19 | file://0004-ovmf-Update-to-latest.patch \ | 26 | file://0004-reproducible.patch \ |
20 | " | 27 | " |
21 | 28 | ||
22 | PV = "edk2-stable202011" | 29 | PV = "edk2-stable202402" |
23 | SRCREV = "872f953262d68a11da7bc2fb3ded16df234b8700" | 30 | SRCREV = "edc6681206c1a8791981a2f911d2fb8b3d2f5768" |
24 | UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)" | 31 | UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)" |
25 | 32 | ||
33 | CVE_PRODUCT = "edk2" | ||
34 | CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}" | ||
35 | |||
36 | CVE_STATUS[CVE-2014-8271] = "fixed-version: Fixed in svn_16280, which is an unusual versioning breaking version comparison." | ||
37 | CVE_STATUS[CVE-2014-4859] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
38 | CVE_STATUS[CVE-2014-4860] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
39 | CVE_STATUS[CVE-2019-14553] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
40 | CVE_STATUS[CVE-2019-14559] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
41 | CVE_STATUS[CVE-2019-14562] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
42 | CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
43 | CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
44 | CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
45 | CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." | ||
46 | |||
26 | inherit deploy | 47 | inherit deploy |
27 | 48 | ||
28 | PARALLEL_MAKE = "" | 49 | PARALLEL_MAKE = "" |
@@ -37,7 +58,7 @@ EDK_TOOLS_DIR="edk2_basetools" | |||
37 | BUILD_OPTIMIZATION="-pipe" | 58 | BUILD_OPTIMIZATION="-pipe" |
38 | 59 | ||
39 | # OVMF supports IA only, although it could conceivably support ARM someday. | 60 | # OVMF supports IA only, although it could conceivably support ARM someday. |
40 | COMPATIBLE_HOST_class-target='(i.86|x86_64).*' | 61 | COMPATIBLE_HOST:class-target='(i.86|x86_64).*' |
41 | 62 | ||
42 | # Additional build flags for OVMF with Secure Boot. | 63 | # Additional build flags for OVMF with Secure Boot. |
43 | # Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". | 64 | # Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". |
@@ -49,7 +70,7 @@ export PYTHON_COMMAND = "${HOSTTOOLS_DIR}/python3" | |||
49 | do_patch[postfuncs] += "fix_basetools_location" | 70 | do_patch[postfuncs] += "fix_basetools_location" |
50 | fix_basetools_location () { | 71 | fix_basetools_location () { |
51 | } | 72 | } |
52 | fix_basetools_location_class-target() { | 73 | fix_basetools_location:class-target() { |
53 | # Replaces the fake path inserted by 0002-ovmf-update-path-to-native-BaseTools.patch. | 74 | # Replaces the fake path inserted by 0002-ovmf-update-path-to-native-BaseTools.patch. |
54 | # Necessary for finding the actual BaseTools from ovmf-native. | 75 | # Necessary for finding the actual BaseTools from ovmf-native. |
55 | sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh | 76 | sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh |
@@ -58,7 +79,7 @@ fix_basetools_location_class-target() { | |||
58 | do_patch[postfuncs] += "fix_iasl" | 79 | do_patch[postfuncs] += "fix_iasl" |
59 | fix_iasl() { | 80 | fix_iasl() { |
60 | } | 81 | } |
61 | fix_iasl_class-native() { | 82 | fix_iasl:class-native() { |
62 | # iasl is not installed under /usr/bin when building with OE. | 83 | # iasl is not installed under /usr/bin when building with OE. |
63 | sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template | 84 | sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template |
64 | } | 85 | } |
@@ -77,14 +98,14 @@ fix_toolchain() { | |||
77 | -e '/^VFR_CPPFLAGS/a CC = ${CC}\nCXX = ${CXX}\nAS = ${AS}\nAR = ${AR}\nLD = ${LD}' \ | 98 | -e '/^VFR_CPPFLAGS/a CC = ${CC}\nCXX = ${CXX}\nAS = ${AS}\nAR = ${AR}\nLD = ${LD}' \ |
