From: Patrick Ohly <patrick.ohly@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v2 00/11] UEFI + Secure Boot + qemu
Date: Tue, 10 Jan 2017 17:07:16 +0100
Message-ID: <cover.1484063948.git.patrick.ohly@intel.com>

There seems to be a consensus that supporting UEFI in OE-core for qemu
would be valuable, and there have been some (stalled) attempts to add
it. For reference, see:

  [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
  [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
  https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf from meta-luv, acpica from
meta-oe), some improvements to them (in particular, enabling Secure
Boot), and changes to runqemu to make it easier to boot with UEFI. A
special image recipe builds an image which can be used to lock down a
virtual machine by enrolling the "normal" pre-installed certificates.

In contrast to the first version of this patch series, one can now use
both a single OVMF firmware file as well as set up persistent
variables for a virtual machine by using two files.

Eduardo promised to add automated testing for this once it is in OE-core.
As it stands now, ovmf-shell-image and ovmf without Secure Boot enabled
should at least be part of a world build.

As discussed on this list, Ricardo and Fathi volunteered to help with
maintaining the ovmf and acpica recipes in OE-core.

Beware that "git am --keep-cr" must be used to import the ovmf patches
correctly.

Changes since V1:
- support both combined code+vars ("ovmf") and separate code
  and vars flash drives ("ovmf.code ovmf.vars")
- OVMF firmware no longer installed in the target sysroot
- slightly simpler renaming from OVMF (uppercase, underscore)
  to OE naming convention (lowercase, dots): now the different
  ln invocations directly create files with the final name
- DEPLOYDIR needs to be cleaned explicitly (done via cleandirs varflag)
- Secure Boot support in ovmf is controlled by a PACKAGECONFIG option,
  off by default
- distros and developers can add additional Secure Boot compile flags
  with OVMF_SECURE_BOOT_EXTRA_FLAGS
- explain how to get ovmf built for use with runqemu via MACHINE_ESSENTIAL_EXTRA_RDEPENDS
- IMAGE_FSTYPES_forcevariable = "wic" used in ovmf-shell-image
- remove OVMF BGRT patch
- location of "inherit deploy"

The following changes since commit acce512a0b85853b5acf2ef07e4163a3b4f33a98:

  selftest/devtool: update test to work with new mtd-utils (2017-01-09 13:34:32 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Fathi Boudra (1):
  acpica: move from meta-oe to OE-core

Patrick Ohly (9):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: also accept -image suffix for rootfs parameter
  runqemu: fix undefined variable reference in check_arg_path()
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys
  ovmf: remove BGRT patch

meta-luv (1):
  ovmf: move from meta-luv to OE-core

meta/recipes-core/ovmf/ovmf-shell-image.bb | 17 +
...s-Force-tools-variables-to-host-toolchain.patch | 48 +
...0002-ovmf-update-path-to-native-BaseTools.patch | 32 +
...makefile-adjust-to-build-in-under-bitbake.patch | 39 +
...ollDefaultKeys-application-for-enrolling-.patch | 1124 ++++++++++++++++++++
meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks | 4 +
meta/recipes-core/ovmf/ovmf_git.bb | 201 ++++
meta/recipes-extended/acpica/acpica_20150515.bb | 46 +
.../acpica/acpitests/aapits-linux.patch | 336 ++++++
.../acpica/acpitests/aapits-makefile.patch | 34 +
meta/recipes-extended/acpica/acpitests_20140828.bb | 35 +
meta/recipes-extended/acpica/files/no-werror.patch | 32 +
scripts/runqemu | 50 +-
13 files changed, 1993 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
create mode 100644 meta/recipes-extended/acpica/acpica_20150515.bb
create mode 100644 meta/recipes-extended/acpica/acpitests/aapits-linux.patch
create mode 100644 meta/recipes-extended/acpica/acpitests/aapits-makefile.patch
create mode 100644 meta/recipes-extended/acpica/acpitests_20140828.bb
create mode 100644 meta/recipes-extended/acpica/files/no-werror.patch
--
2.1.4

Thread overview: 13+ messages
2017-01-10 16:07 Patrick Ohly [this message]
2017-01-10 16:07 ` [PATCH v2 01/11] acpica: move from meta-oe to OE-core Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 02/11] ovmf: move from meta-luv " Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 03/11] ovmf: explicitly depend on nasm-native Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 04/11] ovmf: deploy firmware in image directory Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 05/11] ovmf_git.bb: enable parallel compilation Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 06/11] ovmf_git.bb: enable Secure Boot Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 07/11] runqemu: also accept -image suffix for rootfs parameter Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 08/11] runqemu: fix undefined variable reference in check_arg_path() Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 09/11] runqemu: support UEFI with OVMF firmware Patrick Ohly
2017-01-12 7:42 ` Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 10/11] ovmf: build image which enrolls standard keys Patrick Ohly
2017-01-10 16:07 ` [PATCH v2 11/11] ovmf: remove BGRT patch Patrick Ohly