1 |
commit: 48493c5055195f3a1c1cacabdaf4368b7eaeba14 |
2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Dec 23 01:30:02 2020 +0000 |
4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Dec 23 01:30:31 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48493c50 |
7 |
|
8 |
Revert "sys-firmware/edk2-ovmf: security cleanup (bug #744412)" |
9 |
|
10 |
This reverts commit ffcb1841612a0f3edf1d057e1ef0c862a7cb8270. |
11 |
|
12 |
Still needed for app-emulation/qemu. |
13 |
|
14 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
15 |
|
16 |
sys-firmware/edk2-ovmf/Manifest | 3 + |
17 |
sys-firmware/edk2-ovmf/edk2-ovmf-201905.ebuild | 170 +++++++++++++++++++++++++ |
18 |
2 files changed, 173 insertions(+) |
19 |
|
20 |
diff --git a/sys-firmware/edk2-ovmf/Manifest b/sys-firmware/edk2-ovmf/Manifest |
21 |
index bcb2df5176f..bec7f6b201f 100644 |
22 |
--- a/sys-firmware/edk2-ovmf/Manifest |
23 |
+++ b/sys-firmware/edk2-ovmf/Manifest |
24 |
@@ -1,4 +1,7 @@ |
25 |
DIST brotli-666c3280cc11dc433c303d79a83d4ffbdd12cc8d.tar.gz 23855739 BLAKE2B 7406ec5b29ac66afbcd7c1376bb3208f298d19b6592b2869c52173aa64947d58bd443f9a61c67deaf046be910a0e31c0b843e5508e97e0e1f5e7bce100d86904 SHA512 df8e90562c4fd7f0e787949df6bc4f5a165b39bd333f442d27874fe65640fbba268f9350d7113e6761a5acceb66d78e75f1a296e5a89b94574edf28109cdc812 |
26 |
+DIST edk2-ovmf-201905-bin.tar.xz 3017256 BLAKE2B 6a106f111a363f1c2de33c4e7eba48183da6047654512939c286c6d0369e3b4c7705c271e61fa95299ba2b629022be7b5ef665ff096d41373583f5409b5c32fb SHA512 4a174dc1d64769a93de3bf5f9d787e278bfab57e2317699d722aa772e64e8867b3998b7feee58d5e4c66adc79ba9c5023dae2ce786159db7a740b86cf35d923d |
27 |
+DIST edk2-ovmf-201905-bundled.tar.xz 3538508 BLAKE2B a1766180c84ee83987f50fdb6a6c9891dfb983ff78c98f7bc38635ffe484ebf29d4286ff97d7747080e28a655ff14b5939d4505d75ebe6655ecacc7f9d405469 SHA512 be3d8ef1ffb1ddce64883d9ef8dc598c7026d23d2e33c33949d28de81513b6a7f04f840ccb3d42664e918c6603487fbe594261c327921f3250c3998218572774 |
28 |
+DIST edk2-ovmf-201905.tar.gz 14551747 BLAKE2B 6fb3385445fd01c0dea26295a68de2691524e55c96d8a0e85aab1385a9abddc47c13ce3236b952c1299514e542ad0fa4bc9550cc4527945c05109d227a698293 SHA512 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1 |
29 |
DIST edk2-ovmf-202008-bin.tar.xz 3486024 BLAKE2B 8283db554ad7024e3a55b62ed0a560ed9f729d728f1dee3806814b1eb8d89dabc4fd70433f7f77656b65d9af7919d036074a53a95190a1aa8b65ab7d73495ffc SHA512 d0c8b249a7a2124e8bb63a4358466e86a3a837e76586565dd4762351998d8561374eabb8a1303dbf71ac269c15552d9e8cff71d65bc6fe8a3a81fb4fb032e0d8 |
30 |
DIST edk2-ovmf-202008-qemu-firmware.tar.xz 680 BLAKE2B 176f8e94a3f605acc72850634cbf155619490f5998125521a392a8e9c7d2b78841b841f0cb5ea860f14645b124cf1921256bbe46960efbe3401805d89bbfbed6 SHA512 b72f248ab4d49503c3e8e686e22beb77f0e48d2c6c9523f389f20504e0c30fa11fa0fcb5607d7d5bb1ba2433894fa458864c5761335e39de4b2a40b01203f043 |
31 |
DIST edk2-ovmf-202008.tar.gz 13172590 BLAKE2B 10acf77d0e70e21ca425ea41c0062f8cebe2cc607b93a2a253bcd87cea1546e791776a34d43fbf4f1040f4fc32e3ee413d44873d0f00b9e523816519cfed634e SHA512 c32340104f27b9b85f79e934cc9eeb739d47b01e13975c88f39b053e9bc5a1ecfe579ab3b63fc7747cc328e104b337b53d41deb4470c3f20dbbd5552173a4666 |