78 | ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile | 99 | ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile |
79 | } | 100 | } |
80 | fix_toolchain_append_class-native() { | 101 | fix_toolchain:append:class-native() { |
81 | # This tools_def.template is going to be used by the target ovmf and | 102 | # This tools_def.template is going to be used by the target ovmf and |
82 | # defines which compilers to use. For the GCC toolchain definitions, | 103 | # defines which compilers to use. For the GCC toolchain definitions, |
83 | # that will be ${HOST_PREFIX}gcc. However, "make" doesn't need that | 104 | # that will be ${HOST_PREFIX}gcc. However, "make" doesn't need that |
84 | # prefix. | 105 | # prefix. |
85 | # | 106 | # |
86 | # Injecting ENV(HOST_PREFIX) matches exporting that value as env | 107 | # Injecting ENV(HOST_PREFIX) matches exporting that value as env |
87 | # variable in do_compile_class-target. | 108 | # variable in do_compile:class-target. |
88 | sed -i \ | 109 | sed -i \ |
89 | -e 's#\(ENV\|DEF\)(GCC.*_PREFIX)#ENV(HOST_PREFIX)#' \ | 110 | -e 's#\(ENV\|DEF\)(GCC.*_PREFIX)#ENV(HOST_PREFIX)#' \ |
90 | -e 's#ENV(HOST_PREFIX)make#make#' \ | 111 | -e 's#ENV(HOST_PREFIX)make#make#' \ |
@@ -101,9 +122,23 @@ fix_toolchain_append_class-native() { | |||
101 | # to make ovmf-native reusable across distros. | 122 | # to make ovmf-native reusable across distros. |
102 | sed -i \ | 123 | sed -i \ |
103 | -e 's#^\(DEFINE GCC.*DLINK.*FLAGS *=\)#\1 -fuse-ld=bfd#' \ | 124 | -e 's#^\(DEFINE GCC.*DLINK.*FLAGS *=\)#\1 -fuse-ld=bfd#' \ |
125 | -e 's#-flto#-fno-lto#g' \ | ||
126 | -e 's#-DUSING_LTO##g' \ | ||
104 | ${S}/BaseTools/Conf/tools_def.template | 127 | ${S}/BaseTools/Conf/tools_def.template |
105 | } | 128 | } |
106 | 129 | ||
130 | # We disable lto above since the results are not reproducible and make it hard to compare | ||
131 | # binary build aretfacts to debug reproducibility problems. | ||
132 | # Surprisingly, if you disable lto, you see compiler warnings which are fatal. We therefore | ||
133 | # have to hack warnings overrides into GCC_PREFIX_MAP to allow it to build. | ||
134 | |||
135 | # We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in | ||
136 | # --debug-prefix-map to nasm (we carry a patch to nasm for this). The | ||
137 | # tools definitions are built by ovmf-native so we need to pass this in | ||
138 | # at target build time when we know the right values. | ||
139 | export NASM_PREFIX_MAP = "--debug-prefix-map=${WORKDIR}=${TARGET_DBGSRC_DIR}" | ||
140 | export GCC_PREFIX_MAP = "${DEBUG_PREFIX_MAP} -Wno-stringop-overflow -Wno-maybe-uninitialized" | ||
141 | |||
107 | GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')" | 142 | GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')" |
108 | 143 | ||
109 | fixup_target_tools() { | 144 | fixup_target_tools() { |
@@ -133,11 +168,11 @@ fixup_target_tools() { | |||
133 | echo ${FIXED_GCCVER} | 168 | echo ${FIXED_GCCVER} |
134 | } | 169 | } |
135 | 170 | ||
136 | do_compile_class-native() { | 171 | do_compile:class-native() { |
137 | oe_runmake -C ${S}/BaseTools | 172 | oe_runmake -C ${S}/BaseTools |
138 | } | 173 | } |
139 | 174 | ||
140 | do_compile_class-target() { | 175 | do_compile:class-target() { |
141 | export LFLAGS="${LDFLAGS}" | 176 | export LFLAGS="${LDFLAGS}" |
142 | PARALLEL_JOBS="${@oe.utils.parallel_make_argument(d, '-n %d')}" | 177 | PARALLEL_JOBS="${@oe.utils.parallel_make_argument(d, '-n %d')}" |
143 | OVMF_ARCH="X64" | 178 | OVMF_ARCH="X64" |
@@ -169,7 +204,7 @@ do_compile_class-target() { | |||
169 | 204 | ||
