summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/ovmf/ovmf_git.bb
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/ovmf/ovmf_git.bb')
-rw-r--r--meta/recipes-core/ovmf/ovmf_git.bb77
1 files changed, 56 insertions, 21 deletions
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index d785ff6700..35ca8d1834 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -2,27 +2,48 @@ SUMMARY = "OVMF - UEFI firmware for Qemu and KVM"
2DESCRIPTION = "OVMF is an EDK II based project to enable UEFI support for \ 2DESCRIPTION = "OVMF is an EDK II based project to enable UEFI support for \
3Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM" 3Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM"
4HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF" 4HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF"
5LICENSE = "BSD-2-Clause" 5LICENSE = "BSD-2-Clause-Patent"
6LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}" 6LICENSE:class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD-2-Clause-Patent & OpenSSL', 'BSD-2-Clause-Patent', d)}"
7LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65" 7LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65"
8 8
9# Enabling Secure Boot adds a dependency on OpenSSL and implies 9# Enabling Secure Boot adds a dependency on OpenSSL and implies
10# compiling OVMF twice, so it is disabled by default. Distros 10# compiling OVMF twice, so it is disabled by default. Distros
11# may change that default. 11# may change that default.
12PACKAGECONFIG ??= "" 12PACKAGECONFIG ??= ""
13PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)}"
14PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}"
13PACKAGECONFIG[secureboot] = ",,," 15PACKAGECONFIG[secureboot] = ",,,"
16PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,,"
17
18# GCC12 trips on it
19#see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
20BUILD_CFLAGS += "-Wno-error=stringop-overflow"
14 21
15SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ 22SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
16 file://0001-ovmf-update-path-to-native-BaseTools.patch \ 23 file://0001-ovmf-update-path-to-native-BaseTools.patch \
17 file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ 24 file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
18 file://0003-ovmf-enable-long-path-file.patch \ 25 file://0003-debug-prefix-map.patch \
19 file://0004-ovmf-Update-to-latest.patch \ 26 file://0004-reproducible.patch \
20 " 27 "
21 28
22PV = "edk2-stable202011" 29PV = "edk2-stable202402"
23SRCREV = "872f953262d68a11da7bc2fb3ded16df234b8700" 30SRCREV = "edc6681206c1a8791981a2f911d2fb8b3d2f5768"
24UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)" 31UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
25 32
33CVE_PRODUCT = "edk2"
34CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
35
36CVE_STATUS[CVE-2014-8271] = "fixed-version: Fixed in svn_16280, which is an unusual versioning breaking version comparison."
37CVE_STATUS[CVE-2014-4859] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
38CVE_STATUS[CVE-2014-4860] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
39CVE_STATUS[CVE-2019-14553] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
40CVE_STATUS[CVE-2019-14559] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
41CVE_STATUS[CVE-2019-14562] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
42CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
43CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
44CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
45CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
46
26inherit deploy 47inherit deploy
27 48
28PARALLEL_MAKE = "" 49PARALLEL_MAKE = ""
@@ -37,7 +58,7 @@ EDK_TOOLS_DIR="edk2_basetools"
37BUILD_OPTIMIZATION="-pipe" 58BUILD_OPTIMIZATION="-pipe"
38 59
39# OVMF supports IA only, although it could conceivably support ARM someday. 60# OVMF supports IA only, although it could conceivably support ARM someday.
40COMPATIBLE_HOST_class-target='(i.86|x86_64).*' 61COMPATIBLE_HOST:class-target='(i.86|x86_64).*'
41 62
42# Additional build flags for OVMF with Secure Boot. 63# Additional build flags for OVMF with Secure Boot.
43# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". 64# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
@@ -49,7 +70,7 @@ export PYTHON_COMMAND = "${HOSTTOOLS_DIR}/python3"
49do_patch[postfuncs] += "fix_basetools_location" 70do_patch[postfuncs] += "fix_basetools_location"
50fix_basetools_location () { 71fix_basetools_location () {
51} 72}
52fix_basetools_location_class-target() { 73fix_basetools_location:class-target() {
53 # Replaces the fake path inserted by 0002-ovmf-update-path-to-native-BaseTools.patch. 74 # Replaces the fake path inserted by 0002-ovmf-update-path-to-native-BaseTools.patch.
