Hygon: support build OvmfX64 without option -D SECURE_BOOT_ENABLE=TRUE
When building OVMF{_CODE}.fd using OvmfPkgX64.dsc and define
SECURE_BOOT_ENABLE=TRUE, the OVMF{_CODE}.fd will failure to boot the
AMD SEV/SEV-ES/SEV-SNP and Hygon CSV/CSV2/CSV3 VMs. The root cause
is that the upstream commit 4f173db8b45b ("OvmfPkg/PlatformInitLib:
Add functions for EmuVariableNvStore") rename the function from
TdxValidateCfv to PlatformValidateNvVarStore, and place the function
PlatformValidateNvVarStore to the common lib PlatformInitLib.
I have submitted a bugzilla to the community:
https://bugzilla.tianocore.org/show_bug.cgi?id=4807
and sent partial fix patches to the mailing lists:
https://edk2.groups.io/g/devel/message/119921?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2COvmfPkg%2FPlatformInitLib%3A+Detect+FlashNvVarStore+before+validate+it%2C20%2C2%2C0%2C107212891
I don't have a machine that supports SEV-SNP, so I ultimately can't
fully fix the issue, and the patches I sent couldn't be accepted.
In order to support boot AMD SEV... and Hygon CSV... VMs using the OVMF
from the RPM package, I modified the edk2.spec to build OVMF.fd,
OVMF_CODE.fd and OVMF_VARS.fd without the build option
' -D SECURE_BOOT_ENABLE=TRUE'.
Signed-off-by: hanliyang <hanliyang@hygon.cn>
This commit is contained in:
hanliyang
parent
ba24d73577
commit
1ffbd1357e
26
edk2.spec
26
edk2.spec
@ -7,7 +7,7 @@
|
||||
|
||||
Name: edk2
|
||||
Version: %{stable_date}
|
||||
Release: 17
|
||||
Release: 18
|
||||
Summary: EFI Development Kit II
|
||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||
URL: https://github.com/tianocore/edk2
|
||||
@ -244,6 +244,24 @@ BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE"
|
||||
|
||||
build $BUILD_OPTION
|
||||
|
||||
%ifarch x86_64
|
||||
for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do
|
||||
mv ${ovmf_bin} ${ovmf_bin}.secure_boot
|
||||
done
|
||||
|
||||
BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -D SECURE_BOOT_ENABLE=TRUE//g')
|
||||
|
||||
build $BUILD_OPTION
|
||||
|
||||
for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do
|
||||
mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.fd/\.nosb\.fd/')
|
||||
done
|
||||
|
||||
for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd.secure_boot); do
|
||||
mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//')
|
||||
done
|
||||
%endif
|
||||
|
||||
%install
|
||||
cp CryptoPkg/Library/OpensslLib/openssl/LICENSE.txt LICENSE.openssl
|
||||
mkdir -p %{buildroot}%{_bindir} \
|
||||
@ -290,6 +308,8 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
|
||||
%endif
|
||||
|
||||
%ifarch x86_64
|
||||
mkdir -p %{buildroot}/usr/share/%{name}/ovmf.nosb
|
||||
mv Build/OvmfX64/*/FV/OVMF*.nosb.fd %{buildroot}/usr/share/%{name}/ovmf.nosb
|
||||
mkdir -p %{buildroot}/usr/share/%{name}/ovmf
|
||||
cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf
|
||||
install -m 0644 edk2-ovmf-x64-nosb.json %{buildroot}%{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json
|
||||
@ -373,6 +393,7 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
|
||||
%license LICENSE.openssl
|
||||
%dir %{_datadir}/%{name}
|
||||
%{_datadir}/%{name}/ovmf
|
||||
%{_datadir}/%{name}/ovmf.nosb
|
||||
%{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json
|
||||
%endif
|
||||
|
||||
@ -401,6 +422,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 28 2025 hanliyang<hanliyang@hygon.cn> - 202308-18
|
||||
- Build OVMF without '-D SECURE_BOOT_ENABLE=TRUE' for X64
|
||||
|
||||
* Sun Feb 23 2025 huyu<huyu70@h-partners.com> - 202308-17
|
||||
- fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user