ExclusiveArch: x86_64 aarch64

%define GITDATE        20180508

%define GITCOMMIT      ee3198e672e2

%define TOOLCHAIN      GCC5

%define OPENSSL_VER    1.1.0h

Name:       edk2

Version:    %{GITDATE}git%{GITCOMMIT}

Release:    9%{?dist}.1

Summary:    UEFI firmware for 64-bit virtual machines

Group:      Applications/Emulators

License:    BSD and OpenSSL and MIT

URL:        http://www.tianocore.org

# The source tarball is created using following commands:

# COMMIT=%{GITCOMMIT}

# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \

# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz

Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz

Source1: ovmf-whitepaper-c770f8c.txt

Source2: openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz

Source3: ovmf-vars-generator

Source4: LICENSE.qosb

Patch0003: 0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch

Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch

Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch

Patch0006: 0006-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch

Patch0007: 0007-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch

Patch0008: 0008-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch

Patch0009: 0009-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch

Patch0010: 0010-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch

Patch0011: 0011-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch

Patch0012: 0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch

Patch0013: 0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch

Patch0014: 0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch

Patch0015: 0015-ArmVirtPkg-set-early-hello-message-RH-only.patch

Patch0016: 0016-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch

Patch0017: 0017-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch

Patch0018: 0018-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch

Patch0019: 0019-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch

Patch0020: 0020-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch

Patch0021: 0021-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch

Patch0027: 0027-BaseTools-tools_def-add-fno-unwind-tables-to-GCC_AAR.patch

# For bz#1536627 - IPv6 enablement in OVMF

Patch35: edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch

# For bz#1536627 - IPv6 enablement in OVMF

Patch36: edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch

# For bz#1536627 - IPv6 enablement in OVMF

Patch37: edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch38: edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch39: edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch40: edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch41: edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch42: edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch

# For bz#1607906 - edk2-tools: Does not use RPM build flags

Patch43: edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch

# For bz#1641436 - CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8]

Patch44: edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch

# For bz#1641449 - CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8]

# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]

Patch45: edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch

# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]

Patch46: edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch

# For bz#1641445 - CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8]

# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]

# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]

Patch47: edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch

# For bz#1643377 - Exception when grubx64.efi used for UEFI netboot

Patch48: edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch

# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes

Patch49: edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch

# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes

Patch50: edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch

# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes

Patch51: edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch

# For bz#1690501 - CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-8.0.0.z]

Patch52: edk2-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch

# For bz#1690501 - CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-8.0.0.z]

Patch53: edk2-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch

# python2-devel and libuuid-devel are required for building tools

BuildRequires:  python2-devel

BuildRequires:  libuuid-devel

BuildRequires:  /usr/bin/iasl

BuildRequires:  binutils gcc git

%ifarch x86_64

# Only OVMF includes 80x86 assembly files (*.nasm*).

BuildRequires:  nasm

# Only OVMF includes the Secure Boot feature, for which we need to separate out

# the UEFI shell.

BuildRequires:  dosfstools

BuildRequires:  mtools

BuildRequires:  genisoimage

# For generating the variable store template with the default certificates

# enrolled, we need qemu-kvm.

BuildRequires:  qemu-kvm

# For verifying SB enablement in the above variable store template, we need a

# guest kernel that prints "Secure boot enabled".

BuildRequires: kernel-core

BuildRequires: rpmdevtools

# For orchestrating the above two steps (varstore generation and verification),

# we need to launch "ovmf-vars-generator" -- which we run on Python 3.

BuildRequires: python3-devel

%package ovmf

Summary:    UEFI firmware for x86_64 virtual machines

BuildArch:  noarch

Provides:   OVMF = %{version}-%{release}

Obsoletes:  OVMF < 20180508-100.gitee3198e672e2.el7

# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL

# library.

Provides:   bundled(openssl) = %{OPENSSL_VER}

License:    BSD and OpenSSL

# URL taken from the Maintainers.txt file.

URL:        http://www.tianocore.org/ovmf/

%description ovmf

OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for

Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU

and KVM.