54 # Necessary for finding the actual BaseTools from ovmf-native. 75 # Necessary for finding the actual BaseTools from ovmf-native.
55 sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh 76 sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh
@@ -58,7 +79,7 @@ fix_basetools_location_class-target() {
58do_patch[postfuncs] += "fix_iasl" 79do_patch[postfuncs] += "fix_iasl"
59fix_iasl() { 80fix_iasl() {
60} 81}
61fix_iasl_class-native() { 82fix_iasl:class-native() {
62 # iasl is not installed under /usr/bin when building with OE. 83 # iasl is not installed under /usr/bin when building with OE.
63 sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template 84 sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template
64} 85}
@@ -77,14 +98,14 @@ fix_toolchain() {
77 -e '/^VFR_CPPFLAGS/a CC = ${CC}\nCXX = ${CXX}\nAS = ${AS}\nAR = ${AR}\nLD = ${LD}' \ 98 -e '/^VFR_CPPFLAGS/a CC = ${CC}\nCXX = ${CXX}\nAS = ${AS}\nAR = ${AR}\nLD = ${LD}' \
78 ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile 99 ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile
79} 100}
80fix_toolchain_append_class-native() { 101fix_toolchain:append:class-native() {
81 # This tools_def.template is going to be used by the target ovmf and 102 # This tools_def.template is going to be used by the target ovmf and
82 # defines which compilers to use. For the GCC toolchain definitions, 103 # defines which compilers to use. For the GCC toolchain definitions,
83 # that will be ${HOST_PREFIX}gcc. However, "make" doesn't need that 104 # that will be ${HOST_PREFIX}gcc. However, "make" doesn't need that
84 # prefix. 105 # prefix.
85 # 106 #
86 # Injecting ENV(HOST_PREFIX) matches exporting that value as env 107 # Injecting ENV(HOST_PREFIX) matches exporting that value as env
87 # variable in do_compile_class-target. 108 # variable in do_compile:class-target.
88 sed -i \ 109 sed -i \
89 -e 's#\(ENV\|DEF\)(GCC.*_PREFIX)#ENV(HOST_PREFIX)#' \ 110 -e 's#\(ENV\|DEF\)(GCC.*_PREFIX)#ENV(HOST_PREFIX)#' \
90 -e 's#ENV(HOST_PREFIX)make#make#' \ 111 -e 's#ENV(HOST_PREFIX)make#make#' \
@@ -101,9 +122,23 @@ fix_toolchain_append_class-native() {
101 # to make ovmf-native reusable across distros. 122 # to make ovmf-native reusable across distros.
102 sed -i \ 123 sed -i \
103 -e 's#^\(DEFINE GCC.*DLINK.*FLAGS *=\)#\1 -fuse-ld=bfd#' \ 124 -e 's#^\(DEFINE GCC.*DLINK.*FLAGS *=\)#\1 -fuse-ld=bfd#' \
125 -e 's#-flto#-fno-lto#g' \
126 -e 's#-DUSING_LTO##g' \
104 ${S}/BaseTools/Conf/tools_def.template 127 ${S}/BaseTools/Conf/tools_def.template
105} 128}
106 129
130# We disable lto above since the results are not reproducible and make it hard to compare
131# binary build aretfacts to debug reproducibility problems.
132# Surprisingly, if you disable lto, you see compiler warnings which are fatal. We therefore
133# have to hack warnings overrides into GCC_PREFIX_MAP to allow it to build.
134
135# We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in
136# --debug-prefix-map to nasm (we carry a patch to nasm for this). The
137# tools definitions are built by ovmf-native so we need to pass this in
138# at target build time when we know the right values.
