From a53089c4df903ec73bbbfad6e2a52191bea13b37 Mon Sep 17 00:00:00 2001 
From: Kashyap Chamarthy Date: Wed, 10 Jul 2019 14:37:01 +0200 Subject: [PATCH] Ship the JSON firmware "descriptor files" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From version 4.1 (due in August 2019) onwards, QEMU ships the so-called firmware "descriptor files". These are small JSON files that describe details about UEFI firmware binaries — such as the firmware binary path, its architecture, supported machine type, NVRAM template and so forth. You can see examples of these files from the QEMU upstream Git: https://git.qemu.org/?p=qemu.git;a=tree;f=pc-bios/descriptors $> tree descriptors/ descriptors/ ├── 50-edk2-i386-secure.json ├── 50-edk2-x86_64-secure.json ├── 60-edk2-aarch64.json ├── 60-edk2-arm.json ├── 60-edk2-i386.json └── 60-edk2-x86_64.json QEMU 4.1 itself will ship the above files. However, Fedora needs to ship these files as part of its EDK2 package. Why? ---- (1) Quoting (with minor formatting edits) Laszlo Ersek: Distributions providing their own EDK2 packages would not include the descriptors from upstream QEMU, even if they otherwise package QEMU. That's because the descriptor files in QEMU match the firmware bundled with QEMU -- but the firmware images in the distros' own EDK2 packages are different. So, if a distro provides an EDK2 package, then the same EDK2 package should offer matching descriptors. QEMU offers descriptors (soon) because QEMU technically distributes edk2 firmware binaries (soon). [Where "soon" == QEMU 4.1] (2) And as Dan Berrangé reminded on IRC: In Fedora, we need to ship them [the "descriptor files"] as part of the EDK2 package, because Fedora throws away all the firmware files that QEMU bundles, because we're [Fedora] required to rebuild everything from pristine source. 
- - - In this patch: (*) Copy the upstream JSON files, and do a simple `sed` substitution to replace the QEMU macro "DATADIR" with the actual path: sed -i 's/\@DATADIR\@/\/usr\/share/g' (*) Install the JSON files for the relevant architectures in the `/usr/share/firmware`, as required by specificatino[+]. (*) I didn't change the prefix "priority" numbers ('50' and '60') of the JSON files because on Fedora they shouldn't collide the with the upstream-provided files. See point (2) earlier. [+] https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/firmware.json Resolves: rhbz#1728652 Signed-off-by: Kashyap Chamarthy --- 50-edk2-i386-secure.json | 34 +++++++++++++++++++++++++++ 50-edk2-x86_64-secure.json | 35 +++++++++++++++++++++++++++ 60-edk2-aarch64.json | 31 ++++++++++++++++++++++++ 60-edk2-arm.json | 31 ++++++++++++++++++++++++ 60-edk2-i386.json | 33 ++++++++++++++++++++++++++ 60-edk2-x86_64.json | 34 +++++++++++++++++++++++++++ edk2.spec | 48 +++++++++++++++++++++++++++++++++++++- 7 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 50-edk2-i386-secure.json create mode 100644 50-edk2-x86_64-secure.json create mode 100644 60-edk2-aarch64.json create mode 100644 60-edk2-arm.json create mode 100644 60-edk2-i386.json create mode 100644 60-edk2-x86_64.json diff --git a/50-edk2-i386-secure.json b/50-edk2-i386-secure.json new file mode 100644 index 0000000000000000000000000000000000000000..35eda75ad89daff0a8d8e573149d32b4ee86baab --- /dev/null +++ b/50-edk2-i386-secure.json 
@@ -0,0 +1,34 @@
+{
+ "description": "UEFI firmware for i386, with Secure Boot and SMM",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2-i386-secure-code.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2-i386-vars.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "i386",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/50-edk2-x86_64-secure.json b/50-edk2-x86_64-secure.json
new file mode 100644
index 0000000000000000000000000000000000000000..3716b06ebcaf24d765615216cc32884cf6d0ad41
--- /dev/null
+++ b/50-edk2-x86_64-secure.json
@@ -0,0 +1,35 @@
+{
+ "description": "UEFI firmware for x86_64, with Secure Boot and SMM",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2-x86_64-secure-code.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2-i386-vars.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-aarch64.json b/60-edk2-aarch64.json
new file mode 100644
index 0000000000000000000000000000000000000000..8ce29cd49cd8a34317dd9a3b93527c0229e75fbd
--- /dev/null
+++ b/60-edk2-aarch64.json
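Review bot: The two `filename` values under `mapping` (`/usr/share/edk2-i386-secure-code.fd` and `/usr/share/edk2-i386-vars.fd`) are the upstream QEMU bundle names with `@DATADIR@` substituted, and nothing in the edk2.spec hunks visible in this patch installs files at those paths; the spec puts the images under `/usr/share/%{name}/ovmf-ia32/` and behind the `/usr/share/OVMF` symlinks. A management layer that selects firmware from this descriptor would be handed a path the package does not appear to ship, so a guest requested with `secure-boot` could not be started from it. The same applies to 50-edk2-x86_64-secure.json, 60-edk2-aarch64.json, 60-edk2-arm.json and 60-edk2-i386.json; only 60-edk2-x86_64.json uses the packaged `/usr/share/OVMF/...` paths. Each `filename` should name the image this package installs for that architecture, and a `%check` step that fails the build when a descriptor references a missing file would keep the two from drifting apart.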
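Review bot: The `nvram-template` of this Secure Boot descriptor (50-edk2-x86_64-secure.json) is the generic `edk2-i386-vars.fd` template, and `features` lists `secure-boot` without `enrolled-keys`, so a guest created from it would presumably start with no keys enrolled and Secure Boot not enforced. The spec in this patch already links `OVMF_CODE.secboot.fd` and `OVMF_VARS.secboot.fd` into `/usr/share/OVMF`. If that VARS file is the key-enrolled template, use `"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd"` and `"filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd"` here and add `"enrolled-keys"` to `features`. If it is not, the `description` string should say that keys must be enrolled before Secure Boot takes effect.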
@@ -0,0 +1,31 @@
+{
+ "description": "UEFI firmware for aarch64",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2-aarch64-code.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2-arm-vars.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "verbose-static"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-arm.json b/60-edk2-arm.json
new file mode 100644
index 0000000000000000000000000000000000000000..3ddeeb0782da155ac9545db871e923b626a0dae2
--- /dev/null
+++ b/60-edk2-arm.json
@@ -0,0 +1,31 @@
+{
+ "description": "UEFI firmware for arm",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2-arm-code.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2-arm-vars.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "arm",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "verbose-static"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-i386.json b/60-edk2-i386.json
new file mode 100644
index 0000000000000000000000000000000000000000..080ee67bb48b66d26728ff627ddb6040f9848498
--- /dev/null
+++ b/60-edk2-i386.json
@@ -0,0 +1,33 @@
+{
+ "description": "UEFI firmware for i386",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2-i386-code.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2-i386-vars.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "i386",
+ "machines": [
+ "pc-i440fx-*",
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-x86_64.json b/60-edk2-x86_64.json
new file mode 100644
index 0000000000000000000000000000000000000000..4129faaa656d68fe763dede49e8c218fecc9415c
--- /dev/null +++ b/60-edk2-x86_64.json @@ -0,0 +1,34 @@ +{ + "description": "UEFI firmware for x86_64", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/OVMF/OVMF_CODE.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/OVMF/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/edk2.spec b/edk2.spec index d5df71559df1780a3f7a83b744d0ce1566072e15..3891d4735c36efa5dc12ed575984e09a9c460867 100644 --- a/edk2.spec +++ b/edk2.spec @@ -50,7 +50,7 @@ Name: edk2 #Version: {edk2_date}git{edk2_githash} Version: %{edk2_stable_date}stable -Release: 1%{dist} +Release: 2%{dist} Summary: EFI Development Kit II License: BSD @@ -67,6 +67,14 @@ Source11: build-iso.sh Source12: update-tarball.sh Source13: openssl-patch-to-tarball.sh +# Fedora-specific JSON "descriptor files" +Source14: 50-edk2-x86_64-secure.json +Source15: 60-edk2-x86_64.json +Source16: 50-edk2-i386-secure.json +Source17: 60-edk2-i386.json +Source18: 60-edk2-aarch64.json +Source19: 60-edk2-arm.json + # non-upstream patches Patch0001: 0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch Patch0002: 0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch @@ -239,6 +247,14 @@ tar -xvf %{SOURCE3} mv qemu-ovmf-secureboot-%{qosb_version}/README.md README.qosb mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb +# Copy the JSON firmware descriptor files into place +cp -a -- %{SOURCE14} . +cp -a -- %{SOURCE15} . +cp -a -- %{SOURCE16} . +cp -a -- %{SOURCE17} . +cp -a -- %{SOURCE18} . +cp -a -- %{SOURCE19} . + %autopatch -p1 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp 
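Review bot: The six `cp -a -- %{SOURCEn} .` lines added to `%prep` in the -239 hunk look unused. The `%install` hunks later in this patch install straight from `%{SOURCE14}` through `%{SOURCE19}`, so the copies placed in the build directory are never read in any hunk shown here. Either drop the copies, or have `%install` use them, e.g. `install -pm 644 50-edk2-x86_64-secure.json %{buildroot}%{_datadir}/qemu/firmware`, so the files being packaged are the ones `%prep` staged. `%prep` begins and ends outside this hunk.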
@@ -408,9 +424,25 @@ ln -sf ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/UefiShell.iso %{buildroot}/usr/share/OVMF + +# For distro-provided firmware packages, the specification +# (https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/firmware.json) +# says the JSON "descriptor files" to be searched in this directory: +# `/usr/share/firmware/`. Create it. +mkdir -p %{buildroot}/%{_datadir}/qemu/firmware + +# Install the two variants of the x86_64 firmware descriptor files +# (50-edk2-x86_64-secure.json and 60-edk2-x86_64.json) +install -pm 644 %{SOURCE14} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE15} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_ovmf_ia32:1} cp -a ovmf-ia32 %{buildroot}/usr/share/%{name} + +# Install the two variants of the ia32 firmware descriptor files +# (50-edk2-i386-secure.json and 60-edk2-i386.json) +install -pm 644 %{SOURCE16} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE17} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_aavmf_aarch64:1} cp -a aarch64 %{buildroot}/usr/share/%{name} 
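Review bot: `mkdir -p %{buildroot}/%{_datadir}/qemu/firmware` sits just before the `%endif` that closes what appears to be the x86_64 OVMF block (its `%if` is outside the hunk), yet the ia32 block below it, and the aarch64 and arm blocks in the next hunk, install into the same directory. On a build where that first block is disabled the directory does not exist, and `install -pm 644 FILE DEST` then writes a regular file named `firmware` instead of populating a directory, after which the `%files` glob matches nothing. Move `mkdir -p %{buildroot}%{_datadir}/qemu/firmware` above the first conditional so it always runs. The comment also names `/usr/share/firmware/` while the code and `%files` use `/usr/share/qemu/firmware/`, so its last line should read `# says the JSON "descriptor files" are searched for in /usr/share/qemu/firmware/. Create it.`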
@@ -418,10 +450,15 @@ cp -a aarch64 %{buildroot}/usr/share/%{name} mkdir %{buildroot}/usr/share/AAVMF ln -sf ../%{name}/aarch64/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF_CODE.fd ln -sf ../%{name}/aarch64/vars-template-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF_VARS.fd + +# Install the AArch64 firmware descriptor file (60-edk2-aarch64.json) +install -pm 644 %{SOURCE18} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_aavmf_arm:1} cp -a arm %{buildroot}/usr/share/%{name} ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF32_CODE.fd +# Install the ARM firmware descriptor file (60-edk2-arm.json) +install -pm 644 %{SOURCE19} %{buildroot}/%{_datadir}/qemu/firmware %endif install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_bindir} @@ -482,6 +519,8 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ /usr/share/%{name}/ovmf/OVMF*.fd /usr/share/%{name}/ovmf/*.efi /usr/share/%{name}/ovmf/*.iso +/usr/share/%{name}/ovmf/*.iso +/usr/share/qemu/firmware/*.json /usr/share/OVMF %endif @@ -496,6 +535,7 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ /usr/share/%{name}/ovmf-ia32/OVMF*.fd /usr/share/%{name}/ovmf-ia32/*.efi /usr/share/%{name}/ovmf-ia32/*.iso +/usr/share/qemu/firmware/*.json %endif %if 0%{?build_aavmf_aarch64:1} @@ -506,6 +546,7 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %dir /usr/share/%{name}/aarch64 /usr/share/%{name}/aarch64/QEMU*.fd /usr/share/%{name}/aarch64/*.raw +/usr/share/qemu/firmware/*.json /usr/share/AAVMF/AAVMF_* %endif 
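Review bot: `/usr/share/qemu/firmware/*.json` in the -482 `%files` hunk (and again in the -496, -506 and -517 hunks) makes each subpackage own every descriptor present in the buildroot. When several firmware targets are built together, installing one subpackage therefore also installs descriptors advertising firmware it does not contain. List the files explicitly per subpackage, here `%{_datadir}/qemu/firmware/50-edk2-x86_64-secure.json` and `%{_datadir}/qemu/firmware/60-edk2-x86_64.json`, and own the directory with `%dir %{_datadir}/qemu/firmware`. The added `/usr/share/%{name}/ovmf/*.iso` line duplicates the context line directly above it and can be dropped. The `%files` sections start outside these hunks.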
@@ -517,11 +558,16 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %dir /usr/share/%{name}/arm /usr/share/%{name}/arm/QEMU*.fd /usr/share/%{name}/arm/*.raw +/usr/share/qemu/firmware/*.json /usr/share/AAVMF/AAVMF32_* %endif %changelog +* Wed Jul 10 2019 Kashyap Chamarthy - 20190308stable-2 +- Ship Fedora-variant JSON "firmware descriptor files" +- Resolves rhbz#1728652 + * Mon Mar 18 2019 Cole Robinson - 20190308stable-1 - Use YYYYMMDD versioning to fix upgrade path -- 2.20.1