diff options
Diffstat (limited to 'meta/recipes-core/ovmf/ovmf_git.bb')
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf_git.bb | 77 |
1 files changed, 56 insertions, 21 deletions
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 896b3b6320..35ca8d1834 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -2,27 +2,48 @@ SUMMARY = "OVMF - UEFI firmware for Qemu and KVM" DESCRIPTION = "OVMF is an EDK II based project to enable UEFI support for \ Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM" HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF" -LICENSE = "BSD-2-Clause" -LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}" +LICENSE = "BSD-2-Clause-Patent" +LICENSE:class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD-2-Clause-Patent & OpenSSL', 'BSD-2-Clause-Patent', d)}" LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65" # Enabling Secure Boot adds a dependency on OpenSSL and implies # compiling OVMF twice, so it is disabled by default. Distros # may change that default. PACKAGECONFIG ??= "" +PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}" PACKAGECONFIG[secureboot] = ",,," +PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,," + +# GCC12 trips on it +#see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch +BUILD_CFLAGS += "-Wno-error=stringop-overflow" SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://0001-ovmf-update-path-to-native-BaseTools.patch \ file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ - file://0004-ovmf-Update-to-latest.patch \ - file://zero.patch \ + file://0003-debug-prefix-map.patch \ + file://0004-reproducible.patch \ " -PV = "edk2-stable202102" -SRCREV = "ef91b07388e1c0a50c604e5350eeda98428ccea6" +PV = "edk2-stable202402" +SRCREV = "edc6681206c1a8791981a2f911d2fb8b3d2f5768" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)" +CVE_PRODUCT = "edk2" +CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}" + +CVE_STATUS[CVE-2014-8271] = "fixed-version: Fixed in svn_16280, which is an unusual versioning breaking version comparison." +CVE_STATUS[CVE-2014-4859] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2014-4860] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14553] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14559] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14562] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." + inherit deploy PARALLEL_MAKE = "" @@ -37,7 +58,7 @@ EDK_TOOLS_DIR="edk2_basetools" BUILD_OPTIMIZATION="-pipe" # OVMF supports IA only, although it could conceivably support ARM someday. -COMPATIBLE_HOST_class-target='(i.86|x86_64).*' +COMPATIBLE_HOST:class-target='(i.86|x86_64).*' # Additional build flags for OVMF with Secure Boot. # Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD". @@ -49,7 +70,7 @@ export PYTHON_COMMAND = "${HOSTTOOLS_DIR}/python3" do_patch[postfuncs] += "fix_basetools_location" fix_basetools_location () { } -fix_basetools_location_class-target() { +fix_basetools_location:class-target() { # Replaces the fake path inserted by 0002-ovmf-update-path-to-native-BaseTools.patch. # Necessary for finding the actual BaseTools from ovmf-native. sed -i -e 's#BBAKE_EDK_TOOLS_PATH#${STAGING_BINDIR_NATIVE}/${EDK_TOOLS_DIR}#' ${S}/OvmfPkg/build.sh @@ -58,7 +79,7 @@ fix_basetools_location_class-target() { do_patch[postfuncs] += "fix_iasl" fix_iasl() { } -fix_iasl_class-native() { +fix_iasl:class-native() { # iasl is not installed under /usr/bin when building with OE. sed -i -e 's#/usr/bin/iasl#${STAGING_BINDIR_NATIVE}/iasl#' ${S}/BaseTools/Conf/tools_def.template } @@ -77,14 +98,14 @@ fix_toolchain() { -e '/^VFR_CPPFLAGS/a CC = ${CC}\nCXX = ${CXX}\nAS = ${AS}\nAR = ${AR}\nLD = ${LD}' \ ${S}/BaseTools/Source/C/VfrCompile/GNUmakefile } -fix_toolchain_append_class-native() { +fix_toolchain:append:class-native() { # This tools_def.template is going to be used by the target ovmf and # defines which compilers to use. For the GCC toolchain definitions, # that will be ${HOST_PREFIX}gcc. However, "make" doesn't need that # prefix. # # Injecting ENV(HOST_PREFIX) matches exporting that value as env - # variable in do_compile_class-target. + # variable in do_compile:class-target. sed -i \ -e 's#\(ENV\|DEF\)(GCC.*_PREFIX)#ENV(HOST_PREFIX)#' \ -e 's#ENV(HOST_PREFIX)make#make#' \ @@ -101,9 +122,23 @@ fix_toolchain_append_class-native() { # to make ovmf-native reusable across distros. sed -i \ -e 's#^\(DEFINE GCC.*DLINK.*FLAGS *=\)#\1 -fuse-ld=bfd#' \ + -e 's#-flto#-fno-lto#g' \ + -e 's#-DUSING_LTO##g' \ ${S}/BaseTools/Conf/tools_def.template } +# We disable lto above since the results are not reproducible and make it hard to compare +# binary build aretfacts to debug reproducibility problems. +# Surprisingly, if you disable lto, you see compiler warnings which are fatal. We therefore +# have to hack warnings overrides into GCC_PREFIX_MAP to allow it to build. + +# We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in +# --debug-prefix-map to nasm (we carry a patch to nasm for this). The +# tools definitions are built by ovmf-native so we need to pass this in +# at target build time when we know the right values. +export NASM_PREFIX_MAP = "--debug-prefix-map=${WORKDIR}=${TARGET_DBGSRC_DIR}" +export GCC_PREFIX_MAP = "${DEBUG_PREFIX_MAP} -Wno-stringop-overflow -Wno-maybe-uninitialized" + GCC_VER="$(${CC} -v 2>&1 | tail -n1 | awk '{print $3}')" fixup_target_tools() { @@ -133,11 +168,11 @@ fixup_target_tools() { echo ${FIXED_GCCVER} } -do_compile_class-native() { +do_compile:class-native() { oe_runmake -C ${S}/BaseTools } -do_compile_class-target() { +do_compile:class-target() { export LFLAGS="${LDFLAGS}" PARALLEL_JOBS="${@oe.utils.parallel_make_argument(d, '-n %d')}" OVMF_ARCH="X64" @@ -169,7 +204,7 @@ do_compile_class-target() { bbnote "Building without Secure Boot." rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX - ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd @@ -179,19 +214,19 @@ do_compile_class-target() { # Repeat build with the Secure Boot flags. bbnote "Building with Secure Boot." rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX - ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} + ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ${OVMF_SECURE_BOOT_FLAGS} ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/ fi } -do_install_class-native() { +do_install:class-native() { install -d ${D}/${bindir}/edk2_basetools cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} } -do_install_class-target() { +do_install:class-target() { # Content for UEFI shell iso. We install the EFI shell as # bootx64/ia32.efi because then it can be started even when the # firmware itself does not contain it. @@ -208,19 +243,19 @@ do_install_class-target() { # # However, EnrollDefaultKeys.efi is only included when Secure Boot is enabled. PACKAGES =+ "ovmf-shell-efi" -FILES_ovmf-shell-efi = " \ +FILES:ovmf-shell-efi = " \ EnrollDefaultKeys.efi \ efi/ \ " DEPLOYDEP = "" -DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot" -DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}" +DEPLOYDEP:class-target = "qemu-system-native:do_populate_sysroot" +DEPLOYDEP:class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}" do_deploy[depends] += "${DEPLOYDEP}" do_deploy() { } -do_deploy_class-target() { +do_deploy:class-target() { # For use with "runqemu ovmf". for i in \ ovmf \ |