139export NASM_PREFIX_MAP = "--debug-prefix-map=${WORKDIR}=${TARGET_DBGSRC_DIR}"
140export GCC_PREFIX_MAP = "${DEBUG_PREFIX_MAP} -Wno-stringop-overflow -Wno-maybe-uninitialized"
141
107GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')" 142GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')"
108 143
109fixup_target_tools() { 144fixup_target_tools() {
@@ -133,11 +168,11 @@ fixup_target_tools() {
133 echo ${FIXED_GCCVER} 168 echo ${FIXED_GCCVER}
134} 169}
135 170
136do_compile_class-native() { 171do_compile:class-native() {
137 oe_runmake -C ${S}/BaseTools 172 oe_runmake -C ${S}/BaseTools
138} 173}
139 174
140do_compile_class-target() { 175do_compile:class-target() {
141 export LFLAGS="${LDFLAGS}" 176 export LFLAGS="${LDFLAGS}"
142 PARALLEL_JOBS="${@oe.utils.parallel_make_argument(d, '-n %d')}" 177 PARALLEL_JOBS="${@oe.utils.parallel_make_argument(d, '-n %d')}"
143 OVMF_ARCH="X64" 178 OVMF_ARCH="X64"
@@ -169,7 +204,7 @@ do_compile_class-target() {
169 204
170 bbnote "Building without Secure Boot." 205 bbnote "Building without Secure Boot."
171 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX 206 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
172 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} 207 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS}
173 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd 208 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd
174 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd 209 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd
175 ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd 210 ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd
@@ -179,19 +214,19 @@ do_compile_class-target() {
179 # Repeat build with the Secure Boot flags. 214 # Repeat build with the Secure Boot flags.
180 bbnote "Building with Secure Boot." 215 bbnote "Building with Secure Boot."
181 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX 216 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
182 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} 217 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ${OVMF_SECURE_BOOT_FLAGS}
183 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd 218 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
184 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd 219 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
185 ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/ 220 ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/
186 fi 221 fi
187} 222}
188 223
189do_install_class-native() { 224do_install:class-native() {
190 install -d ${D}/${bindir}/edk2_basetools 225 install -d ${D}/${bindir}/edk2_basetools
191 cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} 226 cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR}
192} 227}
193 228
194do_install_class-target() { 229do_install:class-target() {
195 # Content for UEFI shell iso. We install the EFI shell as 230 # Content for UEFI shell iso. We install the EFI shell as
196 # bootx64/ia32.efi because then it can be started even when the 231 # bootx64/ia32.efi because then it can be started even when the
197 # firmware itself does not contain it. 232 # firmware itself does not contain it.
@@ -208,19 +243,19 @@ do_install_class-target() {
208# 243#
209# However, EnrollDefaultKeys.efi is only included when Secure Boot is enabled. 244# However, EnrollDefaultKeys.efi is only included when Secure Boot is enabled.
210PACKAGES =+ "ovmf-shell-efi" 245PACKAGES =+ "ovmf-shell-efi"
211FILES_ovmf-shell-efi = " \ 246FILES:ovmf-shell-efi = " \
212 EnrollDefaultKeys.efi \ 247 EnrollDefaultKeys.efi \
213 efi/ \ 248 efi/ \
214" 249"
215 250
216DEPLOYDEP = "" 251DEPLOYDEP = ""
217DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot" 252DEPLOYDEP:class-target = "qemu-system-native:do_populate_sysroot"
218DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}" 253DEPLOYDEP:class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}"
219do_deploy[depends] += "${DEPLOYDEP}" 254do_deploy[depends] += "${DEPLOYDEP}"
220 255
221do_deploy() { 256do_deploy() {
222} 257}
223do_deploy_class-target() { 258do_deploy:class-target() {
224 # For use with "runqemu ovmf". 259 # For use with "runqemu ovmf".
225 for i in \ 260 for i in \
226 ovmf \ 261 ovmf \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-04-24 09:40:31 +0000