32 |
|
33 |
diff --git a/sys-firmware/edk2-ovmf/edk2-ovmf-201905.ebuild b/sys-firmware/edk2-ovmf/edk2-ovmf-201905.ebuild |
34 |
new file mode 100644 |
35 |
index 00000000000..8b1c10b16ff |
36 |
--- /dev/null |
37 |
+++ b/sys-firmware/edk2-ovmf/edk2-ovmf-201905.ebuild |
38 |
@@ -0,0 +1,170 @@ |
39 |
+# Copyright 1999-2020 Gentoo Authors |
40 |
+# Distributed under the terms of the GNU General Public License v2 |
41 |
+ |
42 |
+EAPI=7 |
43 |
+ |
44 |
+PYTHON_REQ_USE="sqlite" |
45 |
+PYTHON_COMPAT=( python{3_6,3_7} ) |
46 |
+ |
47 |
+inherit eutils python-any-r1 readme.gentoo-r1 |
48 |
+ |
49 |
+DESCRIPTION="UEFI firmware for 64-bit x86 virtual machines" |
50 |
+HOMEPAGE="https://github.com/tianocore/edk2" |
51 |
+ |
52 |
+NON_BINARY_DEPEND=" |
53 |
+ app-emulation/qemu |
54 |
+ >=dev-lang/nasm-2.0.7 |
55 |
+ >=sys-power/iasl-20160729 |
56 |
+ ${PYTHON_DEPS} |
57 |
+" |
58 |
+DEPEND="" |
59 |
+RDEPEND="" |
60 |
+if [[ ${PV} == "999999" ]] ; then |
61 |
+ inherit git-r3 |
62 |
+ EGIT_REPO_URI="https://github.com/tianocore/edk2" |
63 |
+ DEPEND+=" |
64 |
+ ${NON_BINARY_DEPEND} |
65 |
+ " |
66 |
+else |
67 |
+ # Binary versions taken from fedora: |
68 |
+ # http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/s/ |
69 |
+ # edk2-ovmf-20190501stable-2.fc31.noarch.rpm |
70 |
+ SRC_URI=" |
71 |
+ !binary? ( |
72 |
+ https://github.com/tianocore/edk2/archive/edk2-stable${PV}.tar.gz -> ${P}.tar.gz |
73 |
+ https://dev.gentoo.org/~tamiko/distfiles/${P}-bundled.tar.xz |
74 |
+ ) |
75 |
+ binary? ( https://dev.gentoo.org/~tamiko/distfiles/${P}-bin.tar.xz ) |
76 |
+ " |
77 |
+ KEYWORDS="amd64 arm64 ~ppc ppc64 x86" |
78 |
+ IUSE="+binary" |
79 |
+ REQUIRED_USE+=" |
80 |
+ !amd64? ( binary ) |
81 |
+ " |
82 |
+ DEPEND+=" |
83 |
+ !binary? ( |
84 |
+ amd64? ( |
85 |
+ ${NON_BINARY_DEPEND} |
86 |
+ ) |
87 |
+ )" |
88 |
+ PATCHES=( |
89 |
+ ) |
90 |
+fi |
91 |
+ |
92 |
+LICENSE="BSD-2 MIT" |
93 |
+SLOT="0" |
94 |
+ |
95 |
+S="${WORKDIR}/edk2-edk2-stable${PV}" |
96 |
+ |
97 |
+DISABLE_AUTOFORMATTING=true |
98 |
+DOC_CONTENTS="This package contains the tianocore edk2 UEFI firmware for 64-bit x86 |
99 |
+virtual machines. The firmware is located under |
100 |
+ /usr/share/edk2-ovmf/OVMF_CODE.fd |
101 |
+ /usr/share/edk2-ovmf/OVMF_VARS.fd |
102 |
+ /usr/share/edk2-ovmf/OVMF_CODE.secboot.fd |
103 |
+ |
104 |
+If USE=binary is enabled, we also install an OVMF variables file (coming from |
105 |
+fedora) that contains secureboot default keys |
106 |
+ |
107 |
+ /usr/share/edk2-ovmf/OVMF_VARS.secboot.fd |
108 |
+ |
109 |
+If you have compiled this package by hand, you need to either populate all |
110 |
+necessary EFI variables by hand by booting |
111 |
+ /usr/share/edk2-ovmf/UefiShell.(iso|img) |
112 |
+or creating OVMF_VARS.secboot.fd by hand: |
113 |
+ https://github.com/puiterwijk/qemu-ovmf-secureboot |
114 |
+ |
115 |
+The firmware does not support csm (due to no free csm implementation |
116 |
+available). If you need a firmware with csm support you have to download |
117 |
+one for yourself. Firmware blobs are commonly labeled |
118 |
+ OVMF{,_CODE,_VARS}-with-csm.fd |
