Openembedded Core Discussions
* Re: [PATCH 0/9] UEFI + Secure Boot + qemu
From: Fathi Boudra @ 2016-12-21 14:19 UTC (permalink / raw)
  To: Patrick Ohly; +Cc: Neri, Ricardo, openembedded-core
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

Hi,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> There seems to be a consensus that supporting UEFI in OE-core for qemu
> would be valuable, and there have been some (stalled) attempts to add
> it. For reference, see:
>    [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
>    [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
>    https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
>    https://github.com/01org/luv-yocto/issues/38
>
> This patch set includes the necessary recipes (ovmf and iasl from
> meta-luv), some improvements to them (in particular, enabling Secure
> Boot), and changes to runqemu to make it easier to boot with UEFI. A
> special image recipe builds an image which can be used to lock down a
> virtual machine by enrolling the "normal" pre-installed certificates.
>
> I decided to keep the setup simple and use just a single file for UEFI
> code and variables because that makes the usage via runqemu very
> easy. See the "runqemu: support UEFI with OVMF firmware" patch for
> details. The downside is that the firmware can't be updated without
> losing variables. I don't see a big need for long-lived virtual
> machine instances, but would like to hear from others about that.
>
> What's missing is automated testing of this new feature. I'm open for
> suggestions here; right now I don't know enough about the automated
> testing in the AB to propose something.
>
> I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
> moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
> would you be willing to act as maintainer of it there, like you did in
> meta-luv?

fwiw, I've been maintaining acpica recipe in meta-oe, and will keep an
eye here as well.
meta-luv supports both x86* and arm*, and we have an interest in
having the same features available and working for qemuaarch64.

> Beware that "git am --keep-cr" must be used to import the ovmf patches
> correctly.
>
> The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:
>
>   Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)
>
> are available in the git repository at:
>
>   git://github.com/pohly/openembedded-core secure-boot
>   https://github.com/pohly/openembedded-core/tree/secure-boot
>
> Patrick Ohly (7):
>   ovmf: explicitly depend on nasm-native
>   ovmf: deploy firmware in image directory
>   ovmf_git.bb: enable parallel compilation
>   ovmf_git.bb: enable Secure Boot
>   runqemu: let command line parameters override defaults
>   runqemu: support UEFI with OVMF firmware
>   ovmf: build image which enrolls standard keys
>
> meta-luv (2):
>   ovmf: move from meta-luv to OE-core
>   iasl: move from meta-luv to OE-core
>
>  meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
>  ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
>  .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
>  ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
>  ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
>  ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
>  meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
>  meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
>  meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
>  scripts/runqemu                                    |   37 +-
>  12 files changed, 1673 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
>  create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
>  create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> --
> 2.1.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


Cheers,
-- 
Fathi



* Re: [PATCH 2/9] iasl: move from meta-luv to OE-core
From: Fathi Boudra @ 2016-12-21 14:11 UTC (permalink / raw)
  To: Patrick Ohly; +Cc: meta-luv, Neri, Ricardo, openembedded-core
In-Reply-To: <374bb6a728f368a801f961fb524290f205bb4625.1482324587.git.patrick.ohly@intel.com>

Hi Patrick,

On 21 December 2016 at 15:11, Patrick Ohly <patrick.ohly@intel.com> wrote:
> From: meta-luv <luv@lists.01.org>
>
> This is an unmodified copy of
> github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
> 4be4329.
>
> iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
> bit simpler and thus seems more suitable for OE-core.

Simpler in what sense? The acpica recipe is trivial and provides the full acpica tools.
Would you mind importing the meta-oe acpica recipe instead of providing a
reduced set of acpica for not much benefit?

> When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
> be set to avoid a warning. It can be set to "acpica-native" when
> something from acpica besides just iasl is needed.
>
> Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
> ---
>  meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++
>  meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++
>  meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++
>  3 files changed, 81 insertions(+)
>  create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
>  create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb
>
> diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb
> new file mode 100644
> index 0000000..a14d2ec
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20120215.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc"
> +SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d"
> +
> +S="${WORKDIR}/acpica-unix-${PV}/source/compiler"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       CFLAGS="-Wno-error=redundant-decls" $MAKE
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/iasl ${D}${prefix}/bin
> +}
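
Review bot: DESCRIPTION at the top of iasl_20120215.bb describes a C compiler, assembler and linker for 8086 executables, which does not match a recipe that fetches acpica-unix and installs iasl (HOMEPAGE is acpica.org); it should describe the ACPI Source Language compiler. In do_compile, calling `$MAKE` directly bypasses oe_runmake, so EXTRA_OEMAKE is not applied; `oe_runmake` with the -Wno-error=redundant-decls flag passed through CFLAGS would be the usual form.
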
> diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb
> new file mode 100644
> index 0000000..4e44817
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20150410.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22"
> +SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875"
> +
> +S="${WORKDIR}/acpica-unix-${PV}"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       make iasl
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
> +}
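
Review bot: do_compile in iasl_20150410.bb runs plain `make iasl` instead of `oe_runmake iasl`, so EXTRA_OEMAKE is ignored for this recipe. In do_install, mkdir plus cp leaves the file mode to whatever the build produced; `install -d ${D}${bindir}` followed by `install -m 0755 ${S}/generate/unix/bin/iasl ${D}${bindir}` sets it explicitly and uses bindir rather than ${prefix}/bin.
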
> diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb
> new file mode 100644
> index 0000000..c7e1cd5
> --- /dev/null
> +++ b/meta/recipes-extended/iasl/iasl_20150515.bb
> @@ -0,0 +1,27 @@
> +DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
> +HOMEPAGE = "http://www.acpica.org/"
> +LICENSE = "Intel-ACPI"
> +LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
> +SECTION = "console/tools"
> +PR="r1"
> +
> +DEPENDS="flex-native bison-native"
> +
> +SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
> +
> +SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908"
> +SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45"
> +
> +S="${WORKDIR}/acpica-unix-${PV}"
> +
> +NATIVE_INSTALL_WORKS = "1"
> +BBCLASSEXTEND = "native"
> +
> +do_compile() {
> +       make iasl
> +}
> +
> +do_install() {
> +       mkdir -p ${D}${prefix}/bin
> +       cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
> +}
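
Review bot: iasl_20150515.bb differs from iasl_20150410.bb only in the two SRC_URI checksums, and all three recipes repeat the same DESCRIPTION, DEPENDS, PR and NATIVE_INSTALL_WORKS lines. Unless something in the series needs each version, keep a single version in OE-core, or move the shared settings into an iasl.inc so the per-version files hold only the checksums and the parts that really differ.
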
> --
> 2.1.4

Cheers,
-- 
Fathi



* Broadcom firmware alternatives
From: Burton, Ross @ 2016-12-21 13:27 UTC (permalink / raw)
  To: OE-core

Hi,

So /lib/firmware/brcm/brcmfmac-sdio.bin is an alternative with five
possibilities:

/lib/firmware/brcm/brcmfmac4330-sdio.bin 10
/lib/firmware/brcm/brcmfmac4329-sdio.bin 10
/lib/firmware/brcm/brcmfmac4334-sdio.bin 10
/lib/firmware/brcm/brcmfmac4339-sdio.bin 20
/lib/firmware/brcm/brcmfmac43340-sdio.bin 10
/lib/firmware/brcm/brcmfmac43430-sdio.bin 10

Note that they're all the same priority, so the choice of what goes into
the rootfs is effectively random.

From reading the internet it looks like this alternative was only required
for kernels older than 3.13, so can we just remove this alternative now?

Ross


* Re: [PATCH 5/5] hdparm: 9.48 -> 9.50
From: Andre McCurdy @ 2016-12-21 13:27 UTC (permalink / raw)
  To: Robert Yang; +Cc: OE Core mailing list
In-Reply-To: <6efb8d002491cd1e736b9126e09a5a63b4acd4d1.1482300982.git.liezhi.yang@windriver.com>

On Tue, Dec 20, 2016 at 10:17 PM, Robert Yang <liezhi.yang@windriver.com> wrote:
> Add 0001-Makefile-use-weak-assignment-for-LDFALGS.patch to fix issues like:
> ERROR: hdparm-9.50-r0 do_package: QA Issue: File '/sbin/hdparm.hdparm' from hdparm was already stripped, this will prevent future debugging! [already-stripped]
> ERROR: hdparm-9.50-r0 do_package: Fatal QA errors found, failing task.

Passing LDFLAGS on the make command line might be a cleaner solution
than patching the Makefile.

> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
>  ...-Makefile-use-weak-assignment-for-LDFALGS.patch | 30 ++++++++++++++++++++++
>  .../hdparm/{hdparm_9.48.bb => hdparm_9.50.bb}      |  8 +++---
>  2 files changed, 35 insertions(+), 3 deletions(-)
>  create mode 100644 meta/recipes-extended/hdparm/hdparm/0001-Makefile-use-weak-assignment-for-LDFALGS.patch
>  rename meta/recipes-extended/hdparm/{hdparm_9.48.bb => hdparm_9.50.bb} (80%)
>
> diff --git a/meta/recipes-extended/hdparm/hdparm/0001-Makefile-use-weak-assignment-for-LDFALGS.patch b/meta/recipes-extended/hdparm/hdparm/0001-Makefile-use-weak-assignment-for-LDFALGS.patch
> new file mode 100644
> index 00000000000..f74da5f18c9
> --- /dev/null
> +++ b/meta/recipes-extended/hdparm/hdparm/0001-Makefile-use-weak-assignment-for-LDFALGS.patch
> @@ -0,0 +1,30 @@
> +From 9532fbaade3b08cef936723a6a5adf191881edbf Mon Sep 17 00:00:00 2001
> +From: Robert Yang <liezhi.yang@windriver.com>
> +Date: Mon, 19 Dec 2016 22:36:16 -0800
> +Subject: [PATCH] Makefile: use weak assignment for LDFALGS
> +
> +So that it can use LDFLAGS from env vars.
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> +---
> + Makefile | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 05a1f78..60b67d9 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -15,7 +15,7 @@ STRIP ?= strip
> +
> + CFLAGS := -O2 -W -Wall -Wbad-function-cast -Wcast-align -Wpointer-arith -Wcast-qual -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fkeep-inline-functions -Wwrite-strings -Waggregate-return -Wnested-externs -Wtrigraphs $(CFLAGS)
> +
> +-LDFLAGS = -s
> ++LDFLAGS ?= -s
> + #LDFLAGS = -s -static
> + INSTALL = install
> + INSTALL_DATA = $(INSTALL) -m 644
> +--
> +2.10.2
> +
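
Review bot: the Subject line and the patch file name spell the variable "LDFALGS"; it should be LDFLAGS so the patch turns up when searching for the variable. In the Makefile hunk, `LDFLAGS ?= -s` still strips the binary whenever LDFLAGS is absent from the environment, so the fix relies on the build exporting LDFLAGS; say so in the patch description, or drop the `-s` default.
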



* [PATCH 9/9] ovmf: build image which enrolls standard keys
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

When booting a qemu virtual machine with ovmf.secboot, it comes up
with no keys installed and thus Secure Boot disabled. To lock down
the machine like a typical PC, one has to enroll the same keys
that PC vendors normally install, i.e. the ones from Microsoft.

This can be done manually (see
https://wiki.ubuntu.com/SecurityTeam/SecureBoot and
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf) or automatically with the EnrollDefaultKeys.efi helper
from the Fedora ovmf rpm.

To use this with qemu:
$ bitbake ovmf-shell-image
...
$ runqemu serial nographic qemux86 ovmf-shell-image wic ovmf.secboot
...
UEFI Interactive Shell v2.1
EDK II
UEFI v2.60 (EDK II, 0x00010000)
Mapping table
      FS0: Alias(s):HD2b:;BLK4:
          PciRoot(0x0)/Pci(0x5,0x0)/HD(1,GPT,06AEF759-3982-4AF6-B517-70BA6304FC1C,0x800,0x566C)
     BLK0: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
     BLK1: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x1)
     BLK2: Alias(s):
          PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
     BLK3: Alias(s):
          PciRoot(0x0)/Pci(0x5,0x0)

Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell> fs0:EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
Shell> reset

Remember that this will modify
deploy/images/qemux86/ovmf.secboot.qcow2, so make a copy and use the
full path of that copy instead of the "ovmf" argument if needed.

The ovmf-shell-image contains an EFI shell, which is what got started
here directly. After enrolling the keys, Secure Boot is active and the
same image cannot be booted anymore, so the BIOS goes through the
normal boot targets (including network boot, which can take a while to
time out), and ends up in the internal EFI shell. Trying to invoke
bootia32.efi (the shell from the image) or EnrollDefaultKeys.efi then
fails:
Shell> bootia32.efi
Command Error Status: Security Violation

The main purpose at the moment is to test that Secure Boot enforcement
really works. If we had a way to sign generated images, that part could
also be tested by booting in a locked down qemu instance.

0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch is
from
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch?id=b1781931894bf2057464e634beed68b1e3218c9e
with one line changed to fix
https://bugzilla.redhat.com/show_bug.cgi?id=132502:
"EFI_STATUS Status = EFI_SUCCESS;" in EnrollListOfX509Certs() lacked
the initializer.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |   16 +
 4 files changed, 1165 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks

diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
new file mode 100644
index 0000000..fecde9c
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -0,0 +1,22 @@
+# This needs to run before image.bbclass reads IMAGE_FSTYPES,
+# which is guaranteed by the ordering of anonymous functions
+# in a recipe.
+python () {
+    # Ignore customization of IMAGE_FSTYPES because
+    # for this image recipe, only the .wic format
+    # with a single vfat partition makes sense.
+    d.setVar('IMAGE_FSTYPES', 'wic')
+}
+WKS_FILE = "ovmf/ovmf-shell-image.wks"
+
+inherit image
+
+# We want a minimal image with just ovmf-shell-efi
+# unpacked in it. We avoid installing unnecessary
+# stuff as much as possible, but some things still
+# get through and need to be removed.
+PACKAGE_INSTALL = "ovmf-shell-efi"
+LINGUAS_INSTALL = ""
+do_image () {
+    rm -rf `ls -d ${IMAGE_ROOTFS}/* | grep -v efi`
+}
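
Review bot: in do_image, `grep -v efi` is applied to the full paths printed by `ls -d ${IMAGE_ROOTFS}/*`, so if the build directory path itself contains "efi" every entry is kept and nothing is removed; names with whitespace are split by the backticks and dot files are never matched by the glob. Match on the entry name instead, for example `find ${IMAGE_ROOTFS} -mindepth 1 -maxdepth 1 ! -name '*efi*' -exec rm -rf {} +`.
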
diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
new file mode 100644
index 0000000..12d43df
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
@@ -0,0 +1,1123 @@
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Mon, 6 Jul 2015 20:22:02 +0200
+Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
+ keys
+
+(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
+to Gerd's public RPMs.)
+
+This application is meant to be invoked by the management layer, after
+booting the UEFI shell and getting a shell prompt on the serial console.
+The app enrolls a number of certificates (see below), and then reports
+status to the serial console as well. The expected output is "info:
+success":
+
+> Shell> EnrollDefaultKeys.efi
+> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
+> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
+> info: success
+> Shell>
+
+In case of success, the management layer can force off or reboot the VM
+(for example with the "reset -s" or "reset -c" UEFI shell commands,
+respectively), and start the guest installation with SecureBoot enabled.
+
+PK:
+- A unique, static, ad-hoc certificate whose private half has been
+  destroyed (more precisely, never saved) and is therefore unusable for
+  signing. (The command for creating this certificate is saved in the
+  source code.)
+
+KEK:
+- same ad-hoc certificate as used for the PK,
+- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
+  package is signed (indirectly, through a chain) with this; enrolling
+  such a KEK should allow guests to install those updates.
+
+DB:
+- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
+  Server 2012 R2,
+- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
+  oproms.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 960 ++++++++++++++++++++++++
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  51 ++
+ OvmfPkg/OvmfPkgIa32.dsc                         |   4 +
+ OvmfPkg/OvmfPkgIa32X64.dsc                      |   4 +
+ OvmfPkg/OvmfPkgX64.dsc                          |   4 +
+ 5 files changed, 1023 insertions(+)
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+new file mode 100644
+index 0000000..081212b
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -0,0 +1,960 @@
++/** @file
++  Enroll default PK, KEK, DB.
++
++  Copyright (C) 2014, Red Hat, Inc.
++
++  This program and the accompanying materials are licensed and made available
++  under the terms and conditions of the BSD License which accompanies this
++  distribution. The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
++  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++**/
++#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
++#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
++#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
++#include <Library/BaseMemoryLib.h>               // CopyGuid()
++#include <Library/DebugLib.h>                    // ASSERT()
++#include <Library/MemoryAllocationLib.h>         // FreePool()
++#include <Library/ShellCEntryLib.h>              // ShellAppMain()
++#include <Library/UefiLib.h>                     // AsciiPrint()
++#include <Library/UefiRuntimeServicesTableLib.h> // gRT
++
++//
++// The example self-signed certificate below, which we'll use for both Platform
++// Key, and first Key Exchange Key, has been generated with the following
++// non-interactive openssl command. The passphrase is read from /dev/urandom,
++// and not saved, and the private key is written to /dev/null. In other words,
++// we can't sign anything else against this certificate, which is our purpose.
++//
++/*
++   openssl req \
++     -passout file:<(head -c 16 /dev/urandom) \
++     -x509 \
++     -newkey rsa:2048 \
++     -keyout /dev/null \
++     -outform DER \
++     -subj $(
++       printf /C=US
++       printf /ST=TestStateOrProvince
++       printf /L=TestLocality
++       printf /O=TestOrganization
++       printf /OU=TestOrganizationalUnit
++       printf /CN=TestCommonName
++       printf /emailAddress=test@example.com
++     ) \
++     2>/dev/null \
++   | xxd -i
++*/
++STATIC CONST UINT8 ExampleCert[] = {
++  0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
++  0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
++  0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
++  0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
++  0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
++  0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
++  0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
++  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
++  0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
++  0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
++  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
++  0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
++  0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
++  0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
++  0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
++  0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
++  0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
++  0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
++  0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
++  0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
++  0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
++  0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
++  0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
++  0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
++  0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
++  0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
++  0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
++  0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
++  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
++  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
++  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
++  0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
++  0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
++  0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
++  0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
++  0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
++  0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
++  0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
++  0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
++  0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
++  0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
++  0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
++  0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
++  0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
++  0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
++  0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
++  0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
++  0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
++  0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
++  0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
++  0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
++  0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
++  0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
++  0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
++  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
++  0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
++  0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
++  0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
++  0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
++  0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
++  0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
++  0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
++  0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
++  0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
++  0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
++  0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
++  0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
++  0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
++  0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
++  0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
++  0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
++  0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
++  0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
++  0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
++  0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
++  0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
++  0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
++  0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
++  0x26, 0x5b, 0xc0, 0x3d, 0xc7
++};
++
++//
++// Second KEK: "Microsoft Corporation KEK CA 2011".
++// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
++//
++// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
++//
++STATIC CONST UINT8 MicrosoftKEK[] = {
++  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
++  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
++  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
++  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
++  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
++  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
++  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
++  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
++  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
++  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
++  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
++  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
++  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
++  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
++  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
++  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
++  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
++  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
++  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
++  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
++  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
++  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
++  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
++  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
++  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
++  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
++  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
++  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
++  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
++  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
++  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
++  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
++  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
++  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
++  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
++  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
++  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
++  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
++  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
++  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
++  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
++  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
++  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
++  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
++  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
++  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
++  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
++  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
++  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
++  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
++  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
++  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
++  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
++  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
++  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
++  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
++  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
++  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
++  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
++  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
++  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
++  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
++  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
++  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
++  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
++  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
++  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
++  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
++  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
++  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
++  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
++  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
++  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
++  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
++  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
++  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
++  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
++  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
++  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
++  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
++  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
++  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
++  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
++  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
++  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
++  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
++  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
++  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
++  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
++  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
++};
++
++//
++// First DB entry: "Microsoft Windows Production PCA 2011"
++// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
++//
++// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
++// rooted in this certificate.
++//
++STATIC CONST UINT8 MicrosoftPCA[] = {
++  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
++  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
++  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
++  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
++  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
++  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
++  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
++  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
++  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
++  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
++  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
++  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
++  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
++  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
++  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
++  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
++  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
++  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
++  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
++  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
++  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
++  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
++  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
++  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
++  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
++  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
++  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
++  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
++  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
++  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
++  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
++  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
++  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
++  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
++  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
++  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
++  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
++  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
++  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
++  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
++  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
++  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
++  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
++  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
++  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
++  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
++  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
++  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
++  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
++  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
++  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
++  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
++  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
++  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
++  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
++  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
++  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
++  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
++  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
++  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
++  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
++  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
++  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
++  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
++  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
++  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
++  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
++  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
++  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
++  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
++  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
++  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
++  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
++  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
++  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
++  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
++  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
++  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
++  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
++  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
++  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
++  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
++  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
++  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
++  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
++  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
++  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
++  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
++  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
++  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
++  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
++  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
++  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
++  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
++  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
++  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
++  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
++  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
++  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
++  0x62, 0x1c, 0x59, 0x7e
++};
++
++//
++// Second DB entry: "Microsoft Corporation UEFI CA 2011"
++// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
++//
++// To verify the "shim" binary and PCI expansion ROMs with.
++//
++STATIC CONST UINT8 MicrosoftUefiCA[] = {
++  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
++  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
++  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
++  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
++  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
++  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
++  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
++  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
++  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
++  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
++  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
++  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
++  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
++  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
++  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
++  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
++  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
++  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
++  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
++  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
++  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
++  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
++  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
++  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
++  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
++  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
++  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
++  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
++  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
++  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
++  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
++  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
++  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
++  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
++  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
++  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
++  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
++  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
++  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
++  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
++  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
++  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
++  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
++  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
++  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
++  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
++  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
++  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
++  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
++  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
++  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
++  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
++  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
++  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
++  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
++  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
++  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
++  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
++  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
++  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
++  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
++  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
++  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
++  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
++  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
++  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
++  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
++  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
++  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
++  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
++  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
++  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
++  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
++  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
++  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
++  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
++  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
++  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
++  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
++  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
++  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
++  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
++  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
++  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
++  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
++  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
++  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
++  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
++};
++
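Review bot: the trust anchors hard-coded above (MicrosoftKEK[], MicrosoftPCA[], MicrosoftUefiCA[]) are documented only by subject name and a SHA1 fingerprint, with no record of where the DER bytes came from or how to regenerate the arrays. Since these blobs decide what the enrolled firmware will trust, each comment block should name the source of the certificate and add a SHA-256 fingerprint next to the "SHA1:" line, so a reviewer can check the array against the published certificate without relying on SHA1 alone. It is also worth stating the expiry in the comments: the UTCTime notAfter encoded in MicrosoftKEK[] reads 260624205129Z, and the two db certificates likewise end in 2026, so anyone reusing this enrollment app later needs to know that the anchors have to be refreshed.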
++//
++// The most important thing about the variable payload is that it is a list of
++// lists, where the element size of any given *inner* list is constant.
++//
++// Since X509 certificates vary in size, each of our *inner* lists will contain
++// one element only (one X.509 certificate). This is explicitly mentioned in
++// the UEFI specification, in "28.4.1 Signature Database", in a Note.
++//
++// The list structure looks as follows:
++//
++// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
++//   struct EFI_TIME {                                              |
++//     UINT16 Year;                                                 |
++//     UINT8  Month;                                                |
++//     UINT8  Day;                                                  |
++//     UINT8  Hour;                                                 |
++//     UINT8  Minute;                                               |
++//     UINT8  Second;                                               |
++//     UINT8  Pad1;                                                 |
++//     UINT32 Nanosecond;                                           |
++//     INT16  TimeZone;                                             |
++//     UINT8  Daylight;                                             |
++//     UINT8  Pad2;                                                 |
++//   } TimeStamp;                                                   |
++//                                                                  |
++//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
++//     struct WIN_CERTIFICATE {                                   | |
++//       UINT32 dwLength; ----------------------------------------+ |
++//       UINT16 wRevision;                                        | |
++//       UINT16 wCertificateType;                                 | |
++//     } Hdr;                                                     | +- DataSize
++//                                                                | |
++//     EFI_GUID CertType;                                         | |
++//     UINT8    CertData[1] = { <--- "struct hack"                | |
++//       struct EFI_SIGNATURE_LIST {                            | | |
++//         EFI_GUID SignatureType;                              | | |
++//         UINT32   SignatureListSize; -------------------------+ | |
++//         UINT32   SignatureHeaderSize;                        | | |
++//         UINT32   SignatureSize; ---------------------------+ | | |
++//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
++//                                                            v | | |
++//         struct EFI_SIGNATURE_DATA {                        | | | |
++//           EFI_GUID SignatureOwner;                         | | | |
++//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
++//             X.509 payload                                  | | | |
++//           }                                                | | | |
++//         } Signatures[];                                      | | |
++//       } SigLists[];                                            | |
++//     };                                                         | |
++//   } AuthInfo;                                                  | |
++// };                                                               |
++//
++// Given that the "struct hack" invokes undefined behavior (which is why C99
++// introduced the flexible array member), and because subtracting those pesky
++// sizes of 1 is annoying, and because the format is fully specified in the
++// UEFI specification, we'll introduce two matching convenience structures that
++// are customized for our X.509 purposes.
++//
++#pragma pack(1)
++typedef struct {
++  EFI_TIME TimeStamp;
++
++  //
++  // dwLength covers data below
++  //
++  UINT32   dwLength;
++  UINT16   wRevision;
++  UINT16   wCertificateType;
++  EFI_GUID CertType;
++} SINGLE_HEADER;
++
++typedef struct {
++  //
++  // SignatureListSize covers data below
++  //
++  EFI_GUID SignatureType;
++  UINT32   SignatureListSize;
++  UINT32   SignatureHeaderSize; // constant 0
++  UINT32   SignatureSize;
++
++  //
++  // SignatureSize covers data below
++  //
++  EFI_GUID SignatureOwner;
++
++  //
++  // X.509 certificate follows
++  //
++} REPEATING_HEADER;
++#pragma pack()
++
++/**
++  Enroll a set of DER-formatted X.509 certificates in a global variable,
++  overwriting it.
++
++  The variable will be rewritten with NV+BS+RT+AT attributes.
++
++  @param[in] VariableName  The name of the variable to overwrite.
++
++  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
++                           overwrite.
++
++  @param[in] ...           A list of
++
++                             IN CONST UINT8    *Cert,
++                             IN UINTN          CertSize,
++                             IN CONST EFI_GUID *OwnerGuid
++
++                           triplets. If the first component of a triplet is
++                           NULL, then the other two components are not
++                           accessed, and processing is terminated. The list of
++                           X.509 certificates is enrolled in the variable
++                           specified, overwriting it. The OwnerGuid component
++                           identifies the agent installing the certificate.
++
++  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
++                                 value is NULL), or one of the CertSize values
++                                 is 0, or one of the CertSize values would
++                                 overflow the accumulated UINT32 data size.
++
++  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
++                                 payload.
++
++  @retval EFI_SUCCESS            Enrollment successful; the variable has been
++                                 overwritten (or created).
++
++  @return                        Error codes from gRT->GetTime() and
++                                 gRT->SetVariable().
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++EnrollListOfX509Certs (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  ...
++  )
++{
++  UINTN            DataSize;
++  SINGLE_HEADER    *SingleHeader;
++  REPEATING_HEADER *RepeatingHeader;
++  VA_LIST          Marker;
++  CONST UINT8      *Cert;
++  EFI_STATUS       Status = EFI_SUCCESS;
++  UINT8            *Data;
++  UINT8            *Position;
++
++  //
++  // compute total size first, for UINT32 range check, and allocation
++  //
++  DataSize = sizeof *SingleHeader;
++  VA_START (Marker, VendorGuid);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN          CertSize;
++
++    CertSize = VA_ARG (Marker, UINTN);
++    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
++
++    if (CertSize == 0 ||
++        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
++        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
++      Status = EFI_INVALID_PARAMETER;
++      break;
++    }
++    DataSize += sizeof *RepeatingHeader + CertSize;
++  }
++  VA_END (Marker);
++
++  if (DataSize == sizeof *SingleHeader) {
++    Status = EFI_INVALID_PARAMETER;
++  }
++  if (EFI_ERROR (Status)) {
++    goto Out;
++  }
++
++  Data = AllocatePool (DataSize);
++  if (Data == NULL) {
++    Status = EFI_OUT_OF_RESOURCES;
++    goto Out;
++  }
++
++  Position = Data;
++
++  SingleHeader = (SINGLE_HEADER *)Position;
++  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
++  if (EFI_ERROR (Status)) {
++    goto FreeData;
++  }
++  SingleHeader->TimeStamp.Pad1       = 0;
++  SingleHeader->TimeStamp.Nanosecond = 0;
++  SingleHeader->TimeStamp.TimeZone   = 0;
++  SingleHeader->TimeStamp.Daylight   = 0;
++  SingleHeader->TimeStamp.Pad2       = 0;
++#if 0
++  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
++#else
++  //
++  // This looks like a bug in edk2. According to the UEFI specification,
++  // dwLength is "The length of the entire certificate, including the length of
++  // the header, in bytes". That shouldn't stop right after CertType -- it
++  // should include everything below it.
++  //
++  SingleHeader->dwLength         = sizeof *SingleHeader
++                                     - sizeof SingleHeader->TimeStamp;
++#endif
++  SingleHeader->wRevision        = 0x0200;
++  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
++  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
++  Position += sizeof *SingleHeader;
++
++  VA_START (Marker, VendorGuid);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN            CertSize;
++    CONST EFI_GUID   *OwnerGuid;
++
++    CertSize  = VA_ARG (Marker, UINTN);
++    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
++
++    RepeatingHeader = (REPEATING_HEADER *)Position;
++    CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
++    RepeatingHeader->SignatureListSize   = sizeof *RepeatingHeader + CertSize;
++    RepeatingHeader->SignatureHeaderSize = 0;
++    RepeatingHeader->SignatureSize       =
++      sizeof RepeatingHeader->SignatureOwner + CertSize;
++    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
++    Position += sizeof *RepeatingHeader;
++
++    CopyMem (Position, Cert, CertSize);
++    Position += CertSize;
++  }
++  VA_END (Marker);
++
++  ASSERT (Data + DataSize == Position);
++
++  Status = gRT->SetVariable (VariableName, VendorGuid,
++                  (EFI_VARIABLE_NON_VOLATILE |
++                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
++                   EFI_VARIABLE_RUNTIME_ACCESS |
++                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
++                  DataSize, Data);
++
++FreeData:
++  FreePool (Data);
++
++Out:
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
++      VendorGuid, Status);
++  }
++  return Status;
++}
++
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetExact (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  OUT VOID    *Data,
++  IN UINTN    DataSize,
++  IN BOOLEAN  AllowMissing
++  )
++{
++  UINTN      Size;
++  EFI_STATUS Status;
++
++  Size = DataSize;
++  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
++  if (EFI_ERROR (Status)) {
++    if (Status == EFI_NOT_FOUND && AllowMissing) {
++      ZeroMem (Data, DataSize);
++      return EFI_SUCCESS;
++    }
++
++    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
++      VendorGuid, Status);
++    return Status;
++  }
++
++  if (Size != DataSize) {
++    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
++      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  return EFI_SUCCESS;
++}
++
++typedef struct {
++  UINT8 SetupMode;
++  UINT8 SecureBoot;
++  UINT8 SecureBootEnable;
++  UINT8 CustomMode;
++  UINT8 VendorKeys;
++} SETTINGS;
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetSettings (
++  OUT SETTINGS *Settings
++  )
++{
++  EFI_STATUS Status;
++
++  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
++             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
++             sizeof Settings->SecureBootEnable, TRUE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
++  return Status;
++}
++
++STATIC
++VOID
++EFIAPI
++PrintSettings (
++  IN CONST SETTINGS *Settings
++  )
++{
++  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
++    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
++    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
++}
++
++
++INTN
++EFIAPI
++ShellAppMain (
++  IN UINTN  Argc,
++  IN CHAR16 **Argv
++  )
++{
++  EFI_STATUS Status;
++  SETTINGS   Settings;
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 1) {
++    AsciiPrint ("error: already in User Mode\n");
++    return 1;
++  }
++
++  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
++    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
++    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                    (EFI_VARIABLE_NON_VOLATILE |
++                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
++                    sizeof Settings.CustomMode, &Settings.CustomMode);
++    if (EFI_ERROR (Status)) {
++      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++        &gEfiCustomModeEnableGuid, Status);
++      return 1;
++    }
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_IMAGE_SECURITY_DATABASE,
++             &gEfiImageSecurityDatabaseGuid,
++             MicrosoftPCA,    sizeof MicrosoftPCA,    &gEfiCallerIdGuid,
++             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_KEY_EXCHANGE_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             ExampleCert,  sizeof ExampleCert,  &gEfiCallerIdGuid,
++             MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfX509Certs (
++             EFI_PLATFORM_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
++  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++                  sizeof Settings.CustomMode, &Settings.CustomMode);
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++      &gEfiCustomModeEnableGuid, Status);
++    return 1;
++  }
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
++      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
++      Settings.VendorKeys != 0) {
++    AsciiPrint ("error: unexpected\n");
++    return 1;
++  }
++
++  AsciiPrint ("info: success\n");
++  return 0;
++}
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+new file mode 100644
+index 0000000..ac919bb
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+@@ -0,0 +1,51 @@
++## @file
++#  Enroll default PK, KEK, DB.
++#
++#  Copyright (C) 2014, Red Hat, Inc.
++#
++#  This program and the accompanying materials are licensed and made available
++#  under the terms and conditions of the BSD License which accompanies this
++#  distribution. The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.
++#
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
++#  IMPLIED.
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010006
++  BASE_NAME                      = EnrollDefaultKeys
++  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
++  MODULE_TYPE                    = UEFI_APPLICATION
++  VERSION_STRING                 = 0.1
++  ENTRY_POINT                    = ShellCEntryLib
++
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  EnrollDefaultKeys.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  SecurityPkg/SecurityPkg.dec
++  ShellPkg/ShellPkg.dec
++
++[Guids]
++  gEfiCertPkcs7Guid
++  gEfiCertX509Guid
++  gEfiCustomModeEnableGuid
++  gEfiGlobalVariableGuid
++  gEfiImageSecurityDatabaseGuid
++  gEfiSecureBootEnableDisableGuid
++
++[LibraryClasses]
++  BaseMemoryLib
++  DebugLib
++  MemoryAllocationLib
++  ShellCEntryLib
++  UefiLib
++  UefiRuntimeServicesTableLib
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index fa9661c..e2e6ba3 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -764,6 +764,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 667584a..a0ae1aa 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -773,6 +773,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 5ae8469..87cee52 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -771,6 +771,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
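Review bot: In ShellAppMain of the added EnrollDefaultKeys.c, every `return 1` taken after the first SetVariable on EFI_CUSTOM_MODE_NAME leaves CustomMode at CUSTOM_SECURE_BOOT_MODE. If the db enrollment succeeds and the KEK or PK enrollment then fails, the tool exits with a partly populated key store and custom mode still switched on. Route those failures through a single exit path that writes STANDARD_SECURE_BOOT_MODE back before returning. In EnrollListOfX509Certs, the `#if 0` dwLength branch is dead code: keep the comment explaining the edk2 behaviour and drop the disabled assignment. PK and KEK are both populated from `ExampleCert`, so the file header or the recipe should say plainly what that certificate is and that a machine locked down with it is a test configuration.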
diff --git a/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
new file mode 100644
index 0000000..1d2f16b
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
@@ -0,0 +1,4 @@
+# short-description: Create an EFI disk image with just the EFI system partition
+
+part / --source rootfs --ondisk sda --fstype=vfat --align 1024
+bootloader --ptable gpt --timeout=5
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index c4eedf0..ef61b16 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 
 SRC_URI_append_class-target = " \
 	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
+	file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
 "
 
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
@@ -136,6 +137,9 @@ do_compile_class-target() {
     ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
+    for i in Shell.efi EnrollDefaultKeys.efi; do
+        ln ${build_dir}/${OVMF_ARCH}/$i ${WORKDIR}/ovmf/$i
+    done
 }
 
 do_install_class-native() {
@@ -147,8 +151,20 @@ do_install_class-target() {
     # Traditional location.
     install -d ${D}${datadir}/ovmf
     install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
+    # Content for UEFI shell iso. We install the EFI shell as
+    # bootx64/ia32.efi because then it can be started even when the
+    # firmware itself does not contain it.
+    install -d ${D}/efi/boot
+    install ${WORKDIR}/ovmf/Shell.efi ${D}/efi/boot/boot${@ "ia32" if "${TARGET_ARCH}" != "x86_64" else "x64"}.efi
+    install ${WORKDIR}/ovmf/EnrollDefaultKeys.efi ${D}
 }
 
+PACKAGES =+ "ovmf-shell-efi"
+FILES_ovmf-shell-efi = " \
+    EnrollDefaultKeys.efi \
+    efi/ \
+"
+
 inherit deploy
 do_deploy() {
 }
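Review bot: The two new `install` calls for Shell.efi and EnrollDefaultKeys.efi carry no `-m` mode, unlike the `install -m 0755` just above, and they place files at the top level of `${D}` (`/EnrollDefaultKeys.efi`, `/efi/boot`). Give both an explicit mode and extend the comment to say that this layout exists only so the `ovmf-shell-efi` package can be turned into the EFI system partition by ovmf-shell-image.wks, otherwise the paths look like a packaging mistake. The inline `${@ "ia32" if ... else "x64"}` expression would also read better as a named variable set once near `OVMF_ARCH`.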
-- 
2.1.4




* [PATCH 8/9] runqemu: support UEFI with OVMF firmware
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

In the simplest case, "runqemu qemux86 <some-image> qcow2 ovmf" for an
EFI-enabled image in the qcow2 format will locate the OVMF firmware file,
override the graphics hardware with "-vga std" because that is all
that OVMF supports, and boot with UEFI enabled. This depends on
"bitbake ovmf" deploying an "ovmf.qcow2" firmware file in the image deploy
directory.

The firmware file is activated as a flash drive instead of using the
qemu BIOS parameters, because that is the recommended method
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764918#47) as it
allows storing UEFI variables in the file.

Instead of just "ovmf", a full path to an existing file can also be
used, just as with the rootfs. That may be useful when making a
permanent copy of the virtual machine data files.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 scripts/runqemu | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 203992a..257dcec 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -74,6 +74,7 @@ of the following environment variables (in any order):
     kvm-vhost - enable KVM with vhost when running x86/x86_64 (VT-capable CPU required)
     publicvnc - enable a VNC server open to all hosts
     audio - enable audio
+    [*/]ovmf* - OVMF BIOS file or base name for booting with UEFI
   tcpserial=<port> - specify tcp serial port number
   biosdir=<dir> - specify custom bios dir
   biosfilename=<filename> - specify bios filename
@@ -162,6 +163,12 @@ class BaseConfig(object):
         self.clean_nfs_dir = False
         self.nfs_server = ''
         self.rootfs = ''
+        # File name of a OVMF BIOS file, to be added with -drive if=pflash.
+        # Found in the same places as the rootfs, with or without one of
+        # these suffices: qcow2, bin.
+        # Setting one also adds "-vga std" because that is all that
+        # OVMF supports.
+        self.ovmf_bios = ''
         self.qemuboot = ''
         self.qbconfload = False
         self.kernel = ''
@@ -369,6 +376,8 @@ class BaseConfig(object):
                 self.qemu_opt_script += ' %s' % arg[len('qemuparams='):]
             elif arg.startswith('bootparams='):
                 self.kernel_cmdline_script += ' %s' % arg[len('bootparams='):]
+            elif os.path.basename(arg).startswith('ovmf'):
+                self.ovmf_bios = arg
             elif os.path.exists(arg) or (re.search(':', arg) and re.search('/', arg)):
                 self.check_arg_path(os.path.abspath(arg))
             elif re.search('-image-', arg):
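Review bot: The new `elif os.path.basename(arg).startswith('ovmf')` test sits ahead of the `os.path.exists(arg)` and `-image-` branches, so any argument whose base name begins with "ovmf" is taken as the firmware file, including an image or rootfs whose name starts with ovmf-shell-image. Move the test after the path and image checks, or use an explicit key in the style of `biosfilename=<filename>`, so the firmware argument cannot swallow the image argument.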
@@ -472,6 +481,20 @@ class BaseConfig(object):
         if not os.path.exists(self.rootfs):
             raise Exception("Can't find rootfs: %s" % self.rootfs)
 
+    def check_ovmf(self):
+        """Check and set full path for OVMF BIOS file."""
+
+        if self.ovmf_bios is None or os.path.exists(self.ovmf_bios):
+            return
+
+        for suffix in ('qcow2', 'bin'):
+            ovmf_bios = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), self.ovmf_bios, suffix)
+            if os.path.exists(ovmf_bios):
+                self.ovmf_bios = ovmf_bios
+                return
+
+        raise Exception("Can't find OVMF BIOS: %s" % self.ovmf_bios)
+
     def check_kernel(self):
         """Check and set kernel, dtb"""
         # The vm image doesn't need a kernel
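Review bot: `check_ovmf` returns early only when `self.ovmf_bios is None`, but `__init__` sets the attribute to `''`, so a run without any ovmf argument falls through to the suffix loop, finds nothing and raises "Can't find OVMF BIOS: ". Test `if not self.ovmf_bios or os.path.exists(self.ovmf_bios)` instead. The lookup also tries only DEPLOY_DIR_IMAGE, while the comment in `__init__` says the file is found in the same places as the rootfs; make the comment and the code agree.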
@@ -562,6 +585,7 @@ class BaseConfig(object):
         self.check_kvm()
         self.check_fstype()
         self.check_rootfs()
+        self.check_ovmf()
         self.check_kernel()
         self.check_biosdir()
         self.check_mem()
@@ -670,6 +694,8 @@ class BaseConfig(object):
             print('NFS_DIR: [%s]' % self.nfs_dir)
         else:
             print('ROOTFS: [%s]' % self.rootfs)
+        if self.ovmf_bios:
+            print('OVMF: [%s]' % self.ovmf_bios)
         print('CONFFILE: [%s]' % self.qemuboot)
         print('')
 
@@ -926,7 +952,16 @@ class BaseConfig(object):
 
         check_libgl(qemu_bin)
 
-        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script)
+        self.qemu_opt = "%s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
+
+        if self.ovmf_bios:
+            format = self.ovmf_bios.rsplit('.', 1)[-1]
+            self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, self.ovmf_bios)
+            # OVMF only supports normal VGA, i.e. we need to override a -vga vmware
+            # that gets added for example for normal qemux86.
+            self.qemu_opt += ' -vga std'
+
+        self.qemu_opt += ' ' + self.qemu_opt_script
 
         if self.snapshot:
             self.qemu_opt += " -snapshot"
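Review bot: `format = self.ovmf_bios.rsplit('.', 1)[-1]` passes the file suffix straight into `-drive if=pflash,format=%s`, which is right for `qcow2` but not for the `bin` suffix that `check_ovmf` also accepts, because a raw firmware image has to be given as `format=raw`; a path with no dot would put the whole path into the option. Map the suffix explicitly (qcow2 to qcow2, bin to raw), raise on anything else, and rename the local so it does not shadow the builtin `format`.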
-- 
2.1.4




* [PATCH 7/9] runqemu: let command line parameters override defaults
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

It may be necessary to override the parameters gathered for the qemu
invocation. For example, the qemux86 machine configuration sets "-vga
vmware", but when using OVMF as BIOS, only "-vga std" is supported.

By putting the parameters derived from custom runqemu parameters like
"qemuparams" after the parameters derived from the machine
configuration the user gets the possibility to override those.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 scripts/runqemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 0a9cb94..203992a 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -926,7 +926,7 @@ class BaseConfig(object):
 
         check_libgl(qemu_bin)
 
-        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.qemu_opt_script, self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'))
+        self.qemu_opt = "%s %s %s %s %s" % (qemu_bin, self.get('NETWORK_CMD'), self.get('ROOTFS_OPTIONS'), self.get('QB_OPT_APPEND'), self.qemu_opt_script)
 
         if self.snapshot:
             self.qemu_opt += " -snapshot"
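Review bot: The position of `self.qemu_opt_script` in this format string is now what makes user parameters win over the machine configuration, but nothing at this line or in the usage text says the order is significant. Add a comment here and a sentence to the usage text, and note that the override only holds for options where qemu honours the last occurrence (the `-vga` case from the commit message), not for options that accumulate such as `-drive`.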
-- 
2.1.4




* [PATCH 6/9] ovmf_git.bb: enable Secure Boot
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

The recipe now compiles OVMF twice, once without Secure Boot, once
with. This is the same approach as in
https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

The results are "ovmf.qcow2" and "ovmf.secboot.qcow2" in the
image deploy directory, so
  runqemu <machine> <image> ovmf.secboot
will boot with Secure Boot enabled.

In contrast to Fedora, no attempt is made to strip potentially patent
encumbered algorithms out of the OpenSSL archive. OVMF does not use
the ones considered problematic for Fedora, so this shouldn't be a
problem.

Fixes: luv-yocto/#38

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 67e65b8..c4eedf0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -1,6 +1,6 @@
 DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
 HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
-LICENSE = "BSD"
+LICENSE = "BSD & OpenSSL"
 LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
 
 SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
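Review bot: `LICENSE` gains `OpenSSL`, but `LIC_FILES_CHKSUM` on the next line still covers only `OvmfPkg/License.txt`, so a change to the license text in the bundled OpenSSL tarball would go unnoticed. Add the license file from the unpacked OpenSSL tree to `LIC_FILES_CHKSUM`. Since OpenSSL is only linked into the Secure Boot build, also consider stating that in a comment next to `LICENSE`.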
@@ -10,7 +10,13 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
         "
 
+SRC_URI_append_class-target = " \
+	http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib \
+"
+
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
+SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
 
 PARALLEL_MAKE_class-native = ""
 
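Review bot: The OpenSSL tarball in `SRC_URI_append_class-target` is fetched over plain `http://`. The `SRC_URI[openssl.sha256sum]` entry pins the content, so a tampered download would be rejected, but the URL should still be `https://`. The version `1.0.2j` is fixed here while do_compile later in this patch locates the tree with `openssl-*` globs; a single version variable used in both places would keep them in step.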
@@ -30,6 +36,10 @@ BUILD_OPTIMIZATION="-pipe"
 # OVMF supports IA only, although it could conceivably support ARM someday.
 COMPATIBLE_HOST='(i.86|x86_64).*'
 
+# Additional build flags for OVMF with Secure Boot.
+# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
+OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE"
+
 do_patch_append_class-native() {
     bb.build.exec_func('do_fix_iasl', d)
     bb.build.exec_func('do_fix_toolchain', d)
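Review bot: The comment above `OVMF_SECURE_BOOT_FLAGS` lists `-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD` as what Fedora passes but does not say why they are left out here. State the reason and what it means for the resulting firmware, since a reader will otherwise assume the `ovmf.secboot` build is equivalent to Fedora's Secure Boot build.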
@@ -110,8 +120,22 @@ do_compile_class-target() {
     bbnote FIXED_GCCVER is ${FIXED_GCCVER}
     build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
+    bbnote "Building without Secure Boot."
+    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
     ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
+
+    # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
+    # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
+    # building with Secure Boot enabled.
+    bbnote "Building with Secure Boot."
+    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
+    if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
+        ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
+    fi
+    ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
+    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.secboot.fd
 }
 
 do_install_class-native() {
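Review bot: Patching OpenSSL and running `Install.sh` inside `do_compile_class-target`, guarded by the `edk2-patch-applied` marker file, changes the source tree from the compile step; this belongs in do_patch or a function run right after it, so that do_compile stays repeatable and the marker file is not needed. The `openssl-*` and `EDKII_openssl-*.patch` globs also assume exactly one match: with two matches `[ -f ... ]` receives extra operands and the `<$(echo ...)` redirect expands to two words. Name the directory and patch file explicitly.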
@@ -131,6 +155,7 @@ do_deploy() {
 do_deploy_class-target() {
     # For use with "runqemu ovmf".
     qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
+    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.secboot.fd ${DEPLOYDIR}/ovmf.secboot.qcow2
 }
 addtask do_deploy after do_compile before do_build
 
-- 
2.1.4




* [PATCH 5/9] ovmf_git.bb: enable parallel compilation
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

The Fedora srpm [1] seems to have no problems with parallel
compilation, so let's also use that for the target. The native
tools however indeed have dependency problems:

| test_Ecc_CParser (CheckPythonSyntax.Tests) ... gcc -o ../bin/EfiRom -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -L/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath-link,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/usr/lib -Wl,-rpath,/fast/build/ostro/x86/tmp-glibc/sysroots/x86_64-linux/lib -Wl,-O1 EfiRom.o -L../libs -lCommon
| /usr/bin/ld: cannot find -lCommon
| collect2: error: ld returned 1 exit status

ERROR: Task (virtual:native:.../meta/recipes-core/ovmf/ovmf_git.bb:do_compile) failed with exit code '1'

[1] https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index d0441d1..67e65b8 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,7 +12,7 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
 
 SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
 
-PARALLEL_MAKE = ""
+PARALLEL_MAKE_class-native = ""
 
 S = "${WORKDIR}/git"
 
@@ -92,6 +92,7 @@ do_compile_class-native() {
 
 do_compile_class-target() {
     export LFLAGS="${LDFLAGS}"
+    PARALLEL_JOBS="${@ '${PARALLEL_MAKE}'.replace('-j', '-n')}"
     OVMF_ARCH="X64"
     if [ "${TARGET_ARCH}" != "x86_64" ] ; then
         OVMF_ARCH="IA32"
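Review bot: `'${PARALLEL_MAKE}'.replace('-j', '-n')` rewrites the option text instead of parsing it, so any other make option present in `PARALLEL_MAKE` (a `-l` load limit, for instance) is handed to `build.sh` unchanged, and a value containing a single quote would break the inline Python string. Read the variable with `d.getVar('PARALLEL_MAKE')`, extract only the job count, and build the `-n <count>` argument from that.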
@@ -109,7 +110,7 @@ do_compile_class-target() {
     bbnote FIXED_GCCVER is ${FIXED_GCCVER}
     build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
 
-    ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
 }
 
-- 
2.1.4




* [PATCH 4/9] ovmf: deploy firmware in image directory
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

When used with '-drive if=pflash', qemu will store UEFI variables
inside the firmware image file. That is unexpected for a file located in
the sysroot, which should be read-only, while it is normal for image
files in the deploy/images directory. Therefore that directory is a
better place for use with runqemu.

The name was chosen so that "runqemu ovmf" can be used as shorthand for
"runqemu <full path>/ovmf.qcow2" by treating "ovmf" as the base name
of the BIOS file. "ovmf_secboot.qcow2" is meant to be used for the
Secure Boot enabled BIOS. qcow2 is used because it is needed for
"savevm" snapshots of a virtual machine.

Alternatively, OVMF_CODE.fd (read-only) and OVMF_VARS.fd (read/write)
could be used. That would then allow updating the firmware of an
existing machine without wiping out the variables set
earlier. Configuring that in qemu would be more complicated, so for
now the simpler approach with combined code and variable store is
used.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 13b583b..d0441d1 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -16,7 +16,7 @@ PARALLEL_MAKE = ""
 
 S = "${WORKDIR}/git"
 
-DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
+DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native qemu-native"
 
 DEPENDS_class-target="ovmf-native"
 
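Review bot: `qemu-native` is added to `DEPENDS_class-native`, but the tool it provides, `qemu-img`, is called from `do_deploy_class-target` further down in this patch, so the target build only gets it indirectly through `DEPENDS_class-target="ovmf-native"`. Declare the dependency for the target as well, so the requirement is stated where it is used.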
@@ -97,9 +97,20 @@ do_compile_class-target() {
         OVMF_ARCH="IA32"
     fi
 
+    # ${WORKDIR}/ovmf is a well-known location where do_install and
+    # do_deploy will be able to find the files.
+    rm -rf ${WORKDIR}/ovmf
+    mkdir ${WORKDIR}/ovmf
+    OVMF_DIR_SUFFIX="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
+    fi
     FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
-    echo FIXED_GCCVER is ${FIXED_GCCVER}
+    bbnote FIXED_GCCVER is ${FIXED_GCCVER}
+    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+
     ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+    ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/OVMF.fd
 }
 
 do_install_class-native() {
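Review bot: the added OVMF_DIR_SUFFIX block in do_compile_class-target repeats the TARGET_ARCH test that already sets OVMF_ARCH a few lines above it; setting both variables in that one conditional would keep the two from drifting apart. The new ln and mkdir lines also use ${WORKDIR} and ${build_dir} unquoted, so quoting them would be safer, and a short comment on why a hard link is used instead of a copy would help the next reader.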
@@ -108,16 +119,18 @@ do_install_class-native() {
 }
 
 do_install_class-target() {
-    OVMF_DIR_SUFFIX="X64"
-    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
-        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
-    fi
+    # Traditional location.
     install -d ${D}${datadir}/ovmf
+    install -m 0755 ${WORKDIR}/ovmf/OVMF.fd ${D}${datadir}/ovmf/bios.bin
+}
 
-    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
-    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
-    install -m 0755 ${build_dir}/FV/OVMF.fd \
-	${D}${datadir}/ovmf/bios.bin
+inherit deploy
+do_deploy() {
+}
+do_deploy_class-target() {
+    # For use with "runqemu ovmf".
+    qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/OVMF.fd ${DEPLOYDIR}/ovmf.qcow2
 }
+addtask do_deploy after do_compile before do_build
 
 BBCLASSEXTEND = "native"
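Review bot: the new install line in do_install_class-target keeps mode 0755 for bios.bin, although the firmware image is data and nothing executes it on the target; 0644 would be the expected mode. Separately, the empty do_deploy() next to do_deploy_class-target deserves a one-line comment saying that the native variant intentionally deploys nothing, and the commit message mentions ovmf_secboot.qcow2 without this hunk producing it, so it is worth stating that a later patch adds that file.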
-- 
2.1.4



^ permalink raw reply related

* [PATCH 3/9] ovmf: explicitly depend on nasm-native
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

Fixes a build issue when nasm was not built already because of
something else.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index e722db5..13b583b 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -20,6 +20,8 @@ DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
 
 DEPENDS_class-target="ovmf-native"
 
+DEPENDS_append = " nasm-native"
+
 EDK_TOOLS_DIR="edk2_basetools"
 
 # OVMF has trouble building with the default optimization of -O2.
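Review bot: DEPENDS_append = " nasm-native" applies to both the native and the target variant, while the neighbouring lines set DEPENDS per class, and the commit message does not say which variant failed without nasm. If only the target firmware build needs it, adding nasm-native to DEPENDS_class-target would be narrower; either way a one-line comment naming what invokes nasm would document why the dependency exists.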
-- 
2.1.4



^ permalink raw reply related

* [PATCH 2/9] iasl: move from meta-luv to OE-core
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri; +Cc: meta-luv
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

From: meta-luv <luv@lists.01.org>

This is an unmodified copy of
github.com/01org/luv-yocto/meta-luv/recipes-extended/iasl revision
4be4329.

iasl is also provided by the meta-oe layer's acpica recipe. iasl is a
bit simpler and thus seems more suitable for OE-core.

When the meta-oe layer is active, PREFERRED_PROVIDER_iasl-native must
be set to avoid a warning. It can be set to "acpica-native" when
something from acpica besides just iasl is needed.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 meta/recipes-extended/iasl/iasl_20120215.bb | 27 +++++++++++++++++++++++++++
 meta/recipes-extended/iasl/iasl_20150410.bb | 27 +++++++++++++++++++++++++++
 meta/recipes-extended/iasl/iasl_20150515.bb | 27 +++++++++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb

diff --git a/meta/recipes-extended/iasl/iasl_20120215.bb b/meta/recipes-extended/iasl/iasl_20120215.bb
new file mode 100644
index 0000000..a14d2ec
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20120215.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://asldefine.h;endline=115;md5=d4d7cf809b8b5e03131327b3f718e8f0"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "324c89e5bb9002e2711e0494290ceacc"
+SRC_URI[sha256sum] = "b2b497415f29ddbefe7be8b9429b62c1f1f6e1ec11456928e4e7da86578e5b8d"
+
+S="${WORKDIR}/acpica-unix-${PV}/source/compiler"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	CFLAGS="-Wno-error=redundant-decls" $MAKE
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/iasl ${D}${prefix}/bin
+}
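Review bot: the DESCRIPTION at the top of iasl_20120215.bb describes an 8086 C compiler, assembler and linker, not the ACPI compiler this recipe builds, so it looks copied from another recipe and should be replaced with text about iasl. In do_compile, the bare $MAKE call could become oe_runmake so that the usual make options from the build environment are applied, and do_install would be clearer as install -d followed by install -m 0755 than as mkdir and cp.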
diff --git a/meta/recipes-extended/iasl/iasl_20150410.bb b/meta/recipes-extended/iasl/iasl_20150410.bb
new file mode 100644
index 0000000..4e44817
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20150410.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "7b49c79728dde65ab1ba4edbee6f0b22"
+SRC_URI[sha256sum] = "1dce8d9edeb234fd553806987471f6206f429c2aab45556f62a5b2bfe2464875"
+
+S="${WORKDIR}/acpica-unix-${PV}"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	make iasl
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
+}
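Review bot: do_compile in iasl_20150410.bb calls make iasl directly, which bypasses oe_runmake and therefore EXTRA_OEMAKE; using oe_runmake iasl would keep the build consistent with other recipes. The DESCRIPTION line carries the same 8086 compiler text as the 20120215 recipe and needs the same correction, and cp in do_install leaves the file mode to whatever the build produced, where install -m 0755 would set it explicitly.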
diff --git a/meta/recipes-extended/iasl/iasl_20150515.bb b/meta/recipes-extended/iasl/iasl_20150515.bb
new file mode 100644
index 0000000..c7e1cd5
--- /dev/null
+++ b/meta/recipes-extended/iasl/iasl_20150515.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "This is a cross development C compiler, assembler and linker environment for the production of 8086 executables (Optionally MSDOS COM)"
+HOMEPAGE = "http://www.acpica.org/"
+LICENSE = "Intel-ACPI"
+LIC_FILES_CHKSUM = "file://Makefile;endline=22;md5=b15414d545d190713f1bab9023dba3be"
+SECTION = "console/tools"
+PR="r1"
+
+DEPENDS="flex-native bison-native"
+
+SRC_URI="https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "c8c128b2d4859b52bc9c802faba2e908"
+SRC_URI[sha256sum] = "bfa1f296a3cc13421331dbaad3b62e0184678cc312104c3e8ac799ead0742c45"
+
+S="${WORKDIR}/acpica-unix-${PV}"
+
+NATIVE_INSTALL_WORKS = "1"
+BBCLASSEXTEND = "native"
+
+do_compile() {
+	make iasl
+}
+
+do_install() {
+	mkdir -p ${D}${prefix}/bin
+	cp ${S}/generate/unix/bin/iasl ${D}${prefix}/bin
+}
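Review bot: iasl_20150515.bb is line for line the same as iasl_20150410.bb except for the two SRC_URI checksums, and the commit message gives no reason for carrying three versions of the tool. If OE-core only needs one version for OVMF, dropping the older two would reduce maintenance; if several are needed, the shared lines belong in a common iasl.inc with only the checksums and LIC_FILES_CHKSUM left in the versioned files.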
-- 
2.1.4



^ permalink raw reply related

* [PATCH 1/9] ovmf: move from meta-luv to OE-core
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri; +Cc: meta-luv
In-Reply-To: <cover.1482324587.git.patrick.ohly@intel.com>

From: meta-luv <luv@lists.01.org>

This is an unmodified copy of
github.com/01org/luv-yocto/meta-luv/recipes-core/ovmf revision
4be4329.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 ...s-Force-tools-variables-to-host-toolchain.patch |  48 ++++++++
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    | 110 +++++++++++++++++++
 ...0002-ovmf-update-path-to-native-BaseTools.patch |  32 ++++++
 ...makefile-adjust-to-build-in-under-bitbake.patch |  39 +++++++
 meta/recipes-core/ovmf/ovmf_git.bb                 | 121 +++++++++++++++++++++
 5 files changed, 350 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb

diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
new file mode 100644
index 0000000..644b99d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
@@ -0,0 +1,48 @@
+From 6e24bde1979c2d7149b37d142fb882dfde0e9770 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt.fleming@intel.com>
+Date: Fri, 27 Jun 2014 11:12:18 +0100
+Subject: [PATCH] BaseTools: Force tools variables to host toolchain
+
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+---
+ BaseTools/Source/C/Makefiles/app.makefile | 7 +++++++
+ BaseTools/Source/C/VfrCompile/GNUmakefile | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/BaseTools/Source/C/Makefiles/app.makefile b/BaseTools/Source/C/Makefiles/app.makefile
+index 19269a1..62aad0f 100644
+--- a/BaseTools/Source/C/Makefiles/app.makefile
++++ b/BaseTools/Source/C/Makefiles/app.makefile
+@@ -16,6 +16,13 @@ include $(MAKEROOT)/Makefiles/header.makefile
+ 
+ APPLICATION = $(MAKEROOT)/bin/$(APPNAME)
+ 
++CC = gcc
++CXX = g++
++AS = gcc
++AR = ar
++LD = ld
++LINKER = $(CC)
++
+ .PHONY:all
+ all: $(MAKEROOT)/bin $(APPLICATION) 
+ 
+diff --git a/BaseTools/Source/C/VfrCompile/GNUmakefile b/BaseTools/Source/C/VfrCompile/GNUmakefile
+index 82005e1..5ac5f7e 100644
+--- a/BaseTools/Source/C/VfrCompile/GNUmakefile
++++ b/BaseTools/Source/C/VfrCompile/GNUmakefile
+@@ -26,6 +26,11 @@ OBJECTS = AParser.o DLexerBase.o ATokenBuffer.o EfiVfrParser.o VfrLexer.o VfrSyn
+ 
+ VFR_CPPFLAGS = -DPCCTS_USE_NAMESPACE_STD $(CPPFLAGS)
+ 
++CC = gcc
++CXX = g++
++AS = gcc
++AR = ar
++LD = ld
+ LINKER = $(BUILD_CXX)
+ 
+ EXTRA_CLEAN_OBJECTS = EfiVfrParser.cpp EfiVfrParser.h VfrParser.dlg VfrTokens.h VfrLexer.cpp VfrLexer.h VfrSyntax.cpp tokens.h
+-- 
+1.9.0
+
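Review bot: the embedded BaseTools patch has an empty description and no Upstream-Status line, so a reader cannot tell why the tool variables must be forced or whether the change was offered to edk2. It also hard-codes CC = gcc, CXX = g++, AR = ar and LD = ld in app.makefile and VfrCompile/GNUmakefile, which ignores whatever host compiler the build is configured to use; taking the values from the environment, or at least explaining in the patch header why literal names are required, would make this easier to maintain.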
diff --git a/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
new file mode 100644
index 0000000..4531a6d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
@@ -0,0 +1,110 @@
+From 66a4020c3c2163aeffc9757851f33c346ecfd870 Mon Sep 17 00:00:00 2001
+From: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Date: Mon, 4 Apr 2016 12:15:12 -0700
+Subject: [PATCH] OvmfPkg: Enable BGRT in OVMF
+
+By default, firmware (OVMF - Open source Virtual Machine Firmware)
+never publishes BGRT (Boot Graphics Resource Table) and in the boot
+process Linux kernel checks for this table and if it fails to find BGRT
+table then corresponding code in Linux kernel is not executed. EDK II
+(EFI Development Kit, thus OVMF) already has BGRT source code packaged
+into it but it is excluded from the build process of OVMF. These changes
+to build system of OVMF enables BGRT in 32-bit and 64-bit OVMF.
+
+There are only two files that need to be modified in order to do this.
+The first one being OvmfPkg*.dsc (this file describes the platform) and
+the second one being OvmfPkg*.fdf (this file describes firmware descriptor
+volume). A *.inf file (here "BootGraphicsResourceTableDxe.inf")
+describes a module (here BGRT). So, include
+"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.dsc" so that BGRT
+source code will be compiled and "BootGraphicsResourceTableDxe.efi" file
+is generated and we should also include
+"BootGraphicsResourceTableDxe.inf" file in "OvmfPkg*.fdf" file so that
+"BootGraphicsResourceTableDxe.efi" will be placed in a firmware volume
+and thus gets published.
+
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 1 +
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 +
+ OvmfPkg/OvmfPkgX64.dsc     | 1 +
+ OvmfPkg/OvmfPkgX64.fdf     | 1 +
+ 6 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 9e5b477..0582219 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -647,6 +647,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index fc203f2..f968cb7 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 6e4da4f..8289385 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -656,6 +656,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index d3f46f3..282d40b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY USE = X64 FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 3d6d43e..0f956a7 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -654,6 +654,7 @@
+   OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+   MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+   # Network Support
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 15ef13a..9708fd5 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -274,6 +274,7 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  OvmfPkg/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  RuleOverride = BINARY FatBinPkg/EnhancedFatDxe/Fat.inf
+ 
+-- 
+2.7.4
+
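Review bot: this embedded patch changes the firmware's feature set by adding BootGraphicsResourceTableDxe.inf to every OvmfPkg .dsc and .fdf file, rather than adapting the build to bitbake, and it has no Upstream-Status line. The cover letter motivates the series with UEFI and Secure Boot support in qemu, so it is worth stating whether OE-core needs BGRT at all or whether this patch is only carried because the recipe was copied unmodified from meta-luv.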
diff --git a/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
new file mode 100644
index 0000000..94029a5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
@@ -0,0 +1,32 @@
+From 9e632e3f9edd09632cc877dff6ea57608f979aab Mon Sep 17 00:00:00 2001
+From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Date: Thu, 9 Jun 2016 02:23:01 -0700
+Subject: [PATCH] ovmf: update path to native BaseTools
+
+BaseTools is a set of utilities to build EDK-based firmware. These utilities
+are used during the build process. Thus, they need to be built natively.
+When cross-compiling, we need to provide a path to the location of these
+tools. The BBAKE_EDK_TOOLS_PATH string is used as a pattern to be replaced
+with the appropriate location before building.
+
+Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+---
+ OvmfPkg/build.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/build.sh b/OvmfPkg/build.sh
+index eb5eb73..9058fca 100755
+--- a/OvmfPkg/build.sh
++++ b/OvmfPkg/build.sh
+@@ -30,7 +30,7 @@ then
+ # this assumes svn pulls have the same root dir
+ #  export EDK_TOOLS_PATH=`pwd`/../BaseTools
+ # This version is for the tools source in edk2
+-  export EDK_TOOLS_PATH=`pwd`/BaseTools
++  export EDK_TOOLS_PATH=BBAKE_EDK_TOOLS_PATH/BaseTools
+   echo $EDK_TOOLS_PATH
+   source edksetup.sh BaseTools
+ else
+-- 
+2.8.1
+
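Review bot: the changed export line in OvmfPkg/build.sh leaves the literal placeholder BBAKE_EDK_TOOLS_PATH in the script, which only works if the sed in do_fix_basetools_location runs afterwards; if that step is skipped, build.sh exports a path that does not exist and the failure shows up later in edksetup.sh. Letting build.sh honour an EDK_TOOLS_PATH that is already set in the environment would avoid rewriting the script, and the patch needs an Upstream-Status line either way.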
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
new file mode 100644
index 0000000..0fdc278
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -0,0 +1,39 @@
+From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001
+From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Date: Sun, 27 Nov 2016 18:42:55 -0800
+Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
+
+Prepend the build flags with those of bitbake. This is to build
+using the bitbake native sysroot include and library directories.
+
+Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
+---
+ BaseTools/Source/C/Makefiles/header.makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 821d114..fe0f08b 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -44,14 +44,14 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AArch64/
+ endif
+ 
+ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 
+-BUILD_CPPFLAGS = $(INCLUDE) -O2
++BUILD_CPPFLAGS := $(BUILD_CPPFLAGS) $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+ else
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS := $(BUILD_CFLAGS) -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
+ endif
+-BUILD_LFLAGS =
++BUILD_LFLAGS := $(LDFLAGS)
+ BUILD_CXXFLAGS =
+ 
+ ifeq ($(ARCH), IA32)
+-- 
+2.9.3
+
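Review bot: in header.makefile the new BUILD_CPPFLAGS and BUILD_CFLAGS lines prepend their own incoming values, but BUILD_LFLAGS is assigned from $(LDFLAGS) instead of $(BUILD_LFLAGS) or a BUILD_LDFLAGS value, and BUILD_CXXFLAGS is left empty; the description only says the flags are prepended with those of bitbake and does not explain the difference. Please either make the four variables consistent or say in the patch header why the linker flags come from a different variable. The From address and the Signed-off-by address also differ, and there is no Upstream-Status line.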
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
new file mode 100644
index 0000000..e722db5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -0,0 +1,121 @@
+DESCRIPTION = "OVMF - UEFI firmware for Qemu and KVM"
+HOMEPAGE = "http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
+
+SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
+	file://0001-BaseTools-Force-tools-variables-to-host-toolchain.patch \
+	file://0001-OvmfPkg-Enable-BGRT-in-OVMF.patch \
+	file://0002-ovmf-update-path-to-native-BaseTools.patch \
+	file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
+        "
+
+SRCREV="4575a602ca6072ee9d04150b38bfb143cbff8588"
+
+PARALLEL_MAKE = ""
+
+S = "${WORKDIR}/git"
+
+DEPENDS_class-native="util-linux-native iasl-native ossp-uuid-native"
+
+DEPENDS_class-target="ovmf-native"
+
+EDK_TOOLS_DIR="edk2_basetools"
+
+# OVMF has trouble building with the default optimization of -O2.
+BUILD_OPTIMIZATION="-pipe"
+
+# OVMF supports IA only, although it could conceivably support ARM someday.
+COMPATIBLE_HOST='(i.86|x86_64).*'
+
+do_patch_append_class-native() {
+    bb.build.exec_func('do_fix_iasl', d)
+    bb.build.exec_func('do_fix_toolchain', d)
+}
+
+do_fix_basetools_location() {
+    sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh
+}
+
+do_patch_append_class-target() {
+    bb.build.exec_func('do_fix_basetools_location', d)
+}
+
+
+do_fix_iasl() {
+    sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template
+}
+
+do_fix_toolchain(){
+    sed -i -e 's#DEF(ELFGCC_BIN)/#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template
+    sed -i -e 's#DEF(GCC.*PREFIX)#${TARGET_PREFIX}#' ${S}/BaseTools/Conf/tools_def.template
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/Makefiles/app.makefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nLFLAGS += ${BUILD_LDFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile
+    sed -i -e "s#^LINKER\(.*\)#LINKER\1\nCFLAGS += ${BUILD_CFLAGS}#" ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile
+}
+
+GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')"
+
+fixup_target_tools() {
+    case ${1} in
+      4.4.*)
+        FIXED_GCCVER=GCC44
+        ;;
+      4.5.*)
+        FIXED_GCCVER=GCC45
+        ;;
+      4.6.*)
+        FIXED_GCCVER=GCC46
+        ;;
+      4.7.*)
+        FIXED_GCCVER=GCC47
+        ;;
+      4.8.*)
+        FIXED_GCCVER=GCC48
+        ;;
+      4.9.*)
+        FIXED_GCCVER=GCC49
+        ;;
+      *)
+        FIXED_GCCVER=GCC5
+        ;;
+    esac
+    echo ${FIXED_GCCVER}
+}
+
+do_compile_class-native() {
+    oe_runmake -C ${S}/BaseTools
+}
+
+do_compile_class-target() {
+    export LFLAGS="${LDFLAGS}"
+    OVMF_ARCH="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_ARCH="IA32"
+    fi
+
+    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
+    echo FIXED_GCCVER is ${FIXED_GCCVER}
+    ${S}/OvmfPkg/build.sh -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER}
+}
+
+do_install_class-native() {
+    install -d ${D}/${bindir}/edk2_basetools
+    cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR}
+}
+
+do_install_class-target() {
+    OVMF_DIR_SUFFIX="X64"
+    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
+        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
+    fi
+    install -d ${D}${datadir}/ovmf
+
+    FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
+    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+    install -m 0755 ${build_dir}/FV/OVMF.fd \
+	${D}${datadir}/ovmf/bios.bin
+}
+
+BBCLASSEXTEND = "native"
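Review bot: GCC_VER is derived by taking the third field of the last line of ${CC} -v, and the catch-all branch in fixup_target_tools maps anything unrecognised, including an empty string when that parsing fails, to GCC5. A compiler whose version banner has a different layout would silently build with the GCC5 tool definitions; using ${CC} -dumpversion and failing with bbfatal on an unexpected value would make that visible. SRC_URI also fetches edk2 over git:// with branch=master, so the pinned SRCREV is the only thing identifying the content; adding ;protocol=https would be a cheap improvement.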
-- 
2.1.4



^ permalink raw reply related

* [PATCH 0/9] UEFI + Secure Boot + qemu
From: Patrick Ohly @ 2016-12-21 13:11 UTC (permalink / raw)
  To: openembedded-core, ricardo.neri

There seems to be a consensus that supporting UEFI in OE-core for qemu
would be valuable, and there have been some (stalled) attempts to add
it. For reference, see:
   [OE-core] [PATCH V3 0/3] Add UEFI firmware for qemux86*
   [OE-core] Add ovmf-native to make qemu-native/runqemu support boot UEFI image?
   https://bugzilla.yoctoproject.org/show_bug.cgi?id=5654
   https://github.com/01org/luv-yocto/issues/38

This patch set includes the necessary recipes (ovmf and iasl from
meta-luv), some improvements to them (in particular, enabling Secure
Boot), and changes to runqemu to make it easier to boot with UEFI. A
special image recipe builds an image which can be used to lock down a
virtual machine by enrolling the "normal" pre-installed certificates.

I decided to keep the setup simple and use just a single file for UEFI
code and variables because that makes the usage via runqemu very
easy. See the "runqemu: support UEFI with OVMF firmware" patch for
details. The downside is that the firmware can't be updated without
losing variables. I don't see a big need for long-lived virtual
machine instances, but would like to hear from others about that.

What's missing is automated testing of this new feature. I'm open for
suggestions here; right now I don't know enough about the automated
testing in the AB to propose something.

I've discussed the usage of ovmf/iasl with Ricardo and he agreed that
moving ovmf and iasl from meta-luv to OE-core makes sense. Ricardo,
would you be willing to act as maintainer of it there, like you did in
meta-luv?

Beware that "git am --keep-cr" must be used to import the ovmf patches
correctly.

The following changes since commit 5e21afc9395060b489156d3f90505a372b713f37:

  Revert "selftest/wic: extending test coverage for WIC script options" (2016-12-20 17:06:01 +0000)

are available in the git repository at:

  git://github.com/pohly/openembedded-core secure-boot
  https://github.com/pohly/openembedded-core/tree/secure-boot

Patrick Ohly (7):
  ovmf: explicitly depend on nasm-native
  ovmf: deploy firmware in image directory
  ovmf_git.bb: enable parallel compilation
  ovmf_git.bb: enable Secure Boot
  runqemu: let command line parameters override defaults
  runqemu: support UEFI with OVMF firmware
  ovmf: build image which enrolls standard keys

meta-luv (2):
  ovmf: move from meta-luv to OE-core
  iasl: move from meta-luv to OE-core

 meta/recipes-core/ovmf/ovmf-shell-image.bb         |   22 +
 ...s-Force-tools-variables-to-host-toolchain.patch |   48 +
 .../ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch    |  110 ++
 ...0002-ovmf-update-path-to-native-BaseTools.patch |   32 +
 ...makefile-adjust-to-build-in-under-bitbake.patch |   39 +
 ...ollDefaultKeys-application-for-enrolling-.patch | 1123 ++++++++++++++++++++
 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks   |    4 +
 meta/recipes-core/ovmf/ovmf_git.bb                 |  178 ++++
 meta/recipes-extended/iasl/iasl_20120215.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150410.bb        |   27 +
 meta/recipes-extended/iasl/iasl_20150515.bb        |   27 +
 scripts/runqemu                                    |   37 +-
 12 files changed, 1673 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/ovmf/ovmf-shell-image.bb
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-Force-tools-variables-to-host-toolchain.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-OvmfPkg-Enable-BGRT-in-OVMF.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0002-ovmf-update-path-to-native-BaseTools.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/ovmf-shell-image.wks
 create mode 100644 meta/recipes-core/ovmf/ovmf_git.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20120215.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150410.bb
 create mode 100644 meta/recipes-extended/iasl/iasl_20150515.bb

-- 
2.1.4



^ permalink raw reply

* Re: [PATCH v2 0/4] selftest/wic: extending test coverage for WIC script options
From: Ed Bartosh @ 2016-12-21 13:06 UTC (permalink / raw)
  To: Jair Gonzalez; +Cc: openembedded-core
In-Reply-To: <017801d25b0c$fbd79330$f386b990$@linux.intel.com>

On Tue, Dec 20, 2016 at 04:04:06PM -0600, Jair Gonzalez wrote:
> > -----Original Message-----
> > From: Ed Bartosh [mailto:ed.bartosh@linux.intel.com]
> > Sent: Tuesday, December 20, 2016 7:07 AM
> > To: Jair Gonzalez <jair.de.jesus.gonzalez.plascencia@linux.intel.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [PATCH v2 0/4] selftest/wic: extending test
> coverage
> > for WIC script options
> > 
> > On Mon, Dec 19, 2016 at 03:07:30PM -0600, Jair Gonzalez wrote:
> > > Changed in V2:
> > >
> > > The original patch was split and updated according to the
> discussion on:
> > > http://lists.openembedded.org/pipermail/openembedded-core/2016-
> > Decembe
> > > r/130131.html
> > > NOTE: The WKS_FILE entry deletion was omitted from this patch set as
> > > it was introduced on the first patch by mistake.
> > >
> > > The following changes since commit
> > 573c646d4cc62dcd0c230381df4940bdf314d495:
> > >
> > >   bitbake: BBHandler: use with instead of open/close (2016-12-16
> > > 10:23:24 +0000)
> > >
> > > are available in the git repository at:
> > >
> > >   git://git.yoctoproject.org/poky-contrib jairglez/wictest
> > >
> > > http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jairglez/wict
> > > est
> > >
> > > Jair Gonzalez (4):
> > >   selftest/wic: adding Testopia ID numbers to test cases missing it
> > >   selftest/wic: code cleanup
> > >   selftest/wic: reorganizing test methods by functionality
> > >   selftest/wic: extending test coverage for WIC script options
> > >
> > >  meta/lib/oeqa/selftest/wic.py | 370
> > > +++++++++++++++++++++++++++---------------
> > >  1 file changed, 238 insertions(+), 132 deletions(-)
> > >
> > 
> > Thank you for the updated patchset!
> > It looks good to me.
> > 
> > BTW, did you measure its impact on the test run time?
> > 
> > --
> > Regards,
> > Ed
> 
> Hi Ed,
> 
> Thanks. Regarding the impact, I tested it on my local machine after cleaning
> the cache, sstate-cache, downloads and tmp directories, and the difference
> between them was about 130 seconds after I applied my commits:
> Before:
> Ran 28 tests in 4446.939s
> After:
> Ran 39 tests in 4578.604s
> Difference:
> 131.665s
> 
> I also tried with a source repository with existing cache and the difference
> was about 70 seconds:
> Before:
> Ran 28 tests in 272.170s
> After:
> Ran 39 tests in 339.637s
> Difference:
> 67.467s
> 

Hi Jair,

Thanks. The difference is acceptable from my point of view.

--
Regards,
Ed


^ permalink raw reply

* Re: [PATCH v6 0/5] wic: bugfixes & --fixed-size support, tests, oeqa: enhancements
From: Ed Bartosh @ 2016-12-21 13:00 UTC (permalink / raw)
  To: Maciej Borzęcki
  Cc: Maciej Borzecki, Patches and discussions about the oe-core layer
In-Reply-To: <CAD4b0_JGK0zGsNEOSN1T_w-jKMFRnnbzTxVdYkxE=+1cQu5nRw@mail.gmail.com>

On Tue, Dec 20, 2016 at 07:27:04PM +0100, Maciej Borzęcki wrote:
> On Tue, Dec 20, 2016 at 3:04 PM, Ed Bartosh <ed.bartosh@linux.intel.com> wrote:
> > On Mon, Dec 19, 2016 at 12:20:56PM +0100, Maciej Borzecki wrote:
> >> v6 of a patch series previously posted here [1].
> >>
> >> Changes since v5:
> >>
> >> * `oe-selftest: enforce en_US.UTF-8 locale` was merged to master, hence it's no
> >>   longer part of this series
> >>
> >> * rebased on top of master (d0d260b0b85790ceb136dd6b0445e8e33d038f5e)
> >>
> >
> > The patchset looks good to me. Thank you.
> >
> > Couple of questions:
> > - did you test if Lars' change
> >   https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=db08ffee0ad1451f3bf710f4d1b623938ba9aefb
> >   works with your patchset?
> 
> Yes. The series was rebased on top of
> d0d260b0b85790ceb136dd6b0445e8e33d038f5e, which includes Lars' patch.

The series causes conflicts on the latest master. Can you check if it's
really the case or it's just something wrong with my setup?

git-pw apply 3904
Applying series: wic: bugfixes & --fixed-size support, tests,
oe-selftest: minor fixes (rev 3)
Applying: oe-selftest: enforce en_US.UTF-8 locale
Using index info to reconstruct a base tree...
M	scripts/oe-selftest
Falling back to patching base and 3-way merge...
No changes -- Patch already applied.
Applying: oeqa/utils/commands.py: allow use of binaries from native
sysroot
Applying: wic: add --fixed-size wks option
Applying: wic: selftest: avoid COMPATIBLE_HOST issues
Using index info to reconstruct a base tree...
M	meta/lib/oeqa/selftest/wic.py
Falling back to patching base and 3-way merge...
Auto-merging meta/lib/oeqa/selftest/wic.py
CONFLICT (content): Merge conflict in meta/lib/oeqa/selftest/wic.py
Failed to merge in the changes.
Patch failed at 0004 wic: selftest: avoid COMPATIBLE_HOST issues
The copy of the patch that failed is found in:
   /home/ed/git/yocto/patchtest/openembedded-core/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


> The tests passed on all MACHINES I've used (though I'm not sure if
> scenario addressed in that patch is covered by relevant test cases).
>

I've asked Lars to add a test case for that functionality.

> I believe I have also hit a weird bug in BitbakeVars._parse_line() while
> testing with this patch and meta-mender. I hope you can confirm it.
>

Yes, I confirm this. Thanks for pointing it out. I'll fix it today.

> From a quick investigation I have determined that _parse_line() may
> interpret arbitrary lines that are of 'key=value' format as legitimate
> bitbake variables. In my case, IMAGE_CMD_sdimg defined in
> mender-sdimg.bbclass includes the following piece:
> 
>     IMAGE_CMD_sdimg() {
>         ...
>         REMAINING_SIZE=$(expr ${MENDER_STORAGE_TOTAL_SIZE_MB} - \
>         ${MENDER_BOOT_PART_SIZE_MB} - \
>         ${MENDER_DATA_PART_SIZE_MB} - \
>         ${MENDER_PARTITIONING_OVERHEAD_MB} - \
>         $boot_env_size_mb)
>         ROOTFS_SIZE=$(expr $REMAINING_SIZE / 2)
>         ...
>     }
> 
> This will obviously be seen in `bitbake -e` output. Looking at code
> here:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/scripts/lib/wic/utils/oe/misc.py?id=db08ffee0ad1451f3bf710f4d1b623938ba9aefb#n151
> the line will be split at '=', then whitespace will be stripped from
> both key and value. So a line (taken from bitbake -e):
> 
>     ROOTFS_SIZE=\$(expr \$REMAINING_SIZE / 2)
> 
> Will define a variable ROOTFS_SIZE with value '\\$(expr \\$REMAINING_SIZE / 2)'.
> 
> It's a pure coincidence that Lars' patch queries ROOTFS_SIZE which also
> appears in bitbake -e output under exactly the same name.
> 
> IMO, when parsing env output, we should expect variable name to start
> right at the beginning of a line, IOW skip the line if key[0].isspace() == True
> 
> >
> > - Regarding oe-selftest fixes, which machine did you run oe-selftest on?
> >   It looks to me that a lot of test cases can be run on your machine
> >   if we use another wks.
> 
> I've run it on beaglebone, vexpress-qemu, qemux86 and qemuarm. Agree
> with your observation though. I think that at least these TCs could be
> made machine agnostic:
> 
> - test_build_artifacts
> - test_build_image_name
> - test_compress_*
> - test_gpt_image
> - test_wic_image_type
> - test_wrong_compressor
> - test_rootfs_*
> 
> 

Yes, that's exactly my point. We should make generic tests work on any
machine.

Would you be willing to do this in a separate patchset together with
your oe-selftest core fixes?

I'd suggest to only include new testcase that works on qemu-x86* into
this patchset. It will make it faster to get merged.

> 
> >
> >> [1]. http://lists.openembedded.org/pipermail/openembedded-core/2016-November/129187.html
> >>
> >> Maciej Borzecki (5):
> >>   oeqa/utils/commands.py: allow use of binaries from native sysroot
> >>   wic: add --fixed-size wks option
> >>   wic: selftest: avoid COMPATIBLE_HOST issues
> >>   wic: selftest: do not assume bzImage kernel image
> >>   wic: selftest: add tests for --fixed-size partition flags
> >>
> >>  meta/lib/oeqa/selftest/wic.py          | 117 +++++++++++++++++++++++++++++++--
> >>  meta/lib/oeqa/utils/commands.py        |   9 ++-
> >>  scripts/lib/wic/help.py                |  14 +++-
> >>  scripts/lib/wic/imager/direct.py       |   2 +-
> >>  scripts/lib/wic/ksparser.py            |  41 ++++++++++--
> >>  scripts/lib/wic/partition.py           |  88 +++++++++++++++----------
> >>  scripts/lib/wic/utils/partitionedfs.py |   2 +-
> >>  7 files changed, 224 insertions(+), 49 deletions(-)

--
Regards,
Ed


^ permalink raw reply
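
The `_parse_line()` problem discussed in the message above, as an added example (not wic's code and not part of the original thread): a parser with the described split-at-'=' behaviour beside one that follows the suggestion to accept a variable name only at the very start of a line. The sample `bitbake -e` excerpt, the function names and the `NAME="value"` pattern are assumptions made for this illustration.

```python
import re

# Constructed excerpt of `bitbake -e <image>` output: a real variable
# assignment, an exported variable, and a shell function body that assigns
# shell locals, one of which reuses the name ROOTFS_SIZE (the
# IMAGE_CMD_sdimg case quoted in the thread).
SAMPLE_ENV = "\n".join([
    r'# $ROOTFS_SIZE [2 operations]',
    r'ROOTFS_SIZE="65536"',
    r'export PATH="/usr/bin:/bin"',
    r'IMAGE_CMD_sdimg() {',
    r'    REMAINING_SIZE=\$(expr 1024 - 16 - 128)',
    r'    ROOTFS_SIZE=\$(expr \$REMAINING_SIZE / 2)',
    r'}',
])


def parse_env_naive(text):
    """Parser with the behaviour described in the thread: split the line at
    '=', strip whitespace from key and value, accept anything name-like."""
    result = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key.replace("_", "").isalnum():
            # Later lines overwrite earlier ones, so an indented shell
            # assignment silently replaces the real variable.
            result[key] = val.strip('"')
    return result


# Assumed shape of a variable line: optional "export ", a shell-style name
# starting in column 0, and a double-quoted value.
ASSIGNMENT = re.compile(r'^(?:export )?([A-Za-z_][A-Za-z0-9_]*)="(.*)"$')


def parse_env_strict(text):
    """Parser following the suggestion in the thread: a line that starts with
    whitespace (or a comment) can never define a variable."""
    result = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or line[0] == "#":
            continue
        match = ASSIGNMENT.match(line)
        if match:
            result[match.group(1)] = match.group(2)
    return result


def polluted_keys(text):
    """Names whose naive value differs from the strict one, i.e. variables
    that were invented or overwritten by lines inside a function body."""
    naive = parse_env_naive(text)
    strict = parse_env_strict(text)
    return sorted(k for k in naive if naive[k] != strict.get(k))


if __name__ == "__main__":
    print("naive :", parse_env_naive(SAMPLE_ENV))
    print("strict:", parse_env_strict(SAMPLE_ENV))
    print("polluted:", polluted_keys(SAMPLE_ENV))
```

Running `polluted_keys()` over a saved `bitbake -e` dump is a quick way to see which names a loose parser would pick up from function bodies before trusting any value it returns.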

* Re: [PATCH] qemu: Fix pci-assign
From: Burton, Ross @ 2016-12-21 12:41 UTC (permalink / raw)
  To: He Zhe; +Cc: OE-core
In-Reply-To: <88c4f824-4fdf-b6bc-3c16-07d1bcbf8fd1@windriver.com>


Now in my staging branch, sorry.

Ross

On 21 December 2016 at 07:01, He Zhe <zhe.he@windriver.com> wrote:

> Ping.
>
> Zhe
>
>
> On 11/29/2016 05:56 PM, zhe.he@windriver.com wrote:
> > From: He Zhe <zhe.he@windriver.com>
> >
> > Fix iommu pci device assignment failure.
> >
> > "qemu-system-x86_64: -device pci-assign,host=02:00.0: No IOMMU found.
> > Unable to assign device "(null)""
> >
> > Signed-off-by: He Zhe <zhe.he@windriver.com>
> > ---
> >  ...sync-MSI-MSI-X-cap-and-table-with-PCIDevi.patch | 71
> ++++++++++++++++++++++
> >  meta/recipes-devtools/qemu/qemu_2.7.0.bb           |  1 +
> >  2 files changed, 72 insertions(+)
> >  create mode 100644 meta/recipes-devtools/qemu/
> qemu/0001-pci-assign-sync-MSI-MSI-X-cap-and-table-with-PCIDevi.patch
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu/0001-pci-assign-sync-MSI-
> MSI-X-cap-and-table-with-PCIDevi.patch b/meta/recipes-devtools/qemu/
> qemu/0001-pci-assign-sync-MSI-MSI-X-cap-and-table-with-PCIDevi.patch
> > new file mode 100644
> > index 0000000..03472dd
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/0001-pci-assign-sync-MSI-
> MSI-X-cap-and-table-with-PCIDevi.patch
> > @@ -0,0 +1,71 @@
> > +From 6baa545df93253fced4fc0d52b14b98447e00473 Mon Sep 17 00:00:00 2001
> > +From: Peter Xu <peterx@redhat.com>
> > +Date: Mon, 28 Nov 2016 15:02:44 +0800
> > +Subject: [PATCH] pci-assign: sync MSI/MSI-X cap and table with PCIDevice
> > +
> > +Since commit e1d4fb2d ("kvm-irqchip: x86: add msi route notify fn"),
> > +kvm_irqchip_add_msi_route() starts to use pci_get_msi_message() to fetch
> > +MSI info. This requires that we setup MSI related fields in PCIDevice.
> > +For most devices, that won't be a problem, as long as we are using
> > +general interfaces like msi_init()/msix_init().
> > +
> > +However, for pci-assign devices, MSI/MSI-X is treated differently - PCI
> > +assign devices are maintaining its own MSI table and cap information in
> > +AssignedDevice struct. however that's not synced up with PCIDevice's
> > +fields. That will leads to pci_get_msi_message() failed to find correct
> > +MSI capability, even with an NULL msix_table.
> > +
> > +A quick fix is to sync up the two places: both the capability bits and
> > +table address for MSI/MSI-X.
> > +
> > +Upstream-Status: Backport [https://lists.gnu.org/
> archive/html/qemu-devel/2016-11/msg04649.html]
> > +
> > +Reported-by: Changlimin <address@hidden>
> > +Tested-by: Changlimin <address@hidden>
> > +Cc: address@hidden
> > +Fixes: e1d4fb2d ("kvm-irqchip: x86: add msi route notify fn")
> > +Signed-off-by: Peter Xu <address@hidden>
> > +Signed-off-by: He Zhe <zhe.he@windriver.com>
> > +---
> > + hw/i386/kvm/pci-assign.c | 4 ++++
> > + 1 file changed, 4 insertions(+)
> > +
> > +diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
> > +index 8238fbc..87dcbdd 100644
> > +--- a/hw/i386/kvm/pci-assign.c
> > ++++ b/hw/i386/kvm/pci-assign.c
> > +@@ -1251,6 +1251,7 @@ static int assigned_device_pci_cap_init(PCIDevice
> *pci_dev, Error **errp)
> > +             error_propagate(errp, local_err);
> > +             return -ENOTSUP;
> > +         }
> > ++        dev->dev.cap_present |= QEMU_PCI_CAP_MSI;
> > +         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
> > +         /* Only 32-bit/no-mask currently supported */
> > +         ret = pci_add_capability2(pci_dev, PCI_CAP_ID_MSI, pos, 10,
> > +@@ -1285,6 +1286,7 @@ static int assigned_device_pci_cap_init(PCIDevice
> *pci_dev, Error **errp)
> > +             error_propagate(errp, local_err);
> > +             return -ENOTSUP;
> > +         }
> > ++        dev->dev.cap_present |= QEMU_PCI_CAP_MSIX;
> > +         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
> > +         ret = pci_add_capability2(pci_dev, PCI_CAP_ID_MSIX, pos, 12,
> > +                                   &local_err);
> > +@@ -1648,6 +1650,7 @@ static void assigned_dev_register_msix_mmio(AssignedDevice
> *dev, Error **errp)
> > +         dev->msix_table = NULL;
> > +         return;
> > +     }
> > ++    dev->dev.msix_table = (uint8_t *)dev->msix_table;
> > +
> > +     assigned_dev_msix_reset(dev);
> > +
> > +@@ -1665,6 +1668,7 @@ static void assigned_dev_unregister_msix_mmio(AssignedDevice
> *dev)
> > +         error_report("error unmapping msix_table! %s",
> strerror(errno));
> > +     }
> > +     dev->msix_table = NULL;
> > ++    dev->dev.msix_table = NULL;
> > + }
> > +
> > + static const VMStateDescription vmstate_assigned_device = {
> > +--
> > +2.8.3
> > +
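Review bot: in the two assigned_device_pci_cap_init() hunks of the embedded patch, dev->dev.cap_present is set before the following pci_add_capability2() call has returned, so if adding the capability fails the QEMU_PCI_CAP_MSI or QEMU_PCI_CAP_MSIX bit stays set on the PCIDevice. The error path after pci_add_capability2() is not visible in this context; either move the assignment below the check of ret or confirm that the failure path discards the device. Separately, Upstream-Status says Backport but references a qemu-devel list post rather than a commit, so the header should say whether the fix has actually been merged upstream.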
> > diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
> b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
> > index cef181d..9da5134 100644
> > --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
> > +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
> > @@ -13,6 +13,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch
> \
> >              file://0002-fix-CVE-2016-7423.patch \
> >              file://0003-fix-CVE-2016-7908.patch \
> >              file://0004-fix-CVE-2016-7909.patch \
> > +            file://0001-pci-assign-sync-MSI-MSI-X-cap-and-table-with-PCIDevi.patch
> \
> >  "
> >
> >  SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
>


^ permalink raw reply

* Re: [PATCH] gpgme: add GPGME_STATUS_KEY_CONSIDERED
From: Alexander Kanavin @ 2016-12-21 12:25 UTC (permalink / raw)
  To: openembedded-core
In-Reply-To: <CAJTo0LYT4YrWxex7mOLhBsWqKR_9cmJgO66dxzCoJT-U6kWDqQ@mail.gmail.com>

On 12/21/2016 01:14 PM, Burton, Ross wrote:
>     https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commitdiff;h=315fb73d4a774e2c699ac1804f5377559b4d0027
>
>
> Can you explain *why* we should cherry pick a patch from upstream?

Because someone didn't check RRS, which would suggest an update to gpgme 
1.8.0 should be done instead.

http://recipes.yoctoproject.org/rrs/recipedetail/834/

Alex




^ permalink raw reply

* Re: [PATCH] kexec-tools: Update to 2.0.14
From: Alexander Kanavin @ 2016-12-21 12:21 UTC (permalink / raw)
  To: openembedded-core
In-Reply-To: <1482314183-15786-1-git-send-email-zhe.he@windriver.com>

On 12/21/2016 11:56 AM, zhe.he@windriver.com wrote:
> Remove kexec-aarch64.patch since it has been merged upstream
> Remove kexec-x32.patch since it has been reverted upstream

You should also remove the actual files, not just drop them from the recipe.

> Backport patches for kdump arm64 from:
> https://git.linaro.org/people/takahiro.akashi/kexec-tools.git

If the patches are coming from a different repository, they are not a 
backport. Change the upstream-status to 'pending' please, or 'submitted 
(link)' if they have been submitted upstream.

>  meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb    |  37 ----
>  meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb    |  44 +++++

Please use git's rename detection when submitting patches, so we can see 
what is the difference between the two files.


Alex


^ permalink raw reply

* Re: [PATCH] gstreamer: Upgrade to 1.10.2
From: Alexander Kanavin @ 2016-12-21 12:16 UTC (permalink / raw)
  To: openembedded-core
In-Reply-To: <20161221070238.8554-1-raj.khem@gmail.com>

On 12/21/2016 09:02 AM, Khem Raj wrote:
>  .../gstreamer/gstreamer1.0-omx_1.10.2.bb           | 10 +++++++

You should remove the file with previous version, so it becomes a file 
rename like the others.

Alex



^ permalink raw reply

* Re: [PATCH] gpgme: add GPGME_STATUS_KEY_CONSIDERED
From: Burton, Ross @ 2016-12-21 11:14 UTC (permalink / raw)
  To: Mingli Yu; +Cc: OE-core
In-Reply-To: <1482308378-15213-1-git-send-email-mingli.yu@windriver.com>


On 21 December 2016 at 08:19, <mingli.yu@windriver.com> wrote:

> From: Mingli Yu <Mingli.Yu@windriver.com>
>
> * src/gpgme.h.in (GPGME_STATUS_KEY_CONSIDERED): New.
> * src/status-table.c (KEY_CONSIDERED): New.
> * src/op-support.c (_gpgme_parse_inv_recp): Add argc KC_FPR and
>   KC_FLAGS.  Use calloc.
>   (_gpgme_parse_key_considered): New.
> * src/sign.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
>   (release_op_data): Free KC_FPR.
>   (_gpgme_sign_status_handler): Handle STATUS_KEY_CONSIDERED.
> * src/encrypt.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
>   (release_op_data): Free KC_FPR.
>   (_gpgme_encrypt_status_handler): Handle STATUS_KEY_CONSIDERED.
>
> Reference: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=
> commitdiff;h=315fb73d4a774e2c699ac1804f5377559b4d0027
>

Can you explain *why* we should cherry pick a patch from upstream?

Ross


^ permalink raw reply

* Re: $50 bounty for an OE recipe for libfilesys-smbclient-perl. seriously.
From: Robert P. J. Day @ 2016-12-21 10:31 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE Core mailing list
In-Reply-To: <CAJTo0LbWx_xHVAL9O9xVRybW8tZY9a0uDVVArOMzfB1s5R0qwg@mail.gmail.com>


On Tue, 20 Dec 2016, Burton, Ross wrote:

> On 20 December 2016 at 18:32, Robert P. J. Day <rpjday@crashcourse.ca> wrote:
>         really, i just don't have time to mess with this anymore and
>       i'm more than happy to pay someone $50 CAD (interac transfer)
>       to provide me with a proper recipe and essential patches for
>       the perl module Filesys-SmbClient-3.2 here:
>
>
> FWIW I had a quick look at this.  I'm certainly no perl guru and can
> barely understand it, but it does *so much* wrong that if you really
> need this then it would be easier to just rewrite the makefile.pl
> from scratch.  Once you remove the hunting for the headers in the
> wrong place, it then invokes an autoconf script...  which needs to
> be passed the right options.
>
> Do you really need this module?  It's not been updated for many
> years, so surely there's something better.

  i have been *told* that this module is necessary, i don't know
enough about the context to know what for. if there is something more
recent that has the same capability, then i'd love to see it.

  until then, $50 is still up for grabs.

rday

-- 

========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================

^ permalink raw reply

* Re: [PATCH] module.bbclass: allow to override location of Module.symvers
From: André Draszik @ 2016-12-21 10:02 UTC (permalink / raw)
  To: openembedded-core
In-Reply-To: <20161121093713.7220-1-git@andred.net>

ping

On Mon, 2016-11-21 at 09:37 +0000, André Draszik wrote:
> From: André Draszik <adraszik@tycoint.com>
> 
> Requiring all build systems for external kernel modules to
> place Module.symvers directly into ${B}/. is quite an
> artificial assumption/requirement. It doesn't have to end
> up there, but could easily end up somewhere below ${B}.
> 
> Allow to override the location below ${B}
> 
> Note that we still don't make use of multiple
> Module.symvers in case there are any generated by one
> single kernel module build, but this is no change in
> behaviour from before and could be added if there really
> is a demand for that.
> 
> Reported-by: Denys Dmytriyenko <denis@denix.org>
> Signed-off-by: André Draszik <adraszik@tycoint.com>
> ---
>  meta/classes/module.bbclass | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/classes/module.bbclass b/meta/classes/module.bbclass
> index 68e3d34..037ca4f 100644
> --- a/meta/classes/module.bbclass
> +++ b/meta/classes/module.bbclass
> @@ -7,6 +7,7 @@ do_make_scripts[depends] +=
> "virtual/kernel:do_shared_workdir"
>  EXTRA_OEMAKE += "KERNEL_SRC=${STAGING_KERNEL_DIR}"
>  
>  MODULES_INSTALL_TARGET ?= "modules_install"
> +MODULES_MODULE_SYMVERS_LOCATION ?= ""
>  
>  python __anonymous () {
>      depends = d.getVar('DEPENDS', True)
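Review bot: MODULES_MODULE_SYMVERS_LOCATION is introduced here without a comment, and its name does not say that the value is a directory relative to ${B}. A one-line comment next to the default, stating that it is the subdirectory of ${B} that contains Module.symvers and that empty means ${B} itself, would save recipe authors from reading module_do_install to find out.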
> @@ -35,10 +36,17 @@ module_do_install() {
>  	           O=${STAGING_KERNEL_BUILDDIR} \
>  	           ${MODULES_INSTALL_TARGET}
>  
> -	install -d -m0755 ${D}${includedir}/${BPN}
> -	cp -a --no-preserve=ownership ${B}/Module.symvers
> ${D}${includedir}/${BPN}
> -	# it doesn't actually seem to matter which path is specified here
> -	sed -e 's:${B}/::g' -i ${D}${includedir}/${BPN}/Module.symvers
> +	if [ ! -e
> "${B}/${MODULES_MODULE_SYMVERS_LOCATION}/Module.symvers" ] ; then
> +		bbwarn "Module.symvers not found in
> ${B}/${MODULES_MODULE_SYMVERS_LOCATION}"
> +		bbwarn "Please consider setting
> MODULES_MODULE_SYMVERS_LOCATION to a"
> +		bbwarn "directory below B to get correct inter-module
> dependencies"
> +	else
> +		install -Dm0644
> "${B}/${MODULES_MODULE_SYMVERS_LOCATION}"/Module.symvers
> ${D}${includedir}/${BPN}/Module.symvers
> +		# Module.symvers contains absolute path to the build
> directory.
> +		# While it doesn't actually seem to matter which path is
> specified,
> +		# clear them out to avoid confusion
> +		sed -e 's:${B}/::g' -i
> ${D}${includedir}/${BPN}/Module.symvers
> +	fi
>  }
>  
>  EXPORT_FUNCTIONS do_compile do_install
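Review bot: a missing Module.symvers used to fail do_install through the removed cp, and with this hunk it only produces three bbwarn lines while the task succeeds without installing the file. Modules that depend on this one then build without the inter-module dependency information the warning itself mentions, and the problem surfaces far from its cause. Consider bbfatal when MODULES_MODULE_SYMVERS_LOCATION was set explicitly and the file is still absent, keeping the warning only for the default empty value.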


^ permalink raw reply

* [PATCH] kexec-tools: Update to 2.0.14
From: zhe.he @ 2016-12-21  9:56 UTC (permalink / raw)
  To: openembedded-core

From: He Zhe <zhe.he@windriver.com>

Remove kexec-aarch64.patch since it has been merged upstream
Remove kexec-x32.patch since it has been reverted upstream
Backport patches for kdump arm64 from:
https://git.linaro.org/people/takahiro.akashi/kexec-tools.git

Signed-off-by: He Zhe <zhe.he@windriver.com>
---
 ...nd-the-semantics-of-kexec_iomem_for_each_.patch |  78 ++++++++
 ...eneralize-and-rename-get_kernel_stext_sym.patch | 194 ++++++++++++++++++++
 ...0003-arm64-identify-PHYS_OFFSET-correctly.patch |  76 ++++++++
 .../0004-arm64-kdump-identify-memory-regions.patch | 202 +++++++++++++++++++++
 ...5-arm64-kdump-add-elf-core-header-segment.patch | 191 +++++++++++++++++++
 ...6-arm64-kdump-set-up-kernel-image-segment.patch | 137 ++++++++++++++
 .../0007-arm64-kdump-set-up-other-segments.patch   |  35 ++++
 ...-add-DT-properties-to-crash-dump-kernel-s.patch | 150 +++++++++++++++
 ...-kdump-Add-support-for-binary-image-files.patch |  52 ++++++
 meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb    |  37 ----
 meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb    |  44 +++++
 11 files changed, 1159 insertions(+), 37 deletions(-)
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0002-kexec-generalize-and-rename-get_kernel_stext_sym.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0003-arm64-identify-PHYS_OFFSET-correctly.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0004-arm64-kdump-identify-memory-regions.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0005-arm64-kdump-add-elf-core-header-segment.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0006-arm64-kdump-set-up-kernel-image-segment.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0007-arm64-kdump-set-up-other-segments.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0008-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0009-arm64-kdump-Add-support-for-binary-image-files.patch
 delete mode 100644 meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb

diff --git a/meta/recipes-kernel/kexec/kexec-tools/0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch b/meta/recipes-kernel/kexec/kexec-tools/0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch
new file mode 100644
index 0000000..822f28c
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch
@@ -0,0 +1,78 @@
+From 02eed0f8f2748fd7579f69e5373445b52b2b8754 Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Mon, 17 Oct 2016 13:56:58 +0900
+Subject: [PATCH 1/9] kexec: exntend the semantics of kexec_iomem_for_each_line
+
+The current kexec_iomem_for_each_line() counts up all the lines for which
+a callback function returns zero(0) or positive, and otherwise it stops
+further scanning.
+This behavior is incovenient in some cases. For instance, on arm64, we want
+to count up "System RAM" entries, but need to skip "reserved" entries.
+
+So this patch extends the semantics so that we will continue to scan
+succeeding entries but not count lines for which a callback function
+returns positive.
+
+The current users of kexec_iomem_for_each_line(), arm, sh and x86, will not
+be affected by this change because
+* arm
+  The callback function only returns -1 or 0, and the return value of
+  kexec_iomem_for_each_line() will never be used.
+* sh, x86
+  The callback function may return (-1 for sh,) 0 or 1, but always returns
+  1 once we have reached the maximum number of entries allowed.
+  Even so the current kexec_iomem_for_each_line() counts them up.
+  This change actually fixes this bug.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/kexec-iomem.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/kexec/kexec-iomem.c b/kexec/kexec-iomem.c
+index 485a2e8..0a0277a 100644
+--- a/kexec/kexec-iomem.c
++++ b/kexec/kexec-iomem.c
+@@ -18,6 +18,9 @@
+  * Iterate over each line in the file returned by proc_iomem(). If match is
+  * NULL or if the line matches with our match-pattern then call the
+  * callback if non-NULL.
++ * If match is NULL, callback should return a negative if error.
++ * Otherwise the interation goes on, incrementing nr but only if callback
++ * returns 0 (matched).
+  *
+  * Return the number of lines matched.
+  */
+@@ -37,7 +40,7 @@ int kexec_iomem_for_each_line(char *match,
+ 	char *str;
+ 	int consumed;
+ 	int count;
+-	int nr = 0;
++	int nr = 0, ret;
+ 
+ 	fp = fopen(iomem, "r");
+ 	if (!fp)
+@@ -50,11 +53,13 @@ int kexec_iomem_for_each_line(char *match,
+ 		str = line + consumed;
+ 		size = end - start + 1;
+ 		if (!match || memcmp(str, match, strlen(match)) == 0) {
+-			if (callback
+-			    && callback(data, nr, str, start, size) < 0) {
+-				break;
++			if (callback) {
++				ret = callback(data, nr, str, start, size);
++				if (ret < 0)
++					break;
++				else if (ret == 0)
++					nr++;
+ 			}
+-			nr++;
+ 		}
+ 	}
+ 
+-- 
+1.9.1
+
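Review bot: with the rewritten block in kexec_iomem_for_each_line(), nr is incremented only inside "if (callback)", so a caller that passes a NULL callback now always gets 0 back, where the removed code counted every matching line. The function comment still says the callback is called "if non-NULL" and that the return value is the number of lines matched, so either keep counting when callback is NULL (an else branch with nr++) or document that a callback is now required. The added comment also ties the new rule to "If match is NULL", while the code applies it regardless of match.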
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0002-kexec-generalize-and-rename-get_kernel_stext_sym.patch b/meta/recipes-kernel/kexec/kexec-tools/0002-kexec-generalize-and-rename-get_kernel_stext_sym.patch
new file mode 100644
index 0000000..953f13b
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0002-kexec-generalize-and-rename-get_kernel_stext_sym.patch
@@ -0,0 +1,194 @@
+From d29f37bb6e9114aba96c606103b110f511bee9a1 Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <panand@redhat.com>
+Date: Wed, 2 Nov 2016 15:05:25 +0530
+Subject: [PATCH 2/9] kexec: generalize and rename get_kernel_stext_sym()
+
+get_kernel_stext_sym() has been defined for both arm and i386. Other
+architecture might need some other kernel symbol address. Therefore rewrite
+this function as generic function to get any kernel symbol address.
+
+More over, kallsyms is not arch specific representation, therefore have
+common function for all arches.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: Pratyush Anand <panand@redhat.com>
+[created symbols.c]
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/Makefile                  |  1 +
+ kexec/arch/arm/crashdump-arm.c  | 40 +---------------------------------------
+ kexec/arch/i386/crashdump-x86.c | 29 -----------------------------
+ kexec/kexec.h                   |  2 ++
+ kexec/symbols.c                 | 41 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 45 insertions(+), 68 deletions(-)
+ create mode 100644 kexec/symbols.c
+
+diff --git a/kexec/Makefile b/kexec/Makefile
+index 39f365f..2b4fb3d 100644
+--- a/kexec/Makefile
++++ b/kexec/Makefile
+@@ -26,6 +26,7 @@ KEXEC_SRCS_base += kexec/kernel_version.c
+ KEXEC_SRCS_base += kexec/lzma.c
+ KEXEC_SRCS_base += kexec/zlib.c
+ KEXEC_SRCS_base += kexec/kexec-xen.c
++KEXEC_SRCS_base += kexec/symbols.c
+ 
+ KEXEC_GENERATED_SRCS += $(PURGATORY_HEX_C)
+ 
+diff --git a/kexec/arch/arm/crashdump-arm.c b/kexec/arch/arm/crashdump-arm.c
+index 4a89b5e..245c21a 100644
+--- a/kexec/arch/arm/crashdump-arm.c
++++ b/kexec/arch/arm/crashdump-arm.c
+@@ -73,48 +73,10 @@ static struct crash_elf_info elf_info = {
+ 
+ extern unsigned long long user_page_offset;
+ 
+-/* Retrieve kernel _stext symbol virtual address from /proc/kallsyms */
+-static unsigned long long get_kernel_stext_sym(void)
+-{
+-	const char *kallsyms = "/proc/kallsyms";
+-	const char *stext = "_stext";
+-	char sym[128];
+-	char line[128];
+-	FILE *fp;
+-	unsigned long long vaddr = 0;
+-	char type;
+-
+-	fp = fopen(kallsyms, "r");
+-	if (!fp) {
+-		fprintf(stderr, "Cannot open %s\n", kallsyms);
+-		return 0;
+-	}
+-
+-	while(fgets(line, sizeof(line), fp) != NULL) {
+-		unsigned long long addr;
+-
+-		if (sscanf(line, "%Lx %c %s", &addr, &type, sym) != 3)
+-			continue;
+-
+-		if (strcmp(sym, stext) == 0) {
+-			dbgprintf("kernel symbol %s vaddr = %#llx\n", stext, addr);
+-			vaddr = addr;
+-			break;
+-		}
+-	}
+-
+-	fclose(fp);
+-
+-	if (vaddr == 0)
+-		fprintf(stderr, "Cannot get kernel %s symbol address\n", stext);
+-
+-	return vaddr;
+-}
+-
+ static int get_kernel_page_offset(struct kexec_info *info,
+ 		struct crash_elf_info *elf_info)
+ {
+-	unsigned long long stext_sym_addr = get_kernel_stext_sym();
++	unsigned long long stext_sym_addr = get_kernel_sym("_stext");
+ 	if (stext_sym_addr == 0) {
+ 		if (user_page_offset != (-1ULL)) {
+ 			elf_info->page_offset = user_page_offset;
+diff --git a/kexec/arch/i386/crashdump-x86.c b/kexec/arch/i386/crashdump-x86.c
+index ab833d4..abf82a5 100644
+--- a/kexec/arch/i386/crashdump-x86.c
++++ b/kexec/arch/i386/crashdump-x86.c
+@@ -102,35 +102,6 @@ static int get_kernel_paddr(struct kexec_info *UNUSED(info),
+ 	return -1;
+ }
+ 
+-/* Retrieve kernel symbol virtual address from /proc/kallsyms */
+-static unsigned long long get_kernel_sym(const char *symbol)
+-{
+-	const char *kallsyms = "/proc/kallsyms";
+-	char sym[128];
+-	char line[128];
+-	FILE *fp;
+-	unsigned long long vaddr;
+-	char type;
+-
+-	fp = fopen(kallsyms, "r");
+-	if (!fp) {
+-		fprintf(stderr, "Cannot open %s\n", kallsyms);
+-		return 0;
+-	}
+-
+-	while(fgets(line, sizeof(line), fp) != NULL) {
+-		if (sscanf(line, "%Lx %c %s", &vaddr, &type, sym) != 3)
+-			continue;
+-		if (strcmp(sym, symbol) == 0) {
+-			dbgprintf("kernel symbol %s vaddr = %16llx\n", symbol, vaddr);
+-			return vaddr;
+-		}
+-	}
+-
+-	fprintf(stderr, "Cannot get kernel %s symbol address\n", symbol);
+-	return 0;
+-}
+-
+ /* Retrieve info regarding virtual address kernel has been compiled for and
+  * size of the kernel from /proc/kcore. Current /proc/kcore parsing from
+  * from kexec-tools fails because of malformed elf notes. A kernel patch has
+diff --git a/kexec/kexec.h b/kexec/kexec.h
+index 9194f1c..b4fafad 100644
+--- a/kexec/kexec.h
++++ b/kexec/kexec.h
+@@ -312,4 +312,6 @@ int xen_kexec_load(struct kexec_info *info);
+ int xen_kexec_unload(uint64_t kexec_flags);
+ void xen_kexec_exec(void);
+ 
++extern unsigned long long get_kernel_sym(const char *text);
++
+ #endif /* KEXEC_H */
+diff --git a/kexec/symbols.c b/kexec/symbols.c
+new file mode 100644
+index 0000000..ea6e327
+--- /dev/null
++++ b/kexec/symbols.c
+@@ -0,0 +1,41 @@
++#include <stdio.h>
++#include <string.h>
++#include "kexec.h"
++
++/* Retrieve kernel symbol virtual address from /proc/kallsyms */
++unsigned long long get_kernel_sym(const char *text)
++{
++	const char *kallsyms = "/proc/kallsyms";
++	char sym[128];
++	char line[128];
++	FILE *fp;
++	unsigned long long vaddr = 0;
++	char type;
++
++	fp = fopen(kallsyms, "r");
++	if (!fp) {
++		fprintf(stderr, "Cannot open %s\n", kallsyms);
++		return 0;
++	}
++
++	while (fgets(line, sizeof(line), fp) != NULL) {
++		unsigned long long addr;
++
++		if (sscanf(line, "%Lx %c %s", &addr, &type, sym) != 3)
++			continue;
++
++		if (strcmp(sym, text) == 0) {
++			dbgprintf("kernel symbol %s vaddr = %#llx\n",
++								text, addr);
++			vaddr = addr;
++			break;
++		}
++	}
++
++	fclose(fp);
++
++	if (vaddr == 0)
++		fprintf(stderr, "Cannot get kernel %s symbol address\n", text);
++
++	return vaddr;
++}
+-- 
+1.9.1
+
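Review bot: the sscanf() call in the new kexec/symbols.c reads with "%Lx %c %s", where L is the long double length modifier and %s has no field width. It is safe as written only because sym and line are both 128 bytes; "%llx %c %127s" states the type and the bound explicitly and stays correct if either buffer is resized. The x86 copy being removed returned from inside the loop and at the end without fclose(), which the shared version fixes, and that is worth a line in the commit message.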
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0003-arm64-identify-PHYS_OFFSET-correctly.patch b/meta/recipes-kernel/kexec/kexec-tools/0003-arm64-identify-PHYS_OFFSET-correctly.patch
new file mode 100644
index 0000000..1a1c317
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0003-arm64-identify-PHYS_OFFSET-correctly.patch
@@ -0,0 +1,76 @@
+From 16df170ad4808d12acd5e919ac4f6e7f33a247b3 Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Thu, 1 Sep 2016 10:57:42 +0900
+Subject: [PATCH 3/9] arm64: identify PHYS_OFFSET correctly
+
+Due to the kernel patch, commit e7cd190385d1 ("arm64: mark reserved
+memblock regions explicitly in iomem"), the current code will not be able
+to identify the correct value of PHYS_OFFSET if some "reserved" memory
+region, which is likely to be UEFI runtime services code/data, exists at
+an address below the first "System RAM" regions.
+
+This patch fixes this issue.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/iomem.h       |  7 +++++++
+ kexec/arch/arm64/kexec-arm64.c | 12 ++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+ create mode 100644 kexec/arch/arm64/iomem.h
+
+diff --git a/kexec/arch/arm64/iomem.h b/kexec/arch/arm64/iomem.h
+new file mode 100644
+index 0000000..7fd66eb
+--- /dev/null
++++ b/kexec/arch/arm64/iomem.h
+@@ -0,0 +1,7 @@
++#ifndef IOMEM_H
++#define IOMEM_H
++
++#define SYSTEM_RAM		"System RAM\n"
++#define IOMEM_RESERVED		"reserved\n"
++
++#endif
+diff --git a/kexec/arch/arm64/kexec-arm64.c b/kexec/arch/arm64/kexec-arm64.c
+index 2e8839a..8ac811d 100644
+--- a/kexec/arch/arm64/kexec-arm64.c
++++ b/kexec/arch/arm64/kexec-arm64.c
+@@ -21,6 +21,7 @@
+ #include "crashdump-arm64.h"
+ #include "dt-ops.h"
+ #include "fs2dt.h"
++#include "iomem.h"
+ #include "kexec-syscall.h"
+ #include "arch/options.h"
+ 
+@@ -475,7 +476,14 @@ static int get_memory_ranges_iomem_cb(void *data, int nr, char *str,
+ 		return -1;
+ 
+ 	r = (struct memory_range *)data + nr;
+-	r->type = RANGE_RAM;
++
++	if (!strncmp(str, SYSTEM_RAM, strlen(SYSTEM_RAM)))
++		r->type = RANGE_RAM;
++	else if (!strncmp(str, IOMEM_RESERVED, strlen(IOMEM_RESERVED)))
++		r->type = RANGE_RESERVED;
++	else
++		return 1;
++
+ 	r->start = base;
+ 	r->end = base + length - 1;
+ 
+@@ -494,7 +502,7 @@ static int get_memory_ranges_iomem_cb(void *data, int nr, char *str,
+ static int get_memory_ranges_iomem(struct memory_range *array,
+ 	unsigned int *count)
+ {
+-	*count = kexec_iomem_for_each_line("System RAM\n",
++	*count = kexec_iomem_for_each_line(NULL,
+ 		get_memory_ranges_iomem_cb, array);
+ 
+ 	if (!*count) {
+-- 
+1.9.1
+
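Review bot: In get_memory_ranges_iomem_cb() of the embedded 0003 patch, the new `return 1` for lines that are neither "System RAM" nor "reserved" has no comment saying what a positive return value means to kexec_iomem_for_each_line(). This matters because `r` is indexed by `nr` and `*count` is taken directly from the iterator's return value. If skipped lines still advance `nr` or are counted, the array gets unfilled gaps or `*count` overstates the number of valid entries. Please document the contract next to the `return 1`, and add a comment in iomem.h that the trailing "\n" in SYSTEM_RAM and IOMEM_RESERVED makes the strncmp() an exact-name match rather than a prefix match.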
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0004-arm64-kdump-identify-memory-regions.patch b/meta/recipes-kernel/kexec/kexec-tools/0004-arm64-kdump-identify-memory-regions.patch
new file mode 100644
index 0000000..66600f3
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0004-arm64-kdump-identify-memory-regions.patch
@@ -0,0 +1,202 @@
+From 48a4c7874d8264ddbfaec2e9858d7866a2d2eb60 Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Wed, 5 Aug 2015 13:16:30 +0900
+Subject: [PATCH 4/9] arm64: kdump: identify memory regions
+
+The following regions need to be identified for later use:
+ a) memory regions which belong to the 1st kernel
+ b) usable memory reserved for crash dump kernel
+
+We go through /proc/iomem to find out a) and b) which are marked
+as "System RAM" and "Crash kernel", respectively.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/Makefile          |   2 +
+ kexec/arch/arm64/crashdump-arm64.c | 100 ++++++++++++++++++++++++++++++++++++-
+ kexec/arch/arm64/crashdump-arm64.h |  14 +++++-
+ kexec/arch/arm64/iomem.h           |   1 +
+ 4 files changed, 114 insertions(+), 3 deletions(-)
+
+diff --git a/kexec/arch/arm64/Makefile b/kexec/arch/arm64/Makefile
+index 74b677f..2d4ae0e 100644
+--- a/kexec/arch/arm64/Makefile
++++ b/kexec/arch/arm64/Makefile
+@@ -6,6 +6,8 @@ arm64_FS2DT_INCLUDE += \
+ 
+ arm64_DT_OPS += kexec/dt-ops.c
+ 
++arm64_MEM_REGIONS = kexec/mem_regions.c
++
+ arm64_CPPFLAGS += -I $(srcdir)/kexec/
+ 
+ arm64_KEXEC_SRCS += \
+diff --git a/kexec/arch/arm64/crashdump-arm64.c b/kexec/arch/arm64/crashdump-arm64.c
+index d2272c8..dcaca43 100644
+--- a/kexec/arch/arm64/crashdump-arm64.c
++++ b/kexec/arch/arm64/crashdump-arm64.c
+@@ -1,5 +1,13 @@
+ /*
+  * ARM64 crashdump.
++ *     partly derived from arm implementation
++ *
++ * Copyright (c) 2014-2016 Linaro Limited
++ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
+  */
+ 
+ #define _GNU_SOURCE
+@@ -10,12 +18,102 @@
+ #include "kexec.h"
+ #include "crashdump.h"
+ #include "crashdump-arm64.h"
++#include "iomem.h"
+ #include "kexec-arm64.h"
+ #include "kexec-elf.h"
++#include "mem_regions.h"
+ 
+-struct memory_ranges usablemem_rgns = {};
++/* memory ranges on crashed kernel */
++static struct memory_range crash_memory_ranges[CRASH_MAX_MEMORY_RANGES];
++static struct memory_ranges crash_memory_rgns = {
++	.size = 0,
++	.max_size = CRASH_MAX_MEMORY_RANGES,
++	.ranges = crash_memory_ranges,
++};
++
++/* memory range reserved for crashkernel */
++struct memory_range crash_reserved_mem;
++struct memory_ranges usablemem_rgns = {
++	.size = 0,
++	.max_size = 1,
++	.ranges = &crash_reserved_mem,
++};
++
++/*
++ * iomem_range_callback() - callback called for each iomem region
++ * @data: not used
++ * @nr: not used
++ * @str: name of the memory region
++ * @base: start address of the memory region
++ * @length: size of the memory region
++ *
++ * This function is called once for each memory region found in /proc/iomem.
++ * It locates system RAM and crashkernel reserved memory and places these to
++ * variables, respectively, crash_memory_ranges and crash_reserved_mem.
++ */
++
++static int iomem_range_callback(void *UNUSED(data), int UNUSED(nr),
++				char *str, unsigned long long base,
++				unsigned long long length)
++{
++	if (strncmp(str, CRASH_KERNEL, strlen(CRASH_KERNEL)) == 0)
++		return mem_regions_add(&usablemem_rgns,
++				       base, length, RANGE_RAM);
++	else if (strncmp(str, SYSTEM_RAM, strlen(SYSTEM_RAM)) == 0)
++		return mem_regions_add(&crash_memory_rgns,
++				       base, length, RANGE_RAM);
++
++	return 0;
++}
+ 
+ int is_crashkernel_mem_reserved(void)
+ {
++	if (!crash_reserved_mem.end)
++		kexec_iomem_for_each_line(NULL, iomem_range_callback, NULL);
++
++	return crash_reserved_mem.start != crash_reserved_mem.end;
++}
++
++/*
++ * crash_get_memory_ranges() - read system physical memory
++ *
++ * Function reads through system physical memory and stores found memory
++ * regions in crash_memory_ranges.
++ * Regions are sorted in ascending order.
++ *
++ * Returns 0 in case of success and -1 otherwise (errno is set).
++ */
++static int crash_get_memory_ranges(void)
++{
++	/*
++	 * First read all memory regions that can be considered as
++	 * system memory including the crash area.
++	 */
++	if (!usablemem_rgns.size)
++		kexec_iomem_for_each_line(NULL, iomem_range_callback, NULL);
++
++	/* allow only a single region for crash dump kernel */
++	if (usablemem_rgns.size != 1) {
++		errno = EINVAL;
++		return -1;
++	}
++
++	dbgprint_mem_range("Reserved memory range", &crash_reserved_mem, 1);
++
++	if (mem_regions_exclude(&crash_memory_rgns, &crash_reserved_mem)) {
++		fprintf(stderr,
++			"Error: Number of crash memory ranges excedeed the max limit\n");
++		errno = ENOMEM;
++		return -1;
++	}
++
++	/*
++	 * Make sure that the memory regions are sorted.
++	 */
++	mem_regions_sort(&crash_memory_rgns);
++
++	dbgprint_mem_range("Coredump memory ranges",
++			   crash_memory_rgns.ranges, crash_memory_rgns.size);
++
+ 	return 0;
+ }
+diff --git a/kexec/arch/arm64/crashdump-arm64.h b/kexec/arch/arm64/crashdump-arm64.h
+index f33c7a2..07a0ed0 100644
+--- a/kexec/arch/arm64/crashdump-arm64.h
++++ b/kexec/arch/arm64/crashdump-arm64.h
+@@ -1,12 +1,22 @@
+ /*
+  * ARM64 crashdump.
++ *
++ * Copyright (c) 2014-2016 Linaro Limited
++ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
+  */
+ 
+-#if !defined(CRASHDUMP_ARM64_H)
++#ifndef CRASHDUMP_ARM64_H
+ #define CRASHDUMP_ARM64_H
+ 
+ #include "kexec.h"
+ 
++#define CRASH_MAX_MEMORY_RANGES	32
++
+ extern struct memory_ranges usablemem_rgns;
++extern struct memory_range crash_reserved_mem;
+ 
+-#endif
++#endif /* CRASHDUMP_ARM64_H */
+diff --git a/kexec/arch/arm64/iomem.h b/kexec/arch/arm64/iomem.h
+index 7fd66eb..20cda87 100644
+--- a/kexec/arch/arm64/iomem.h
++++ b/kexec/arch/arm64/iomem.h
+@@ -2,6 +2,7 @@
+ #define IOMEM_H
+ 
+ #define SYSTEM_RAM		"System RAM\n"
++#define CRASH_KERNEL		"Crash kernel\n"
+ #define IOMEM_RESERVED		"reserved\n"
+ 
+ #endif
+-- 
+1.9.1
+
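Review bot: In crashdump-arm64.c of the embedded 0004 patch, is_crashkernel_mem_reserved() and crash_get_memory_ranges() guard the /proc/iomem scan with different conditions (`!crash_reserved_mem.end` and `!usablemem_rgns.size`), while iomem_range_callback() appends every "System RAM" line to crash_memory_rgns on each scan. When there is no "Crash kernel" line, both guards stay true, so every call scans again and adds the same RAM ranges once more. Use a single "already scanned" flag for both callers, and check the return value of kexec_iomem_for_each_line(), which is ignored in both places. Also, crash_get_memory_ranges() is static and has no caller within this patch, and "excedeed" in the error string should read "exceeded".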
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0005-arm64-kdump-add-elf-core-header-segment.patch b/meta/recipes-kernel/kexec/kexec-tools/0005-arm64-kdump-add-elf-core-header-segment.patch
new file mode 100644
index 0000000..fe535b6
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0005-arm64-kdump-add-elf-core-header-segment.patch
@@ -0,0 +1,191 @@
+From 769da25627cebb2a53caee5d5be78a32d376adc1 Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Wed, 5 Aug 2015 13:45:15 +0900
+Subject: [PATCH 5/9] arm64: kdump: add elf core header segment
+
+Elf core header contains the information necessary for the coredump of
+the 1st kernel, including its physcal memory layout as well as cpu register
+states at the panic.
+The segment is allocated inside the reserved memory of crash dump kernel.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/crashdump-arm64.c | 96 ++++++++++++++++++++++++++++++++++++++
+ kexec/arch/arm64/crashdump-arm64.h |  3 ++
+ kexec/arch/arm64/iomem.h           |  2 +
+ kexec/arch/arm64/kexec-elf-arm64.c | 10 ++++
+ 4 files changed, 111 insertions(+)
+
+diff --git a/kexec/arch/arm64/crashdump-arm64.c b/kexec/arch/arm64/crashdump-arm64.c
+index dcaca43..8346131 100644
+--- a/kexec/arch/arm64/crashdump-arm64.c
++++ b/kexec/arch/arm64/crashdump-arm64.c
+@@ -39,6 +39,39 @@ struct memory_ranges usablemem_rgns = {
+ 	.ranges = &crash_reserved_mem,
+ };
+ 
++struct memory_range elfcorehdr_mem;
++
++static struct crash_elf_info elf_info = {
++	.class		= ELFCLASS64,
++#if (__BYTE_ORDER == __LITTLE_ENDIAN)
++	.data		= ELFDATA2LSB,
++#else
++	.data		= ELFDATA2MSB,
++#endif
++	.machine	= EM_AARCH64,
++};
++
++/*
++ * Note: The returned value is correct only if !CONFIG_RANDOMIZE_BASE.
++ */
++static uint64_t get_kernel_page_offset(void)
++{
++	int i;
++
++	if (elf_info.kern_vaddr_start == UINT64_MAX)
++		return UINT64_MAX;
++
++	/* Current max virtual memory range is 48-bits. */
++	for (i = 48; i > 0; i--)
++		if (!(elf_info.kern_vaddr_start & (1UL << i)))
++			break;
++
++	if (i <= 0)
++		return UINT64_MAX;
++	else
++		return UINT64_MAX << i;
++}
++
+ /*
+  * iomem_range_callback() - callback called for each iomem region
+  * @data: not used
+@@ -62,6 +95,10 @@ static int iomem_range_callback(void *UNUSED(data), int UNUSED(nr),
+ 	else if (strncmp(str, SYSTEM_RAM, strlen(SYSTEM_RAM)) == 0)
+ 		return mem_regions_add(&crash_memory_rgns,
+ 				       base, length, RANGE_RAM);
++	else if (strncmp(str, KERNEL_CODE, strlen(KERNEL_CODE)) == 0)
++		elf_info.kern_paddr_start = base;
++	else if (strncmp(str, KERNEL_DATA, strlen(KERNEL_DATA)) == 0)
++		elf_info.kern_size = base + length - elf_info.kern_paddr_start;
+ 
+ 	return 0;
+ }
+@@ -115,5 +152,64 @@ static int crash_get_memory_ranges(void)
+ 	dbgprint_mem_range("Coredump memory ranges",
+ 			   crash_memory_rgns.ranges, crash_memory_rgns.size);
+ 
++	/*
++	 * For additional kernel code/data segment.
++	 * kern_paddr_start/kern_size are determined in iomem_range_callback
++	 */
++	elf_info.kern_vaddr_start = get_kernel_sym("_text");
++	if (!elf_info.kern_vaddr_start)
++		elf_info.kern_vaddr_start = UINT64_MAX;
++
++	return 0;
++}
++
++/*
++ * load_crashdump_segments() - load the elf core header
++ * @info: kexec info structure
++ *
++ * This function creates and loads an additional segment of elf core header
++ : which is used to construct /proc/vmcore on crash dump kernel.
++ *
++ * Return 0 in case of success and -1 in case of error.
++ */
++
++int load_crashdump_segments(struct kexec_info *info)
++{
++	unsigned long elfcorehdr;
++	unsigned long bufsz;
++	void *buf;
++	int err;
++
++	/*
++	 * First fetch all the memory (RAM) ranges that we are going to
++	 * pass to the crash dump kernel during panic.
++	 */
++
++	err = crash_get_memory_ranges();
++
++	if (err)
++		return err;
++
++	elf_info.page_offset = get_kernel_page_offset();
++	dbgprintf("%s: page_offset:   %016llx\n", __func__,
++			elf_info.page_offset);
++
++	err = crash_create_elf64_headers(info, &elf_info,
++			crash_memory_rgns.ranges, crash_memory_rgns.size,
++			&buf, &bufsz, ELF_CORE_HEADER_ALIGN);
++
++	if (err)
++		return err;
++
++	elfcorehdr = add_buffer_phys_virt(info, buf, bufsz, bufsz, 0,
++		crash_reserved_mem.start, crash_reserved_mem.end,
++		-1, 0);
++
++	elfcorehdr_mem.start = elfcorehdr;
++	elfcorehdr_mem.end = elfcorehdr + bufsz - 1;
++
++	dbgprintf("%s: elfcorehdr 0x%llx-0x%llx\n", __func__,
++			elfcorehdr_mem.start, elfcorehdr_mem.end);
++
+ 	return 0;
+ }
+diff --git a/kexec/arch/arm64/crashdump-arm64.h b/kexec/arch/arm64/crashdump-arm64.h
+index 07a0ed0..da75a2d 100644
+--- a/kexec/arch/arm64/crashdump-arm64.h
++++ b/kexec/arch/arm64/crashdump-arm64.h
+@@ -18,5 +18,8 @@
+ 
+ extern struct memory_ranges usablemem_rgns;
+ extern struct memory_range crash_reserved_mem;
++extern struct memory_range elfcorehdr_mem;
++
++extern int load_crashdump_segments(struct kexec_info *info);
+ 
+ #endif /* CRASHDUMP_ARM64_H */
+diff --git a/kexec/arch/arm64/iomem.h b/kexec/arch/arm64/iomem.h
+index 20cda87..d4864bb 100644
+--- a/kexec/arch/arm64/iomem.h
++++ b/kexec/arch/arm64/iomem.h
+@@ -2,6 +2,8 @@
+ #define IOMEM_H
+ 
+ #define SYSTEM_RAM		"System RAM\n"
++#define KERNEL_CODE		"Kernel code\n"
++#define KERNEL_DATA		"Kernel data\n"
+ #define CRASH_KERNEL		"Crash kernel\n"
+ #define IOMEM_RESERVED		"reserved\n"
+ 
+diff --git a/kexec/arch/arm64/kexec-elf-arm64.c b/kexec/arch/arm64/kexec-elf-arm64.c
+index daf8bf0..c70a37a 100644
+--- a/kexec/arch/arm64/kexec-elf-arm64.c
++++ b/kexec/arch/arm64/kexec-elf-arm64.c
+@@ -119,6 +119,16 @@ int elf_arm64_load(int argc, char **argv, const char *kernel_buf,
+ 	dbgprintf("%s: PE format:      %s\n", __func__,
+ 		(arm64_header_check_pe_sig(header) ? "yes" : "no"));
+ 
++	if (info->kexec_flags & KEXEC_ON_CRASH) {
++		/* create and initialize elf core header segment */
++		result = load_crashdump_segments(info);
++		if (result) {
++			dbgprintf("%s: Creating eflcorehdr failed.\n",
++								__func__);
++			goto exit;
++		}
++	}
++
+ 	/* load the kernel */
+ 	result = elf_exec_load(&ehdr, info);
+ 
+-- 
+1.9.1
+
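Review bot: In iomem_range_callback() of the embedded 0005 patch, the "Kernel data" branch computes `kern_size = base + length - elf_info.kern_paddr_start`, which is only correct if a "Kernel code" line was seen first. Otherwise kern_paddr_start is still 0 and kern_size becomes the end address of the data region. Record the data range and compute the size after the scan, or fail when kern_paddr_start was never set. In crash_get_memory_ranges() a failed get_kernel_sym("_text") is turned into UINT64_MAX, which load_crashdump_segments() then passes on as page_offset to crash_create_elf64_headers() without any message; if that is intended, a comment should say so. Two small fixes: the comment line " : which is used to construct /proc/vmcore" should start with " *", and "eflcorehdr" in the dbgprintf() added to kexec-elf-arm64.c should be "elfcorehdr".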
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0006-arm64-kdump-set-up-kernel-image-segment.patch b/meta/recipes-kernel/kexec/kexec-tools/0006-arm64-kdump-set-up-kernel-image-segment.patch
new file mode 100644
index 0000000..4149551
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0006-arm64-kdump-set-up-kernel-image-segment.patch
@@ -0,0 +1,137 @@
+From 4079c93ac5453ef5f7889ab64920c1e9427690ef Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Tue, 17 Feb 2015 16:06:55 +0900
+Subject: [PATCH 6/9] arm64: kdump: set up kernel image segment
+
+On arm64, we can use the same kernel image as 1st kernel, but
+we have to modify the entry point as well as segments' addresses
+in the kernel's elf header in order to load them into correct places.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/crashdump-arm64.c | 23 +++++++++++++++++++++++
+ kexec/arch/arm64/crashdump-arm64.h |  1 +
+ kexec/arch/arm64/kexec-arm64.c     | 25 ++++++++++++++++++++-----
+ kexec/arch/arm64/kexec-elf-arm64.c | 10 +++++++++-
+ 4 files changed, 53 insertions(+), 6 deletions(-)
+
+diff --git a/kexec/arch/arm64/crashdump-arm64.c b/kexec/arch/arm64/crashdump-arm64.c
+index 8346131..9517329 100644
+--- a/kexec/arch/arm64/crashdump-arm64.c
++++ b/kexec/arch/arm64/crashdump-arm64.c
+@@ -213,3 +213,26 @@ int load_crashdump_segments(struct kexec_info *info)
+ 
+ 	return 0;
+ }
++
++/*
++ * e_entry and p_paddr are actually in virtual address space.
++ * Those values will be translated to physcal addresses by
++ * using virt_to_phys().
++ * So let's get ready for later use so the memory base (phys_offset)
++ * will be correctly replaced with crash_reserved_mem.start.
++ */
++void modify_ehdr_for_crashdump(struct mem_ehdr *ehdr)
++{
++	struct mem_phdr *phdr;
++	int i;
++
++	ehdr->e_entry += - arm64_mem.phys_offset + crash_reserved_mem.start;
++
++	for (i = 0; i < ehdr->e_phnum; i++) {
++		phdr = &ehdr->e_phdr[i];
++		if (phdr->p_type != PT_LOAD)
++			continue;
++		phdr->p_paddr +=
++			(-arm64_mem.phys_offset + crash_reserved_mem.start);
++	}
++}
+diff --git a/kexec/arch/arm64/crashdump-arm64.h b/kexec/arch/arm64/crashdump-arm64.h
+index da75a2d..382f571 100644
+--- a/kexec/arch/arm64/crashdump-arm64.h
++++ b/kexec/arch/arm64/crashdump-arm64.h
+@@ -21,5 +21,6 @@ extern struct memory_range crash_reserved_mem;
+ extern struct memory_range elfcorehdr_mem;
+ 
+ extern int load_crashdump_segments(struct kexec_info *info);
++extern void modify_ehdr_for_crashdump(struct mem_ehdr *ehdr);
+ 
+ #endif /* CRASHDUMP_ARM64_H */
+diff --git a/kexec/arch/arm64/kexec-arm64.c b/kexec/arch/arm64/kexec-arm64.c
+index 8ac811d..cec4e41 100644
+--- a/kexec/arch/arm64/kexec-arm64.c
++++ b/kexec/arch/arm64/kexec-arm64.c
+@@ -307,12 +307,27 @@ unsigned long arm64_locate_kernel_segment(struct kexec_info *info)
+ {
+ 	unsigned long hole;
+ 
+-	hole = locate_hole(info,
+-		arm64_mem.text_offset + arm64_mem.image_size,
+-		MiB(2), 0, ULONG_MAX, 1);
++	if (info->kexec_flags & KEXEC_ON_CRASH) {
++		unsigned long hole_end;
++
++		hole = (crash_reserved_mem.start < mem_min ?
++				mem_min : crash_reserved_mem.start);
++		hole = _ALIGN_UP(hole, MiB(2));
++		hole_end = hole + arm64_mem.text_offset + arm64_mem.image_size;
++
++		if ((hole_end > mem_max) ||
++		    (hole_end > crash_reserved_mem.end)) {
++			dbgprintf("%s: Crash kernel out of range\n", __func__);
++			hole = ULONG_MAX;
++		}
++	} else {
++		hole = locate_hole(info,
++			arm64_mem.text_offset + arm64_mem.image_size,
++			MiB(2), 0, ULONG_MAX, 1);
+ 
+-	if (hole == ULONG_MAX)
+-		dbgprintf("%s: locate_hole failed\n", __func__);
++		if (hole == ULONG_MAX)
++			dbgprintf("%s: locate_hole failed\n", __func__);
++	}
+ 
+ 	return hole;
+ }
+diff --git a/kexec/arch/arm64/kexec-elf-arm64.c b/kexec/arch/arm64/kexec-elf-arm64.c
+index c70a37a..842ce21 100644
+--- a/kexec/arch/arm64/kexec-elf-arm64.c
++++ b/kexec/arch/arm64/kexec-elf-arm64.c
+@@ -9,6 +9,7 @@
+ #include <stdlib.h>
+ #include <linux/elf.h>
+ 
++#include "crashdump-arm64.h"
+ #include "kexec-arm64.h"
+ #include "kexec-elf.h"
+ #include "kexec-syscall.h"
+@@ -105,7 +106,8 @@ int elf_arm64_load(int argc, char **argv, const char *kernel_buf,
+ 	}
+ 
+ 	arm64_mem.vp_offset = _ALIGN_DOWN(ehdr.e_entry, MiB(2));
+-	arm64_mem.vp_offset -= kernel_segment - get_phys_offset();
++	if (!(info->kexec_flags & KEXEC_ON_CRASH))
++		arm64_mem.vp_offset -= kernel_segment - get_phys_offset();
+ 
+ 	dbgprintf("%s: kernel_segment: %016lx\n", __func__, kernel_segment);
+ 	dbgprintf("%s: text_offset:    %016lx\n", __func__,
+@@ -127,6 +129,12 @@ int elf_arm64_load(int argc, char **argv, const char *kernel_buf,
+ 								__func__);
+ 			goto exit;
+ 		}
++
++		/*
++		 * offset addresses in order to fit vmlinux
++		 * (elf_exec) into crash kernel's memory
++		 */
++		modify_ehdr_for_crashdump(&ehdr);
+ 	}
+ 
+ 	/* load the kernel */
+-- 
+1.9.1
+
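Review bot: modify_ehdr_for_crashdump() rebases e_entry and p_paddr by the raw crash_reserved_mem.start, while arm64_locate_kernel_segment() in the same patch places the image at that start clamped to mem_min and rounded up with `_ALIGN_UP(hole, MiB(2))`. If the reservation does not begin on a 2 MiB boundary at or above mem_min, the two bases differ. Derive both from one helper, or state in a comment why the reservation is always aligned. In arm64_locate_kernel_segment(), `hole_end > crash_reserved_mem.end` compares an exclusive end against a value the rest of the series treats as inclusive (sizes are computed as end - start + 1), so an image ending exactly at the end of the reservation is rejected; that errs on the safe side but deserves a comment. The two spellings `+= - arm64_mem.phys_offset + ...` and `+= (-arm64_mem.phys_offset + ...)` should be made identical.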
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0007-arm64-kdump-set-up-other-segments.patch b/meta/recipes-kernel/kexec/kexec-tools/0007-arm64-kdump-set-up-other-segments.patch
new file mode 100644
index 0000000..2745466
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0007-arm64-kdump-set-up-other-segments.patch
@@ -0,0 +1,35 @@
+From 07ad14e12665221d754fde8e47c32ac18c24586a Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Fri, 31 Jul 2015 20:01:39 +0900
+Subject: [PATCH 7/9] arm64: kdump: set up other segments
+
+We make sure that all the other segments, initrd and device-tree blob,
+also be loaded into the reserved memory of crash dump kernel.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/kexec-arm64.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kexec/arch/arm64/kexec-arm64.c b/kexec/arch/arm64/kexec-arm64.c
+index cec4e41..78a0035 100644
+--- a/kexec/arch/arm64/kexec-arm64.c
++++ b/kexec/arch/arm64/kexec-arm64.c
+@@ -374,7 +374,10 @@ int arm64_load_other_segments(struct kexec_info *info,
+ 	/* Put the other segments after the image. */
+ 
+ 	hole_min = image_base + arm64_mem.image_size;
+-	hole_max = ULONG_MAX;
++	if (info->kexec_flags & KEXEC_ON_CRASH)
++		hole_max = crash_reserved_mem.end;
++	else
++		hole_max = ULONG_MAX;
+ 
+ 	if (arm64_opts.initrd) {
+ 		initrd_buf = slurp_file(arm64_opts.initrd, &initrd_size);
+-- 
+1.9.1
+
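Review bot: In arm64_load_other_segments(), capping hole_max at crash_reserved_mem.end is not paired with any check in this hunk that hole_min (image_base + arm64_mem.image_size) is still below it. Add an explicit test with an error message that names the crash kernel reservation, so that a reservation too small for the initrd and dtb is reported as exactly that.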
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0008-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch b/meta/recipes-kernel/kexec/kexec-tools/0008-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch
new file mode 100644
index 0000000..31c3d85
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0008-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch
@@ -0,0 +1,150 @@
+From 23bf7ac189cc3b87ceb9d1d3b69b5c4815354add Mon Sep 17 00:00:00 2001
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Wed, 27 Jan 2016 13:38:39 +0900
+Subject: [PATCH 8/9] arm64: kdump: add DT properties to crash dump kernel's
+ dtb
+
+We pass the following properties to crash dump kernel:
+linux,elfcorehdr: elf core header segment,
+		  same as "elfcorehdr=" kernel parameter on other archs
+linux,usable-memory-range: usable memory reserved for crash dump kernel
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/kexec-arm64.c     | 76 +++++++++++++++++++++++++++++++++++---
+ kexec/arch/arm64/kexec-elf-arm64.c |  5 ---
+ 2 files changed, 71 insertions(+), 10 deletions(-)
+
+diff --git a/kexec/arch/arm64/kexec-arm64.c b/kexec/arch/arm64/kexec-arm64.c
+index 78a0035..a8fb64f 100644
+--- a/kexec/arch/arm64/kexec-arm64.c
++++ b/kexec/arch/arm64/kexec-arm64.c
+@@ -128,9 +128,6 @@ int arch_process_options(int argc, char **argv)
+ 		case OPT_INITRD:
+ 			arm64_opts.initrd = optarg;
+ 			break;
+-		case OPT_PANIC:
+-			die("load-panic (-p) not supported");
+-			break;
+ 		default:
+ 			break; /* Ignore core and unknown options. */
+ 		}
+@@ -285,8 +282,12 @@ on_success:
+  * setup_2nd_dtb - Setup the 2nd stage kernel's dtb.
+  */
+ 
+-static int setup_2nd_dtb(struct dtb *dtb, char *command_line)
++static int setup_2nd_dtb(struct dtb *dtb, char *command_line, int on_crash)
+ {
++	char *new_buf;
++	int new_size;
++	int nodeoffset;
++	uint64_t range[2];
+ 	int result;
+ 
+ 	result = fdt_check_header(dtb->buf);
+@@ -298,8 +299,72 @@ static int setup_2nd_dtb(struct dtb *dtb, char *command_line)
+ 
+ 	result = set_bootargs(dtb, command_line);
+ 
++	/* remove those anyway */
++	nodeoffset = fdt_path_offset(dtb->buf, "/chosen");
++	fdt_delprop(dtb->buf, nodeoffset, "linux,crashkernel-base");
++	fdt_delprop(dtb->buf, nodeoffset, "linux,crashkernel-size");
++
++	if (on_crash) {
++		nodeoffset = fdt_path_offset(dtb->buf, "/chosen");
++		fdt_delprop(dtb->buf, nodeoffset, "linux,elfcorehdr");
++		fdt_delprop(dtb->buf, nodeoffset, "linux,usable-memory-range");
++		new_size = fdt_totalsize(dtb->buf)
++			+ 2 * (sizeof(struct fdt_property)
++					+ FDT_TAGALIGN(sizeof(range)))
++			+ strlen("linux,elfcorehdr") + 1
++			+ strlen("linux,usable-memory-range") + 1;
++
++		new_buf = xmalloc(new_size);
++		result = fdt_open_into(dtb->buf, new_buf, new_size);
++		if (result) {
++			dbgprintf("%s: fdt_open_into failed: %s\n", __func__,
++				fdt_strerror(result));
++			result = -ENOSPC;
++			goto on_error;
++		}
++
++		range[0] = cpu_to_be64(elfcorehdr_mem.start);
++		range[1] = cpu_to_be64(elfcorehdr_mem.end
++				- elfcorehdr_mem.start + 1);
++		nodeoffset = fdt_path_offset(new_buf, "/chosen");
++		result = fdt_setprop(new_buf, nodeoffset, "linux,elfcorehdr",
++				(void *)range, sizeof(range));
++		if (result) {
++			dbgprintf("%s: fdt_setprop failed: %s\n", __func__,
++				fdt_strerror(result));
++			result = -EINVAL;
++			goto on_error;
++		}
++
++		range[0] = cpu_to_be64(crash_reserved_mem.start);
++		range[1] = cpu_to_be64(crash_reserved_mem.end
++				- crash_reserved_mem.start + 1);
++		nodeoffset = fdt_path_offset(new_buf, "/chosen");
++		result = fdt_setprop(new_buf, nodeoffset,
++				"linux,usable-memory-range",
++				(void *)range, sizeof(range));
++		if (result) {
++			dbgprintf("%s: fdt_setprop failed: %s\n", __func__,
++				fdt_strerror(result));
++			result = -EINVAL;
++			goto on_error;
++		}
++
++		fdt_pack(new_buf);
++		dtb->buf = new_buf;
++		dtb->size = fdt_totalsize(new_buf);
++	}
++
+ 	dump_reservemap(dtb);
+ 
++
++	return result;
++
++on_error:
++	fprintf(stderr, "kexec: %s failed.\n", __func__);
++	if (new_buf)
++		free(new_buf);
++
+ 	return result;
+ }
+ 
+@@ -366,7 +431,8 @@ int arm64_load_other_segments(struct kexec_info *info,
+ 		}
+ 	}
+ 
+-	result = setup_2nd_dtb(&dtb, command_line);
++	result = setup_2nd_dtb(&dtb, command_line,
++			info->kexec_flags & KEXEC_ON_CRASH);
+ 
+ 	if (result)
+ 		return -EFAILED;
+diff --git a/kexec/arch/arm64/kexec-elf-arm64.c b/kexec/arch/arm64/kexec-elf-arm64.c
+index 842ce21..b17a31a 100644
+--- a/kexec/arch/arm64/kexec-elf-arm64.c
++++ b/kexec/arch/arm64/kexec-elf-arm64.c
+@@ -47,11 +47,6 @@ int elf_arm64_load(int argc, char **argv, const char *kernel_buf,
+ 	int result;
+ 	int i;
+ 
+-	if (info->kexec_flags & KEXEC_ON_CRASH) {
+-		fprintf(stderr, "kexec: kdump not yet supported on arm64\n");
+-		return -EFAILED;
+-	}
+-
+ 	result = build_elf_exec_info(kernel_buf, kernel_size, &ehdr, 0);
+ 
+ 	if (result < 0) {
+-- 
+1.9.1
+
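Review bot: In setup_2nd_dtb(), the result of set_bootargs() is no longer checked on the crash path. When on_crash is set, `result` is overwritten by fdt_open_into() before anything tests it, so a failed set_bootargs() goes unreported; test it right after the call. In the same function, new_buf is declared without an initializer although the on_error path tests `if (new_buf)`; initialize it to NULL. The offset returned by fdt_path_offset(..., "/chosen") is handed to fdt_delprop() and fdt_setprop() without a check for a negative value, and the previous dtb->buf is dropped without a free or a comment about who owns it when it is replaced by new_buf.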
diff --git a/meta/recipes-kernel/kexec/kexec-tools/0009-arm64-kdump-Add-support-for-binary-image-files.patch b/meta/recipes-kernel/kexec/kexec-tools/0009-arm64-kdump-Add-support-for-binary-image-files.patch
new file mode 100644
index 0000000..8b1c018
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools/0009-arm64-kdump-Add-support-for-binary-image-files.patch
@@ -0,0 +1,52 @@
+From 5a4958f01a793c3e7f440f5bae75666a4349cc50 Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <panand@redhat.com>
+Date: Thu, 14 May 2015 11:25:37 +0530
+Subject: [PATCH 9/9] arm64: kdump: Add support for binary image files
+
+This patch adds support to use binary image ie arch/arm64/boot/Image with
+kdump.
+
+Upstream-Status: Backport [https://git.linaro.org/people/takahiro.akashi/kexec-tools.git]
+
+Signed-off-by: Pratyush Anand <panand@redhat.com>
+[takahiro.akashi@linaro.org: a bit reworked]
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ kexec/arch/arm64/kexec-image-arm64.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kexec/arch/arm64/kexec-image-arm64.c b/kexec/arch/arm64/kexec-image-arm64.c
+index 960ed96..982e431 100644
+--- a/kexec/arch/arm64/kexec-image-arm64.c
++++ b/kexec/arch/arm64/kexec-image-arm64.c
+@@ -4,7 +4,9 @@
+ 
+ #define _GNU_SOURCE
+ 
++#include "crashdump-arm64.h"
+ #include "kexec-arm64.h"
++#include "kexec-syscall.h"
+ #include <limits.h>
+ 
+ int image_arm64_probe(const char *kernel_buf, off_t kernel_size)
+@@ -58,6 +60,16 @@ int image_arm64_load(int argc, char **argv, const char *kernel_buf,
+ 	dbgprintf("%s: PE format:      %s\n", __func__,
+ 		(arm64_header_check_pe_sig(header) ? "yes" : "no"));
+ 
++	if (info->kexec_flags & KEXEC_ON_CRASH) {
++		/* create and initialize elf core header segment */
++		result = load_crashdump_segments(info);
++		if (result) {
++			dbgprintf("%s: Creating eflcorehdr failed.\n",
++								__func__);
++			goto exit;
++		}
++	}
++
+ 	/* load the kernel */
+ 	add_segment_phys_virt(info, kernel_buf, kernel_size,
+ 			kernel_segment + arm64_mem.text_offset,
+-- 
+1.9.1
+
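Review bot: In image_arm64_load(), a failure of load_crashdump_segments() is reported only through dbgprintf(), which is debug output, so a normal run gives no message explaining why loading the crash kernel stopped; use fprintf(stderr, ...) for this error. The block is a copy of the one the 0005 patch adds to elf_arm64_load(), including the "eflcorehdr" typo, so a shared helper would keep the two loaders in step.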
diff --git a/meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb b/meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb
deleted file mode 100644
index 59376c8..0000000
--- a/meta/recipes-kernel/kexec/kexec-tools_2.0.12.bb
+++ /dev/null
@@ -1,37 +0,0 @@
-require kexec-tools.inc
-export LDFLAGS = "-L${STAGING_LIBDIR}"
-EXTRA_OECONF = " --with-zlib=yes"
-
-SRC_URI += " \
-            file://kexec-aarch64.patch \
-            file://kexec-x32.patch \
-            file://0002-powerpc-change-the-memory-size-limit.patch \
-            file://0001-purgatory-Pass-r-directly-to-linker.patch \
-            file://0001-vmcore-dmesg-Define-_GNU_SOURCE.patch \
-         "
-
-SRC_URI[md5sum] = "10ddaae0e86af54407b164a1f5a39cc3"
-SRC_URI[sha256sum] = "cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135"
-
-PACKAGES =+ "kexec kdump vmcore-dmesg"
-
-ALLOW_EMPTY_${PN} = "1"
-RRECOMMENDS_${PN} = "kexec kdump vmcore-dmesg"
-
-FILES_kexec = "${sbindir}/kexec"
-FILES_kdump = "${sbindir}/kdump ${sysconfdir}/init.d/kdump \
-               ${sysconfdir}/sysconfig/kdump.conf"
-FILES_vmcore-dmesg = "${sbindir}/vmcore-dmesg"
-
-inherit update-rc.d
-
-INITSCRIPT_PACKAGES = "kdump"
-INITSCRIPT_NAME_kdump = "kdump"
-INITSCRIPT_PARAMS_kdump = "start 56 2 3 4 5 . stop 56 0 1 6 ."
-
-do_install_append () {
-        install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/kdump ${D}${sysconfdir}/init.d/kdump
-        install -d ${D}${sysconfdir}/sysconfig
-        install -m 0644 ${WORKDIR}/kdump.conf ${D}${sysconfdir}/sysconfig
-}
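Review bot: The removed 2.0.12 recipe carried kexec-aarch64.patch and kexec-x32.patch, and neither appears in the SRC_URI of the 2.0.14 recipe added next. The commit message should say why each was dropped (for example, that it was merged upstream), and the two patch files should be deleted from the layer if this commit does not already do so.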
diff --git a/meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb b/meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb
new file mode 100644
index 0000000..899b391
--- /dev/null
+++ b/meta/recipes-kernel/kexec/kexec-tools_2.0.14.bb
@@ -0,0 +1,44 @@
+require kexec-tools.inc
+export LDFLAGS = "-L${STAGING_LIBDIR}"
+EXTRA_OECONF = " --with-zlib=yes"
+
+SRC_URI += "${KERNELORG_MIRROR}/linux/utils/kernel/kexec/kexec-tools-${PV}.tar.gz \
+            file://0002-powerpc-change-the-memory-size-limit.patch \
+            file://0001-purgatory-Pass-r-directly-to-linker.patch \
+            file://0001-vmcore-dmesg-Define-_GNU_SOURCE.patch \
+            file://0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch \
+            file://0002-kexec-generalize-and-rename-get_kernel_stext_sym.patch \
+            file://0003-arm64-identify-PHYS_OFFSET-correctly.patch \
+            file://0004-arm64-kdump-identify-memory-regions.patch \
+            file://0005-arm64-kdump-add-elf-core-header-segment.patch \
+            file://0006-arm64-kdump-set-up-kernel-image-segment.patch \
+            file://0007-arm64-kdump-set-up-other-segments.patch \
+            file://0008-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch \
+            file://0009-arm64-kdump-Add-support-for-binary-image-files.patch \
+         "
+
+SRC_URI[md5sum] = "b2b2c5e6b29d467d6e99d587fb6b7cf5"
+SRC_URI[sha256sum] = "b3e69519d2acced256843b1e8f1ecfa00d9b54fa07449ed78f05b9193f239370"
+
+PACKAGES =+ "kexec kdump vmcore-dmesg"
+
+ALLOW_EMPTY_${PN} = "1"
+RRECOMMENDS_${PN} = "kexec kdump vmcore-dmesg"
+
+FILES_kexec = "${sbindir}/kexec"
+FILES_kdump = "${sbindir}/kdump ${sysconfdir}/init.d/kdump \
+               ${sysconfdir}/sysconfig/kdump.conf"
+FILES_vmcore-dmesg = "${sbindir}/vmcore-dmesg"
+
+inherit update-rc.d
+
+INITSCRIPT_PACKAGES = "kdump"
+INITSCRIPT_NAME_kdump = "kdump"
+INITSCRIPT_PARAMS_kdump = "start 56 2 3 4 5 . stop 56 0 1 6 ."
+
+do_install_append () {
+        install -d ${D}${sysconfdir}/init.d
+        install -m 0755 ${WORKDIR}/kdump ${D}${sysconfdir}/init.d/kdump
+        install -d ${D}${sysconfdir}/sysconfig
+        install -m 0644 ${WORKDIR}/kdump.conf ${D}${sysconfdir}/sysconfig
+}
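Review bot: The 2.0.14 recipe adds the ${KERNELORG_MIRROR} tarball to SRC_URI with `+=`, whereas the removed 2.0.12 recipe listed only file:// entries and still carried the tarball checksums, which suggests kexec-tools.inc already supplies the tarball. Please confirm the tarball does not end up listed twice, or remove it from the .inc in this commit. The backported 0001 to 0009 patches are listed without a comment; a line above them naming the series and the tree given in their Upstream-Status lines would help the next upgrade. The file name 0001-kexec-exntend-the-semantics-of-kexec_iomem_for_each_.patch carries a typo ("exntend").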
-- 
2.8.3




* [PATCH] gpgme: add GPGME_STATUS_KEY_CONSIDERED
From: mingli.yu @ 2016-12-21  8:19 UTC (permalink / raw)
  To: openembedded-core

From: Mingli Yu <Mingli.Yu@windriver.com>

* src/gpgme.h.in (GPGME_STATUS_KEY_CONSIDERED): New.
* src/status-table.c (KEY_CONSIDERED): New.
* src/op-support.c (_gpgme_parse_inv_recp): Add argc KC_FPR and
  KC_FLAGS.  Use calloc.
  (_gpgme_parse_key_considered): New.
* src/sign.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
  (release_op_data): Free KC_FPR.
  (_gpgme_sign_status_handler): Handle STATUS_KEY_CONSIDERED.
* src/encrypt.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
  (release_op_data): Free KC_FPR.
  (_gpgme_encrypt_status_handler): Handle STATUS_KEY_CONSIDERED.

Reference: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commitdiff;h=315fb73d4a774e2c699ac1804f5377559b4d0027

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
 ...001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch | 300 +++++++++++++++++++++
 meta/recipes-support/gpgme/gpgme_1.6.0.bb          |   1 +
 2 files changed, 301 insertions(+)
 create mode 100644 meta/recipes-support/gpgme/gpgme/0001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch

diff --git a/meta/recipes-support/gpgme/gpgme/0001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch b/meta/recipes-support/gpgme/gpgme/0001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch
new file mode 100644
index 0000000..ebcf397
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme/0001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch
@@ -0,0 +1,300 @@
+From e1bdd4c73d43d7ba98b976811ce82d3d11d81c6e Mon Sep 17 00:00:00 2001
+From: Mingli Yu <Mingli.Yu@windriver.com>
+Date: Tue, 20 Dec 2016 06:12:38 +0000
+Subject: [PATCH] gpgme: add GPGME_STATUS_KEY_CONSIDERED
+
+* src/gpgme.h.in (GPGME_STATUS_KEY_CONSIDERED): New.
+* src/status-table.c (KEY_CONSIDERED): New.
+* src/op-support.c (_gpgme_parse_inv_recp): Add argc KC_FPR and
+KC_FLAGS.  Use calloc.
+(_gpgme_parse_key_considered): New.
+* src/sign.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
+(release_op_data): Free KC_FPR.
+(_gpgme_sign_status_handler): Handle STATUS_KEY_CONSIDERED.
+* src/encrypt.c (op_data_t): Add fields KC_FPR and KC_FLAGS.
+(release_op_data): Free KC_FPR.
+(_gpgme_encrypt_status_handler): Handle STATUS_KEY_CONSIDERED.
+
+Reference: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commitdiff;h=315fb73d4a774e2c699ac1804f5377559b4d0027
+
+Upstream-status: Backport
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ src/encrypt.c      | 23 ++++++++++++++++++++-
+ src/gpgme.h.in     |  3 ++-
+ src/op-support.c   | 59 ++++++++++++++++++++++++++++++++++++++++++++++--------
+ src/ops.h          |  8 +++++++-
+ src/sign.c         | 26 +++++++++++++++++++++++-
+ src/status-table.c |  1 +
+ 6 files changed, 108 insertions(+), 12 deletions(-)
+
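Review bot: The tag in the embedded patch header is spelled "Upstream-status: Backport", but OE-core expects the exact spelling "Upstream-Status:" and the patch checks match on it. Please change it to "Upstream-Status: Backport" and put the upstream commit link from the Reference line in brackets after it, so the origin of the backport stays attached to the tag.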
+diff --git a/src/encrypt.c b/src/encrypt.c
+index 9f5134d..82d90e4 100644
+--- a/src/encrypt.c
++++ b/src/encrypt.c
+@@ -39,6 +39,12 @@ typedef struct
+   /* The error code from a FAILURE status line or 0.  */
+   gpg_error_t failure_code;
+ 
++  /* The fingerprint from the last KEY_CONSIDERED status line.  */
++  char *kc_fpr;
++
++  /* The flags from the last KEY_CONSIDERED status line.  */
++  unsigned int kc_flags;
++
+   /* A pointer to the next pointer of the last invalid recipient in
+      the list.  This makes appending new invalid recipients painless
+      while preserving the order.  */
+@@ -60,6 +66,7 @@ release_op_data (void *hook)
+       free (invalid_recipient);
+       invalid_recipient = next;
+     }
++    free (opd->kc_fpr);
+ }
+ 
+ 
+@@ -128,12 +135,26 @@ _gpgme_encrypt_status_handler (void *priv, gpgme_status_code_t code,
+         return opd->failure_code;
+       break;
+ 
++     case GPGME_STATUS_KEY_CONSIDERED:
++      /* This is emitted during gpg's key lookup to give information
++       * about the lookup results.  We store the last one so it can be
++       * used in connection with INV_RECP.  */
++      free (opd->kc_fpr);
++      opd->kc_fpr = NULL;
++      err = _gpgme_parse_key_considered (args, &opd->kc_fpr, &opd->kc_flags);
++      if (err)
++        return err;
++      break;
++
+     case GPGME_STATUS_INV_RECP:
+-      err = _gpgme_parse_inv_recp (args, opd->lastp);
++      err = _gpgme_parse_inv_recp (args, 0, opd->kc_fpr, opd->kc_flags,
++                                   opd->lastp);
+       if (err)
+ 	return err;
+ 
+       opd->lastp = &(*opd->lastp)->next;
++      free (opd->kc_fpr);
++      opd->kc_fpr = NULL;
+       break;
+ 
+     case GPGME_STATUS_NO_RECP:
+diff --git a/src/gpgme.h.in b/src/gpgme.h.in
+index 6cea2c7..fdff1a0 100644
+--- a/src/gpgme.h.in
++++ b/src/gpgme.h.in
+@@ -531,7 +531,8 @@ typedef enum
+     GPGME_STATUS_BEGIN_SIGNING = 90,
+     GPGME_STATUS_KEY_NOT_CREATED = 91,
+     GPGME_STATUS_INQUIRE_MAXLEN = 92,
+-    GPGME_STATUS_FAILURE = 93
++    GPGME_STATUS_FAILURE = 93,
++    GPGME_STATUS_KEY_CONSIDERED = 94
+   }
+ gpgme_status_code_t;
+ 
+diff --git a/src/op-support.c b/src/op-support.c
+index 02940ef..e7d3e45 100644
+--- a/src/op-support.c
++++ b/src/op-support.c
+@@ -190,16 +190,19 @@ _gpgme_op_reset (gpgme_ctx_t ctx, int type)
+ }
+ 
+ \f
+-/* Parse the INV_RECP or INV-SNDR status line in ARGS and return the
+-   result in KEY.  */
++/* Parse the INV_RECP or INV_SNDR status line in ARGS and return the
++   result in KEY.  If KC_FPR (from the KEY_CONSIDERED status line) is
++   not NULL take the KC_FLAGS in account. */
+ gpgme_error_t
+-_gpgme_parse_inv_recp (char *args, gpgme_invalid_key_t *key)
++_gpgme_parse_inv_recp (char *args, int for_signing,
++                       const char *kc_fpr, unsigned int kc_flags,
++                       gpgme_invalid_key_t *key)
+ {
+   gpgme_invalid_key_t inv_key;
+   char *tail;
+   long int reason;
+ 
+-  inv_key = malloc (sizeof (*inv_key));
++  inv_key = calloc (1, sizeof (*inv_key));
+   if (!inv_key)
+     return gpg_error_from_syserror ();
+   inv_key->next = NULL;
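Review bot: The new for_signing parameter of _gpgme_parse_inv_recp is not described in the updated comment, and no visible line of this patch reads it. Either document what it is reserved for or drop it until it is used. With malloc replaced by calloc, the following "inv_key->next = NULL;" is also redundant.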
+@@ -214,9 +217,11 @@ _gpgme_parse_inv_recp (char *args, gpgme_invalid_key_t *key)
+ 
+   switch (reason)
+     {
+-    default:
+     case 0:
+-      inv_key->reason = gpg_error (GPG_ERR_GENERAL);
++      if (kc_fpr && (kc_flags & 2))
++        inv_key->reason = gpg_error (GPG_ERR_SUBKEYS_EXP_OR_REV);
++      else
++        inv_key->reason = gpg_error (GPG_ERR_GENERAL);
+       break;
+ 
+     case 1:
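Review bot: The test "kc_flags & 2" in case 0 relies on a bare magic number, so the reader cannot tell which KEY_CONSIDERED flag selects GPG_ERR_SUBKEYS_EXP_OR_REV. A named constant or a one-line comment stating the meaning of that bit would make the mapping reviewable.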
+@@ -274,6 +279,10 @@ _gpgme_parse_inv_recp (char *args, gpgme_invalid_key_t *key)
+     case 14:
+       inv_key->reason = gpg_error (GPG_ERR_INV_USER_ID);
+       break;
++
++    default:
++      inv_key->reason = gpg_error (GPG_ERR_GENERAL);
++      break;
+     }
+ 
+   while (*tail && *tail == ' ')
+@@ -287,14 +296,48 @@ _gpgme_parse_inv_recp (char *args, gpgme_invalid_key_t *key)
+ 	  return gpg_error_from_syserror ();
+ 	}
+     }
+-  else
+-    inv_key->fpr = NULL;
+ 
+   *key = inv_key;
+   return 0;
+ }
+ 
+ 
++/* Parse a KEY_CONSIDERED status line in ARGS and store the
++ * fingerprint and the flags at R_FPR and R_FLAGS.  The caller must
++ * free the value at R_FPR on success.  */
++gpgme_error_t
++_gpgme_parse_key_considered (const char *args,
++                             char **r_fpr, unsigned int *r_flags)
++{
++  char *pend;
++  size_t n;
++
++  *r_fpr = NULL;
++
++  pend = strchr (args, ' ');
++  if (!pend || pend == args)
++    return trace_gpg_error (GPG_ERR_INV_ENGINE);  /* Bogus status line.  */
++  n = pend - args;
++  *r_fpr = malloc (n + 1);
++  if (!*r_fpr)
++    return gpg_error_from_syserror ();
++  memcpy (*r_fpr, args, n);
++  (*r_fpr)[n] = 0;
++  args = pend + 1;
++
++  gpg_err_set_errno (0);
++  *r_flags = strtoul (args, &pend, 0);
++  if (errno || args == pend || (*pend && *pend != ' '))
++    {
++      free (*r_fpr);
++      *r_fpr = NULL;
++      return trace_gpg_error (GPG_ERR_INV_ENGINE);
++    }
++
++  return 0;
++}
++
++
+ /* Parse the PLAINTEXT status line in ARGS and return the result in
+    FILENAMEP.  */
+ gpgme_error_t
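Review bot: In _gpgme_parse_key_considered the result of strtoul is assigned straight to the unsigned int *r_flags, so on targets where unsigned long is wider than unsigned int an oversized flags field is silently truncated instead of being rejected; errno only catches overflow of unsigned long. Consider parsing into an unsigned long, returning GPG_ERR_INV_ENGINE when the value exceeds UINT_MAX, and only then storing it in *r_flags.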
+diff --git a/src/ops.h b/src/ops.h
+index 3662d57..9c27529 100644
+--- a/src/ops.h
++++ b/src/ops.h
+@@ -57,9 +57,15 @@ gpgme_error_t _gpgme_op_data_lookup (gpgme_ctx_t ctx, ctx_op_data_id_t type,
+ /* Prepare a new operation on CTX.  */
+ gpgme_error_t _gpgme_op_reset (gpgme_ctx_t ctx, int synchronous);
+ 
++/* Parse the KEY_CONSIDERED status line.  */
++gpgme_error_t _gpgme_parse_key_considered (const char *args,
++                                           char **r_fpr, unsigned int *r_flags);
++
+ /* Parse the INV_RECP status line in ARGS and return the result in
+    KEY.  */
+-gpgme_error_t _gpgme_parse_inv_recp (char *args, gpgme_invalid_key_t *key);
++gpgme_error_t _gpgme_parse_inv_recp (char *args, int for_signing,
++                                     const char *kc_fpr, unsigned int kc_flags,
++                                     gpgme_invalid_key_t *key);
+ 
+ /* Parse the PLAINTEXT status line in ARGS and return the result in
+    FILENAMEP.  */
+diff --git a/src/sign.c b/src/sign.c
+index 6c9fc03..81cbbc7 100644
+--- a/src/sign.c
++++ b/src/sign.c
+@@ -42,6 +42,12 @@ typedef struct
+   /* The error code from a FAILURE status line or 0.  */
+   gpg_error_t failure_code;
+ 
++  /* The fingerprint from the last KEY_CONSIDERED status line.  */
++  char *kc_fpr;
++
++  /* The flags from the last KEY_CONSIDERED status line.  */
++  unsigned int kc_flags;
++
+   /* A pointer to the next pointer of the last invalid signer in
+      the list.  This makes appending new invalid signers painless
+      while preserving the order.  */
+@@ -86,6 +92,7 @@ release_op_data (void *hook)
+     }
+ 
+   release_signatures (opd->result.signatures);
++  free (opd->kc_fpr);
+ }
+ 
+ 
+@@ -316,6 +323,17 @@ _gpgme_sign_status_handler (void *priv, gpgme_status_code_t code, char *args)
+       opd->last_sig_p = &(*opd->last_sig_p)->next;
+       break;
+ 
++    case GPGME_STATUS_KEY_CONSIDERED:
++      /* This is emitted during gpg's key lookup to give information
++       * about the lookup results.  We store the last one so it can be
++       * used in connection with INV_RECP.  */
++      free (opd->kc_fpr);
++      opd->kc_fpr = NULL;
++      err = _gpgme_parse_key_considered (args, &opd->kc_fpr, &opd->kc_flags);
++      if (err)
++        return err;
++      break;
++
+     case GPGME_STATUS_INV_RECP:
+       if (opd->inv_sgnr_seen && opd->ignore_inv_recp)
+         break;
+@@ -323,11 +341,17 @@ _gpgme_sign_status_handler (void *priv, gpgme_status_code_t code, char *args)
+     case GPGME_STATUS_INV_SGNR:
+       if (code == GPGME_STATUS_INV_SGNR)
+         opd->inv_sgnr_seen = 1;
+-      err = _gpgme_parse_inv_recp (args, opd->last_signer_p);
++      free (opd->kc_fpr);
++      opd->kc_fpr = NULL;
++      err = _gpgme_parse_inv_recp (args, 1, opd->kc_fpr, opd->kc_flags,
++                                   opd->last_signer_p);
+       if (err)
+ 	return err;
+ 
+       opd->last_signer_p = &(*opd->last_signer_p)->next;
++      free (opd->kc_fpr);
++      opd->kc_fpr = NULL;
++
+       break;
+ 
+     case GPGME_STATUS_FAILURE:
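Review bot: In the INV_SGNR case, opd->kc_fpr is freed and set to NULL immediately before it is passed to _gpgme_parse_inv_recp, so the call always receives NULL and the "kc_fpr && (kc_flags & 2)" test in op-support.c can never report GPG_ERR_SUBKEYS_EXP_OR_REV for an invalid signer. The KEY_CONSIDERED value stored by the new case above is therefore never used on the signing path. The encrypt.c handler in this same patch clears kc_fpr only after the call; if the same behaviour is wanted here, drop the free/NULL pair that precedes the call and keep the one after "opd->last_signer_p = ...".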
+diff --git a/src/status-table.c b/src/status-table.c
+index 6d428d7..e70cb8b 100644
+--- a/src/status-table.c
++++ b/src/status-table.c
+@@ -84,6 +84,7 @@ static struct status_table_s status_table[] =
+   { "INQUIRE_MAXLEN", GPGME_STATUS_INQUIRE_MAXLEN },
+   { "INV_RECP", GPGME_STATUS_INV_RECP },
+   { "INV_SGNR", GPGME_STATUS_INV_SGNR },
++  { "KEY_CONSIDERED", GPGME_STATUS_KEY_CONSIDERED },
+   { "KEY_CREATED", GPGME_STATUS_KEY_CREATED },
+   { "KEY_NOT_CREATED",   GPGME_STATUS_KEY_NOT_CREATED  },
+   { "KEYEXPIRED", GPGME_STATUS_KEYEXPIRED },
+-- 
+2.11.0
+
diff --git a/meta/recipes-support/gpgme/gpgme_1.6.0.bb b/meta/recipes-support/gpgme/gpgme_1.6.0.bb
index a2d0587..546e029 100644
--- a/meta/recipes-support/gpgme/gpgme_1.6.0.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.6.0.bb
@@ -13,6 +13,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
 SRC_URI = "${GNUPG_MIRROR}/gpgme/${BP}.tar.bz2 \
            file://gpgme.pc \
            file://pkgconfig.patch \
+           file://0001-gpgme-add-GPGME_STATUS_KEY_CONSIDERED.patch \
           "
 
 SRC_URI[md5sum] = "60d730d22e8065fd5de309e8b98e304b"
-- 
2.8.1


