rpms
/
edk2
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import source and patches from RHEL version, update OpenSSL to 1.1.0e

This commit is contained in:
Paolo Bonzini 2017-11-14 16:05:26 +01:00
parent ede8d7f7db
commit 3485002d46
21 changed files with 5679 additions and 3567 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -11,3 +11,5 @@
/openssl-1.0.2j-hobbled.tar.xz
/edk2-20161105-3b25ca8.tar.gz
/edk2-20170209-296153c5.tar.xz
/edk2-20171011-92d07e4.tar.xz
/openssl-1.1.0e-hobbled.tar.xz

45
0005-BuildEnv-override-set-C-noclobber-of-sourcing-env.patch Normal file
View File

@ -0,0 +1,45 @@
From e4133f594621fa9e8936348f4d0aa4bbd2976d2f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sun, 8 Jul 2012 11:55:50 +0200
Subject: BuildEnv: override "set -C" (noclobber) of sourcing env
The BuildEnv utility is sourced (executed by the user's interactive shell)
when the user sets up the build session. Some users like to set -C
(noclobber) for some additional safety in their shells, which trips up
BuildEnv. Update the redirection operator so that it overrides noclobber.
Notes about the c9e5618 -> b9ffeab rebase:
- Adapted to new BaseTools feature (= out of tree modules).
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 7df892b6f1c0dead5b177b3866e127b684cdc001)
(cherry picked from commit 06d17db0523920d95fb18b3629f523dcd63d9499)
---
BaseTools/BuildEnv | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BaseTools/BuildEnv b/BaseTools/BuildEnv
index f748811..ff0c511 100755
--- a/BaseTools/BuildEnv
+++ b/BaseTools/BuildEnv
@@ -90,7 +90,7 @@ StoreCurrentConfiguration() {
#
OUTPUT_FILE=$CONF_PATH/BuildEnv.sh
#echo Storing current configuration into $OUTPUT_FILE
- echo "# Auto-generated by ${BASH_SOURCE[0]}" > $OUTPUT_FILE
+ echo "# Auto-generated by ${BASH_SOURCE[0]}" >| $OUTPUT_FILE
GenerateShellCodeToSetVariable WORKSPACE $OUTPUT_FILE
GenerateShellCodeToSetVariable EDK_TOOLS_PATH $OUTPUT_FILE
GenerateShellCodeToUpdatePath $OUTPUT_FILE
--
1.8.3.1

64
0006-EXCLUDE_SHELL_FROM_FD.patch
View File

@ -1,64 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 18 Feb 2016 10:52:44 +0100
Subject: [PATCH] EXCLUDE_SHELL_FROM_FD
---
OvmfPkg/OvmfPkgIa32.fdf | 2 ++
OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
OvmfPkg/OvmfPkgX64.fdf | 2 ++
3 files changed, 6 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 2a5b211..ebdab17 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -281,11 +281,13 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
INF MdeModulePkg/Logo/LogoDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 1c7df21..adf53f3 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -281,11 +281,13 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
INF MdeModulePkg/Logo/LogoDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 3bb11cb..edf1098 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -281,11 +281,13 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
INF MdeModulePkg/Logo/LogoDxe.inf

3126
0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch Normal file
View File

File diff suppressed because it is too large Load Diff

43
0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch Normal file
View File

@ -0,0 +1,43 @@
From 58e1d1ebb78bfdaf05f4c6e8abf8d4908dfa038a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 20 Feb 2014 22:54:45 +0100
Subject: OvmfPkg: increase max debug message length to 512
Upstream prefers short debug messages (sometimes even limited to 80
characters), but any line length under 512 characters is just unsuitable
for effective debugging. (For example, config strings in HII routing,
logged by the platform driver "OvmfPkg/PlatformDxe" on DEBUG_VERBOSE
level, can be several hundred characters long.) 512 is an empirically good
value.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit bfe568d18dba15602604f155982e3b73add63dfb)
(cherry picked from commit 29435a32ec9428720c74c454ce9817662e601fb6)
---
OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
index 5435767..01016c3 100644
--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
@@ -27,7 +27,7 @@
//
// Define the maximum debug and assert message length that this library supports
//
-#define MAX_DEBUG_MESSAGE_LENGTH 0x100
+#define MAX_DEBUG_MESSAGE_LENGTH 0x200
/**
This constructor function does not have to do anything.
--
1.8.3.1

32
0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch → 0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
View File

@ -1,15 +1,34 @@
From 9a8a034ebc082f86fdbb54dc1303a5059508e14c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 20 May 2014 23:41:56 +0200
Subject: [PATCH] OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim
Date: Thu, 12 Jun 2014 00:17:59 +0200
Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim
Contributed-under: TianoCore Contribution Agreement 1.0
The Int10h VBE Shim is capable of emitting short debug messages when the
win2k8r2 UEFI guest uses (emulates) the Video BIOS. In upstream the quiet
version is preferred; for us debug messages are important as a default.
For this patch, the DEBUG macro is enabled in the assembly file, and then
the header file is regenerated from the assembly, by running
"OvmfPkg/QemuVideoDxe/VbeShim.sh".
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit ccda46526bb2e573d9b54f0db75d27e442b4566f)
(cherry picked from commit ed45b26dbeadd63dd8f2edf627290957d8bbb3b2)
---
OvmfPkg/QemuVideoDxe/VbeShim.asm | 2 +-
OvmfPkg/QemuVideoDxe/VbeShim.h | 481 +++++++++++++++++++++++++--------------
2 files changed, 308 insertions(+), 175 deletions(-)
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
index 18fa920..9a185f2 100644
index 18fa920..f87ed5c 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
@@ -18,7 +18,7 @@
@ -22,7 +41,7 @@ index 18fa920..9a185f2 100644
%macro DebugLog 1
%ifdef DEBUG
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.h b/OvmfPkg/QemuVideoDxe/VbeShim.h
index cc9b6e1..db37f1d 100644
index cc9b6e1..325d647 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.h
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.h
@@ -517,185 +517,318 @@ STATIC CONST UINT8 mVbeShim[] = {
@ -518,3 +537,6 @@ index cc9b6e1..db37f1d 100644
+ /* 00000459 or al,[fs:bx+si] */ 0x64, 0x0A, 0x00,
};
#endif
--
1.8.3.1

36
0008-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch → 0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
View File

@ -1,6 +1,7 @@
From d2066c1748f885043026c51dec1bc8d6d406ae8f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 18:40:35 +0100
Subject: [PATCH] MdeModulePkg: TerminalDxe: add other text resolutions
Subject: MdeModulePkg: TerminalDxe: add other text resolutions
When the console output is multiplexed to several devices by
ConSplitterDxe, then ConSplitterDxe builds an intersection of text modes
@ -11,7 +12,7 @@ Two notable output devices are provided by:
(2) MdeModulePkg/Universal/Console/TerminalDxe.
GraphicsConsoleDxe supports four modes at most -- see
InitializeGraphicsConsoleTextMode():
InitializeGraphicsConsoleTextMode() and "mGraphicsConsoleModeData":
(1a) 80x25 (required by the UEFI spec as mode 0),
(1b) 80x50 (not necessarily supported, but if it is, then the UEFI spec
@ -25,13 +26,13 @@ InitializeGraphicsConsoleTextMode():
The automatic "full screen resolution" makes GraphicsConsoleDxe's
character console very flexible. However, TerminalDxe (which runs on
serial ports) only provides the following fixed resolutions -- see
InitializeTerminalConsoleTextMode():
InitializeTerminalConsoleTextMode() and "mTerminalConsoleModeData":
(2a) 80x25 (required by the UEFI spec as mode 0),
(2b) 80x50 (since the character resolution of a serial device cannot be
interrogated easily, this is added unconditionally as mode 1)
(2c) modes 2 and above come from "mTerminalConsoleModeData". This table
currently only contains one mode, 100x31.
interrogated easily, this is added unconditionally as mode 1),
(2c) 100x31 (since the character resolution of a serial device cannot be
interrogated easily, this is added unconditionally as mode 2).
When ConSplitterDxe combines (1) and (2), multiplexing console output to
both video output and serial terminal, the list of commonly supported text
@ -53,14 +54,28 @@ the most frequent (1d) values from the intersection, and eg. the MODE
command in the UEFI shell will offer the "best" (ie. full screen)
resolution too.
Contributed-under: TianoCore Contribution Agreement 1.0
Upstream status: three calendar months (with on-and-off discussion and
patches) have not been enough to find a solution to this problem that
would please all stakeholders.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- adapt commit 0bc77c63de03 (code and commit message) to upstream commit
390b95a49c14 ("MdeModulePkg/TerminalDxe: Refine
InitializeTerminalConsoleTextMode", 2017-01-10).
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 99dc3720ac86059f60156197328cc433603c536e)
---
.../Universal/Console/TerminalDxe/Terminal.c | 41 ++++++++++++++++++++--
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
index 5d55969..13620ac 100644
index 60de2d4..c90879b 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
@@ -113,9 +113,44 @@ TERMINAL_DEV mTerminalDevTemplate = {
@ -71,7 +86,7 @@ index 5d55969..13620ac 100644
- {80, 50},
- {100, 31},
+ { 80, 25 }, // from graphics resolution 640 x 480
+ { 80, 50 }, // from graphics resolution 640 x 480
+ { 80, 50 }, // from graphics resolution 640 x 960
+ { 100, 25 }, // from graphics resolution 800 x 480
+ { 100, 31 }, // from graphics resolution 800 x 600
+ { 104, 32 }, // from graphics resolution 832 x 624
@ -111,3 +126,6 @@ index 5d55969..13620ac 100644
//
// New modes can be added here.
//
--
1.8.3.1