%else

%package aarch64

Summary:    UEFI firmware for aarch64 virtual machines

BuildArch:  noarch

Provides:   AAVMF = %{version}-%{release}

Obsoletes:  AAVMF < 20180508-100.gitee3198e672e2.el7

# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack.

Provides:   bundled(openssl) = %{OPENSSL_VER}

License:    BSD and OpenSSL

# URL taken from the Maintainers.txt file.

URL:        https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg

%description aarch64

AAVMF (ARM Architecture Virtual Machine Firmware) is an EFI Development Kit II

platform that enables UEFI support for QEMU/KVM ARM Virtual Machines. This

package contains a 64-bit build.

%endif

%package tools

Summary:        EFI Development Kit II Tools

Group:          Development/Tools

License:        BSD

URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools

%description tools

This package provides tools that are needed to

build EFI executables and ROMs using the GNU tools.

%package tools-doc

Summary:        Documentation for EFI Development Kit II Tools

Group:          Development/Tools

BuildArch:      noarch

License:        BSD

URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools

%description tools-doc

This package documents the tools that are needed to

build EFI executables and ROMs using the GNU tools.

%description

EDK II is a modern, feature-rich, cross-platform firmware development

environment for the UEFI and PI specifications. This package contains sample

64-bit UEFI firmware builds for QEMU and KVM.

%prep

%setup -q -n edk2-%{GITCOMMIT}

# Ensure old shell and binary packages are not used

rm -rf EdkShellBinPkg

rm -rf EdkShellPkg

rm -rf FatBinPkg

rm -rf ShellBinPkg

%{lua:

    tmp = os.tmpname();

    f = io.open(tmp, "w+");

    count = 0;

    for i, p in ipairs(patches) do

        f:write(p.."\n");

        count = count + 1;

    end;

    f:close();

    print("PATCHCOUNT="..count.."\n")

    print("PATCHLIST="..tmp.."\n")

}

git init -q

git config user.name rpm-build

git config user.email rpm-build

git config core.whitespace cr-at-eol

git config am.keepcr true

git add -A .

git commit -q -a --author 'rpm-build <rpm-build>' \

           -m '%{name}-%{GITCOMMIT} base'

COUNT=$(grep '\.patch$' $PATCHLIST | wc -l)

if [ $COUNT -ne $PATCHCOUNT ]; then

    echo "Found $COUNT patches in $PATCHLIST, expected $PATCHCOUNT"

    exit 1

fi

if [ $COUNT -gt 0 ]; then

    for pf in `cat $PATCHLIST`; do

      git am $pf

    done

fi

echo "Applied $COUNT patches"

rm -f $PATCHLIST

cp -a -- %{SOURCE1} %{SOURCE3} .

tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x

# Done by %setup, but we do not use it for the auxiliary tarballs

chmod -Rf a+rX,u+w,g-w,o-w .

%build

# For the time being, we need Python 2 for the build. See RHBZ 1593429 and

# <https://url.corp.redhat.com/rhel8-py2>.

export RHEL_ALLOW_PYTHON2_FOR_BUILD=1

source ./edksetup.sh

make -C "$EDK_TOOLS_PATH" \

  EXTRA_OPTFLAGS="%{optflags}" \

  EXTRA_LDFLAGS="%{__global_ldflags}"

SMP_MFLAGS="%{?_smp_mflags}"

if [[ x"$SMP_MFLAGS" = x-j* ]]; then

        CC_FLAGS="$CC_FLAGS -n ${SMP_MFLAGS#-j}"

elif [ -n "%{?jobs}" ]; then

        CC_FLAGS="$CC_FLAGS -n %{?jobs}"

fi

CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"

CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"

