[PATCH v2 00/11] UEFI + Secure Boot + qemu

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick Ohly <patrick.ohly@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v2 00/11] UEFI + Secure Boot + qemu
Date: Tue, 10 Jan 2017 17:07:16 +0100	[thread overview]
Message-ID: <cover.1484063948.git.patrick.ohly@intel.com> (raw)

There seems to be a consensus that supporting UEFI in OE-core for qemu
would be valuable, and there have been some (stalled) attempts to add
it. For reference, see:
   [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
   [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
   https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
   https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf from meta-luv, acpica from
meta-oe), some improvements to them (in particular, enabling Secure
Boot), and changes to runqemu to make it easier to boot with UEFI. A
special image recipes builds an image which can be used to lock down a
virtual machine by enrolling the "normal" pre-installed certificates.

In contrast to the first version of this patch series, one can now use
both a single OVMF firmware file as well as set up persistent
variables for a virtual machine by using two files.

Eduardo promised to add automated testing for this once it is in OE-core.
As it stands now, ovmf-shell-image and ovmf without Secure Boot enabled
should at least be part of a world build.

As discussed on this list, Ricardo and Fathi volunteered to help with
maintaining the ovmf and acpica recipes in OE-core.

Beware that "git am --keep-cr" must be used to import the ovmf patches
correctly.

Changes since V1:
- support both combined code+vars ("ovmf") and separate code
  and vars flash drives ("ovmf.code ovmf.vars")
- OVMF firmware no longer installed in the target sysroot
- slightly simpler renaming from OVMF (uppercase, underscore)
  to OE naming convention (lowercase, dots): now the different
  ln invocation directly create files with the final name
- DEPLOYDIR needs to be cleaned explicitly (done via cleandirs varflag)
- Secure Boot support in ovmf is controlled by a PACKAGECONFIG option,
  off by default
- distros and developers can add additional Secure Boot compile flags
  with OVMF_SECURE_BOOT_EXTRA_FLAGS
- explain how to get ovmf built for use with runqemu via MACHINE_ESSENTIAL_EXTRA_RDEPENDS
- IMAGE_FSTYPES_forcevariable = "wic" used in ovmf-shell-image
- remove OVMF BGRT patch
- location of "inherit deploy"

The following changes since commit acce512a0b85853b5acf2ef07e4163a3b4f33a98:

  selftest/devtool: update test to work with new mtd-utils (2017-01-09 13:34:32 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Fathi Boudra (1):
  acpica: move from meta-oe to OE-core

Patrick Ohly (9):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: also accept -image suffix for rootfs parameter
  runqemu: fix undefined variable reference in check_arg_path()
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys
  ovmf: remove BGRT patch

meta-luv (1):
  ovmf: move from meta-luv to OE-core

 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   17 +
 ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
 ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
 ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1124 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |  201 ++++
 meta/recipes-extended/acpica/acpica_20150515.bb    |   46 +
 .../acpica/acpitests/aapits-linux.patch            |  336 ++++++
 .../acpica/acpitests/aapits-makefile.patch         |   34 +
 meta/recipes-extended/acpica/acpitests_20140828.bb |   35 +
 meta/recipes-extended/acpica/files/no-werror.patch |   32 +
 scripts/runqemu                                    |   50 +-
 13 files changed, 1993 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
 create mode 100644 meta/recipes-extended/acpica/acpica_20150515.bb
 create mode 100644 meta/recipes-extended/acpica/acpitests/aapits-linux.patch
 create mode 100644 meta/recipes-extended/acpica/acpitests/aapits-makefile.patch
 create mode 100644 meta/recipes-extended/acpica/acpitests_20140828.bb
 create mode 100644 meta/recipes-extended/acpica/files/no-werror.patch

-- 
2.1.4

next             reply	other threads:[~2017-01-10 16:07 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-10 16:07 Patrick Ohly [this message]
2017-01-10 16:07 ` [PATCH v2 01/11] acpica: move from meta-oe to OE-core Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 02/11] ovmf: move from meta-luv " Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 03/11] ovmf: explicitly depend on nasm-native Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 04/11] ovmf: deploy firmware in image directory Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 05/11] ovmf_git.bb: enable parallel compilation Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 06/11] ovmf_git.bb: enable Secure Boot Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 07/11] runqemu: also accept -image suffix for rootfs parameter Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 08/11] runqemu: fix undefined variable reference in check_arg_path() Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 09/11] runqemu: support UEFI with OVMF firmware Patrick Ohly
2017-01-12  7:42   ` Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 10/11] ovmf: build image which enrolls standard keys Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 11/11] ovmf: remove BGRT patch Patrick Ohly

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1484063948.git.patrick.ohly@intel.com \
    --to=patrick.ohly@intel.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.