130
0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch Normal file
View File

@ -0,0 +1,130 @@
From b9c5c901f25e48d68eef6e78a4abca00e153f574 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 22:40:01 +0100
Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
only)
The
CSI Ps ; Ps ; Ps t
escape sequence serves for window manipulation. We can use the
CSI 8 ; <rows> ; <columns> t
sequence to adapt eg. the xterm window size to the selected console mode.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- refresh commit 519b9751573e against various context changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec"
context change from upstream commits e043f7895b83 ("MdeModulePkg: Add
PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2
("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03).
Reference: <http://rtfm.etla.org/xterm/ctlseq.html>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444)
---
MdeModulePkg/MdeModulePkg.dec | 4 +++
.../Universal/Console/TerminalDxe/TerminalConOut.c | 30 ++++++++++++++++++++++
.../Universal/Console/TerminalDxe/TerminalDxe.inf | 2 ++
3 files changed, 36 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a3c0633..cd0264e 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1758,6 +1758,10 @@
# @Prompt The address mask when memory encryption is enabled.
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0|UINT64|0x30001047
+ ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
+ # mode change.
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080
+
[PcdsPatchableInModule]
## Specify memory size with page number for PEI code when
# Loading Module at Fixed Address feature is enabled.
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
index e677a76..e2bdc31 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
+#include <Library/PrintLib.h>
+
#include "Terminal.h"
//
@@ -87,6 +89,16 @@ CHAR16 mCursorForwardString[] = { ESC, '[', '0', '0', 'C', 0 };
CHAR16 mCursorBackwardString[] = { ESC, '[', '0', '0', 'D', 0 };
//
+// Note that this is an ASCII format string, taking two INT32 arguments:
+// rows, columns.
+//
+// A %d (INT32) format specification can expand to at most 11 characters.
+//
+CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt";
+#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2))
+
+
+//
// Body of the ConOut functions
//
@@ -508,6 +520,24 @@ TerminalConOutSetMode (
return EFI_DEVICE_ERROR;
}
+ if (PcdGetBool (PcdResizeXterm)) {
+ CHAR16 ResizeSequence[RESIZE_SEQ_SIZE];
+
+ UnicodeSPrintAsciiFormat (
+ ResizeSequence,
+ sizeof ResizeSequence,
+ mResizeTextAreaFormatString,
+ (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows,
+ (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns
+ );
+ TerminalDevice->OutputEscChar = TRUE;
+ Status = This->OutputString (This, ResizeSequence);
+ TerminalDevice->OutputEscChar = FALSE;
+ if (EFI_ERROR (Status)) {
+ return EFI_DEVICE_ERROR;
+ }
+ }
+
This->Mode->Mode = (INT32) ModeNumber;
Status = This->ClearScreen (This);
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
index 0780296..bd2ba82 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
@@ -60,6 +60,7 @@
DebugLib
PcdLib
BaseLib
+ PrintLib
[Guids]
## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
@@ -88,6 +89,7 @@
[Pcd]
gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## CONSUMES
# [Event]
# # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.
--
1.8.3.1

30
0010-VfrCompile-fix-invalid-comparison-between-pointer-an.patch
View File

@ -1,30 +0,0 @@
From 06c3814868bebbe7f2cd9a51c11fbfc407c14349 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 13 Feb 2017 13:49:14 +0100
Subject: [PATCH] VfrCompile: fix invalid comparison between pointer and
integer
This would be valid C but is not valid C++, so change the comparison
to do what it has always been doing.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
index 3ca57ed..2f97975 100644
--- a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
+++ b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
@@ -3372,7 +3372,7 @@ CVfrStringDB::GetVarStoreNameFormStringId (
UINT8 BlockType;
EFI_HII_STRING_PACKAGE_HDR *PkgHeader;
- if (mStringFileName == '\0' ) {
+ if (mStringFileName == NULL) {
return NULL;
}
--
2.9.3

91
0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch Normal file
View File

@ -0,0 +1,91 @@
From b311932d3841c017a0f0fec553edcac365cc2038 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 15:59:06 +0200
Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- refresh downstream-only commit 8abc2a6ddad2 against context differences
in the DSC files from upstream commit 5e167d7e784c
("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if
SMM_REQUIRE", 2017-03-12).
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721)
(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d)
---
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/PlatformPei/Platform.c | 1 +
OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
5 files changed, 5 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 8af11ff..61e606a 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -504,6 +504,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 9e09a50..bfe3baf 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -510,6 +510,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index a31dbf1..4365a7b 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -509,6 +509,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 5a78668..544ac54 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -670,6 +670,7 @@ InitializePlatform (
PeiFvInitialization ();
MemMapInitialization ();
NoexecDxeInitialization ();
+ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
}
AmdSevInitialize ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 16a8db7..9f89e08 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -90,6 +90,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
--
1.8.3.1

37
0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch Normal file
View File

@ -0,0 +1,37 @@
From 22b073005af491eef177ef5f80ffe71c1ebabb03 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 12 Apr 2016 20:50:25 +0200
Subject: ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules (RH only)
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 8e2153358aa2bba2c91faa87a70beadcaae03fd8)
(cherry picked from commit 5af259a93f4bbee5515ae18638068125e170f2cd)
---
ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
index eff4a21..adf1ff6 100644
--- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
+++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
@@ -22,7 +22,7 @@
FILE_GUID = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
MODULE_TYPE = BASE
VERSION_STRING = 1.0
- LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER
+ LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER UEFI_DRIVER
CONSTRUCTOR = QemuFwCfgInitialize
--
1.8.3.1

198
0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch Normal file
View File