%ifarch x86_64

# Build with neither SB nor SMM; include UEFI shell.

build ${CC_FLAGS} -D FD_SIZE_4MB -a X64 -p OvmfPkg/OvmfPkgX64.dsc

# Build with SB and SMM; exclude UEFI shell.

build -D SECURE_BOOT_ENABLE -D EXCLUDE_SHELL_FROM_FD ${CC_FLAGS} \

  -a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc -D SMM_REQUIRE \

  -D FD_SIZE_4MB

# Sanity check: the varstore templates must be identical.

cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \

  Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd

# Prepare an ISO image that boots the UEFI shell.

(

  UEFI_SHELL_BINARY=Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi

  ENROLLER_BINARY=Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi

  UEFI_SHELL_IMAGE=uefi_shell.img

  ISO_IMAGE=UefiShell.iso

  UEFI_SHELL_BINARY_BNAME=$(basename -- "$UEFI_SHELL_BINARY")

  UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY")

  ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY")

  # add 1MB then 10% for metadata

  UEFI_SHELL_IMAGE_KB=$((

    (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024

  ))

  # create non-partitioned FAT image

  rm -f -- "$UEFI_SHELL_IMAGE"

  mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB"

  # copy the shell binary into the FAT image

  export MTOOLS_SKIP_CHECK=1

  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi

  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi/boot

  mcopy -i "$UEFI_SHELL_IMAGE"  "$UEFI_SHELL_BINARY" ::efi/boot/bootx64.efi

  mcopy -i "$UEFI_SHELL_IMAGE"  "$ENROLLER_BINARY"   ::

  mdir  -i "$UEFI_SHELL_IMAGE"  -/                   ::

  # build ISO with FAT image file as El Torito EFI boot image

  genisoimage -input-charset ASCII -J -rational-rock \

    -efi-boot "$UEFI_SHELL_IMAGE" -no-emul-boot \

    -o "$ISO_IMAGE" -- "$UEFI_SHELL_IMAGE"

)

# Enroll the default certificates in a separate variable store template.

%{__python3} ovmf-vars-generator --verbose --verbose \

  --qemu-binary        /usr/libexec/qemu-kvm \

  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \

  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \

  --uefi-shell-iso     UefiShell.iso \

  --skip-testing \

  OVMF_VARS.secboot.fd

%else

# Build with a verbose debug mask first, and stash the binary.

build ${CC_FLAGS} -a AARCH64 \

  -p ArmVirtPkg/ArmVirtQemu.dsc \

  -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F

cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \

  QEMU_EFI.verbose.fd

# Rebuild with a silent (errors only) debug mask.

build ${CC_FLAGS} -a AARCH64 \

  -p ArmVirtPkg/ArmVirtQemu.dsc \

  -D DEBUG_PRINT_ERROR_LEVEL=0x80000000

%endif

%install

cp -a License.txt License.edk2.txt

%ifarch x86_64

mkdir -p \

  $RPM_BUILD_ROOT%{_datadir}/OVMF \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf

# We don't ship the SB-less, SMM-less binary.

%if 0

install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.fd

ln -s ../%{name}/ovmf/OVMF_CODE.fd         $RPM_BUILD_ROOT%{_datadir}/OVMF/

%endif

install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd

install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_VARS.fd

install -m 0644 OVMF_VARS.secboot.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd

install -m 0644 UefiShell.iso \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/UefiShell.iso

ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/

ln -s ../%{name}/ovmf/OVMF_VARS.fd         $RPM_BUILD_ROOT%{_datadir}/OVMF/

ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/

ln -s ../%{name}/ovmf/UefiShell.iso        $RPM_BUILD_ROOT%{_datadir}/OVMF/

install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/Shell.efi

install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi

%else

mkdir -p \

  $RPM_BUILD_ROOT%{_datadir}/AAVMF \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64