170 | bbnote "Building without Secure Boot." | 205 | bbnote "Building without Secure Boot." |
171 | rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX | 206 | rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX |
172 | ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} | 207 | ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} |
173 | ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd | 208 | ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd |
174 | ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd | 209 | ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd |
175 | ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd | 210 | ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd |
@@ -179,19 +214,19 @@ do_compile_class-target() { | |||
179 | # Repeat build with the Secure Boot flags. | 214 | # Repeat build with the Secure Boot flags. |
180 | bbnote "Building with Secure Boot." | 215 | bbnote "Building with Secure Boot." |
181 | rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX | 216 | rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX |
182 | ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} | 217 | ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ${OVMF_SECURE_BOOT_FLAGS} |
183 | ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd | 218 | ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd |
184 | ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd | 219 | ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd |
185 | ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/ | 220 | ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/ |
186 | fi | 221 | fi |
187 | } | 222 | } |
188 | 223 | ||
189 | do_install_class-native() { | 224 | do_install:class-native() { |
190 | install -d ${D}/${bindir}/edk2_basetools | 225 | install -d ${D}/${bindir}/edk2_basetools |
191 | cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} | 226 | cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} |
192 | } | 227 | } |
193 | 228 | ||
194 | do_install_class-target() { | 229 | do_install:class-target() { |
195 | # Content for UEFI shell iso. We install the EFI shell as | 230 | # Content for UEFI shell iso. We install the EFI shell as |
196 | # bootx64/ia32.efi because then it can be started even when the | 231 | # bootx64/ia32.efi because then it can be started even when the |
197 | # firmware itself does not contain it. | 232 | # firmware itself does not contain it. |
@@ -208,19 +243,19 @@ do_install_class-target() { | |||
208 | # | 243 | # |
209 | # However, EnrollDefaultKeys.efi is only included when Secure Boot is enabled. | 244 | # However, EnrollDefaultKeys.efi is only included when Secure Boot is enabled. |
210 | PACKAGES =+ "ovmf-shell-efi" | 245 | PACKAGES =+ "ovmf-shell-efi" |
211 | FILES_ovmf-shell-efi = " \ | 246 | FILES:ovmf-shell-efi = " \ |
212 | EnrollDefaultKeys.efi \ | 247 | EnrollDefaultKeys.efi \ |
213 | efi/ \ | 248 | efi/ \ |
214 | " | 249 | " |
215 | 250 | ||
216 | DEPLOYDEP = "" | 251 | DEPLOYDEP = "" |
217 | DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot" | 252 | DEPLOYDEP:class-target = "qemu-system-native:do_populate_sysroot" |
218 | DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}" | 253 | DEPLOYDEP:class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}" |
219 | do_deploy[depends] += "${DEPLOYDEP}" | 254 | do_deploy[depends] += "${DEPLOYDEP}" |
220 | 255 | ||
221 | do_deploy() { | 256 | do_deploy() { |
222 | } | 257 | } |
223 | do_deploy_class-target() { | 258 | do_deploy:class-target() { |
224 | # For use with "runqemu ovmf". | 259 | # For use with "runqemu ovmf". |
225 | for i in \ | 260 | for i in \ |
226 | ovmf \ | 261 | ovmf \ |