@ -0,0 +1,198 @@
From c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sun, 26 Jul 2015 08:02:50 +0000
Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such
setter functions for dynamic PCDs that don't return a status code (such
as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds --
there's really no circumstance in this case when it could fail.
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- Refresh downstream-only commit d4564d39dfdb against context changes in
"ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870
("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable
override", 2017-03-29).
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262)
---
ArmVirtPkg/ArmVirtQemu.dsc | 7 +-
.../TerminalPcdProducerLib.c | 87 ++++++++++++++++++++++
.../TerminalPcdProducerLib.inf | 41 ++++++++++
3 files changed, 134 insertions(+), 1 deletion(-)
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 045333d..2b1a383 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -212,6 +212,8 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
@@ -284,7 +286,10 @@
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
- MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+ MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf {
+ <LibraryClasses>
+ NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+ }
MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
new file mode 100644
index 0000000..814ad48
--- /dev/null
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
@@ -0,0 +1,87 @@
+/** @file
+* Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
+*
+* Copyright (C) 2015-2016, Red Hat, Inc.
+* Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
+*
+* This program and the accompanying materials are licensed and made available
+* under the terms and conditions of the BSD License which accompanies this
+* distribution. The full text of the license may be found at
+* http://opensource.org/licenses/bsd-license.php
+*
+* THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+* WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+* IMPLIED.
+*
+**/
+
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/QemuFwCfgLib.h>
+
+STATIC
+RETURN_STATUS
+GetNamedFwCfgBoolean (
+ IN CONST CHAR8 *FwCfgFileName,
+ OUT BOOLEAN *Setting
+ )
+{
+ RETURN_STATUS Status;
+ FIRMWARE_CONFIG_ITEM FwCfgItem;
+ UINTN FwCfgSize;
+ UINT8 Value[3];
+
+ Status = QemuFwCfgFindFile (FwCfgFileName, &FwCfgItem, &FwCfgSize);
+ if (RETURN_ERROR (Status)) {
+ return Status;
+ }
+ if (FwCfgSize > sizeof Value) {
+ return RETURN_BAD_BUFFER_SIZE;
+ }
+ QemuFwCfgSelectItem (FwCfgItem);
+ QemuFwCfgReadBytes (FwCfgSize, Value);
+
+ if ((FwCfgSize == 1) ||
+ (FwCfgSize == 2 && Value[1] == '\n') ||
+ (FwCfgSize == 3 && Value[1] == '\r' && Value[2] == '\n')) {
+ switch (Value[0]) {
+ case '0':
+ case 'n':
+ case 'N':
+ *Setting = FALSE;
+ return RETURN_SUCCESS;
+
+ case '1':
+ case 'y':
+ case 'Y':
+ *Setting = TRUE;
+ return RETURN_SUCCESS;
+
+ default:
+ break;
+ }
+ }
+ return RETURN_PROTOCOL_ERROR;
+}
+
+#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName) \
+ do { \
+ BOOLEAN Setting; \
+ RETURN_STATUS PcdStatus; \
+ \
+ if (!RETURN_ERROR (GetNamedFwCfgBoolean ( \
+ "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
+ PcdStatus = PcdSetBoolS (TokenName, Setting); \
+ ASSERT_RETURN_ERROR (PcdStatus); \
+ } \
+ } while (0)
+
+RETURN_STATUS
+EFIAPI
+TerminalPcdProducerLibConstructor (
+ VOID
+ )
+{
+ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
+ return RETURN_SUCCESS;
+}
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
new file mode 100644
index 0000000..fecb37b
--- /dev/null
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
@@ -0,0 +1,41 @@
+## @file
+# Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
+#
+# Copyright (C) 2015-2016, Red Hat, Inc.
+# Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
+#
+# This program and the accompanying materials are licensed and made available
+# under the terms and conditions of the BSD License which accompanies this
+# distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = TerminalPcdProducerLib
+ FILE_GUID = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TerminalPcdProducerLib|DXE_DRIVER
+ CONSTRUCTOR = TerminalPcdProducerLibConstructor
+
+[Sources]
+ TerminalPcdProducerLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ DebugLib
+ PcdLib
+ QemuFwCfgLib
+
+[Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
--
1.8.3.1

112
0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch Normal file
View File

@ -0,0 +1,112 @@
From 23df46ebbe7b09451d3a05034acd4d3a25e7177b Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:53 +0100
Subject: OvmfPkg: allow exclusion of the shell from the firmware image
When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
binary from the firmware image.
Peter Jones advised us that firmware vendors for physical systems disable
the memory-mapped, firmware image-contained UEFI shell in
SecureBoot-enabled builds. The reason being that the memory-mapped shell
can always load, it may have direct access to various hardware in the
system, and it can run UEFI shell scripts (which cannot be signed at all).
Intended use of the new build option:
- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant
firmware image will contain a shell binary, independently of SecureBoot
enablement, which is flexible for interactive development. (Ie. no
change for in-tree builds.)
- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and
'-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide:
- OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell,
- OVMF_VARS.fd: variable store template matching OVMF_CODE.fd,
- UefiShell.iso: a bootable ISO image with the shell on it as default
boot loader. The shell binary will load when SecureBoot is turned off,
and won't load when SecureBoot is turned on (because it is not
signed).
UefiShell.iso is the reason we're not excluding the shell from the DSC
files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD'
is specified, the shell binary needs to be built the same, only it
will be included in UefiShell.iso.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd)
(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933)
---
OvmfPkg/OvmfPkgIa32.fdf | 2 ++
OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
OvmfPkg/OvmfPkgX64.fdf | 2 ++
3 files changed, 6 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index a967904..366d6bf 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -284,11 +284,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index f5a1d86..e4ca33e 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -285,11 +285,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 0bba313..3196b26 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -285,11 +285,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!ifndef $(USE_OLD_SHELL)
INF ShellPkg/Application/Shell/Shell.inf
!else
INF RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
!endif
+!endif
!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
--
1.8.3.1

492
0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch → 0015-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
View File