119 |
+ |
120 |
+In order to use the firmware you can run qemu the following way |
121 |
+ |
122 |
+ $ qemu-system-x86_64 \ |
123 |
+ -drive file=/usr/share/edk2-ovmf/OVMF.fd,if=pflash,format=raw,unit=0,readonly=on \ |
124 |
+ ... |
125 |
+ |
126 |
+You can register the firmware for use in libvirt by adding to /etc/libvirt/qemu.conf: |
127 |
+ nvram = [ |
128 |
+ \"/usr/share/edk2-ovmf/OVMF_CODE.fd:/usr/share/edk2-ovmf/OVMF_VARS.fd\" |
129 |
+ \"/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd:/usr/share/edk2-ovmf/OVMF_VARS.fd\" |
130 |
+ ]" |
131 |
+ |
132 |
+pkg_setup() { |
133 |
+ [[ ${PV} != "999999" ]] && use binary || python-any-r1_pkg_setup |
134 |
+} |
135 |
+ |
136 |
+src_prepare() { |
137 |
+ if ! use binary; then |
138 |
+ sed -i -r \ |
139 |
+ -e "/function SetupPython3/,/\}/{s,\\\$\(whereis python3\),${EPYTHON},g}" \ |
140 |
+ "${S}"/edksetup.sh || die "Fixing for correct Python3 support failed" |
141 |
+ fi |
142 |
+ if [[ ${PV} != "999999" ]] && use binary; then |
143 |
+ eapply_user |
144 |
+ return |
145 |
+ fi |
146 |
+ default |
147 |
+} |
148 |
+ |
149 |
+src_compile() { |
150 |
+ TARGET_ARCH=X64 |
151 |
+ TARGET_NAME=RELEASE |
152 |
+ TARGET_TOOLS=GCC49 |
153 |
+ |
154 |
+ BUILD_FLAGS="-D TLS_ENABLE \ |
155 |
+ -D HTTP_BOOT_ENABLE \ |
156 |
+ -D NETWORK_IP6_ENABLE \ |
157 |
+ -D FD_SIZE_2MB" |
158 |
+ |
159 |
+ SECUREBOOT_BUILD_FLAGS="${BUILD_FLAGS} \ |
160 |
+ -D SECURE_BOOT_ENABLE \ |
161 |
+ -D SMM_REQUIRE \ |
162 |
+ -D EXCLUDE_SHELL_FROM_FD" |
163 |
+ |
164 |
+ [[ ${PV} != "999999" ]] && use binary && return |
165 |
+ |
166 |
+ emake ARCH=${TARGET_ARCH} -C BaseTools |
167 |
+ |
168 |
+ . ./edksetup.sh |
169 |
+ |
170 |
+ # Build all EFI firmware blobs: |
171 |
+ |
172 |
+ mkdir -p ovmf |
173 |
+ |
174 |
+ ./OvmfPkg/build.sh \ |
175 |
+ -a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \ |
176 |
+ ${BUILD_FLAGS} || die "OvmfPkg/build.sh failed" |
177 |
+ |
178 |
+ cp Build/OvmfX64/*/FV/OVMF_*.fd ovmf/ |
179 |
+ rm -rf Build/OvmfX64 |
180 |
+ |
181 |
+ ./OvmfPkg/build.sh \ |
182 |
+ -a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \ |
183 |
+ ${SECUREBOOT_BUILD_FLAGS} || die "OvmfPkg/build.sh failed" |
184 |
+ |
185 |
+ cp Build/OvmfX64/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd || die "cp failed" |
186 |
+ cp Build/OvmfX64/*/X64/Shell.efi ovmf/ || die "cp failed" |
187 |
+ cp Build/OvmfX64/*/X64/EnrollDefaultKeys.efi ovmf || die "cp failed" |
188 |
+ |
189 |
+ # Build a convenience UefiShell.img: |
190 |
+ |
191 |
+ mkdir -p iso_image/efi/boot || die "mkdir failed" |
192 |
+ cp ovmf/Shell.efi iso_image/efi/boot/bootx64.efi || die "cp failed" |
193 |
+ cp ovmf/EnrollDefaultKeys.efi iso_image || die "cp failed" |
194 |
+ qemu-img convert --image-opts \ |
195 |
+ driver=vvfat,floppy=on,fat-type=12,label=UEFI_SHELL,dir=iso_image \ |
196 |
+ ovmf/UefiShell.img || die "qemu-img failed" |
197 |
+} |
198 |
+ |
199 |
+src_install() { |
200 |
+ insinto /usr/share/${PN} |
201 |
+ doins ovmf/* |
202 |
+ |
203 |
+ readme.gentoo_create_doc |
204 |
+} |
205 |
+ |
206 |
+pkg_postinst() { |
207 |
+ readme.gentoo_print_elog |
208 |
+} |