# Pad and install the verbose binary.

cat QEMU_EFI.verbose.fd \

  /dev/zero \

| head -c 64m \

  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw

# Pad and install the silent (default) binary.

cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \

  /dev/zero \

| head -c 64m \

  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw

# Create varstore template.

cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \

  /dev/zero \

| head -c 64m \

  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/vars-template-pflash.raw

ln -s ../%{name}/aarch64/QEMU_EFI-pflash.raw \

  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd

ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \

  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_CODE.fd

ln -s ../%{name}/aarch64/vars-template-pflash.raw \

  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_VARS.fd

chmod 0644 -- $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_*.fd

install -m 0644 QEMU_EFI.verbose.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI.fd

install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd

install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \

  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_VARS.fd

%endif

cp -a CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl

# install the tools

mkdir -p %{buildroot}%{_bindir} \

         %{buildroot}%{_datadir}/%{name}/Conf \

         %{buildroot}%{_datadir}/%{name}/Scripts

install BaseTools/Source/C/bin/* \

        %{buildroot}%{_bindir}

install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \

        %{buildroot}%{_bindir}

install BaseTools/BuildEnv \

        %{buildroot}%{_datadir}/%{name}

install BaseTools/Conf/*.template \

        %{buildroot}%{_datadir}/%{name}/Conf

install BaseTools/Scripts/GccBase.lds \

        %{buildroot}%{_datadir}/%{name}/Scripts

%ifarch x86_64

%files ovmf

%else

%files aarch64

%endif

%defattr(-,root,root,-)

%license License.edk2.txt

%license OvmfPkg/License.txt

%license LICENSE.openssl

%dir %{_datadir}/%{name}/

%ifarch x86_64

%doc OvmfPkg/README

%doc ovmf-whitepaper-c770f8c.txt

%dir %{_datadir}/OVMF/

%dir %{_datadir}/%{name}/ovmf/

%if 0

%{_datadir}/%{name}/ovmf/OVMF_CODE.fd

%{_datadir}/OVMF/OVMF_CODE.fd

%endif

%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd

%{_datadir}/%{name}/ovmf/OVMF_VARS.fd

%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd

%{_datadir}/%{name}/ovmf/UefiShell.iso

%{_datadir}/OVMF/OVMF_CODE.secboot.fd

%{_datadir}/OVMF/OVMF_VARS.fd

%{_datadir}/OVMF/OVMF_VARS.secboot.fd

%{_datadir}/OVMF/UefiShell.iso

%{_datadir}/%{name}/ovmf/Shell.efi

%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi

%else

%dir %{_datadir}/AAVMF/

%dir %{_datadir}/%{name}/aarch64/

%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw

%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw

%{_datadir}/%{name}/aarch64/vars-template-pflash.raw

%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd

%{_datadir}/AAVMF/AAVMF_CODE.fd

%{_datadir}/AAVMF/AAVMF_VARS.fd

%{_datadir}/%{name}/aarch64/QEMU_EFI.fd

%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd

%{_datadir}/%{name}/aarch64/QEMU_VARS.fd

%endif

%files tools

%license License.txt

%{_bindir}/BootSectImage

%{_bindir}/Brotli

%{_bindir}/DevicePath

%{_bindir}/EfiLdrImage

%{_bindir}/EfiRom

%{_bindir}/GenCrc32

%{_bindir}/GenFfs

%{_bindir}/GenFv

%{_bindir}/GenFw

%{_bindir}/GenPage

%{_bindir}/GenSec

%{_bindir}/GenVtf

%{_bindir}/GnuGenBootSector

%{_bindir}/LzmaCompress

%{_bindir}/LzmaF86Compress

%{_bindir}/Split

%{_bindir}/TianoCompress

%{_bindir}/VfrCompile

%{_bindir}/VolInfo

%dir %{_datadir}/%{name}

%{_datadir}/%{name}/BuildEnv

%{_datadir}/%{name}/Conf

%{_datadir}/%{name}/Scripts

%files tools-doc

%doc BaseTools/UserManuals/*.rtf

%check

%ifarch x86_64

# Of the installed host kernels, boot the one with the highest Version-Release

# under OVMF, and check if it prints "Secure boot enabled".

KERNEL_PKG=$(rpm -q kernel-core | rpmdev-sort | tail -n 1)

KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')

%{__python3} ovmf-vars-generator --verbose --verbose \

  --qemu-binary        /usr/libexec/qemu-kvm \

  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \

  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \

  --uefi-shell-iso     UefiShell.iso \

  --kernel-path        $KERNEL_IMG \

  --skip-enrollment \

  --no-download \

  OVMF_VARS.secboot.fd

%else

true

%endif

%changelog

* Tue Mar 26 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8_0

- edk2-MdeModulePkg-PartitionDxe-Ensure-blocksize-holds-MBR.patch [bz#1690501]