@ -1,11 +1,7 @@
From da502f7cc283055a65ab3caeaa62eb5c6a6fddb5 Mon Sep 17 00:00:00 2001
From 92424de98ffaf1fa81e6346949b1d2b5f9a637ca Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 6 Jul 2015 20:22:02 +0200
Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
keys
(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
to Gerd's public RPMs.)
Date: Tue, 4 Nov 2014 23:02:55 +0100
Subject: OvmfPkg: EnrollDefaultKeys: application for enrolling default keys
This application is meant to be invoked by the management layer, after
booting the UEFI shell and getting a shell prompt on the serial console.
@ -27,7 +23,33 @@ PK:
- A unique, static, ad-hoc certificate whose private half has been
destroyed (more precisely, never saved) and is therefore unusable for
signing. (The command for creating this certificate is saved in the
source code.)
source code.) Background:
On 09/30/14 20:00, Peter Jones wrote:
> We should generate a special key that's not in our normal signing chains
> for PK and KEK. The reason for this is that [in practice] PK gets
> treated as part of DB (*).
>
> [Shipping a key in our normal signing chains] as PK means you can run
> grub directly, in which case it won't have access to the shim protocol.
> When grub is run without the shim protocol registered, it assumes SB is
> disabled and boots without verifying the kernel. We don't want that to
> be a thing you can do, but allowing that is the inevitable result of
> shipping with any of our normal signing chain in PK or KEK.
>
> (* USRT has actually agreed that since you can escalate to this behavior
> if you have the secret half of a key in KEK or PK anyway, and many
> vendors had already shipped it this way, that it is fine and I think
> even *expected* at this point, even though it wasn't formally in the
> UEFI 2.3.1 Spec that introduced Secure Boot. I'll try and make sure the
> language reflects that in an upcoming spec revision.)
>
> So let me get SRT to issue a special key to use for PK and KEK. We can
> use it just for those operations, and make sure it's protected with the
> same processes and controls as our other signing keys.
Until SRT generates such a key for us, this ad-hoc key should be a good
placeholder.
KEK:
- same ad-hoc certificate as used for the PK,
@ -41,24 +63,149 @@ DB:
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
oproms.
Contributed-under: TianoCore Contribution Agreement 1.0
*UPDATE*
OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)
Replace the placeholder ExampleCert with a certificate generated and
managed by the Red Hat Security Response Team.
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
> Validity
> Not Before: Oct 31 11:15:37 2014 GMT
> Not After : Oct 25 11:15:37 2037 GMT
> Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:90:1f:84:7b:8d:bc:eb:97:26:82:6d:88:ab:8a:
> c9:8c:68:70:f9:df:4b:07:b2:37:83:0b:02:c8:67:
> 68:30:9e:e3:f0:f0:99:4a:b8:59:57:c6:41:f6:38:
> 8b:fe:66:4c:49:e9:37:37:92:2e:98:01:1e:5b:14:
> 50:e6:a8:8d:25:0d:f5:86:e6:ab:30:cb:40:16:ea:
> 8d:8b:16:86:70:43:37:f2:ce:c0:91:df:71:14:8e:
> 99:0e:89:b6:4c:6d:24:1e:8c:e4:2f:4f:25:d0:ba:
> 06:f8:c6:e8:19:18:76:73:1d:81:6d:a8:d8:05:cf:
> 3a:c8:7b:28:c8:36:a3:16:0d:29:8c:99:9a:68:dc:
> ab:c0:4d:8d:bf:5a:bb:2b:a9:39:4b:04:97:1c:f9:
> 36:bb:c5:3a:86:04:ae:af:d4:82:7b:e0:ab:de:49:
> 05:68:fc:f6:ae:68:1a:6c:90:4d:57:19:3c:64:66:
> 03:f6:c7:52:9b:f7:94:cf:93:6a:a1:68:c9:aa:cf:
> 99:6b:bc:aa:5e:08:e7:39:1c:f7:f8:0f:ba:06:7e:
> f1:cb:e8:76:dd:fe:22:da:ad:3a:5e:5b:34:ea:b3:
> c9:e0:4d:04:29:7e:b8:60:b9:05:ef:b5:d9:17:58:
> 56:16:60:b9:30:32:f0:36:4a:c3:f2:79:8d:12:40:
> 70:f3
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
> X509v3 Authority Key Identifier:
> keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
>
> Signature Algorithm: sha256WithRSAEncryption
> 5c:4d:92:88:b4:82:5f:1d:ad:8b:11:ec:df:06:a6:7a:a5:2b:
> 9f:37:55:0c:8d:6e:05:00:ad:b7:0c:41:89:69:cf:d6:65:06:
> 9b:51:78:d2:ad:c7:bf:9c:dc:05:73:7f:e7:1e:39:13:b4:ea:
> b6:30:7d:40:75:ab:9c:43:0b:df:b0:c2:1b:bf:30:e0:f4:fe:
> c0:db:62:21:98:f6:c5:af:de:3b:4f:49:0a:e6:1e:f9:86:b0:
> 3f:0d:d6:d4:46:37:db:54:74:5e:ff:11:c2:60:c6:70:58:c5:
> 1c:6f:ec:b2:d8:6e:6f:c3:bc:33:87:38:a4:f3:44:64:9c:34:
> 3b:28:94:26:78:27:9f:16:17:e8:3b:69:0a:25:a9:73:36:7e:
> 9e:37:5c:ec:e8:3f:db:91:f9:12:b3:3d:ce:e7:dd:15:c3:ae:
> 8c:05:20:61:9b:95:de:9b:af:fa:b1:5c:1c:e5:97:e7:c3:34:
> 11:85:f5:8a:27:26:a4:70:36:ec:0c:f6:83:3d:90:f7:36:f3:
> f9:f3:15:d4:90:62:be:53:b4:af:d3:49:af:ef:f4:73:e8:7b:
> 76:e4:44:2a:37:ba:81:a4:99:0c:3a:31:24:71:a0:e4:e4:b7:
> 1a:cb:47:e4:aa:22:cf:ef:75:61:80:e3:43:b7:48:57:73:11:
> 3d:78:9b:69
> -----BEGIN CERTIFICATE-----
> MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
> BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
> 9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
> MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
> RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
> +d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
> huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
> bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
> 3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
> y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
> AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
> YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
> HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
> ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
> 3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
> 1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
> qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
> NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
> R+SqIs/vdWGA40O3SFdzET14m2k=
> -----END CERTIFICATE-----
Notes about the 9ece15a -> c9e5618 rebase:
- resolved conflicts in:
OvmfPkg/OvmfPkgIa32.dsc
OvmfPkg/OvmfPkgIa32X64.dsc
OvmfPkg/OvmfPkgX64.dsc
due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
disappeared in upstream (commit 57446bb9).
Notes about the c9e5618 -> b9ffeab rebase:
- Guid/VariableFormat.h now lives under MdeModulePkg.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- This patch now squashes the following commits:
- 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
default keys (RH only)
- 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
it (RH only)
- ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
only)
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- This patch now squashes the following commits:
- c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
default keys (RH only)
- 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
Windows HCK (RH)
- ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
EnrollListOfCerts (RH)
- aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
for Windows HCK (RH)
- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
directory at the "RHEL-7.4" tag (49d06d386736).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
---
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 963 ++++++++++++++++++++++++
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 51 ++
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 1015 +++++++++++++++++++++++
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 52 ++
OvmfPkg/OvmfPkgIa32.dsc | 4 +
OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
OvmfPkg/OvmfPkgX64.dsc | 4 +
5 files changed, 1026 insertions(+)
5 files changed, 1079 insertions(+)
create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
new file mode 100644
index 0000000..447288f
index 0000000..dd413df
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -0,0 +1,963 @@
@@ -0,0 +1,1015 @@
+/** @file
+ Enroll default PK, KEK, DB.
+
@ -83,117 +230,85 @@ index 0000000..447288f
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+
+//
+// The example self-signed certificate below, which we'll use for both Platform
+// Key, and first Key Exchange Key, has been generated with the following
+// non-interactive openssl command. The passphrase is read from /dev/urandom,
+// and not saved, and the private key is written to /dev/null. In other words,
+// we can't sign anything else against this certificate, which is our purpose.
+// We'll use the certificate below as both Platform Key and as first Key
+// Exchange Key.
+//
+/*
+ openssl req \
+ -passout file:<(head -c 16 /dev/urandom) \
+ -x509 \
+ -newkey rsa:2048 \
+ -keyout /dev/null \
+ -outform DER \
+ -subj $(
+ printf /C=US
+ printf /ST=TestStateOrProvince
+ printf /L=TestLocality
+ printf /O=TestOrganization
+ printf /OU=TestOrganizationalUnit
+ printf /CN=TestCommonName
+ printf /emailAddress=test@example.com
+ ) \
+ 2>/dev/null \
+ | xxd -i
+*/
+STATIC CONST UINT8 ExampleCert[] = {
+ 0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
+//
+STATIC CONST UINT8 RedHatPkKek1[] = {
+ 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
+ 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+ 0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+ 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
+ 0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
+ 0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
+ 0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
+ 0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
+ 0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
+ 0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
+ 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
+ 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
+ 0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
+ 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
+ 0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+ 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+ 0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
+ 0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
+ 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+ 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
+ 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
+ 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+ 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
+ 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
+ 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
+ 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
+ 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
+ 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
+ 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
+ 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
+ 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
+ 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
+ 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
+ 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
+ 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
+ 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
+ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+ 0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
+ 0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
+ 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
+ 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
+ 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
+ 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
+ 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
+ 0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
+ 0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
+ 0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
+ 0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
+ 0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
+ 0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
+ 0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
+ 0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
+ 0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
+ 0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
+ 0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
+ 0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
+ 0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
+ 0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
+ 0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
+ 0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
+ 0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
+ 0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
+ 0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
+ 0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
+ 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
+ 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
+ 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
+ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
+ 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
+ 0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+ 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
+ 0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
+ 0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
+ 0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
+ 0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
+ 0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
+ 0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
+ 0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
+ 0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
+ 0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
+ 0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
+ 0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
+ 0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
+ 0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
+ 0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
+ 0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
+ 0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
+ 0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
+ 0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
+ 0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
+ 0x26, 0x5b, 0xc0, 0x3d, 0xc7
+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
+ 0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
+ 0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
+ 0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
+ 0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
+ 0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
+ 0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
+ 0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
+ 0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
+ 0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
+ 0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
+ 0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
+ 0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
+ 0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
+ 0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
+ 0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
+ 0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
+ 0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
+ 0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
+ 0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
+ 0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
+ 0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
+ 0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
+ 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
+ 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
+ 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+ 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
+ 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
+ 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
+ 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
+ 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+ 0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
+ 0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
+ 0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
+ 0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
+ 0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
+ 0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
+ 0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
+ 0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
+ 0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
+ 0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
+ 0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
+ 0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
+ 0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
+ 0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
+ 0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
+ 0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
+ 0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
+ 0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
+ 0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
+ 0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
+};
+
+//
@ -578,6 +693,71 @@ index 0000000..447288f
+};
+
+//
+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
+// expects that the "dbx" variable exist.
+//
+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
+// writes (excerpt):
+//
+// Windows 8.1 Secure Boot Key Creation and Management Guidance
+// 1. Secure Boot, Windows 8.1 and Key Management
+// 1.4 Signature Databases (Db and Dbx)
+// 1.4.3 Forbidden Signature Database (dbx)
+//
+// The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
+// verifying images before checking db and any matches must prevent the
+// image from executing. The database may contain multiple certificates,
+// keys, and hashes in order to identify forbidden images. The Windows
+// Hardware Certification Requirements state that a dbx must be present, so
+// any dummy value, such as the SHA-256 hash of 0, may be used as a safe
+// placeholder until such time as Microsoft begins delivering dbx updates.
+//
+// The byte array below captures the SHA256 checksum of the empty file,
+// blacklisting it for loading & execution. This qualifies as a dummy, since
+// the empty file is not a valid UEFI binary anyway.
+//
+// Technically speaking, we could also capture an official (although soon to be
+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
+// the terms and conditions on distributing that binary aren't exactly light
+// reading, so let's best steer clear of it, and follow the "dummy entry"
+// practice recommended -- in natural English langauge -- in the
+// above-referenced TechNet article.
+//
+STATIC CONST UINT8 mSha256OfDevNull[] = {
+ 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
+ 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
+ 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
+};
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
+ 0x77fa9abd, 0x0359, 0x4d32,
+ { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
+};
+
+//
+// The most important thing about the variable payload is that it is a list of
+// lists, where the element size of any given *inner* list is constant.
+//
@ -669,8 +849,7 @@ index 0000000..447288f
+#pragma pack()
+
+/**
+ Enroll a set of DER-formatted X.509 certificates in a global variable,
+ overwriting it.
+ Enroll a set of certificates in a global variable, overwriting it.
+
+ The variable will be rewritten with NV+BS+RT+AT attributes.
+
@ -679,6 +858,12 @@ index 0000000..447288f
+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to
+ overwrite.
+
+ @param[in] CertType The GUID determining the type of all the
+ certificates in the set that is passed in. For
+ example, gEfiCertX509Guid stands for DER-encoded
+ X.509 certificates, while gEfiCertSha256Guid stands
+ for SHA256 image hashes.
+
+ @param[in] ... A list of
+
+ IN CONST UINT8 *Cert,
@ -688,9 +873,9 @@ index 0000000..447288f
+ triplets. If the first component of a triplet is
+ NULL, then the other two components are not
+ accessed, and processing is terminated. The list of
+ X.509 certificates is enrolled in the variable
+ specified, overwriting it. The OwnerGuid component
+ identifies the agent installing the certificate.
+ certificates is enrolled in the variable specified,
+ overwriting it. The OwnerGuid component identifies
+ the agent installing the certificate.
+
+ @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert
+ value is NULL), or one of the CertSize values
@ -709,9 +894,10 @@ index 0000000..447288f
+STATIC
+EFI_STATUS
+EFIAPI
+EnrollListOfX509Certs (
+EnrollListOfCerts (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN EFI_GUID *CertType,
+ ...
+ )
+{
@ -730,7 +916,7 @@ index 0000000..447288f
+ // compute total size first, for UINT32 range check, and allocation
+ //
+ DataSize = sizeof *SingleHeader;
+ VA_START (Marker, VendorGuid);
+ VA_START (Marker, CertType);
+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
+ Cert != NULL;
+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
@ -791,7 +977,7 @@ index 0000000..447288f
+ CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
+ Position += sizeof *SingleHeader;
+
+ VA_START (Marker, VendorGuid);
+ VA_START (Marker, CertType);
+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
+ Cert != NULL;
+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
@ -802,7 +988,7 @@ index 0000000..447288f
+ OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
+
+ RepeatingHeader = (REPEATING_HEADER *)Position;
+ CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
+ CopyGuid (&RepeatingHeader->SignatureType, CertType);
+ RepeatingHeader->SignatureListSize =
+ (UINT32)(sizeof *RepeatingHeader + CertSize);
+ RepeatingHeader->SignatureHeaderSize = 0;
@ -967,30 +1153,43 @@ index 0000000..447288f
+ }
+ }
+
+ Status = EnrollListOfX509Certs (
+ Status = EnrollListOfCerts (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid,
+ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
+ &gEfiCertX509Guid,
+ MicrosoftPCA, sizeof MicrosoftPCA, &mMicrosoftOwnerGuid,
+ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ return 1;
+ }
+
+ Status = EnrollListOfX509Certs (
+ Status = EnrollListOfCerts (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ &gEfiCertSha256Guid,
+ mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ return 1;
+ }
+
+ Status = EnrollListOfCerts (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ ExampleCert, sizeof ExampleCert, &gEfiCallerIdGuid,
+ MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
+ &gEfiCertX509Guid,
+ RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
+ MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ return 1;
+ }
+
+ Status = EnrollListOfX509Certs (
+ Status = EnrollListOfCerts (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
+ &gEfiCertX509Guid,
+ RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ return 1;
@ -1024,10 +1223,10 @@ index 0000000..447288f
+}
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
new file mode 100644
index 0000000..ac919bb
index 0000000..0ad86a2
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -0,0 +1,51 @@
@@ -0,0 +1,52 @@
+## @file
+# Enroll default PK, KEK, DB.
+#
@ -1066,6 +1265,7 @@ index 0000000..ac919bb
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
@ -1080,10 +1280,10 @@ index 0000000..ac919bb
+ UefiLib
+ UefiRuntimeServicesTableLib
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 8af3267..6fb5c9c 100644
index 61e606a..b0ad6e9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -749,6 +749,10 @@
@@ -821,6 +821,10 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@ -1095,10 +1295,10 @@ index 8af3267..6fb5c9c 100644
OvmfPkg/PlatformDxe/Platform.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 4bb38d0..e5abaff 100644
index bfe3baf..bf749d7 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -758,6 +758,10 @@
@@ -830,6 +830,10 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@ -1110,10 +1310,10 @@ index 4bb38d0..e5abaff 100644
OvmfPkg/PlatformDxe/Platform.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index be3aa1f..4c36a7d 100644
index 4365a7b..b677d15 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -756,6 +756,10 @@
@@ -828,6 +828,10 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

