From: Patrick Ohly <patrick.ohly@intel.com>
To: openembedded-core@lists.openembedded.org, ricardo.neri@intel.com
Subject: [PATCH 0/9] UEFI + Secure Boot + qemu
Date: Wed, 21 Dec 2016 14:11:24 +0100
Message-ID: <cover.1482324587.git.patrick.ohly@intel.com>

There seems to be a consensus that supporting UEFI in OE-core for qemu
would be valuable, and there have been some (stalled) attempts to add
it. For reference, see:

[OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
[OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf and iasl from
meta-luv), some improvements to them (in particular, enabling Secure
Boot), and changes to runqemu to make it easier to boot with UEFI. A
special image recipe builds an image which can be used to lock down a
virtual machine by enrolling the "normal" pre-installed certificates.

I decided to keep the setup simple and use just a single file for UEFI
code and variables because that makes the usage via runqemu very
easy. See the "runqemu: support UEFI with OVMF firmware" patch for
details. The downside is that the firmware can't be updated without
losing variables. I don't see a big need for long-lived virtual
machine instances, but would like to hear from others about that.

What's missing is automated testing of this new feature. I'm open for
suggestions here; right now I don't know enough about the automated
testing in the AB to propose something.

I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
would you be willing to act as maintainer of it there, like you did in
meta-luv?

Beware that "git am --keep-cr" must be used to import the ovmf patches
correctly.

The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:

  Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Patrick Ohly (7):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: let command line parameters override defaults
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys

meta-luv (2):
  ovmf: move from meta-luv to OE-core
  iasl: move from meta-luv to OE-core

 meta/recipes-core/ovmf/ovmf-shell-image.bb | 22 +
 ...s-Force-tools-variables-to-host-toolchain.patch | 48 +
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch | 110 ++
 ...0002-ovmf-update-path-to-native-BaseTools.patch | 32 +
 ...makefile-adjust-to-build-in-under-bitbake.patch | 39 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks | 4 +
 meta/recipes-core/ovmf/ovmf_git.bb | 178 ++++
 meta/recipes-extended/iasl/iasl_20120215.bb | 27 +
 meta/recipes-extended/iasl/iasl_20150410.bb | 27 +
 meta/recipes-extended/iasl/iasl_20150515.bb | 27 +
 scripts/runqemu | 37 +-
 12 files changed, 1673 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
--
2.1.4