From 674b3c8a27a85b2d8646a3e9f94f371c5572dd3b Mon Sep 17 00:00:00 2001 
From: Kashyap Chamarthy Date: Jul 12 2019 17:40:09 +0000 Subject: Ship the JSON firmware "descriptor files" From version 4.1 (due in August 2019) onwards, QEMU ships the so-called firmware "descriptor files". These are small JSON files that describe details about UEFI firmware binaries — such as the firmware binary path, its architecture, supported machine type, NVRAM template and so forth. You can see examples of these files from the QEMU upstream Git: https://git.qemu.org/?p=qemu.git;a=tree;f=pc-bios/descriptors $> tree descriptors/ descriptors/ ├── 50-edk2-i386-secure.json ├── 50-edk2-x86_64-secure.json ├── 60-edk2-aarch64.json ├── 60-edk2-arm.json ├── 60-edk2-i386.json └── 60-edk2-x86_64.json QEMU 4.1 itself will ship the above files. However, Fedora needs to ship these files as part of its EDK2 package. Why? ---- (1) Quoting (with minor formatting edits) Laszlo Ersek: Distributions providing their own EDK2 packages would not include the descriptors from upstream QEMU, even if they otherwise package QEMU. That's because the descriptor files in QEMU match the firmware bundled with QEMU -- but the firmware images in the distros' own EDK2 packages are different. So, if a distro provides an EDK2 package, then the same EDK2 package should offer matching descriptors. QEMU offers descriptors (soon) because QEMU technically distributes edk2 firmware binaries (soon). [Where "soon" == QEMU 4.1] (2) And as Dan Berrangé reminded on IRC: In Fedora, we need to ship them [the "descriptor files"] as part of the EDK2 package, because Fedora throws away all the firmware files that QEMU bundles, because we're [Fedora] required to rebuild everything from pristine source. - - - In this patch: (*) Use the firmware descriptor files provided by Laszlo (thanks!) in this comment here: https://bugzilla.redhat.com/show_bug.cgi?id=1728652#c2 ("RFE: Ship the JSON firmware "descriptor files" as part of EDK2"). 
On the double-digit priority prefixes, refer to the rationale here: https://src.fedoraproject.org/rpms/edk2/pull-request/3#comment-27523 (*) Install the JSON files for the relevant architectures in `/usr/share/qemu/firmware`, as required by specification[+]. And make each EDK2 own this directory; multiple RPMs owning the same directory is no problem. [+] https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/firmware.json Resolves: rhbz#1728652 Signed-off-by: Kashyap Chamarthy
---
diff --git a/40-edk2-ovmf-ia32-sb-enrolled.json b/40-edk2-ovmf-ia32-sb-enrolled.json
new file mode 100644
index 0000000..8a907de
--- /dev/null
+++ b/40-edk2-ovmf-ia32-sb-enrolled.json
@@ -0,0 +1,35 @@
+{
+ "description": "OVMF for i386, with SB+SMM, SB enabled, MS certs enrolled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf-ia32/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "i386",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "enrolled-keys",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/40-edk2-ovmf-sb-enrolled.json b/40-edk2-ovmf-sb-enrolled.json
new file mode 100644
index 0000000..6c2225c
--- /dev/null
+++ b/40-edk2-ovmf-sb-enrolled.json
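Review bot: The `nvram-template` in this ia32 descriptor points at `/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd`, a path under the x86_64 `ovmf` directory, while the `executable` comes from `/usr/share/edk2/ovmf-ia32/`; the same mix appears in 50-edk2-ovmf-ia32-sb.json and 60-edk2-ovmf-ia32.json with `/usr/share/edk2/ovmf/OVMF_VARS.fd`. Unless the ia32 subpackage depends on the x86_64 one (not visible in this patch), a host with only the ia32 firmware installed gets descriptors advertising `secure-boot` and `enrolled-keys` whose variable-store template is missing. The ia32 `%files` list in edk2.spec packages `ovmf-ia32/OVMF*.fd` and the changelog mentions a VARS file for ovmf-ia32, so for the two empty-varstore descriptors `"filename": "/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"` looks like the intended value; for this enrolled variant either ship an ia32 enrolled template or declare the package dependency explicitly.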
@@ -0,0 +1,36 @@
+{
+ "description": "OVMF for x86_64, with SB+SMM, SB enabled, MS certs enrolled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "enrolled-keys",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/50-edk2-ovmf-ia32-sb.json b/50-edk2-ovmf-ia32-sb.json
new file mode 100644
index 0000000..cb7501d
--- /dev/null
+++ b/50-edk2-ovmf-ia32-sb.json
@@ -0,0 +1,34 @@
+{
+ "description": "OVMF for i386, with SB+SMM, empty varstore",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf-ia32/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "i386",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/50-edk2-ovmf-sb.json b/50-edk2-ovmf-sb.json
new file mode 100644
index 0000000..99345ca
--- /dev/null
+++ b/50-edk2-ovmf-sb.json
@@ -0,0 +1,35 @@
+{
+ "description": "OVMF for x86_64, with SB+SMM, empty varstore",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "requires-smm",
+ "secure-boot",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-ovmf-ia32.json b/60-edk2-ovmf-ia32.json
new file mode 100644
index 0000000..d2cb1e8
--- /dev/null
+++ b/60-edk2-ovmf-ia32.json
@@ -0,0 +1,33 @@
+{
+ "description": "OVMF for i386, without SB, without SMM, with empty varstore",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "i386",
+ "machines": [
+ "pc-i440fx-*",
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/60-edk2-ovmf.json b/60-edk2-ovmf.json
new file mode 100644
index 0000000..355691b
--- /dev/null
+++ b/60-edk2-ovmf.json
@@ -0,0 +1,34 @@
+{
+ "description": "OVMF for x86_64, without SB, without SMM, with empty varstore",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-i440fx-*",
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "amd-sev",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/70-edk2-aarch64-verbose.json b/70-edk2-aarch64-verbose.json
new file mode 100644
index 0000000..a553dc1
--- /dev/null
+++ b/70-edk2-aarch64-verbose.json
@@ -0,0 +1,31 @@
+{
+ "description": "UEFI firmware for aarch64, verbose logs",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "verbose-static"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/70-edk2-arm-verbose.json b/70-edk2-arm-verbose.json
new file mode 100644
index 0000000..9e2cb0d
--- /dev/null
+++ b/70-edk2-arm-verbose.json
@@ -0,0 +1,31 @@
+{
+ "description": "UEFI firmware for arm, verbose logs",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "/usr/share/edk2/arm/QEMU_EFI-pflash.raw",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "/usr/share/edk2/arm/vars-template-pflash.raw",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "arm",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "verbose-static"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/edk2.spec b/edk2.spec
index 3b7ab93..53a57c7 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -76,6 +76,16 @@ Source11: build-iso.sh Source12: update-tarball.sh Source13: openssl-patch-to-tarball.sh +# Fedora-specific JSON "descriptor files" +Source14: 40-edk2-ovmf-sb-enrolled.json +Source15: 50-edk2-ovmf-sb.json +Source16: 60-edk2-ovmf.json +Source17: 40-edk2-ovmf-ia32-sb-enrolled.json +Source18: 50-edk2-ovmf-ia32-sb.json +Source19: 60-edk2-ovmf-ia32.json +Source20: 70-edk2-aarch64-verbose.json +Source21: 70-edk2-arm-verbose.json + # non-upstream patches Patch0001: 0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch Patch0002: 0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch 
@@ -424,9 +434,27 @@ ln -sf ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}/usr/share/OVMF ln -sf ../%{name}/ovmf/UefiShell.iso %{buildroot}/usr/share/OVMF + +# For distro-provided firmware packages, the specification +# (https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/firmware.json) +# says the JSON "descriptor files" to be searched in this directory: +# `/usr/share/firmware/`. Create it. +mkdir -p %{buildroot}/%{_datadir}/qemu/firmware + +# Install the two variants of the x86_64 firmware descriptor files +# (50-edk2-x86_64-secure.json and 60-edk2-x86_64.json) +install -pm 644 %{SOURCE14} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE15} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE16} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_ovmf_ia32:1} cp -a ovmf-ia32 %{buildroot}/usr/share/%{name} + +# Install the two variants of the ia32 firmware descriptor files +# (50-edk2-i386-secure.json and 60-edk2-i386.json) +install -pm 644 %{SOURCE17} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE18} %{buildroot}/%{_datadir}/qemu/firmware +install -pm 644 %{SOURCE19} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_aavmf_aarch64:1} cp -a aarch64 %{buildroot}/usr/share/%{name} 
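Review bot: The `mkdir -p %{buildroot}/%{_datadir}/qemu/firmware` sits before the first `%endif`, so it only runs inside what appears to be the x86_64 OVMF conditional (its `%if` is outside the hunk), yet the ia32 block here and the aarch64 and arm blocks in the next hunk install into that directory too. With x86_64 disabled, `install -pm 644 %{SOURCE17} %{buildroot}/%{_datadir}/qemu/firmware` would either fail or write a regular file named `firmware`; creating the directory unconditionally, or repeating `mkdir -p %{buildroot}%{_datadir}/qemu/firmware` at the top of each block, avoids that. The comment above the mkdir also names `/usr/share/firmware/` where the command and the commit message use `/usr/share/qemu/firmware`, and the "two variants" comments cite upstream QEMU file names rather than the three Fedora files actually installed; I would reword them along the lines of `# Install the x86_64 firmware descriptor files (Source14-Source16)` and likewise for ia32, aarch64 and arm.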
@@ -434,10 +462,15 @@ cp -a aarch64 %{buildroot}/usr/share/%{name} mkdir %{buildroot}/usr/share/AAVMF ln -sf ../%{name}/aarch64/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF_CODE.fd ln -sf ../%{name}/aarch64/vars-template-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF_VARS.fd + +# Install the AArch64 firmware descriptor file (60-edk2-aarch64.json) +install -pm 644 %{SOURCE20} %{buildroot}/%{_datadir}/qemu/firmware %endif %if 0%{?build_aavmf_arm:1} cp -a arm %{buildroot}/usr/share/%{name} ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF32_CODE.fd +# Install the ARM firmware descriptor file (60-edk2-arm.json) +install -pm 644 %{SOURCE21} %{buildroot}/%{_datadir}/qemu/firmware %endif install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_bindir} @@ -495,9 +528,11 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %doc ovmf-whitepaper-c770f8c.txt %dir /usr/share/%{name} %dir /usr/share/%{name}/ovmf +%dir /usr/share/qemu/firmware /usr/share/%{name}/ovmf/OVMF*.fd /usr/share/%{name}/ovmf/*.efi /usr/share/%{name}/ovmf/*.iso +/usr/share/qemu/firmware/*.json /usr/share/OVMF %endif @@ -509,9 +544,11 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %doc ovmf-whitepaper-c770f8c.txt %dir /usr/share/%{name} %dir /usr/share/%{name}/ovmf-ia32 +%dir /usr/share/qemu/firmware /usr/share/%{name}/ovmf-ia32/OVMF*.fd /usr/share/%{name}/ovmf-ia32/*.efi /usr/share/%{name}/ovmf-ia32/*.iso +/usr/share/qemu/firmware/*.json %endif %if 0%{?build_aavmf_aarch64:1} @@ -520,8 +557,10 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %license LICENSE.openssl %dir /usr/share/%{name} %dir /usr/share/%{name}/aarch64 +%dir /usr/share/qemu/firmware /usr/share/%{name}/aarch64/QEMU*.fd /usr/share/%{name}/aarch64/*.raw +/usr/share/qemu/firmware/*.json /usr/share/AAVMF/AAVMF_* %endif 
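Review bot: Each `%files` list touched by the hunks at -495, -509, -520 and -531 gains the glob `/usr/share/qemu/firmware/*.json`, but `%install` places all eight descriptors in that one buildroot directory, so whenever more than one firmware flavour is built every subpackage would carry every descriptor. A host with only the arm package, for example, would then expose descriptors advertising `secure-boot` and `enrolled-keys` for OVMF images that are not installed, and management tools that trust these files would be pointed at missing paths. Listing the files per package keeps each descriptor together with the firmware it describes, e.g. `/usr/share/qemu/firmware/40-edk2-ovmf-sb-enrolled.json`, `/usr/share/qemu/firmware/50-edk2-ovmf-sb.json` and `/usr/share/qemu/firmware/60-edk2-ovmf.json` for the x86_64 list. Which subpackage each list belongs to is inferred from the paths in the context lines, since the `%files` headers are outside the hunks.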
@@ -531,8 +570,10 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %license LICENSE.openssl %dir /usr/share/%{name} %dir /usr/share/%{name}/arm +%dir /usr/share/qemu/firmware /usr/share/%{name}/arm/QEMU*.fd /usr/share/%{name}/arm/*.raw +/usr/share/qemu/firmware/*.json /usr/share/AAVMF/AAVMF32_* %endif @@ -542,6 +583,8 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ - Update to stable-201905 - Update to openssl-1.1.1b - Ship VARS file for ovmf-ia32 (bug 1688596) +- Ship Fedora-variant JSON "firmware descriptor files" +- Resolves rhbz#1728652 * Mon Mar 18 2019 Cole Robinson - 20190308stable-1 - Use YYYYMMDD versioning to fix upgrade path