From 1ffbd1357e9f25d3a39ef52278006831a6d2570e Mon Sep 17 00:00:00 2001
From: hanliyang
Date: Thu, 19 Dec 2024 10:01:27 +0800
Subject: [PATCH] Hygon: support build OvmfX64 without option -D SECURE_BOOT_ENABLE=TRUE

When building OVMF{_CODE}.fd using OvmfPkgX64.dsc and define SECURE_BOOT_ENABLE=TRUE, the OVMF{_CODE}.fd will failure to boot the AMD SEV/SEV-ES/SEV-SNP and Hygon CSV/CSV2/CSV3 VMs. The root cause is that the upstream commit 4f173db8b45b ("OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore") rename the function from TdxValidateCfv to PlatformValidateNvVarStore, and place the function PlatformValidateNvVarStore to the common lib PlatformInitLib.

I have submitted a bugzilla to the community: https://bugzilla.tianocore.org/show_bug.cgi?id=4807 and sent partial fix patches to the mailing lists: https://edk2.groups.io/g/devel/message/119921?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2COvmfPkg%2FPlatformInitLib%3A+Detect+FlashNvVarStore+before+validate+it%2C20%2C2%2C0%2C107212891

I don't have a machine that supports SEV-SNP, so I ultimately can't fully fix the issue, and the patches I sent couldn't be accepted.

In order to support boot AMD SEV... and Hygon CSV... VMs using the OVMF from the RPM package, I modified the edk2.spec to build OVMF.fd, OVMF_CODE.fd and OVMF_VARS.fd without the build option ' -D SECURE_BOOT_ENABLE=TRUE'.

Signed-off-by: hanliyang
---
 edk2.spec | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/edk2.spec b/edk2.spec
index ba85a91..b6d0010 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 17
+Release: 18
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
@@ -244,6 +244,24 @@ BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE"
 build $BUILD_OPTION
+%ifarch x86_64
+ for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do
+ mv ${ovmf_bin} ${ovmf_bin}.secure_boot
+ done
+
+ BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -D SECURE_BOOT_ENABLE=TRUE//g')
+
+ build $BUILD_OPTION
+
+ for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do
+ mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.fd/\.nosb\.fd/')
+ done
+
+ for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd.secure_boot); do
+ mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//')
+ done
+%endif
+
 %install
 cp CryptoPkg/Library/OpensslLib/openssl/LICENSE.txt LICENSE.openssl
 mkdir -p %{buildroot}%{_bindir} \
@@ -290,6 +308,8 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %ifarch x86_64
+ mkdir -p %{buildroot}/usr/share/%{name}/ovmf.nosb
+ mv Build/OvmfX64/*/FV/OVMF*.nosb.fd %{buildroot}/usr/share/%{name}/ovmf.nosb
 mkdir -p %{buildroot}/usr/share/%{name}/ovmf
 cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf
 install -m 0644 edk2-ovmf-x64-nosb.json %{buildroot}%{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json
@@ -373,6 +393,7 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %license LICENSE.openssl
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/ovmf
+%{_datadir}/%{name}/ovmf.nosb
 %{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json
 %endif
@@ -401,6 +422,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Fri Feb 28 2025 hanliyang - 202308-18
+- Build OVMF without '-D SECURE_BOOT_ENABLE=TRUE' for X64
+
 * Sun Feb 23 2025 huyu - 202308-17
 - fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363
-- 
Gitee
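Review bot: The second `+ build $BUILD_OPTION` runs in the same `Build/OvmfX64` tree that the Secure-Boot-enabled build has just populated, with nothing cleaned in between, so the `.nosb` images that SEV/CSV guests will be handed come out of an incremental rebuild whose independence from the SB build rests on EDK2 re-deriving every `-D`-dependent artifact; I would stash the SB images outside `Build/`, run `build $BUILD_OPTION cleanall`, and only then build the non-SB variant, which removes the question entirely. The three loops also iterate over `$(ls …)` output and rename through unanchored `sed 's/\.fd/\.nosb\.fd/'` and `sed 's/\.secure_boot//'`, which rewrite the first match anywhere in the path rather than the extension; a plain glob with `"${ovmf_bin%.fd}.nosb.fd"` is shorter and exact. A one-line comment stating why two builds are needed (the upstream PlatformValidateNvVarStore regression described in the commit message) would save the next maintainer a trip to the changelog. The enclosing `%build` section starts before this hunk.
```shell
%ifarch x86_64
  # Second build without SECURE_BOOT_ENABLE for SEV/CSV guests (see changelog):
  # park the SB images outside Build/ and rebuild from clean so no object from
  # the SB build is reused in the .nosb images.
  mkdir -p ovmf-sb
  mv Build/OvmfX64/*/FV/OVMF*.fd ovmf-sb/
  BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -D SECURE_BOOT_ENABLE=TRUE//g')
  build $BUILD_OPTION cleanall
  build $BUILD_OPTION
  for ovmf_bin in Build/OvmfX64/*/FV/OVMF*.fd; do
    mv "$ovmf_bin" "${ovmf_bin%.fd}.nosb.fd"
  done
  mv ovmf-sb/OVMF*.fd Build/OvmfX64/*/FV/
%endif
```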
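Review bot: Nothing registers the new `ovmf.nosb` images with the firmware-descriptor mechanism: the only descriptor this section installs is the existing `10-edk2-ovmf-x64-nosb.json` (context line), which by its name and the unchanged `cp … ovmf` line appears to still describe the Secure-Boot-capable images under `ovmf/`, so libvirt's firmware auto-selection — the usual way SEV/CSV guests pick their OVMF — cannot find the new build and users have to point `pflash` at the files by hand. I would add a second descriptor under `%{_datadir}/qemu/firmware/` that names `ovmf.nosb/OVMF_CODE.nosb.fd` and `ovmf.nosb/OVMF_VARS.nosb.fd`, omits `secure-boot` and `enrolled-keys` from its `features`, advertises `amd-sev`/`amd-sev-es` only for what was actually verified to boot, and is listed in `%files`. The directory name `ovmf.nosb` is also easy to confuse with that existing "nosb" descriptor, which seems to mean "SB-capable, no enrolled keys"; a name that says what the build lacks (for example `ovmf-nosecboot`) would avoid the collision. The enclosing `%install` section starts before this hunk.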