56
0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch Normal file
View File

@ -0,0 +1,56 @@
From 6734b88cf7abcaf42632e3d2fc469b2169dd2f16 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:49:43 +0200
Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
Drew has proposed that ARM|AARCH64 platform firmware (especially virtual
machine firmware) print a reasonably early, simple hello message to the
serial port, regardless of debug mask settings. This should inform
interactive users, and provide some rough help in localizing boot
problems, even with restrictive debug masks.
If a platform doesn't want this feature, it should stick with the default
empty string.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
Downstream only:
<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Suggested-by: Drew Jones <drjones@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 7ce97b06421434c82095f01a1753a8c9c546cc30)
(cherry picked from commit 20b1f1cbd0590aa71c6d99d35e23cf08e0707750)
---
ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
index 2d82ead..2380609 100644
--- a/ArmPlatformPkg/ArmPlatformPkg.dec
+++ b/ArmPlatformPkg/ArmPlatformPkg.dec
@@ -126,6 +126,13 @@
gArmPlatformTokenSpaceGuid.PcdDefaultConInPaths|L""|VOID*|0x0000001B
gArmPlatformTokenSpaceGuid.PcdDefaultConOutPaths|L""|VOID*|0x0000001C
+ #
+ # Early hello message (ASCII string), printed to the serial port.
+ # If set to the empty string, nothing is printed.
+ # Otherwise, a trailing CRLF should be specified explicitly.
+ #
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|""|VOID*|0x00000100
+
[PcdsFixedAtBuild.common,PcdsDynamic.common]
## PL031 RealTimeClock
gArmPlatformTokenSpaceGuid.PcdPL031RtcBase|0x0|UINT32|0x00000024
--
1.8.3.1

