[OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot
Patrick Ohly
patrick.ohly at intel.com
Wed Dec 21 13:11:27 UTC 2016
The recipe now compiles OVMF twice, once without Secure Boot, once
with. This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec
The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
image deploy directory, so
runqemu <machine> <image> ovmf.secboot
will boot with Secure Boot enabled.
In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use
the ones considered problematic for Fedora, so this shouldn't be a
problem.
Fixes: luv-yocto/#38
Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 67e65b8..c4eedf0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,6 +1,6 @@
DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
-LICENSE = "BSD"
+LICENSE = "BSD & OpenSSL"
LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
@@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
"
+SRC_URI_append_class-target = " \
+ http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
+"
+
SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
PARALLEL_MAKE_class-native = ""
@@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
# OVMF supports IA only, although it could conceivably support ARM someday.
COMPATIBLE_HOST='(i.86|x86_64).*'
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
+
do_patch_append_class-native() {
bb.build.exec_func('do_fix_iasl', d)
bb.build.exec_func('do_fix_toolchain', d)
@@ -110,8 +120,22 @@ do_compile_class-target() {
bbnote FIXED_GCCVER is ${FIXED_GCCVER}
build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+ bbnote "Building without Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
+
+ # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+ # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+ # building with Secure Boot enabled.
+ bbnote "Building with Secure Boot."
+ rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+ if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+ fi
+ ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+ ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+ ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
}
do_install_class-native() {
@@ -131,6 +155,7 @@ do_deploy() {
do_deploy_class-target() {
# For use with "runqemu ovmf".
qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
+ qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
}
addtask do_deploy after do_compile before do_build
--
2.1.4
More information about the Openembedded-core
mailing list