#!/usr/bin/make -f
# Debian packaging rules that build and install the edk2 firmware images
# defined below (OVMF, qemu-efi for aarch64/riscv64/loongarch64, EFI shells).

# Recipes run under bash rather than /bin/sh.
SHELL=/bin/bash

# dpkg helper fragments; this file relies on them for DEB_BUILD_ARCH,
# DEB_VERSION, SOURCE_DATE_EPOCH, DEB_BUILD_OPTION_PARALLEL and
# dpkg_vendor_derives_from_v1.
include /usr/share/dpkg/default.mk
include /usr/share/dpkg/buildopts.mk

# Set to DEBUG for debug builds
BUILD_TYPE ?= RELEASE
# Toolchain tag passed to the edk2 `build` tool with -t (see do_build).
EDK2_TOOLCHAIN = GCC5
# Cross-compiler prefixes, exported under the name <toolchain>_<ARCH>_PREFIX
# (GCC5_AARCH64_PREFIX etc. with the value above).
export $(EDK2_TOOLCHAIN)_AARCH64_PREFIX=aarch64-linux-gnu-
export $(EDK2_TOOLCHAIN)_RISCV64_PREFIX=riscv64-linux-gnu-
export $(EDK2_TOOLCHAIN)_LOONGARCH64_PREFIX=loongarch64-linux-gnu-
export PYTHON3_ENABLE=TRUE

# Map the Debian build architecture to the edk2 name handed to the BaseTools
# build as ARCH=. Only amd64 and arm64 are mapped; on any other build
# architecture EDK2_BUILD_ARCH stays unset and ARCH= is passed empty.
ifeq ($(DEB_BUILD_ARCH),amd64)
EDK2_BUILD_ARCH=X64
endif
ifeq ($(DEB_BUILD_ARCH),arm64)
EDK2_BUILD_ARCH=AARCH64
endif

# LP: #2078252
# Keep ELF_PACKAGE_METADATA out of the environment of every recipe.
unexport ELF_PACKAGE_METADATA
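# Identification strings embedded into every firmware image as PCDs.
#
# The release date is derived from SOURCE_DATE_EPOCH and formatted in UTC
# (-u), so the embedded string does not depend on the build host's time zone.
# Without -u, two builders in different zones can produce different firmware
# bytes from the same source, which defeats reproducible-build verification.
PCD_RELEASE_DATE = $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%m/%d/%Y")
# The vendor string uses the distributor ID reported by lsb_release on the
# build host. These variables are recursive, so the shell commands run on
# each expansion (i.e. when a build recipe is expanded), not at parse time.
PCD_FLAGS = --pcd PcdFirmwareVendor=L"$(shell lsb_release -is) distribution of EDK II\\0"
PCD_FLAGS += --pcd PcdFirmwareVersionString=L"$(DEB_VERSION)\\0"
PCD_FLAGS += --pcd PcdFirmwareReleaseDateString=L"$(PCD_RELEASE_DATE)\\0"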
# Switches shared by every firmware flavour: CC measurement, HTTP boot, IPv6
# and TLS in the network stack, followed by the identification PCDs.
COMMON_FLAGS = \
  -DCC_MEASUREMENT_ENABLE=TRUE \
  -DNETWORK_HTTP_BOOT_ENABLE=TRUE \
  -DNETWORK_IP6_ENABLE=TRUE \
  -DNETWORK_TLS_ENABLE \
  $(PCD_FLAGS)

# Added to every flavour except the *-strictnx ones.
# NOTE(review): judging by the PCD name this removes the UEFI memory
# attribute protocol from the firmware, i.e. the non-strictnx images trade
# NX enforcement for boot-loader compatibility - confirm against the edk2
# PCD documentation before relying on either variant.
NO_STRICTNX_COMMON_FLAGS = --pcd PcdUninstallMemAttrProtocol=TRUE
# x86 OVMF flag sets. Each flavour is COMMON_FLAGS plus TPM2 support, plus
# the flavour-specific switches below.
OVMF_COMMON_FLAGS = $(COMMON_FLAGS)
OVMF_COMMON_FLAGS += -DTPM2_ENABLE=TRUE
# Uncomment for in-band debug messages
# OVMF_COMMON_FLAGS += "-DDEBUG_ON_SERIAL_PORT=TRUE"

OVMF_4M_COMMON_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
# NOTE(review): this one expands OVMF_COMMON_FLAGS, not OVMF_4M_COMMON_FLAGS,
# so it carries no -DFD_SIZE_4MB, unlike OVMF32_4M_NO_SECBOOT_FLAGS below -
# confirm that is intended.
OVMF_4M_NO_SECBOOT_FLAGS = $(OVMF_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS)
# Secure Boot flavours drop the built-in EFI shell (-DBUILD_SHELL=FALSE).
OVMF_4M_SECBOOT_FLAGS = $(OVMF_4M_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=TRUE
# Same as the Secure Boot set but with -DSMM_REQUIRE=FALSE; used by the
# Intel TDX build in this file.
# NOTE(review): without SMM the Secure Boot variable store is presumably not
# isolated from the guest OS - confirm this matches the intended threat model.
OVMF_4M_SECBOOT_CC_FLAGS = $(OVMF_4M_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=FALSE
# Strict-NX: the Secure Boot set without NO_STRICTNX_COMMON_FLAGS.
OVMF_4M_SECBOOT_STRICTNX_FLAGS = $(OVMF_4M_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=TRUE

# 32-bit counterparts. No rule visible in this file references them.
OVMF32_4M_COMMON_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
OVMF32_4M_NO_SECBOOT_FLAGS = $(OVMF32_4M_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS)
OVMF32_4M_SECBOOT_FLAGS = $(OVMF32_4M_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=TRUE
OVMF32_4M_SECBOOT_STRICTNX_FLAGS = $(OVMF32_4M_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=TRUE
# AArch64 (AAVMF / qemu-efi-aarch64) flag sets: COMMON_FLAGS plus TPM2
# support, the TPM2 configuration UI switch and the Cavium erratum define.
AAVMF_COMMON_FLAGS = $(COMMON_FLAGS)
AAVMF_COMMON_FLAGS += -DTPM2_ENABLE=TRUE
AAVMF_COMMON_FLAGS += -DTPM2_CONFIG_ENABLE=TRUE
AAVMF_COMMON_FLAGS += -DCAVIUM_ERRATUM_27456=TRUE
# NOTE(review): built from COMMON_FLAGS, not AAVMF_COMMON_FLAGS, so the
# no-secboot image gets neither the TPM2 switches nor the erratum define -
# confirm that is intended.
AAVMF_NO_SECBOOT_FLAGS = $(COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS)
# Secure Boot flavours drop the built-in EFI shell; the strictnx one also
# omits NO_STRICTNX_COMMON_FLAGS.
AAVMF_SECBOOT_FLAGS = $(AAVMF_COMMON_FLAGS) $(NO_STRICTNX_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE
AAVMF_SECBOOT_STRICTNX_FLAGS = $(AAVMF_COMMON_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE
# riscv64 and loongarch64 are built with the shared flags only (no Secure
# Boot flavour is defined for them in this file).
RISCV64_FLAGS = $(COMMON_FLAGS)
LOONGARCH64_FLAGS = $(COMMON_FLAGS)
# Clear variables used internally by the edk2 build system
# (so values inherited from the caller's environment or command line cannot
# redirect where the edk2 scripts look for sources, tools or configuration).
undefine WORKSPACE
undefine ECP_SOURCE
undefine EDK_SOURCE
undefine EFI_SOURCE
undefine EDK_TOOLS_PATH
undefine CONF_PATH

# Staging root for every install-* target; overridable by the caller.
DESTDIR ?= $(CURDIR)/debian/tmp
# Every target not overridden below is handled by debhelper.
%:
	dh $@

# The overrides re-invoke this file so the per-image targets can run in
# parallel under one jobserver.
# NOTE(review): if DEB_BUILD_OPTION_PARALLEL is empty these become a bare
# -j, which GNU make treats as "no job limit" - confirm it is always set.
override_dh_auto_install:
	$(MAKE) -f debian/rules -j$(DEB_BUILD_OPTION_PARALLEL) install-all

override_dh_auto_build:
	$(MAKE) -f debian/rules -j$(DEB_BUILD_OPTION_PARALLEL) build-all

# The tests read the installed tree (test-all exports DEB_EDK2_ROOT=$(DESTDIR)),
# so installation is a prerequisite. Skipped when DEB_BUILD_OPTIONS contains
# nocheck.
override_dh_auto_test: override_dh_auto_install
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	$(MAKE) -f debian/rules -j$(DEB_BUILD_OPTION_PARALLEL) test-all
endif
# Install locations (under DESTDIR) and edk2 output directories per platform.
# Each *_BUILD_DIR is <edk2 output root>/<BUILD_TYPE>_<toolchain>, relative to
# the per-flavour build copy created by do_build.

# x86-64. Note the two install directories differ only in case.
OVMF_INSTALL_DIR = $(DESTDIR)/usr/share/OVMF
ovmf_INSTALL_DIR = $(DESTDIR)/usr/share/ovmf
OVMF_SHELL_INSTALL_DIR = $(DESTDIR)/usr/share/efi-shell-x64
OVMF64_BUILD_ROOT = Build/OvmfX64
OVMF64_BUILD_DIR = $(OVMF64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AMDSEV_BUILD_ROOT = Build/AmdSev
AMDSEV_BUILD_DIR = $(AMDSEV_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
INTELTDX_BUILD_ROOT = Build/IntelTdx
INTELTDX_BUILD_DIR = $(INTELTDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)

# AArch64
AAVMF_INSTALL_DIR = $(DESTDIR)/usr/share/AAVMF
AAVMF_SHELL_INSTALL_DIR = $(DESTDIR)/usr/share/efi-shell-aa64
AAVMF_BUILD_ROOT = Build/ArmVirtQemu-AArch64
AAVMF_BUILD_DIR = $(AAVMF_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)

# RISC-V 64
RISCV64_INSTALL_DIR = $(DESTDIR)/usr/share/qemu-efi-riscv64
RISCV64_SHELL_INSTALL_DIR = $(DESTDIR)/usr/share/efi-shell-riscv64
RISCV64_BUILD_ROOT = Build/RiscVVirtQemu
RISCV64_BUILD_DIR = $(RISCV64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)

# LoongArch 64
LOONGARCH64_INSTALL_DIR = $(DESTDIR)/usr/share/qemu-efi-loongarch64
LOONGARCH64_SHELL_INSTALL_DIR = $(DESTDIR)/usr/share/efi-shell-loongarch64
LOONGARCH64_BUILD_ROOT = Build/LoongArchVirtQemu
LOONGARCH64_BUILD_DIR = $(LOONGARCH64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
# -j options in MAKEFLAGS cause the edk2 build system to fall over.
# This filtered copy is what do_build exports as MAKEFLAGS for the edk2
# build. It is evaluated once, when this file is parsed.
MAKEFLAGS_NO_PARALLEL := $(filter-out -j%,$(MAKEFLAGS))

# If a parallel build was requested, we'll build multiple images in parallel.
# Tell each image build to just use one thread to avoid overload.
# (Detected by the filter above having removed something from MAKEFLAGS.)
ifneq ($(MAKEFLAGS),$(MAKEFLAGS_NO_PARALLEL))
MAX_CONCURRENT_THREAD_NUMBER ?= 1
# This var doesn't seem to be respected, so we explicitly
# pass "-n" instead.
#export MAX_CONCURRENT_THREAD_NUMBER
MAX_THREADS_ARG = -n $(MAX_CONCURRENT_THREAD_NUMBER)
endif
# Usage: $(call edksetup,<source-root>,<build-copy-root>)
# Regenerates Conf/BuildEnv.sh inside the build copy with every occurrence of
# the source root replaced by the build-copy root.
# The existing file is removed first: do_build populates the copy with
# rsync --link-dest, so the file is presumably a hard link to the original
# and redirecting into it would truncate the source tree's copy as well -
# TODO confirm.
# $(1) is used as a sed pattern with | as the delimiter, so a path containing
# | or regex metacharacters would not be substituted literally.
# (Comments are kept outside the define: lines inside it become recipe text.)
define edksetup
	rm $(2)/Conf/BuildEnv.sh
	sed "s|$(1)|$(2)|g" < $(1)/Conf/BuildEnv.sh > $(2)/Conf/BuildEnv.sh
endef
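# Usage: $(call do_build,<package>,<flavour>,<edk2-arch>,<platform.dsc>,<flags>)
# Builds one firmware flavour in a private copy of the source tree:
#   1. recreate debian/build/<package>/<flavour> from scratch;
#   2. populate it with rsync, hard-linking unchanged files against the
#      source tree (--link-dest) and leaving out .git and debian/;
#   3. rewrite Conf/BuildEnv.sh for the copy (edksetup);
#   4. source edksetup.sh inside the copy and run the edk2 `build` tool with
#      the -j-free MAKEFLAGS and, under a parallel make, -n <threads>.
# Two hardening points compared with a plain "cd dir && . edksetup.sh; ...":
#   - a failed cd aborts the recipe, so `build` can never run in the
#     pristine source tree by accident;
#   - edksetup.sh is sourced as ./edksetup.sh, because bash's `.` searches
#     PATH before the current directory for a name without a slash, and the
#     script that configures the firmware build must be the one in the copy.
# MAKEFLAGS is exported unquoted on purpose: only its first word is assigned.
# (Comments are kept outside the define: lines inside it become recipe text.)
define do_build
	rm -rf debian/build/$(1)/$(2)
	mkdir -p debian/build/$(1)/$(2)
	rsync -aH --link-dest=$(CURDIR) \
	  --exclude=/.git/ --exclude=/debian/ \
	  ./ debian/build/$(1)/$(2)/
	$(call edksetup,$(CURDIR),$(CURDIR)/debian/build/$(1)/$(2))
	cd debian/build/$(1)/$(2) || exit 1; \
	. ./edksetup.sh; \
	export MAKEFLAGS=$(MAKEFLAGS_NO_PARALLEL); \
	build -a $(3) -t $(EDK2_TOOLCHAIN) \
	  -p $(4) $(5) -b $(BUILD_TYPE) $(MAX_THREADS_ARG)
endef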
# Usage: $(call install_descriptors,<glob>)
# Copies the QEMU firmware descriptor files matching <glob> from
# debian/descriptors into $(DESTDIR)/usr/share/qemu/firmware. The glob is
# left unquoted so the shell expands it; if nothing matches, cp receives the
# literal pattern and fails.
define install_descriptors
	mkdir -p $(DESTDIR)/usr/share/qemu/firmware
	cp debian/descriptors/$(1) $(DESTDIR)/usr/share/qemu/firmware
endef
# Architectures for which a standalone EFI shell is built and installed.
SHELL_ARCHS = aa64 loongarch64 riscv64 x64

# Top-level aggregates invoked by the dh overrides.
.PHONY: install-all build-all test-all
# NOTE(review): AAVMF_PREENROLLED_VARS and OVMF64_PREENROLLED_VARS are first
# assigned further down in this file, and prerequisite lists are expanded as
# the rule is read, so both references expand to nothing here unless they are
# set from outside. The files are still built via the build-*-secboot targets.
install-all: install-qemu-efi-aarch64 install-ovmf install-qemu-efi-riscv64 install-qemu-efi-loongarch64 $(addprefix install-efi-shell-,$(SHELL_ARCHS)) $(AAVMF_PREENROLLED_VARS) $(OVMF64_PREENROLLED_VARS)
build-all: build-qemu-efi-aarch64 build-ovmf build-qemu-efi-riscv64 build-qemu-efi-loongarch64 $(addprefix build-efi-shell-,$(SHELL_ARCHS))

# Test scripts get the packaging's Python helpers on PYTHONPATH and the
# staging root as DEB_EDK2_ROOT (target-specific exported variables).
test-all: export PYTHONPATH=$(CURDIR)/debian/python
test-all: export DEB_EDK2_ROOT=$(DESTDIR)
test-all:
	./debian/tests/shell.py
	./debian/tests/check-descriptors.sh
# Builds the edk2 BaseTools once in the source tree; the stamp file is a
# prerequisite of every firmware build rule below.
# NOTE(review): this calls literal `make` rather than $(MAKE), so the
# BaseTools build does not join the parent's jobserver - presumably
# deliberate given the -j problems noted above, confirm.
debian/setup-build-stamp:
	set -e; . ./edksetup.sh; \
	make -C BaseTools ARCH=$(EDK2_BUILD_ARCH)
	touch $@
## OVMF ##
# Aggregates covering every x86-64 flavour built below.
.PHONY: install-ovmf build-ovmf
install-ovmf: install-ovmf-no-secboot install-ovmf-secboot install-ovmf-secboot-strictnx install-ovmf-amdsev install-ovmf-inteltdx-ms
build-ovmf: build-ovmf-no-secboot build-ovmf-secboot build-ovmf-secboot-strictnx build-ovmf-amdsev build-ovmf-inteltdx-ms

# OVMF NO-SECBOOT AND SHELL
# Flavour built with OVMF_4M_NO_SECBOOT_FLAGS (no -DSECURE_BOOT_ENABLE); the
# same build also yields the x64 EFI shell binary.
OVMF64_NO_SECBOOT_BUILD_DIR = debian/build/ovmf/no-secboot/$(OVMF64_BUILD_DIR)
.PHONY: install-ovmf-no-secboot install-efi-shell-x64 build-ovmf-no-secboot build-efi-shell-x64
# Installs the split CODE/VARS images under their _4M names, the combined
# OVMF.fd, and the matching QEMU firmware descriptors.
install-ovmf-no-secboot: build-ovmf-no-secboot
	mkdir -p $(OVMF_INSTALL_DIR)
	cp $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd \
	  $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd
	cp $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF_VARS.fd \
	  $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd
	mkdir -p $(ovmf_INSTALL_DIR)
	cp $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF.fd $(ovmf_INSTALL_DIR)
	$(call install_descriptors,*-edk2-x86_64.json)
install-efi-shell-x64: build-efi-shell-x64
	mkdir -p $(OVMF_SHELL_INSTALL_DIR)
	cp $(OVMF64_NO_SECBOOT_BUILD_DIR)/X64/Shell.efi \
	  $(OVMF_SHELL_INSTALL_DIR)/shellx64.efi
build-ovmf-no-secboot: $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF.fd $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd
build-efi-shell-x64: $(OVMF64_NO_SECBOOT_BUILD_DIR)/X64/Shell.efi
# One edk2 build produces all three files, hence the grouped target (&:), so
# a parallel make runs the recipe only once.
$(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF.fd $(OVMF64_NO_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd $(OVMF64_NO_SECBOOT_BUILD_DIR)/X64/Shell.efi &: debian/setup-build-stamp
	$(call do_build,ovmf,no-secboot,X64,OvmfPkg/OvmfPkgX64.dsc,$(OVMF_4M_NO_SECBOOT_FLAGS))
# OVMF SECBOOT
OVMF64_SECBOOT_BUILD_DIR = debian/build/ovmf/secboot/$(OVMF64_BUILD_DIR)
# Variable stores shipped with Secure Boot keys already enrolled. They are
# derived by pattern rules: OVMF_VARS.fd -> OVMF_VARS_4M.fd (copy, below)
# -> .ms.fd / .snakeoil.fd (%.ms.fd and %.snakeoil.fd rules).
OVMF64_PREENROLLED_VARS = $(addprefix $(OVMF64_SECBOOT_BUILD_DIR)/FV/,OVMF_VARS_4M.ms.fd OVMF_VARS_4M.snakeoil.fd)
.PHONY: install-ovmf-secboot build-ovmf-secboot
# The .ms and .snakeoil CODE names are symlinks to the one secboot code
# image; only the variable stores differ per key set.
# NOTE(review): the PkKek-1-snakeoil.* glob copies every matching file. The
# name suggests a test key pair; if a private key matches the glob it is
# shipped, so variable stores enrolled with it give no Secure Boot assurance -
# confirm the set of files and that this is documented for users.
install-ovmf-secboot: build-ovmf-secboot
	mkdir -p $(OVMF_INSTALL_DIR)
	cp $(OVMF64_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd \
	  $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.secboot.fd
	ln -sf OVMF_CODE_4M.secboot.fd $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.ms.fd
	ln -sf OVMF_CODE_4M.secboot.fd $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.snakeoil.fd
	cp -a $(OVMF64_PREENROLLED_VARS) $(OVMF_INSTALL_DIR)
	mkdir -p $(ovmf_INSTALL_DIR)
	cp -a debian/PkKek-1-snakeoil.* $(ovmf_INSTALL_DIR)
	$(call install_descriptors,*-edk2-x86_64-secure*.json)
build-ovmf-secboot: $(OVMF64_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd $(OVMF64_PREENROLLED_VARS)
# Grouped target: one build yields both the code image and the VARS template.
$(OVMF64_SECBOOT_BUILD_DIR)/FV/OVMF_CODE.fd $(OVMF64_SECBOOT_BUILD_DIR)/FV/OVMF_VARS.fd &: debian/setup-build-stamp
	$(call do_build,ovmf,secboot,X64,OvmfPkg/OvmfPkgX64.dsc,$(OVMF_4M_SECBOOT_FLAGS))
# Generic rule: any X_4M.fd is a plain copy of X.fd.
%_4M.fd: %.fd
	cp $< $@
# OVMF SECBOOT-STRICTNX
# Secure Boot code image built with OVMF_4M_SECBOOT_STRICTNX_FLAGS, i.e. the
# Secure Boot flag set without NO_STRICTNX_COMMON_FLAGS. Only a code image is
# installed for this flavour.
OVMF64_SECBOOT_STRICTNX_BUILD_DIR = debian/build/ovmf/secboot-strictnx/$(OVMF64_BUILD_DIR)

.PHONY: build-ovmf-secboot-strictnx install-ovmf-secboot-strictnx

# Real file target: the edk2 build in the flavour's private tree.
$(OVMF64_SECBOOT_STRICTNX_BUILD_DIR)/FV/OVMF_CODE.fd: debian/setup-build-stamp
	$(call do_build,ovmf,secboot-strictnx,X64,OvmfPkg/OvmfPkgX64.dsc,$(OVMF_4M_SECBOOT_STRICTNX_FLAGS))

build-ovmf-secboot-strictnx: $(OVMF64_SECBOOT_STRICTNX_BUILD_DIR)/FV/OVMF_CODE.fd

install-ovmf-secboot-strictnx: build-ovmf-secboot-strictnx
	mkdir -p $(OVMF_INSTALL_DIR)
	cp $(OVMF64_SECBOOT_STRICTNX_BUILD_DIR)/FV/OVMF_CODE.fd $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.secboot.strictnx.fd
# AMDSEV
# AMD SEV image, built from its own platform description with
# OVMF_COMMON_FLAGS only (no Secure Boot switches).
OVMF64_AMDSEV_BUILD_DIR = debian/build/ovmf/amdsev/$(AMDSEV_BUILD_DIR)
.PHONY: install-ovmf-amdsev build-ovmf-amdsev
install-ovmf-amdsev: build-ovmf-amdsev
	mkdir -p $(ovmf_INSTALL_DIR)
	cp $(OVMF64_AMDSEV_BUILD_DIR)/FV/OVMF.fd \
	  $(ovmf_INSTALL_DIR)/OVMF.amdsev.fd
	$(call install_descriptors,*-edk2-x86_64-amdsev*.json)
build-ovmf-amdsev: $(OVMF64_AMDSEV_BUILD_DIR)/FV/OVMF.fd
# The touch runs in the source tree before do_build copies it.
# NOTE(review): if grub.efi does not already exist this leaves an empty
# placeholder, so the image presumably embeds no usable grub - confirm that
# is the intended content of the shipped SEV firmware.
$(OVMF64_AMDSEV_BUILD_DIR)/FV/OVMF.fd: debian/setup-build-stamp
	touch OvmfPkg/AmdSev/Grub/grub.efi
	$(call do_build,ovmf,amdsev,X64,OvmfPkg/AmdSev/AmdSevX64.dsc,$(OVMF_COMMON_FLAGS))
# Intel TDX
# Built with OVMF_4M_SECBOOT_CC_FLAGS (Secure Boot on, SMM not required).
# The installed image is OVMF.ms.fd, which is not produced by the build
# itself but derived from OVMF.fd through the generic %.ms.fd enrolment rule.
OVMF64_INTELTDX_MS_BUILD_DIR = debian/build/ovmf/inteltdx-ms/$(INTELTDX_BUILD_DIR)
.PHONY: install-ovmf-inteltdx-ms build-ovmf-inteltdx-ms
install-ovmf-inteltdx-ms: build-ovmf-inteltdx-ms
	mkdir -p $(ovmf_INSTALL_DIR)
	cp $(OVMF64_INTELTDX_MS_BUILD_DIR)/FV/OVMF.ms.fd \
	  $(ovmf_INSTALL_DIR)/OVMF.inteltdx.ms.fd
	$(call install_descriptors,*-edk2-x86_64-inteltdx*.json)
build-ovmf-inteltdx-ms: $(OVMF64_INTELTDX_MS_BUILD_DIR)/FV/OVMF.ms.fd
$(OVMF64_INTELTDX_MS_BUILD_DIR)/FV/OVMF.fd: debian/setup-build-stamp
	$(call do_build,ovmf,inteltdx-ms,X64,OvmfPkg/IntelTdx/IntelTdxX64.dsc,$(OVMF_4M_SECBOOT_CC_FLAGS))
## QEMU-EFI-AARCH64 ##
# Aggregates covering every AArch64 flavour built below.
.PHONY: install-qemu-efi-aarch64 build-qemu-efi-aarch64
install-qemu-efi-aarch64: install-qemu-efi-aarch64-no-secboot install-qemu-efi-aarch64-secboot install-qemu-efi-aarch64-secboot-strictnx
build-qemu-efi-aarch64: build-qemu-efi-aarch64-no-secboot build-qemu-efi-aarch64-secboot build-qemu-efi-aarch64-secboot-strictnx

# QEMU-EFI-AARCH64 NO-SECBOOT AND SHELL
AAVMF_NO_SECBOOT_BUILD_DIR = debian/build/qemu-efi-aarch64/no-secboot/$(AAVMF_BUILD_DIR)
.PHONY: install-qemu-efi-aarch64-no-secboot install-efi-shell-aa64 build-qemu-efi-aarch64-no-secboot build-efi-shell-aa64
# Installs the code and variable images under their AAVMF names and sets
# both to exactly 64M with truncate (presumably the flash size the QEMU
# machine expects - confirm). The untouched QEMU_EFI.fd is also installed
# under qemu-efi-aarch64, followed by the firmware descriptors.
install-qemu-efi-aarch64-no-secboot: build-qemu-efi-aarch64-no-secboot
	mkdir -p $(AAVMF_INSTALL_DIR)
	cp $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd \
	  $(AAVMF_INSTALL_DIR)/AAVMF_CODE.no-secboot.fd
	cp $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_VARS.fd \
	  $(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd
	truncate -s 64M $(AAVMF_INSTALL_DIR)/AAVMF_CODE.no-secboot.fd
	truncate -s 64M $(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd
	mkdir -p $(DESTDIR)/usr/share/qemu-efi-aarch64
	cp $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd \
	  $(DESTDIR)/usr/share/qemu-efi-aarch64
	$(call install_descriptors,*-edk2-aarch64.json)
install-efi-shell-aa64: build-efi-shell-aa64
	mkdir -p $(AAVMF_SHELL_INSTALL_DIR)
	cp $(AAVMF_NO_SECBOOT_BUILD_DIR)/AARCH64/Shell.efi \
	  $(AAVMF_SHELL_INSTALL_DIR)/shellaa64.efi
build-qemu-efi-aarch64-no-secboot: $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_VARS.fd
build-efi-shell-aa64: $(AAVMF_NO_SECBOOT_BUILD_DIR)/AARCH64/Shell.efi
# Grouped target: one build yields all three files. The AArch64 builds also
# need the LTO helper archive assembled by its own rule in this file.
$(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd $(AAVMF_NO_SECBOOT_BUILD_DIR)/FV/QEMU_VARS.fd $(AAVMF_NO_SECBOOT_BUILD_DIR)/AARCH64/Shell.efi &: debian/setup-build-stamp BaseTools/Bin/GccLto/liblto-aarch64.a
	$(call do_build,qemu-efi-aarch64,no-secboot,AARCH64,ArmVirtPkg/ArmVirtQemu.dsc,$(AAVMF_NO_SECBOOT_FLAGS))
# QEMU-EFI-AARCH64 SECBOOT
AAVMF_SECBOOT_BUILD_DIR = debian/build/qemu-efi-aarch64/secboot/$(AAVMF_BUILD_DIR)
# Variable stores shipped with Secure Boot keys already enrolled. They are
# derived by pattern rules: QEMU_VARS.fd -> AAVMF_VARS.fd (copy, below)
# -> .ms.fd / .snakeoil.fd (%.ms.fd and %.snakeoil.fd rules).
AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_SECBOOT_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
.PHONY: install-qemu-efi-aarch64-secboot build-qemu-efi-aarch64-secboot
# The .ms and .snakeoil CODE names are symlinks to the one secboot code
# image; code image and enrolled variable stores are set to 64M.
# NOTE(review): the PkKek-1-snakeoil.* glob copies every matching file. The
# name suggests a test key pair; if a private key matches the glob it is
# shipped, so variable stores enrolled with it give no Secure Boot assurance -
# confirm the set of files and that this is documented for users.
install-qemu-efi-aarch64-secboot: build-qemu-efi-aarch64-secboot
	mkdir -p $(AAVMF_INSTALL_DIR)
	cp $(AAVMF_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd \
	  $(AAVMF_INSTALL_DIR)/AAVMF_CODE.secboot.fd
	truncate -s 64M $(AAVMF_INSTALL_DIR)/AAVMF_CODE.secboot.fd
	ln -sf AAVMF_CODE.secboot.fd $(AAVMF_INSTALL_DIR)/AAVMF_CODE.ms.fd
	ln -sf AAVMF_CODE.secboot.fd $(AAVMF_INSTALL_DIR)/AAVMF_CODE.snakeoil.fd
	cp -a $(AAVMF_PREENROLLED_VARS) $(AAVMF_INSTALL_DIR)
	truncate -s 64M $(addprefix $(AAVMF_INSTALL_DIR)/,$(notdir $(AAVMF_PREENROLLED_VARS)))
	mkdir -p $(DESTDIR)/usr/share/qemu-efi-aarch64
	cp -a debian/PkKek-1-snakeoil.* $(DESTDIR)/usr/share/qemu-efi-aarch64
	$(call install_descriptors,*-edk2-aarch64-secure*.json)
build-qemu-efi-aarch64-secboot: $(AAVMF_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd $(AAVMF_PREENROLLED_VARS)
# Grouped target: one build yields both the code image and the VARS template.
$(AAVMF_SECBOOT_BUILD_DIR)/FV/QEMU_EFI.fd $(AAVMF_SECBOOT_BUILD_DIR)/FV/QEMU_VARS.fd &: debian/setup-build-stamp BaseTools/Bin/GccLto/liblto-aarch64.a
	$(call do_build,qemu-efi-aarch64,secboot,AARCH64,ArmVirtPkg/ArmVirtQemu.dsc,$(AAVMF_SECBOOT_FLAGS))
# Generic rule: AAVMF_VARS.fd is a plain copy of QEMU_VARS.fd in the same
# directory.
%/AAVMF_VARS.fd: %/QEMU_VARS.fd
	cp $< $@
# QEMU_EFI_AARCH64 SECBOOT-STRICTNX
# Secure Boot code image built with AAVMF_SECBOOT_STRICTNX_FLAGS, i.e. the
# Secure Boot flag set without NO_STRICTNX_COMMON_FLAGS. Only a code image is
# installed for this flavour; it is set to 64M like the other AAVMF images.
AAVMF_SECBOOT_STRICTNX_BUILD_DIR = debian/build/qemu-efi-aarch64/secboot-strictnx/$(AAVMF_BUILD_DIR)

.PHONY: build-qemu-efi-aarch64-secboot-strictnx install-qemu-efi-aarch64-secboot-strictnx

# Real file target: the edk2 build in the flavour's private tree.
$(AAVMF_SECBOOT_STRICTNX_BUILD_DIR)/FV/QEMU_EFI.fd: debian/setup-build-stamp BaseTools/Bin/GccLto/liblto-aarch64.a
	$(call do_build,qemu-efi-aarch64,secboot-strictnx,AARCH64,ArmVirtPkg/ArmVirtQemu.dsc,$(AAVMF_SECBOOT_STRICTNX_FLAGS))

build-qemu-efi-aarch64-secboot-strictnx: $(AAVMF_SECBOOT_STRICTNX_BUILD_DIR)/FV/QEMU_EFI.fd

install-qemu-efi-aarch64-secboot-strictnx: build-qemu-efi-aarch64-secboot-strictnx
	mkdir -p $(AAVMF_INSTALL_DIR)
	cp $(AAVMF_SECBOOT_STRICTNX_BUILD_DIR)/FV/QEMU_EFI.fd $(AAVMF_INSTALL_DIR)/AAVMF_CODE.secboot.strictnx.fd
	truncate -s 64M $(AAVMF_INSTALL_DIR)/AAVMF_CODE.secboot.strictnx.fd
# debian/PkKek-1-vendor.pem is a symlink to the certificate of the vendor
# the package is built for: the Ubuntu one when the dpkg vendor derives from
# ubuntu, the Debian one otherwise. This certificate is what the %.ms.fd
# rule enrols, so the link target decides whose key ends up in the shipped
# variable stores. The link holds just the file name, relative to debian/.
ifneq ($(call dpkg_vendor_derives_from_v1,ubuntu),yes)
debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
else
debian/PkKek-1-vendor.pem: debian/PkKek-1-Ubuntu.pem
endif
	ln -sf $(<F) $@
# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
# Runs virt-fw-vars on the template, enrolling the vendor certificate and
# setting dbx (the Secure Boot revocation list) from the DBXUpdate file for
# <uefi-arch>. The file is picked by a shell glob over the date part of its
# name, so more than one dated file for the same architecture would turn
# into several arguments.
enroll_vendor = virt-fw-vars --input $(1) --output $(2) \
  --enroll-cert debian/PkKek-1-vendor.pem \
  --set-dbx ./debian/DBXUpdate-*.$(3).bin
# NOTE(review): this generic rule always passes amd64, and it is also the
# rule that produces AAVMF_VARS.ms.fd for the AArch64 images. update-dbx
# fetches an arm64 DBXUpdate file as well, but nothing visible in this file
# references it, so the AArch64 variable store appears to receive the x86-64
# revocation list - confirm and, if unintended, pass arm64 for AAVMF targets.
%.ms.fd: %.fd debian/PkKek-1-vendor.pem
	$(call enroll_vendor,$<,$@,amd64)
# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
# Runs virt-fw-vars on the template, installing the snakeoil certificate as
# PK and adding it to KEK and db, each under the OvmfEnrollDefaultKeys owner.
# No dbx is set for this variant.
# NOTE(review): the name suggests a test certificate; a variable store that
# trusts it for PK, KEK and db should not be treated as a Secure Boot
# enforcement boundary - confirm this is documented for users.
enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
  --set-pk OvmfEnrollDefaultKeys \
  debian/PkKek-1-snakeoil.pem \
  --add-kek OvmfEnrollDefaultKeys \
  debian/PkKek-1-snakeoil.pem \
  --add-db OvmfEnrollDefaultKeys \
  debian/PkKek-1-snakeoil.pem
%.snakeoil.fd: %.fd debian/PkKek-1-snakeoil.pem
	$(call enroll_snakeoil,$<,$@)
# Assembles the AArch64 LTO helper from its .s source with the cross gcc
# named by <toolchain>_AARCH64_PREFIX, so the file used by the AArch64
# builds is produced during this build from the source next to it.
# Despite the .a name the output is the single object written by gcc -c.
BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
	$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
## QEMU-EFI-RISCV64
# QEMU-EFI-RISCV64 AND SHELL
# Single flavour built with RISCV64_FLAGS (no Secure Boot variant); the same
# build also yields the riscv64 EFI shell binary.
RISCV64_DEFAULT_BUILD_DIR = debian/build/qemu-efi-riscv64/default/$(RISCV64_BUILD_DIR)
.PHONY: install-qemu-efi-riscv64 install-efi-shell-riscv64 build-qemu-efi-riscv64 build-efi-shell-riscv64
# Code and variable images keep their build names and are set to exactly 32M
# with truncate (presumably the flash size the QEMU machine expects -
# confirm).
install-qemu-efi-riscv64: build-qemu-efi-riscv64
	mkdir -p $(RISCV64_INSTALL_DIR)
	cp $(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_CODE.fd \
	  $(RISCV64_INSTALL_DIR)/
	cp $(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_VARS.fd \
	  $(RISCV64_INSTALL_DIR)/
	truncate -s 32M $(RISCV64_INSTALL_DIR)/RISCV_VIRT_CODE.fd
	truncate -s 32M $(RISCV64_INSTALL_DIR)/RISCV_VIRT_VARS.fd
	$(call install_descriptors,*-edk2-riscv64.json)
install-efi-shell-riscv64: build-efi-shell-riscv64
	mkdir -p $(RISCV64_SHELL_INSTALL_DIR)
	cp $(RISCV64_DEFAULT_BUILD_DIR)/RISCV64/Shell.efi \
	  $(RISCV64_SHELL_INSTALL_DIR)/shellriscv64.efi
build-qemu-efi-riscv64: $(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_CODE.fd $(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_VARS.fd
build-efi-shell-riscv64: $(RISCV64_DEFAULT_BUILD_DIR)/RISCV64/Shell.efi
# Grouped target: one build yields all three files.
$(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_CODE.fd $(RISCV64_DEFAULT_BUILD_DIR)/FV/RISCV_VIRT_VARS.fd $(RISCV64_DEFAULT_BUILD_DIR)/RISCV64/Shell.efi &: debian/setup-build-stamp
	$(call do_build,qemu-efi-riscv64,default,RISCV64,OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc,$(RISCV64_FLAGS))
## QEMU-EFI-LOONGARCH64
# QEMU-EFI-LOONGARCH64 AND SHELL
# Single flavour built with LOONGARCH64_FLAGS (no Secure Boot variant); the
# same build also yields the loongarch64 EFI shell binary.
LOONGARCH64_DEFAULT_BUILD_DIR = debian/build/qemu-efi-loongarch64/default/$(LOONGARCH64_BUILD_DIR)
.PHONY: install-qemu-efi-loongarch64 install-efi-shell-loongarch64 build-qemu-efi-loongarch64 build-efi-shell-loongarch64
# Code and variable images keep their build names and are set to exactly 16M
# with truncate (presumably the flash size the QEMU machine expects -
# confirm).
install-qemu-efi-loongarch64: build-qemu-efi-loongarch64
	mkdir -p $(LOONGARCH64_INSTALL_DIR)
	cp $(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_EFI.fd \
	  $(LOONGARCH64_INSTALL_DIR)/
	cp $(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_VARS.fd \
	  $(LOONGARCH64_INSTALL_DIR)/
	truncate -s 16M $(LOONGARCH64_INSTALL_DIR)/QEMU_EFI.fd
	truncate -s 16M $(LOONGARCH64_INSTALL_DIR)/QEMU_VARS.fd
	$(call install_descriptors,*-edk2-loongarch64.json)
install-efi-shell-loongarch64: build-efi-shell-loongarch64
	mkdir -p $(LOONGARCH64_SHELL_INSTALL_DIR)
	cp $(LOONGARCH64_DEFAULT_BUILD_DIR)/LOONGARCH64/Shell.efi \
	  $(LOONGARCH64_SHELL_INSTALL_DIR)/shellloongarch64.efi
build-qemu-efi-loongarch64: $(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_EFI.fd $(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_VARS.fd
build-efi-shell-loongarch64: $(LOONGARCH64_DEFAULT_BUILD_DIR)/LOONGARCH64/Shell.efi
# Grouped target: one build yields all three files.
$(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_EFI.fd $(LOONGARCH64_DEFAULT_BUILD_DIR)/FV/QEMU_VARS.fd $(LOONGARCH64_DEFAULT_BUILD_DIR)/LOONGARCH64/Shell.efi &: debian/setup-build-stamp
	$(call do_build,qemu-efi-loongarch64,default,LOONGARCH64,OvmfPkg/LoongArchVirt/LoongArchVirtQemu.dsc,$(LOONGARCH64_FLAGS))
# Removes what the rules in this file generate: the per-flavour build
# copies, the assembled LTO helper archive(s) and the vendor certificate
# symlink.
override_dh_auto_clean:
	rm -rf debian/build
	rm -f BaseTools/Bin/GccLto/liblto-*.a debian/PkKek-1-vendor.pem
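# Only embed code that is actually used; requested by the Ubuntu Security Team
EMBEDDED_SUBMODULES += CryptoPkg/Library/MbedTlsLib/mbedtls
EMBEDDED_SUBMODULES += CryptoPkg/Library/OpensslLib/openssl
EMBEDDED_SUBMODULES += MdeModulePkg/Library/BrotliCustomDecompressLib/brotli
EMBEDDED_SUBMODULES += MdePkg/Library/BaseFdtLib/libfdt
EMBEDDED_SUBMODULES += MdePkg/Library/MipiSysTLib/mipisyst
EMBEDDED_SUBMODULES += SecurityPkg/DeviceSecurity/SpdmLib/libspdm

# Maintainer target that assembles ../edk2_<upstream-version>.orig.tar.xz
# from a local clone of the current checkout plus the submodules listed
# above, after the debian/ scripts have removed known binaries and searched
# for unknown ones. Declared phony so a stray file named get-orig-source
# cannot turn it into a no-op.
# The top-level `git archive | tar` runs with pipefail: without it a failing
# git archive is masked by tar's exit status and a truncated tree would be
# packed into the tarball unnoticed.
# NOTE(review): the per-submodule pipeline is run by git submodule foreach
# in its own shell, so it does not get pipefail; compare the file list of
# the result against upstream before uploading.
.PHONY: get-orig-source
get-orig-source:
	# Should be executed on a checkout of the upstream master branch,
	# with the debian/ directory manually copied in.
	rm -rf edk2.tmp && git clone . edk2.tmp
	# Embed submodules. Don't recurse - openssl will bring in MBs of
	# stuff we don't need
	set -e; cd edk2.tmp; \
	for submodule in $(EMBEDDED_SUBMODULES); do \
		git submodule update --depth 1 --init $$submodule; \
	done
	rm -rf edk2-$(DEB_VERSION_UPSTREAM) && \
	  mkdir edk2-$(DEB_VERSION_UPSTREAM)
	set -o pipefail; cd edk2.tmp && git archive HEAD | \
	  tar xv -C ../edk2-$(DEB_VERSION_UPSTREAM)
	cd edk2.tmp && git submodule foreach \
	  'git archive HEAD | tar xv -C $$toplevel/../edk2-$(DEB_VERSION_UPSTREAM)/$$sm_path'
	ln -s ../debian edk2-$(DEB_VERSION_UPSTREAM)
	# Remove known-binary files
	cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/remove-binaries.py
	# Look for possible unknown binary files
	cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/find-binaries.py
	rm edk2-$(DEB_VERSION_UPSTREAM)/debian
	tar Jcvf ../edk2_$(DEB_VERSION_UPSTREAM).orig.tar.xz \
	  edk2-$(DEB_VERSION_UPSTREAM)
	rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)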
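# Maintainer target that refreshes the Secure Boot revocation lists (dbx)
# shipped in debian/: clones the upstream repository, copies the amd64 and
# arm64 DBXUpdate.bin files under names carrying the date of the last
# upstream commit that touched them, and rewrites
# debian/source/include-binaries to list them.
# Compared with deleting first and cloning afterwards:
#   - the existing files are removed only after the clone succeeded, so a
#     network failure cannot leave the package without any dbx file;
#   - the temporary clone is removed on every exit path (trap), and paths
#     are quoted;
#   - the upstream commit the files were taken from is printed, so it can
#     be recorded alongside the update.
# NOTE(review): the clone takes whatever the remote default branch holds at
# that moment; nothing here pins a commit or compares the files against a
# known digest, so review the resulting binaries' provenance before
# committing them.
.PHONY: update-dbx
update-dbx:
	set -ex; \
	tmpdir="$$(mktemp -d)"; \
	trap 'rm -rf "$$tmpdir"' EXIT; \
	git clone https://github.com/microsoft/secureboot_objects "$$tmpdir"; \
	git -C "$$tmpdir" log -1 --format='secureboot_objects commit %H'; \
	rm -rf debian/DBXUpdate-*.bin; \
	for arch in amd64 arm64; do \
		bin=PostSignedObjects/DBX/$$arch/DBXUpdate.bin; \
		date=$$(cd "$$tmpdir" && git log -1 --pretty=format:"%cs" -- "$$bin"); \
		cp "$$tmpdir/$$bin" "debian/DBXUpdate-$${date}.$${arch}.bin"; \
	done
	ls debian/DBXUpdate-*.bin > debian/source/include-binaries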