105
0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch Normal file
View File

@ -0,0 +1,105 @@
From 93d69eb9393cf05af90676253875c59c1bec67fd Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:59:20 +0200
Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
port (RH)
The FixedPcdGetSize() macro expands to an integer constant, therefore an
optimizing compiler can eliminate the new code, if the platform DSC
doesn't override the empty string (size=1) default of
PcdEarlyHelloMessage.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
Downstream only:
<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit b16c4c505ce0e27305235533eac9236aa66f132e)
(cherry picked from commit 742e5bf6d5ce5a1e73879d6e5c0dd00feda7a9ac)
---
ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++
ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++
ArmPlatformPkg/PrePeiCore/PrePeiCore.h | 1 +
ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf | 2 ++
ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf | 2 ++
5 files changed, 15 insertions(+)
diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
index dc47adb..cbd7223 100644
--- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
@@ -117,6 +117,11 @@ PrimaryMain (
UINTN TemporaryRamBase;
UINTN TemporaryRamSize;
+ if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
+ SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
+ FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
+ }
+
CreatePpiList (&PpiListSize, &PpiList);
// Enable the GIC Distributor
diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
index 134a469..af39fc0 100644
--- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
@@ -35,6 +35,11 @@ PrimaryMain (
UINTN TemporaryRamBase;
UINTN TemporaryRamSize;
+ if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
+ SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
+ FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
+ }
+
CreatePpiList (&PpiListSize, &PpiList);
// Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
index 1608946..bf843d7 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
@@ -21,6 +21,7 @@
#include <Library/DebugLib.h>
#include <Library/IoLib.h>
#include <Library/PcdLib.h>
+#include <Library/SerialPortLib.h>
#include <PiPei.h>
#include <Ppi/TemporaryRamSupport.h>
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
index ecdbccb..dd3447c 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
@@ -72,6 +72,8 @@
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
+
gArmTokenSpaceGuid.PcdGicDistributorBase
gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
gArmTokenSpaceGuid.PcdGicSgiIntId
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
index b5d4e38..fdbdc82 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
@@ -69,3 +69,5 @@
gArmPlatformTokenSpaceGuid.PcdCPUCoresStackBase
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
--
1.8.3.1

42
0018-ArmVirtPkg-set-early-hello-message.patch Normal file
View File

@ -0,0 +1,42 @@
From ce3f59d0710c24c162d5222bbf5cd7e36180c80c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 14:07:17 +0200
Subject: ArmVirtPkg: set early hello message (RH only)
Print a friendly banner on QEMU, regardless of debug mask settings.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
Downstream only:
<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 5d4a15b9019728b2d96322bc679099da49916925)
(cherry picked from commit 179df76dbb0d199bd905236e98775b4059c6502a)
---
ArmVirtPkg/ArmVirtQemu.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 2b1a383..ef6eaf1 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -93,6 +93,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE
[PcdsFixedAtBuild.common]
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n"
gArmPlatformTokenSpaceGuid.PcdCoreCount|1
!if $(ARCH) == AARCH64
gArmTokenSpaceGuid.PcdVFPEnabled|1
--
1.8.3.1

56
0009-Tweak-the-tools_def-to-support-cross-compiling.patch → 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
View File