- edk2-MdeModulePkg-RamDiskDxe-Restrict-on-RAM-disk-size-CV.patch [bz#1690501]

- Resolves: bz#1690501

  (CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk [rhel-8.0.0.z])

* Mon Jan 21 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8

- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184]

- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184]

- edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1662184]

- edk2-git-Use-HTTPS-support.patch []

- Resolves: bz#1662184

  (backport fix for (theoretical?) regression introduced by earlier CVE fixes)

* Wed Nov 21 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-8.el8

- edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch [bz#1643377]

- Resolves: bz#1643377

  (Exception when grubx64.efi used for UEFI netboot)

* Fri Nov 16 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-7.el8

- Rebuilding edk2 outside the module branch

- Resolves: bz#1637650

  (Move ipxe and edk2 out of the virt module.)

* Tue Nov 06 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8

- edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1641436]

- edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1641449 bz#1641453 bz#1641464 bz#1641469]

- edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1641453 bz#1641464 bz#1641469]

- edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1641445 bz#1641453 bz#1641464 bz#1641469]

- Resolves: bz#1641436

  (CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8])

- Resolves: bz#1641445

  (CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8])

- Resolves: bz#1641449

  (CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8])

- Resolves: bz#1641453

  (CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8])

- Resolves: bz#1641464

  (CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8])

- Resolves: bz#1641469

  (CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8])

* Tue Sep 04 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8

- edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch [bz#1607906]

- edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch [bz#1607906]

- edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch [bz#1607906]

- edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch [bz#1607906]

- edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch [bz#1607906]

- edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch [bz#1607906]

- edk2-redhat-inject-the-RPM-compile-and-link-options-to-th.patch [bz#1607906]

- Resolves: bz#1607906

  (edk2-tools: Does not use RPM build flags)

* Wed Aug 08 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-4.el8

- edk2-redhat-provide-virtual-bundled-OpenSSL-in-edk2-ovmf-.patch [bz#1607801]

- Resolves: bz#1607801

  (add 'Provides: bundled(openssl) = 1.1.0h' to the spec file)

* Tue Jul 24 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-3.el8

- edk2-redhat-Provide-and-Obsolete-OVMF-and-AAVMF.patch [bz#1596148]

- edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch [bz#1536627]

- edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch [bz#1536627]

- edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch [bz#1536627]

- edk2-redhat-add-D-NETWORK_IP6_ENABLE-to-the-build-flags.patch [bz#1536627]

- edk2-redhat-update-license-fields-and-files-in-the-spec-f.patch [bz#1536627]

- Resolves: bz#1536627

  (IPv6 enablement in OVMF)

- Resolves: bz#1596148

  (restore Provides/Obsoletes macros for OVMF and AAVMF, from RHEL-8 Alpha)

* Tue Jul 10 2018 Danilo C. L. de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-2.el8

- Rebase edk2 on top of 20180508gitee3198e672e2

* Fri Jun 08 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-2.gitee3198e672e2

- OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally [bz#1577546]

- build OVMF varstore template with SB enabled / certs enrolled [bz#1561128]

- connect Virtio RNG devices again [bz#1579518]

- Resolves: bz#1577546

  (no input consoles connected under certain circumstances)

- Resolves: bz#1561128

  (OVMF Secure boot enablement (enrollment of default keys))

- Resolves: bz#1579518

  (EFI_RNG_PROTOCOL no longer produced for virtio-rng)

* Wed Dec 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-4.git92d07e48907f.el7

- ovmf-MdeModulePkg-Core-Dxe-log-informative-memprotect-msg.patch [bz#1520485]

- ovmf-MdeModulePkg-BdsDxe-fall-back-to-a-Boot-Manager-Menu.patch [bz#1515418]

- Resolves: bz#1515418

  (RFE: Provide diagnostics for failed boot)

- Resolves: bz#1520485

  (AAVMF: two new messages with silent build)

