[OE-core] [PATCH 6/9] ovmf_git.bb: enable Secure Boot

Ricardo Neri ricardo.neri-calderon at linux.intel.com
Wed Dec 28 22:54:40 UTC 2016


On Wed, 2016-12-21 at 14:11 +0100, Patrick Ohly wrote:
> The recipe now compiles OVMF twice, once without Secure Boot, once
> with. This is the same approach as in
> https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Besides the fact that Fedora does it, is there a particular reason to
build twice? On my side, I am able to build with secure boot with a
single build. Also, the Ubuntu documentation does not mention that two
builds are needed [1].

I do see that in Fedora, the build parameters change. OVMF without
secure boot support is built with -a X64 -p OvmfPkg/OvmfPkgX64.dsc while
OVMF with secure boot support is built with -a IA32 -a X64 -p
OvmfPkg/OvmfPkgIa32X64.dsc. Perhaps this is the reason?
> 
> The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
> image deploy directory, so
>   runqemu <machine> <image> ovmf.secboot
> will boot with Secure Boot enabled.
> 
> In contrast to Fedora, no attempt is made to strip potentially patent
> encumbered algorithms out of the OpenSSL archive. OVMF does not use
> the ones considered problematic for Fedora, so this shouldn't be a
> problem.
> 
> Fixes: luv-yocto/#38

Also, I think it would be nice if we could choose not to have secure
boot at all for OVMF. Maybe this could be achieved by having a common
ovmf.inc and two recipes, ovmf_git.bb and ovmf_sb_git.bb, with the
specific things needed to support secure boot or not. Maybe all that is
needed in the secure boot recipe are the extra variables for OpenSSL
and a prepend to do_compile_class-target with the OpenSSL patching.
Something to ponder.


> 
> Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
> ---
>  meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index 67e65b8..c4eedf0 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -1,6 +1,6 @@
>  DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
>  HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
> -LICENSE = "BSD"
> +LICENSE = "BSD & OpenSSL"
>  LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
>  
>  SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
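Review bot: LICENSE gains "& OpenSSL" but LIC_FILES_CHKSUM on the next line still lists only OvmfPkg/License.txt, so the OpenSSL licence text that the new tarball brings in is not checksummed and a licence change in a future OpenSSL bump would go unnoticed. Add an entry for the licence file inside the unpacked tarball (it lands under CryptoPkg/Library/OpensslLib because of the subdir= in SRC_URI), for example `file://CryptoPkg/Library/OpensslLib/openssl-1.0.2j/LICENSE;md5=<checksum of that file>`. Since only the Secure Boot image links OpenSSL while both images ship from one recipe, a short comment next to LICENSE saying which output the OpenSSL terms apply to would also help.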
> @@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
>  	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
>          "
>  
> +SRC_URI_append_class-target = " \
> +	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
> +"
> +
>  SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
> +SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
> +SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
>  
>  PARALLEL_MAKE_class-native = ""
>  
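Review bot: the OpenSSL tarball is fetched over plain http://; the pinned sha256sum makes a substituted download fail at fetch time, but there is no reason not to use https://www.openssl.org/source/ and drop the cleartext path altogether. A second point: the tarball version is hard-coded in the URL while the EDKII_openssl-*.patch that is applied to it later in this patch comes from the edk2 checkout pinned by SRCREV; the glob hides a version mismatch between the two until the build fails deep in CryptoPkg. Putting the version in one variable used for both the URL and the patch name, or at least a comment next to SRCREV saying which OpenSSL the current checkout expects, would make that coupling explicit.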
> @@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
>  # OVMF supports IA only, although it could conceivably support ARM someday.
>  COMPATIBLE_HOST='(i.86|x86_64).*'
>  
> +# Additional build flags for OVMF with Secure Boot.
> +# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
> +OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
> +
>  do_patch_append_class-native() {
>      bb.build.exec_func('do_fix_iasl', d)
>      bb.build.exec_func('do_fix_toolchain', d)
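Review bot: the comment on OVMF_SECURE_BOOT_FLAGS names the two extra Fedora flags but not why they are left out here, and that decision matters for what the resulting image can be used to test: -D SMM_REQUIRE makes the variable store (and therefore PK/KEK/db) writable only through SMM rather than by the guest OS, and -D EXCLUDE_SHELL_FROM_FD removes the built-in UEFI shell from the firmware volume. Without them the image exercises signature checking but not the protections a production Secure Boot firmware relies on; say so in the comment, and consider `OVMF_SECURE_BOOT_FLAGS ?=` so that a distro config can add the flags without patching the recipe.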
> @@ -110,8 +120,22 @@ do_compile_class-target() {
>      bbnote FIXED_GCCVER is ${FIXED_GCCVER}
>      build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
>  
> +    bbnote "Building without Secure Boot."
> +    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
>      ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
>      ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
> +
> +    # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
> +    # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
> +    # building with Secure Boot enabled.
> +    bbnote "Building with Secure Boot."
> +    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
> +    if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
> +        ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
> +    fi
> +    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
> +    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
> +    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd

At this point both ${WORKDIR}/ovmf/OVMF.secboot.fd and
${WORKDIR}/ovmf/OVMF.fd will be linked to the same OVMF.fd with secure
boot support. Maybe this could be fixed by copying the files rather than
creating a symbolic link.

>  }
>  
>  do_install_class-native() {
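Review bot: both `ln` calls run without -f, so the second time do_compile runs in the same WORKDIR (after a failed build, or with `bitbake -f -c compile`) they fail with "File exists"; the first call already had that problem, but this hunk doubles it. `ln` creates hard links here, and because `rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX` precedes the second build.sh the first link keeps the non-Secure-Boot data, but that is easy to misread and breaks if ${S} and ${WORKDIR} are on different filesystems; `install -m 0644` (or cp) for both images states the intent and is idempotent. Two smaller points in the OpenSSL preparation block: `patch -p1 <$(echo ../EDKII_openssl-*.patch)` becomes an ambiguous redirect as soon as the edk2 tree carries more than one EDKII_openssl-*.patch, and `[ -f .../openssl-*/edk2-patch-applied ]` likewise breaks with more than one unpacked openssl-* directory; naming the version explicitly avoids both. Finally, the unconditional `rm -rf` before the first build means every do_compile rebuilds the plain image from scratch even when only the Secure Boot variant changed, which is the build-time cost of the two-image approach.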
> @@ -131,6 +155,7 @@ do_deploy() {
>  do_deploy_class-target() {
>      # For use with "runqemu ovmf".
>      qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
> +    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2

In the same line as my previous comment, these two images will have
secure boot support.

Thanks and BR,
Ricardo

[1]. https://wiki.ubuntu.com/UEFI/EDK2
>  }
>  addtask do_deploy after do_compile before do_build
>  
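Review bot: nothing in this deploy step, or elsewhere in the patch, enrolls a Platform Key, KEK or db into OVMF.secboot.fd, so the image is built with Secure Boot support but starts in Setup Mode, where unsigned binaries are still executed; `runqemu <machine> <image> ovmf.secboot` therefore boots with the Secure Boot code present, not enforced. Either document that keys have to be enrolled (through the firmware setup menu or an enrollment tool run in the guest) before the image rejects anything, or add an enrollment step so the deployed ovmf.secboot.qcow2 is already in User Mode.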
> -- 
> 2.1.4
> 
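As an added illustration of the recipe split Ricardo proposes above (example layout written for this page, not code from the patch, from OE-core or from the edk2 project): a shared ovmf.inc holds the build, and each .bb sets only what differs. The second recipe is named ovmf-sb_git.bb rather than ovmf_sb_git.bb because BitBake splits the file name at the first underscore into PN and PV, so ovmf_sb_git.bb would be a second version of PN "ovmf" and collide with ovmf_git.bb. The variables OVMF_BUILD_FLAGS, OVMF_IMAGE_NAME and OPENSSL_VERSION are assumptions introduced here, as is the assumption that the edk2 tree names its patch EDKII_openssl-<version>.patch; the remaining variables (OVMF_DIR_SUFFIX, OVMF_ARCH, FIXED_GCCVER, PARALLEL_JOBS) are the ones visible in the quoted recipe. The example also copies instead of hard-linking and fetches OpenSSL over https.

```bitbake
# --- meta/recipes-core/ovmf/ovmf.inc (shared part; assumed layout) ---
# Everything currently in ovmf_git.bb (edk2 SRC_URI, SRCREV, the do_fix_*
# helpers, do_compile_class-native, addtask do_deploy ...) moves here
# unchanged. Only the two hooks below are new; their names are assumptions.

# Extra arguments handed to OvmfPkg/build.sh; empty for the plain build.
OVMF_BUILD_FLAGS ?= ""
# Basename of the deployed image: "runqemu <machine> <image> <name>".
OVMF_IMAGE_NAME ?= "ovmf"

do_compile_class-target() {
    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_BUILD_FLAGS}
    # Copy rather than link: the staged firmware must not alias a build
    # output that a later step deletes, and the copy is idempotent on re-runs.
    mkdir -p ${WORKDIR}/ovmf
    install -m 0644 ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
}

do_deploy_class-target() {
    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/${OVMF_IMAGE_NAME}.qcow2
}

# --- meta/recipes-core/ovmf/ovmf_git.bb ---
require ovmf.inc
# Nothing else: this recipe builds the image without Secure Boot support.

# --- meta/recipes-core/ovmf/ovmf-sb_git.bb ---
require ovmf.inc

LICENSE = "BSD & OpenSSL"

# OpenSSL is pulled in only by this variant. The edk2 tree carries the
# matching EDKII_openssl-<version>.patch, so the version lives in one place
# and a mismatch shows up as a missing file instead of a half-applied patch.
OPENSSL_VERSION = "1.0.2j"
SRC_URI_append_class-target = " \
    https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
"
SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"

OVMF_BUILD_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
OVMF_IMAGE_NAME = "ovmf.secboot"

# Prepare the bundled OpenSSL once, before the shared do_compile runs.
do_compile_prepend_class-target() {
    ossl="${S}/CryptoPkg/Library/OpensslLib/openssl-${OPENSSL_VERSION}"
    if ! [ -f "${ossl}/edk2-patch-applied" ]; then
        ( cd "${ossl}" && patch -p1 < "../EDKII_openssl-${OPENSSL_VERSION}.patch" && touch edk2-patch-applied )
    fi
    ( cd ${S}/CryptoPkg/Library/OpensslLib && ./Install.sh )
}
```

With this layout a distro that does not want Secure Boot at all simply never builds ovmf-sb, and each recipe runs build.sh once, which is the single-build behaviour Ricardo reports; the two outputs still land in the deploy directory as ovmf.qcow2 and ovmf.secboot.qcow2, so the runqemu invocation from the commit message is unchanged.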