@ -10,7 +10,7 @@ These files are meant for customization, so this is not upstream.
1 file changed, 161 insertions(+), 182 deletions(-)
diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
index 39fda78..97f5557 100755
index e93c2a0..2fc16c1 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
@@ -178,27 +178,6 @@ DEFINE CYGWIN_BINIA32 = c:/cygwin/opt/tiano/i386-tiano-pe/i386-tiano-pe
@ -41,7 +41,7 @@ index 39fda78..97f5557 100755
DEFINE UNIX_IASL_BIN = ENV(IASL_PREFIX)iasl
DEFINE WIN_IASL_BIN = ENV(IASL_PREFIX)iasl.exe
DEFINE WIN_ASL_BIN = ENV(IASL_PREFIX)asl.exe
@@ -4590,7 +4569,7 @@ DEFINE GCC5_AARCH64_ASLDLINK_FLAGS = DEF(GCC49_AARCH64_ASLDLINK_FLAGS)
@@ -4598,7 +4577,7 @@ DEFINE GCC5_AARCH64_ASLDLINK_FLAGS = DEF(GCC49_AARCH64_ASLDLINK_FLAGS)
####################################################################################
*_GCC44_*_*_FAMILY = GCC
@ -50,7 +50,7 @@ index 39fda78..97f5557 100755
*_GCC44_*_*_DLL = ENV(GCC44_DLL)
*_GCC44_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -4605,17 +4584,17 @@ DEFINE GCC5_AARCH64_ASLDLINK_FLAGS = DEF(GCC49_AARCH64_ASLDLINK_FLAGS)
@@ -4613,17 +4592,17 @@ DEFINE GCC5_AARCH64_ASLDLINK_FLAGS = DEF(GCC49_AARCH64_ASLDLINK_FLAGS)
##################
# GCC44 IA32 definitions
##################
@ -79,7 +79,7 @@ index 39fda78..97f5557 100755
*_GCC44_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC44_IA32_ASLDLINK_FLAGS = DEF(GCC44_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -4633,17 +4612,17 @@ RELEASE_GCC44_IA32_CC_FLAGS = DEF(GCC44_IA32_CC_FLAGS) -Os
@@ -4641,17 +4620,17 @@ RELEASE_GCC44_IA32_CC_FLAGS = DEF(GCC44_IA32_CC_FLAGS) -Os
##################
# GCC44 X64 definitions
##################
@ -108,7 +108,7 @@ index 39fda78..97f5557 100755
*_GCC44_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC44_X64_ASLDLINK_FLAGS = DEF(GCC44_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -4666,7 +4645,7 @@ RELEASE_GCC44_X64_CC_FLAGS = DEF(GCC44_X64_CC_FLAGS) -Os
@@ -4674,7 +4653,7 @@ RELEASE_GCC44_X64_CC_FLAGS = DEF(GCC44_X64_CC_FLAGS) -Os
####################################################################################
*_GCC45_*_*_FAMILY = GCC
@ -117,7 +117,7 @@ index 39fda78..97f5557 100755
*_GCC45_*_*_DLL = ENV(GCC45_DLL)
*_GCC45_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -4681,17 +4660,17 @@ RELEASE_GCC44_X64_CC_FLAGS = DEF(GCC44_X64_CC_FLAGS) -Os
@@ -4689,17 +4668,17 @@ RELEASE_GCC44_X64_CC_FLAGS = DEF(GCC44_X64_CC_FLAGS) -Os
##################
# GCC45 IA32 definitions
##################
@ -146,7 +146,7 @@ index 39fda78..97f5557 100755
*_GCC45_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC45_IA32_ASLDLINK_FLAGS = DEF(GCC45_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -4709,17 +4688,17 @@ RELEASE_GCC45_IA32_CC_FLAGS = DEF(GCC45_IA32_CC_FLAGS) -Os
@@ -4717,17 +4696,17 @@ RELEASE_GCC45_IA32_CC_FLAGS = DEF(GCC45_IA32_CC_FLAGS) -Os
##################
# GCC45 X64 definitions
##################
@ -175,7 +175,7 @@ index 39fda78..97f5557 100755
*_GCC45_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC45_X64_ASLDLINK_FLAGS = DEF(GCC45_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -4742,7 +4721,7 @@ RELEASE_GCC45_X64_CC_FLAGS = DEF(GCC45_X64_CC_FLAGS) -Os
@@ -4750,7 +4729,7 @@ RELEASE_GCC45_X64_CC_FLAGS = DEF(GCC45_X64_CC_FLAGS) -Os
####################################################################################
*_GCC46_*_*_FAMILY = GCC
@ -183,8 +183,8 @@ index 39fda78..97f5557 100755
+*_GCC46_*_MAKE_PATH = make
*_GCC46_*_*_DLL = ENV(GCC46_DLL)
*_GCC46_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -4757,17 +4736,17 @@ RELEASE_GCC45_X64_CC_FLAGS = DEF(GCC45_X64_CC_FLAGS) -Os
*_GCC46_*_DTC_PATH = DEF(DTC_BIN)
@@ -4766,17 +4745,17 @@ RELEASE_GCC45_X64_CC_FLAGS = DEF(GCC45_X64_CC_FLAGS) -Os
##################
# GCC46 IA32 definitions
##################
@ -213,7 +213,7 @@ index 39fda78..97f5557 100755
*_GCC46_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC46_IA32_ASLDLINK_FLAGS = DEF(GCC46_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -4785,17 +4764,17 @@ RELEASE_GCC46_IA32_CC_FLAGS = DEF(GCC46_IA32_CC_FLAGS) -Os -Wno-unused-but
@@ -4794,17 +4773,17 @@ RELEASE_GCC46_IA32_CC_FLAGS = DEF(GCC46_IA32_CC_FLAGS) -Os -Wno-unused-but
##################
# GCC46 X64 definitions
##################
@ -242,7 +242,7 @@ index 39fda78..97f5557 100755
*_GCC46_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC46_X64_ASLDLINK_FLAGS = DEF(GCC46_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -4851,7 +4830,7 @@ RELEASE_GCC46_ARM_CC_FLAGS = DEF(GCC46_ARM_CC_FLAGS) -Wno-unused-but-set-v
@@ -4861,7 +4840,7 @@ RELEASE_GCC46_ARM_CC_FLAGS = DEF(GCC46_ARM_CC_FLAGS) -Wno-unused-but-set-v
####################################################################################
*_GCC47_*_*_FAMILY = GCC
@ -250,8 +250,8 @@ index 39fda78..97f5557 100755
+*_GCC47_*_MAKE_PATH = make
*_GCC47_*_*_DLL = ENV(GCC47_DLL)
*_GCC47_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -4866,17 +4845,17 @@ RELEASE_GCC46_ARM_CC_FLAGS = DEF(GCC46_ARM_CC_FLAGS) -Wno-unused-but-set-v
*_GCC47_*_DTC_PATH = DEF(DTC_BIN)
@@ -4877,17 +4856,17 @@ RELEASE_GCC46_ARM_CC_FLAGS = DEF(GCC46_ARM_CC_FLAGS) -Wno-unused-but-set-v
##################
# GCC47 IA32 definitions
##################
@ -280,7 +280,7 @@ index 39fda78..97f5557 100755
*_GCC47_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC47_IA32_ASLDLINK_FLAGS = DEF(GCC47_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -4894,17 +4873,17 @@ RELEASE_GCC47_IA32_CC_FLAGS = DEF(GCC47_IA32_CC_FLAGS) -Os -Wno-unused-but
@@ -4905,17 +4884,17 @@ RELEASE_GCC47_IA32_CC_FLAGS = DEF(GCC47_IA32_CC_FLAGS) -Os -Wno-unused-but
##################
# GCC47 X64 definitions
##################
@ -309,7 +309,7 @@ index 39fda78..97f5557 100755
*_GCC47_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC47_X64_ASLDLINK_FLAGS = DEF(GCC47_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -4988,7 +4967,7 @@ RELEASE_GCC47_AARCH64_CC_FLAGS = DEF(GCC47_AARCH64_CC_FLAGS) -Wno-unused-but-s
@@ -5001,7 +4980,7 @@ RELEASE_GCC47_AARCH64_CC_FLAGS = DEF(GCC47_AARCH64_CC_FLAGS) -Wno-unused-but-s
####################################################################################
*_GCC48_*_*_FAMILY = GCC
@ -317,8 +317,8 @@ index 39fda78..97f5557 100755
+*_GCC48_*_MAKE_PATH = make
*_GCC48_*_*_DLL = ENV(GCC48_DLL)
*_GCC48_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -5003,17 +4982,17 @@ RELEASE_GCC47_AARCH64_CC_FLAGS = DEF(GCC47_AARCH64_CC_FLAGS) -Wno-unused-but-s
*_GCC48_*_DTC_PATH = DEF(DTC_BIN)
@@ -5017,17 +4996,17 @@ RELEASE_GCC47_AARCH64_CC_FLAGS = DEF(GCC47_AARCH64_CC_FLAGS) -Wno-unused-but-s
##################
# GCC48 IA32 definitions
##################
@ -347,7 +347,7 @@ index 39fda78..97f5557 100755
*_GCC48_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC48_IA32_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -5031,17 +5010,17 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Os -Wno-unused-but
@@ -5045,17 +5024,17 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Os -Wno-unused-but
##################
# GCC48 X64 definitions
##################
@ -376,7 +376,7 @@ index 39fda78..97f5557 100755
*_GCC48_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC48_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -5125,7 +5104,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
@@ -5141,7 +5120,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
####################################################################################
*_GCC49_*_*_FAMILY = GCC
@ -384,8 +384,8 @@ index 39fda78..97f5557 100755
+*_GCC49_*_MAKE_PATH = make
*_GCC49_*_*_DLL = ENV(GCC49_DLL)
*_GCC49_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -5140,17 +5119,17 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
*_GCC49_*_DTC_PATH = DEF(DTC_BIN)
@@ -5157,17 +5136,17 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
##################
# GCC49 IA32 definitions
##################
@ -414,7 +414,7 @@ index 39fda78..97f5557 100755
*_GCC49_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32
*_GCC49_IA32_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -5168,17 +5147,17 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Os -Wno-unused-but
@@ -5185,17 +5164,17 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Os -Wno-unused-but
##################
# GCC49 X64 definitions
##################
@ -443,7 +443,7 @@ index 39fda78..97f5557 100755
*_GCC49_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64
*_GCC49_X64_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
@@ -5268,7 +5247,7 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS = DEF(GCC49_AARCH64_DLINK_FLAGS)
@@ -5287,7 +5266,7 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS = DEF(GCC49_AARCH64_DLINK_FLAGS)
####################################################################################
*_GCC5_*_*_FAMILY = GCC
@ -451,8 +451,8 @@ index 39fda78..97f5557 100755
+*_GCC5_*_MAKE_PATH = make
*_GCC5_*_*_DLL = ENV(GCC5_DLL)
*_GCC5_*_ASL_PATH = DEF(UNIX_IASL_BIN)
@@ -5283,17 +5262,17 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS = DEF(GCC49_AARCH64_DLINK_FLAGS)
*_GCC5_*_DTC_PATH = DEF(DTC_BIN)
@@ -5303,17 +5282,17 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS = DEF(GCC49_AARCH64_DLINK_FLAGS)
##################
# GCC5 IA32 definitions
##################
@ -481,7 +481,7 @@ index 39fda78..97f5557 100755
*_GCC5_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32 -fno-lto
*_GCC5_IA32_ASLDLINK_FLAGS = DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386
@@ -5315,17 +5294,17 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
@@ -5335,17 +5314,17 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
##################
# GCC5 X64 definitions
##################
@ -511,5 +511,5 @@ index 39fda78..97f5557 100755
*_GCC5_X64_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m64 -fno-lto
*_GCC5_X64_ASLDLINK_FLAGS = DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_x86_64
--
2.9.3
2.14.3