* Fri Dec 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-3.git92d07e48907f.el7

- ovmf-UefiCpuPkg-CpuDxe-Fix-multiple-entries-of-RT_CODE-in.patch [bz#1518308]

- ovmf-MdeModulePkg-DxeCore-Filter-out-all-paging-capabilit.patch [bz#1518308]

- ovmf-MdeModulePkg-Core-Merge-memory-map-after-filtering-p.patch [bz#1518308]

- Resolves: bz#1518308

  (UEFI memory map regression (runtime code entry splitting) introduced by c1cab54ce57c)

* Mon Nov 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-2.git92d07e48907f.el7

- ovmf-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch [bz#1513632]

- ovmf-MdeModulePkg-Bds-Check-variable-name-even-if-OptionN.patch [bz#1513632]

- ovmf-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-.patch [bz#1514105]

- ovmf-OvmfPkg-make-it-a-proper-BASE-library.patch [bz#1488247]

- ovmf-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch [bz#1488247]

- ovmf-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch [bz#1488247]

- ovmf-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch [bz#1488247]

- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch [bz#1488247]

- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch [bz#1488247]

- ovmf-Revert-redhat-introduce-separate-silent-and-verbose-.patch [bz#1488247]

- Resolves: bz#1488247

  (make debug logging no-op unless a debug console is active)

- Resolves: bz#1513632

  ([RHEL-ALT 7.5] AAVMF fails to boot after setting BootNext)

- Resolves: bz#1514105

  (backport edk2 commit 6e3287442774 so that PciBusDxe not over-claim resources)

* Wed Oct 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-1.git92d07e48907f.el7

- Rebase to 92d07e48907f [bz#1469787]

- Resolves: bz#1469787

  ((ovmf-rebase-rhel-7.5) Rebase OVMF for RHEL-7.5)

- Resolves: bz#1434740

  (OvmfPkg/PciHotPlugInitDxe: don't reserve IO space when IO support is disabled)

- Resolves: bz#1434747

  ([Q35] code12 error when hotplug x710 device in win2016)

- Resolves: bz#1447027

  (Guest cannot boot with 240 or above vcpus when using ovmf)

- Resolves: bz#1458192

  ([Q35] recognize "usb-storage" devices in XHCI ports)

- Resolves: bz#1468526

  (>1TB RAM support)

- Resolves: bz#1488247

  (provide "OVMF_CODE.secboot.verbose.fd" for log capturing; silence "OVMF_CODE.secboot.fd")

- Resolves: bz#1496170

  (Inconsistent MOR control variables exposed by OVMF, breaks Windows Device Guard)

* Fri May 12 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-5.gitc325e41585e3.el7

- ovmf-OvmfPkg-EnrollDefaultKeys-update-SignatureOwner-GUID.patch [bz#1443351]

- ovmf-OvmfPkg-EnrollDefaultKeys-expose-CertType-parameter-.patch [bz#1443351]

- ovmf-OvmfPkg-EnrollDefaultKeys-blacklist-empty-file-in-db.patch [bz#1443351]

- ovmf-OvmfPkg-introduce-the-FD_SIZE_IN_KB-macro-build-flag.patch [bz#1443351]

- ovmf-OvmfPkg-OvmfPkg.fdf.inc-extract-VARS_LIVE_SIZE-and-V.patch [bz#1443351]

- ovmf-OvmfPkg-introduce-4MB-flash-image-mainly-for-Windows.patch [bz#1443351]

- ovmf-OvmfPkg-raise-max-variable-size-auth-non-auth-to-33K.patch [bz#1443351]

- ovmf-OvmfPkg-PlatformPei-handle-non-power-of-two-spare-si.patch [bz#1443351]

- ovmf-redhat-update-local-build-instructions-with-D-FD_SIZ.patch [bz#1443351]

- ovmf-redhat-update-OVMF-build-commands-with-D-FD_SIZE_4MB.patch [bz#1443351]

- Resolves: bz#1443351

  ([svvp][ovmf] job "Secure Boot Logo Test" failed  with q35&ovmf)

* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-4.gitc325e41585e3.el7

- ovmf-ShellPkg-Shell-clean-up-bogus-member-types-in-SPLIT_.patch [bz#1442908]

- ovmf-ShellPkg-Shell-eliminate-double-free-in-RunSplitComm.patch [bz#1442908]

- Resolves: bz#1442908

  (Guest hang when running a wrong command in Uefishell)

* Tue Apr 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-3.gitc325e41585e3.el7

- ovmf-ArmVirtPkg-FdtClientDxe-supplement-missing-EFIAPI-ca.patch [bz#1430262]

- ovmf-ArmVirtPkg-ArmVirtPL031FdtClientLib-unconditionally-.patch [bz#1430262]

- ovmf-MdeModulePkg-RamDiskDxe-fix-C-string-literal-catenat.patch [bz#1430262]

- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-ACPI-GUID.patch [bz#1430262]

- ovmf-EmbeddedPkg-introduce-PlatformHasAcpiLib.patch [bz#1430262]

- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-Device-Tree.patch [bz#1430262]

- ovmf-ArmVirtPkg-add-PlatformHasAcpiDtDxe.patch [bz#1430262]

- ovmf-ArmVirtPkg-enable-AcpiTableDxe-and-EFI_ACPI_TABLE_PR.patch [bz#1430262]

- ovmf-ArmVirtPkg-FdtClientDxe-install-DT-as-sysconfig-tabl.patch [bz#1430262]

- ovmf-ArmVirtPkg-PlatformHasAcpiDtDxe-don-t-expose-DT-if-Q.patch [bz#1430262]

- ovmf-ArmVirtPkg-remove-PURE_ACPI_BOOT_ENABLE-and-PcdPureA.patch [bz#1430262]

- Resolves: bz#1430262

  (AAVMF: forward QEMU's DT to the guest OS only if ACPI payload is unavailable)

* Mon Mar 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-2.gitc325e41585e3.el7

- ovmf-MdeModulePkg-Core-Dxe-downgrade-CodeSegmentCount-is-.patch [bz#1433428]

- Resolves: bz#1433428

  (AAVMF: Fix error message during ARM guest VM installation)

* Wed Mar 08 2017 Laszlo Ersek <lersek@redhat.com> - ovmf-20170228-1.gitc325e41585e3.el7

- Rebase to upstream c325e41585e3 [bz#1416919]

- Resolves: bz#1373812

  (guest boot from network even set 'boot order=1' for virtio disk with OVMF)

- Resolves: bz#1380282

  (Update OVMF to openssl-1.0.2k-hobbled)

- Resolves: bz#1412313

  (select broadcast SMI if available)

- Resolves: bz#1416919

  (Rebase OVMF for RHEL-7.4)

- Resolves: bz#1426330

  (disable libssl in CryptoPkg)

* Mon Sep 12 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608b-1.git988715a.el7

- rework downstream-only commit dde83a75b566 "setup the tree for the secure

  boot feature (RHEL only)", excluding patent-encumbered files from the

  upstream OpenSSL 1.0.2g tarball [bz#1374710]

- rework downstream-only commit dfc3ca1ee509 "CryptoPkg/OpensslLib: Upgrade

  OpenSSL version to 1.0.2h", excluding patent-encumbered files from the

  upstream OpenSSL 1.0.2h tarball [bz#1374710]

* Thu Aug 04 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-3.git988715a.el7

- ovmf-MdePkg-PCI-Add-missing-PCI-PCIE-definitions.patch [bz#1332408]

- ovmf-ArmPlatformPkg-NorFlashDxe-accept-both-non-secure-an.patch [bz#1353494]

- ovmf-ArmVirtPkg-ArmVirtQemu-switch-secure-boot-build-to-N.patch [bz#1353494]

- ovmf-ArmPlatformPkg-NorFlashAuthenticatedDxe-remove-this-.patch [bz#1353494]

- ovmf-ArmVirtPkg-add-FDF-definition-for-empty-varstore.patch [bz#1353494]

- ovmf-redhat-package-the-varstore-template-produced-by-the.patch [bz#1353494]