2028
EDKII_openssl-1.0.2j-no-srp.patch
View File

File diff suppressed because it is too large Load Diff

91
edk2.spec
View File

@ -1,6 +1,6 @@
%global edk2_date 20170209
%global edk2_githash 296153c5
%global openssl_version 1.0.2j
%global edk2_date 20171011
%global edk2_githash 92d07e4
%global openssl_version 1.1.0e
%define cross 1
@ -25,48 +25,45 @@
Name: edk2
Version: %{edk2_date}git%{edk2_githash}
Release: 7%{dist}
Release: 1%{dist}
Summary: EFI Development Kit II
Group: Applications/Emulators
License: BSD
URL: http://www.tianocore.org/edk2/
Source0: edk2-%{edk2_date}-%{edk2_githash}.tar.xz
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source1: openssl-%{openssl_version}-hobbled.tar.xz
Source2: hobble-openssl
Source3: build-iso.sh
Source9: update-tarball.sh
Source2: ovmf-whitepaper-c770f8c.txt
Source10: hobble-openssl
Source11: build-iso.sh
Source12: update-tarball.sh
Source13: openssl-patch-to-tarball.sh
# This is the version of the OpenSSL patch that EDK2 applies, but
# with all changes to srp.* files removed.
Source10: EDKII_openssl-1.0.2j-no-srp.patch
# Debug output tweaks, not for upstream
Patch0001: 0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch0002: 0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch
Patch0003: 0003-OvmfPkg-enable-DEBUG_VERBOSE.patch
Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512.patch
Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
# Exclude EFI shell from firmware, suggested by pjones re: secureboot.
# Not for upstream, see bug 1325023#c16
Patch0006: 0006-EXCLUDE_SHELL_FROM_FD.patch
# Ship EnrollDefaultKeys application.
# Not for upstream, see bug 1325023#c16
Patch0007: 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
# More text console resolutions. Upstreaming attempted, but failed
Patch0008: 0008-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch
Patch0005: 0005-BuildEnv-override-set-C-noclobber-of-sourcing-env.patch
Patch0006: 0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0008: 0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
Patch0009: 0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
Patch0010: 0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch0011: 0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
Patch0012: 0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
Patch0013: 0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
Patch0014: 0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
Patch0015: 0015-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
Patch0016: 0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
Patch0017: 0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
Patch0018: 0018-ArmVirtPkg-set-early-hello-message.patch
%if 0%{?cross:1}
# Tweak the tools_def to support cross-compiling.
# These files are meant for customization, so this is not upstream.
Patch0009: 0009-Tweak-the-tools_def-to-support-cross-compiling.patch
Patch0099: 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
%endif
# fix for build failure, sent upstream
Patch0010: 0010-VfrCompile-fix-invalid-comparison-between-pointer-an.patch
#
# actual firmware builds support cross-compiling. edk2-tools
# in theory should build everywhere without much trouble, but
@ -166,16 +163,19 @@ armv7 UEFI Firmware
%setup -q -n tianocore-%{name}-%{edk2_githash}
%autopatch -p1
# replace upstream patch with ours
cp %{SOURCE10} CryptoPkg/Library/OpensslLib/EDKII_openssl-%{openssl_version}.patch
# Ensure old shell and binary packages are not used
rm -rf EdkShellBinPkg
rm -rf EdkShellPkg
rm -rf FatBinPkg
rm -rf ShellBinPkg
cp -a -- %{SOURCE2} .
# add openssl
tar -C CryptoPkg/Library/OpensslLib -xf %{SOURCE1}
(cd CryptoPkg/Library/OpensslLib/openssl-%{openssl_version};
patch -p1 < ../EDKII_openssl-%{openssl_version}.patch)
(cd CryptoPkg/Library/OpensslLib; ./Install.sh)
cp CryptoPkg/Library/OpensslLib/openssl-*/LICENSE LICENSE.openssl
(cd .. && tar -xvf %{SOURCE1})
cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
%build
source ./edksetup.sh
@ -237,7 +237,6 @@ cp Build/Ovmf3264/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd
cp Build/Ovmf3264/*/X64/Shell.efi ovmf/
cp Build/Ovmf3264/*/X64/EnrollDefaultKeys.efi ovmf
sh %{_sourcedir}/build-iso.sh ovmf/
unset GCC49_X64_PREFIX
%endif
@ -256,7 +255,6 @@ cp Build/OvmfIa32/*/FV/OVMF_CODE.fd ovmf-ia32/OVMF_CODE.secboot.fd
cp Build/OvmfIa32/*/IA32/Shell.efi ovmf-ia32/Shell.efi
cp Build/OvmfIa32/*/IA32/EnrollDefaultKeys.efi ovmf-ia32/EnrollDefaultKeys.efi
sh %{_sourcedir}/build-iso.sh ovmf-ia32/
unset GCC49_IA32_PREFIX
%endif
@ -268,7 +266,6 @@ cp Build/ArmVirtQemu-AARCH64/DEBUG_*/FV/*.fd aarch64
dd of="aarch64/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64
dd of="aarch64/QEMU_EFI-pflash.raw" if="aarch64/QEMU_EFI.fd" conv=notrunc
dd of="aarch64/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
unset GCC49_AARCH64_PREFIX
%endif
@ -280,7 +277,6 @@ cp Build/ArmVirtQemu-ARM/DEBUG_*/FV/*.fd arm
dd of="arm/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64
dd of="arm/QEMU_EFI-pflash.raw" if="arm/QEMU_EFI.fd" conv=notrunc
dd of="arm/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
unset GCC49_ARM_PREFIX
%endif
%install
@ -333,7 +329,9 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%files tools
%license License.txt
%{_bindir}/BootSectImage
%{_bindir}/Brotli
%{_bindir}/EfiLdrImage
%{_bindir}/EfiRom
%{_bindir}/GenCrc32
@ -377,6 +375,7 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%license OvmfPkg/License.txt
%license LICENSE.openssl
%doc OvmfPkg/README
%doc ovmf-whitepaper-c770f8c.txt
%dir /usr/share/%{name}
%dir /usr/share/%{name}/ovmf
/usr/share/%{name}/ovmf/OVMF*.fd
@ -390,6 +389,7 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%license OvmfPkg/License.txt
%license LICENSE.openssl
%doc OvmfPkg/README
%doc ovmf-whitepaper-c770f8c.txt
%dir /usr/share/%{name}
%dir /usr/share/%{name}/ovmf-ia32
/usr/share/%{name}/ovmf-ia32/OVMF*.fd
@ -399,7 +399,8 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%if 0%{?build_aavmf_aarch64:1}
%files aarch64
%license ArmVirtPkg/License.txt
%license OvmfPkg/License.txt
%license LICENSE.openssl
%dir /usr/share/%{name}
%dir /usr/share/%{name}/aarch64
/usr/share/%{name}/aarch64/QEMU*.fd
@ -409,7 +410,8 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%if 0%{?build_aavmf_arm:1}
%files arm
%license ArmVirtPkg/License.txt
%license OvmfPkg/License.txt
%license LICENSE.openssl
%dir /usr/share/%{name}
%dir /usr/share/%{name}/arm
/usr/share/%{name}/arm/QEMU*.fd
@ -419,6 +421,11 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/
%changelog
* Tue Nov 14 2017 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-6
- Import source and patches from RHEL version
- Update OpenSSL to 1.1.0e
- Refresh 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
* Mon Nov 13 2017 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-6
- Allow non-cross builds
- Install /usr/share/OVMF and /usr/share/AAVMF

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (openssl-1.0.2j-hobbled.tar.xz) = 87c7c4e45f83c49b36154f4c66d3799fdc63286f9841b4dd71d4bdc3b26206be6009e33462533f0c1cc0efd9ef6aa05b772728ed0ee3e88f952586cdcf513003
SHA512 (edk2-20170209-296153c5.tar.xz) = b9b1936bde197712fe0f5dc3cf227095c08803486866967703959f4adc131c48b1b5f3bcdd8a4a40fe234eba5a7fdf887087d4d522db01a0920eb85cc7ab9454
SHA512 (edk2-20171011-92d07e4.tar.xz) = b7afcefd21470df730648c32455d19e0e31caf15d6a9aedc36a1c390fccddd18719d2710cdd01cf6156bb7551c67fce2a3073bf640b756c32184d889a8d40d46
SHA512 (openssl-1.1.0e-hobbled.tar.xz) = 25e7d5bddd28501de3f1488c91f4effb0e271986c836302680ea3754d73dceb1d34dd7460096bc28d3c0bced7dd5736dda15ccf5936d9313f4587f68a256efbc