Hello community, here is the log from the commit of package ovmf for openSUSE:Factory:NonFree checked in at 2015-05-29 11:45:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory:NonFree/ovmf (Old) and /work/SRC/openSUSE:Factory:NonFree/.ovmf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ovmf" Changes: -------- New Changes file:
--- /dev/null 2015-05-15 19:41:08.266053825 +0200
+++ /work/SRC/openSUSE:Factory:NonFree/.ovmf.new/ovmf.changes 2015-05-29 11:45:56.000000000 +0200
@@ -0,0 +1,581 @@ +------------------------------------------------------------------- +Thu May 14 06:59:14 UTC 2015 - glin@suse.com + +- Update to R17446 + + OvmfPkg: AcpiS3SaveDxe: fix protocol usage hint in the INF file + + OvmfPkg: extract some bits and port offsets common to Q35 and + I440FX + + MdeModulePkg: Add ESRT management module. + + MdeModulePkg: Add ESRT management protocol definition + + MdePkg: Add Microsoft UX capsule GUID & layout + + SecurityPkg: Update SecureBootConfigDxe to support ARM image + + SecurityPkg Variable: Make PK & SecureBootMode consistent + + MdeModulePkg DxeCore: Add read only memory support + + OvmfPkg: QemuBootOrderLib: parse OFW device path nodes of PCI + bridges + + MdePkg: Add UEFI 2.5 SD (Secure Digital) Device Path Definitions + + Hash2 driver to [Components.IA32, Components.X64, Components.IPF] + section + + ArmVirtualizationPkg: Enable secure boot for ArmVirtualizationQemu + + ArmPlatformPkg: enable use of authenticated variables in + NorFlashDxe +- Refresh patch + + ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch +- Enable Secure Boot for AArch64 +- Remove the workaround for SLE11 + +------------------------------------------------------------------- +Thu May 7 10:13:13 UTC 2015 - glin@suse.com + +- Although ovmf-gdb-symbols.patch has been included for a while, + it's not mentioned in changelog and legal-auto script is not + happy with it. 
+ +------------------------------------------------------------------- +Thu May 7 06:58:50 UTC 2015 - glin@suse.com + +- Update to R17351 + + BaseTools: Fix build fail issue + + MdeModluePkg: Enable refresh opcode to refresh the entire form + + BaseTool: Add refresh form opcode in vfrcompiler + + MdeModulePkg: Add BootManagerMenuApp + + MdeModulePkg: Add BdsDxe driver and PlatformBootManagerNull + library + + MdeModulePkg: Add UefiBootManagerLib + + MdePkg: Update the UEFI version to reflect new revision + + OvmfPkg: Use the new PCDs defined in MdePkg and MdeModulePkg + + MdePkg: Add UEFI2.5 bluetooth protocol/devicepath definition + + Add UEFI2.5 HASH protocol implementation + + MdeModulePkg: Add UEFI2.5 and PI1.4 PersistentMemory feature + + MdePkg: Add ESRT Interface Definitions + + Various fixes for Shell +- Drop ovmf-sle-11-gcc47.patch + + The NASM version in SLE11 is too old to build the newer ovmf +- Rename the ARM patches to make the legal-auto script happy + + ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch + + ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch + + ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch + + ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch + + ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch + + ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch + + ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch + + ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch + + ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch + + ovmf-0010-avoid-potentially-uninitialized-variable.diff + +------------------------------------------------------------------- +Thu Apr 23 03:33:36 UTC 2015 - glin@suse.com + +- Update ovmf-embed-default-keys.patch to embed the default dbx. + Also add the dbx list from the UEFI website and enable it in the + MS flavor. 
A script, strip_authinfo.pl, was added to strip the + AuthInfo headers from dbxupdate.bin since those are not necessary + in dbx. + +------------------------------------------------------------------- +Mon Apr 20 03:43:56 UTC 2015 - glin@suse.com + +- Update to R17187 + + Save initial TSVal from TCP connection initiation packets + + BaseTools/Ecc: Add ECC (EFI Code Checker) Binary into BaseTools + bin directory + + MdePkg: Add ESRT Interface Definitions + + OvmfPkg: XenConsoleSerialPortLib: deal with output overflow + + OvmfPkg: Q35: Use correct ACPI PM control register:bit + + PXE driver bug fix + + A failed PXEv6 after a success PXEv4 will cause ASSERT + + MdePkg: BaseSynchronizationLib: fix Increment/Decrement retvals + for ARM + + Updated Memory Error Record Per UEFI Specification 2.4a + + MdeModulePkg BootScriptExecutorDxe: Use ImageContext.ImageSize + to allocate memory for PE image to handle the case PE file + alignment is not same as PE section alignment. + + Fix GCC hang issue: Point should use directly assignment + instead of IP4_COPY_ADDRESS. 
+ + SecurityPkg Variable: Update code in ProcessVariable () +- Update openssl to 0.9.8zf + +------------------------------------------------------------------- +Tue Mar 17 03:10:34 UTC 2015 - glin@suse.com + +- Update to R17055 + + OvmfPkg: include XHCI driver + + ArmVirtualizationPkg/ArmVirtualizationQemu: include XHCI driver + + ArmVirtualizationPkg: build UEFI shell from source + + SecurityPkg Variable: Allow the delete operation of common auth + variable at user physical presence + + Set network boot option to the default last priority + + MdeModulePkg: improve scalability of memory pools + + MdeModulePkg: use correct granularity when allocating pool + pages + +------------------------------------------------------------------- +Fri Mar 6 03:22:51 UTC 2015 - glin@suse.com + +- Update to R17007 + + ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel + is no error + + Improve Xen support in Ovmf + + ArmVirtualizationPkg: PlatformIntelBdsLib: display TianoCore + logo + + ArmVirtualizationPkg/ArmVirtualizationQemu: add USB keyboard + input + + ArmVirtualizationPkg/ArmVirtualizationQemu: add VGA console + output + + ArmVirtualizationPkg/ArmVirtualizationQemu: enable PCI support + + OvmfPkg/QemuVideoDxe: enable ARM builds + + Improve ACPI support in Ovmf + + OvmfPkg/PlatformBdsLib: Signal ReadyToBoot before booting QEMU + kernel + + ArmPkg/ArmLib.h: Add CPU Affinity definitions + + OvmfPkg/SMBIOS: Provide default Type 0 (BIOS Information) + structure + + NetworkPkg: Code refine to avoid NULL pointer dereferenced + + DHCP6 bug fix + + BaseTools/GenFw: Set the PE/COFF attribute BaseOfData with the + address of the first '.data' section + + OvmfPkg: Update PlatformBaseDebugLibIoPort library + + Various fixes for shell +- Update ARM patches + +------------------------------------------------------------------- +Fri Feb 6 10:47:54 UTC 2015 - lnussel@suse.de + +- update to R16775 +- add RH patches for ARM + 
+------------------------------------------------------------------- +Tue Jan 6 07:51:52 UTC 2015 - glin@suse.com + +- Update to R16580 + + MdeModulePkg Variable: Implement VarCheck PROTOCOL and follow + UEFI spec to check UEFI defined variables + + ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel + from fw_cfg + + ArmVirtualizationPkg: identify "new shell" as builtin shell + for Intel BDS + + ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's + boot order + + OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for + virtio-mmio + + OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to + UINT64 + + ArmVirtualizationPkg: VirtFdtDxe: use dedicated + VIRTIO_MMIO_TRANSPORT_GUID + + OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID + + OvmfPkg: QemuBootOrderLib: featurize PCI-like device path + translation + + OvmfPkg: extract QemuBootOrderLib + + ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy + + ArmVirtualizationPkg: clone PlatformIntelBdsLib from + ArmPlatformPkg + + ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE + drivers + + ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from + DTB to PCDs + + MdeModulePkg/FvSimpleFileSystem:Fix a potential NULL + dereference issue + + Correct the Hash Calculation for Revoked X.509 Certificate to + align with RFC3280 and UEFI 2.4 Spec + + MdeModulePkg/FvSimpleFileSystem: Add a new module to provide + access to executable files in FVs + + OvmfPkg: enable IPv6 support + + Fix a bug that the gateway is not necessary in a simple PXE + network + + ArmPkg/BdsLib: Update the size of the Device Tree before + booting Linux + + ArmPkg/BdsLib: Rework TFTP boot + + MdePkg: UefiScsiLib: do not encode LUN in CDB for SCSI commands + + Correct the alignment calculation of PE/COFF attribute + certificate entry + + OvmfPkg: CsmSupportLib: depend on OvmfPkg.dec explicitly + + OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration + explicit + + MdePkg/MdeModulePkg: Implement the 
missing + SetMemorySpaceCapabilities function + + Various fixes for shell +- Set the flag to enable IPv6 support ++++ 384 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Factory:NonFree/.ovmf.new/ovmf.changes New: ---- MicCorKEKCA2011_2011-06-24.crt MicCorUEFCA2011_2011-06-27.crt README SLES-UEFI-CA-Certificate-2048.crt SLES-UEFI-SIGN-Certificate-2048.crt _service dbxupdate.zip gdb_uefi.py.in openSUSE-UEFI-CA-Certificate-2048.crt openSUSE-UEFI-CA-Certificate-4096.crt openSUSE-UEFI-SIGN-Certificate-2048.crt openSUSE-UEFI-SIGN-Certificate-4096.crt openssl-0.9.8zf.tar.gz openssl-0.9.8zf.tar.gz.asc openssl.keyring ovmf-0.1+svn17446.tar.xz ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch ovmf-0010-avoid-potentially-uninitialized-variable.diff ovmf-embed-default-keys.patch ovmf-gdb-symbols.patch ovmf-rpmlintrc ovmf.changes ovmf.spec strip_authinfo.pl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ # # spec file for package ovmf # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # needssslcertforbuild %undefine _build_create_debug Name: ovmf Url: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2 Summary: Open Virtual Machine Firmware License: BSD-2-Clause Group: System/Emulators/PC Version: 0.1+svn17446 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: https://www.openssl.org/source/openssl-0.9.8zf.tar.gz Source111: https://www.openssl.org/source/openssl-0.9.8zf.tar.gz.asc Source112: openssl.keyring Source2: README Source3: SLES-UEFI-CA-Certificate-2048.crt Source4: SLES-UEFI-SIGN-Certificate-2048.crt Source5: MicCorKEKCA2011_2011-06-24.crt Source6: MicCorUEFCA2011_2011-06-27.crt Source7: openSUSE-UEFI-CA-Certificate-2048.crt Source8: openSUSE-UEFI-SIGN-Certificate-2048.crt Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: openSUSE-UEFI-SIGN-Certificate-4096.crt Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip Source12: strip_authinfo.pl Source100: %{name}-rpmlintrc Source101: gdb_uefi.py.in Patch2: %{name}-embed-default-keys.patch Patch3: %{name}-gdb-symbols.patch # PATCH-FIX-OPENSUSE 0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch bnc#123456 you@foo -- descr Patch4: %{name}-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch # PATCH-FIX-OPENSUSE 0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch bnc#123456 you@foo -- descr Patch5: %{name}-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch # PATCH-FIX-OPENSUSE 0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch 
bnc#123456 you@foo -- descr Patch6: %{name}-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch # PATCH-FIX-OPENSUSE 0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch bnc#123456 you@foo -- descr Patch7: %{name}-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch # PATCH-FIX-OPENSUSE 0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch bnc#123456 you@foo -- descr Patch8: %{name}-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch # PATCH-FIX-OPENSUSE 0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch bnc#123456 you@foo -- descr Patch9: %{name}-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch # PATCH-FIX-OPENSUSE 0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch bnc#123456 you@foo -- descr Patch10: %{name}-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch # PATCH-FIX-OPENSUSE 0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch bnc#123456 you@foo -- descr Patch11: %{name}-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch # PATCH-FIX-OPENSUSE 0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch bnc#123456 you@foo -- descr Patch12: %{name}-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch # PATCH-FIX-OPENSUSE 0010-avoid-potentially-uninitialized-variable.diff bnc#123456 you@foo -- descr Patch13: %{name}-0010-avoid-potentially-uninitialized-variable.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libuuid-devel BuildRequires: fdupes BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: python %ifnarch aarch64 %arm BuildRequires: iasl BuildRequires: nasm %endif %ifarch x86_64 BuildRequires: openssl BuildRequires: unzip %if 0%{?suse_version} BuildRequires: vim-base %else BuildRequires: vim-common %endif %endif ExclusiveArch: %ix86 x86_64 aarch64 %arm %description The Open Virtual Machine Firmware (OVMF) project aims to support firmware for Virtual Machines using the edk2 code base. 
%ifarch %ix86 %package -n qemu-ovmf-ia32 Summary: Open Virtual Machine Firmware - QEMU rom images (IA32) Group: System/Emulators/PC BuildArch: noarch Requires: qemu %description -n qemu-ovmf-ia32 The Open Virtual Machine Firmware (OVMF) project aims to support firmware for Virtual Machines using the edk2 code base. This package contains UEFI rom images for exercising UEFI secure boot in a qemu environment (IA32) %endif %ifarch x86_64 %package -n qemu-ovmf-x86_64 Summary: Open Virtual Machine Firmware - QEMU rom images (x86_64) Group: System/Emulators/PC BuildArch: noarch Requires: qemu %description -n qemu-ovmf-x86_64 The Open Virtual Machine Firmware (OVMF) project aims to support firmware for Virtual Machines using the edk2 code base. This package contains UEFI rom images for exercising UEFI secure boot in a qemu environment (x86_64) %package -n qemu-ovmf-x86_64-debug Summary: Open Virtual Machine Firmware - debug symbols (x86_64) Group: System/Emulators/PC Requires: qemu %description -n qemu-ovmf-x86_64-debug The Open Virtual Machine Firmware (OVMF) project aims to support firmware for Virtual Machines using the edk2 code base. This package contains the debug symbols for UEFI rom images (x86_64) %endif %ifarch aarch64 %package -n qemu-uefi-aarch64 Summary: UEFI QEMU rom image (AArch64) Group: System/Emulators/PC BuildArch: noarch %description -n qemu-uefi-aarch64 This package contains the UEFI rom image (AArch64) for QEMU cortex-a57 virt board. %endif %ifarch %arm %package -n qemu-uefi-aarch32 Summary: UEFI QEMU rom image (AArch32) Group: System/Emulators/PC BuildArch: noarch %description -n qemu-uefi-aarch32 This package contains the UEFI rom image (AArch32) for QEMU cortex-a15 virt board. 
%endif %prep %setup -q -n %{name}-%{version} %setup -T -D -n %{name}-%{version}/CryptoPkg/Library/OpensslLib -a 1 %setup -T -D -n %{name}-%{version} %ifarch x86_64 %patch2 -p1 %endif %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 # Intel has special patches for openssl pushd CryptoPkg/Library/OpensslLib/openssl-0.9.8zf patch -p0 -i ../EDKII_openssl-0.9.8zf.patch cd .. ./Install.sh popd %build OVMF_FLAGS="-D FD_SIZE_2MB -D SECURE_BOOT_ENABLE -D NETWORK_IP6_ENABLE" TOOL_CHAIN_TAG=GCC$(gcc -dumpversion|sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/') %ifarch %ix86 BUILD_OPTIONS="$OVMF_FLAGS -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc -b DEBUG -t $TOOL_CHAIN_TAG" make -C BaseTools %else %ifarch x86_64 BUILD_OPTIONS="$OVMF_FLAGS -a X64 -p OvmfPkg/OvmfPkgX64.dsc -b DEBUG -t $TOOL_CHAIN_TAG" make -C BaseTools %else %ifarch aarch64 BUILD_OPTIONS="-D SECURE_BOOT_ENABLE -a AARCH64 -p ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc -b RELEASE -t $TOOL_CHAIN_TAG" ARCH=AARCH64 make -C BaseTools %else %ifarch %arm BUILD_OPTIONS="-a ARM -p ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc -b RELEASE -t $TOOL_CHAIN_TAG" ARCH=ARM make -C BaseTools %else echo "ERROR: unsupported architecture" false %endif #arm %endif #aarch64 %endif #x86_64 %endif #ix86 . ./edksetup.sh # Build the UEFI image build $BUILD_OPTIONS %ifarch %ix86 cp Build/OvmfIa32/DEBUG_*/FV/OVMF.fd ovmf-ia32.bin cp Build/OvmfIa32/DEBUG_*/FV/OVMF_CODE.fd ovmf-ia32-code.bin cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin %else %ifarch x86_64 collect_debug_files() { target="$1" out_dir="debug/$target" abs_path="`pwd`/$out_dir/" source_path="`pwd`" gdb_src_path="/usr/src/debug/ovmf-x86_64" # copy the debug symbols mkdir -p $out_dir pushd Build/OvmfX64/DEBUG_GCC4*/X64/ find . 
-mindepth 2 -type f -name "*.debug" -exec cp --parents -a {} $abs_path \; cp --parents -a DebugPkg/GdbSyms/GdbSyms/DEBUG/GdbSyms.dll $abs_path build_path=`pwd` popd # Change the path in the python gdb script sed "s:__BUILD_PATH__:$build_path:;s:__SOURCE_PATH__:$source_path:;s:__GDB_SRC_PATH__:$gdb_src_path:;s/__FLAVOR__/$target/" \ %{SOURCE101} > gdb_uefi-$target.py } cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-code.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-vars.bin # Collect the debug files collect_debug_files ovmf-x86_64 # Collect the source mkdir -p source/ovmf-x86_64 # TODO get the source list from debug files src_list=`find Build/OvmfX64/DEBUG_GCC4*/X64/ -mindepth 1 -maxdepth 1 -type d -exec basename {} \;` find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ovmf-x86_64 \; build_with_keys() { suffix="$1" xxd -i Default_PK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h xxd -i Default_KEK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h xxd -i Default_DB > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h if [ -e Default_DBX ]; then xxd -i Default_DBX > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h fi build $BUILD_OPTIONS cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-$suffix-vars.bin collect_debug_files ovmf-x86_64-$suffix } # OVMF with SUSE keys openssl x509 -in %{SOURCE3} -outform DER > Default_PK openssl x509 -in %{SOURCE3} -outform DER > Default_KEK openssl x509 -in %{SOURCE4} -outform DER > Default_DB build_with_keys suse #unpack the UEFI revocation list unzip %{SOURCE11} # OVMF with MS keys cat %{SOURCE5} > Default_PK cat %{SOURCE5} > Default_KEK cat %{SOURCE6} > Default_DB chmod 755 %{SOURCE12} %{SOURCE12} dbxupdate.bin Default_DBX build_with_keys ms rm -f 
Default_DBX # OVMF with openSUSE keys openssl x509 -in %{SOURCE7} -outform DER > Default_PK openssl x509 -in %{SOURCE7} -outform DER > Default_KEK openssl x509 -in %{SOURCE8} -outform DER > Default_DB build_with_keys opensuse # OVMF with openSUSE keys (4096 bit CA) openssl x509 -in %{SOURCE9} -outform DER > Default_PK openssl x509 -in %{SOURCE9} -outform DER > Default_KEK openssl x509 -in %{SOURCE10} -outform DER > Default_DB build_with_keys opensuse-4096 if [ -e %{_sourcedir}/_projectcert.crt ]; then prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) opensusesubject=$(openssl x509 -in %{SOURCE7} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash) if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_PK openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_KEK openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB build_with_keys devel fi fi %else %ifarch aarch64 cp Build/ArmVirtualizationQemu-AARCH64/RELEASE_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin %else %ifarch %arm cp Build/ArmVirtualizationQemu-ARM/RELEASE_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin %endif #arm %endif #aarch64 %endif #x86_64 %endif #ix86 %install rm -rf %{buildroot} cp %{SOURCE2} README tr -d '\r' < FatBinPkg/License.txt > License-fat-driver.txt %ifarch %ix86 tr -d '\r' < OvmfPkg/License.txt > License.txt install -m 0644 -D ovmf-ia32.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32.bin install -m 0644 -D ovmf-ia32-code.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32-code.bin install -m 0644 -D ovmf-ia32-vars.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32-vars.bin %else %ifarch x86_64 tr -d '\r' < OvmfPkg/License.txt > License.txt install -m 0644 -D ovmf-x86_64.bin %{buildroot}/%{_datadir}/qemu/ovmf-x86_64.bin install -m 0644 ovmf-x86_64-*.bin %{buildroot}/%{_datadir}/qemu/ # Install debug symbols, gdb-uefi.py 
install -d %{buildroot}/%{_datadir}/ovmf-x86_64/ install -m 0644 gdb_uefi-*.py %{buildroot}/%{_datadir}/ovmf-x86_64/ mkdir -p %{buildroot}/usr/lib/debug mv debug/ovmf-x86_64* %{buildroot}/usr/lib/debug %fdupes %{buildroot}/usr/lib/debug/ovmf-x86_64* mkdir -p %{buildroot}/usr/src/debug mv source/ovmf-x86_64* %{buildroot}/usr/src/debug %fdupes -s %{buildroot}/usr/src/debug/ovmf-x86_64 %else %ifarch aarch64 tr -d '\r' < ArmPlatformPkg/License.txt > License.txt install -m 0644 -D qemu-uefi-aarch64.bin %{buildroot}/%{_datadir}/qemu/qemu-uefi-aarch64.bin %else %ifarch %arm tr -d '\r' < ArmPlatformPkg/License.txt > License.txt install -m 0644 -D qemu-uefi-aarch32.bin %{buildroot}/%{_datadir}/qemu/qemu-uefi-aarch32.bin %endif #arm %endif #aarch64 %endif #x86_64 %endif #ix86 %files %defattr(-,root,root,-) %doc README %ifarch %ix86 %files -n qemu-ovmf-ia32 %defattr(-,root,root,-) %doc License.txt License-fat-driver.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/ovmf-ia32*.bin %endif %ifarch x86_64 %files -n qemu-ovmf-x86_64 %defattr(-,root,root,-) %doc License.txt License-fat-driver.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/ovmf-x86_64*.bin %files -n qemu-ovmf-x86_64-debug %defattr(-,root,root,-) %{_datadir}/ovmf-x86_64/ %dir /usr/lib/debug/ /usr/lib/debug/ovmf-x86_64* %dir /usr/src/debug/ /usr/src/debug/ovmf-x86_64* %endif %ifarch aarch64 %files -n qemu-uefi-aarch64 %defattr(-,root,root,-) %doc License.txt License-fat-driver.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/qemu-uefi-aarch64.bin %endif %ifarch %arm %files -n qemu-uefi-aarch32 %defattr(-,root,root,-) %doc License.txt License-fat-driver.txt %dir %{_datadir}/qemu/ %{_datadir}/qemu/qemu-uefi-aarch32.bin %endif %changelog ++++++ README ++++++ Running the OVMF image in qemu ============================== There are two flavors of the OVMF efi images: the 64 bit and 32 bit one. 
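Review bot: In the x86_64 part of `%build`, the revocation list from `Source11` (a plain `http://www.uefi.org/...dbxupdate.zip` URL) is unpacked with `unzip %{SOURCE11}` and run through `strip_authinfo.pl` straight into `Default_DBX`, and no integrity check on it is visible anywhere in the spec, unlike the openssl tarball, which at least ships a `.asc` and `openssl.keyring`. According to the changelog the script removes the AuthInfo headers, so the only signature the file carries is discarded before the data is embedded in the firmware; the build should verify that signature first, or at minimum pin a digest before the strip step, e.g. `echo "<EXPECTED_SHA256>  dbxupdate.bin" | sha256sum -c -`. Separately, `rm -f Default_DBX` after `build_with_keys ms` means the suse, opensuse, opensuse-4096 and devel images are built with no dbx at all; if that is intended, a comment such as `# dbx is only embedded in the MS flavor; other flavors ship an empty revocation list` next to it would make the choice explicit.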
For the 64 bit image, use the following command: qemu-system-x86_64 -bios /usr/share/qemu/ovmf-x86_64.bin For 32 bit: qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin The rom will boot up to an EFI shell. If you add standard things like a USB drive, you can also run efi executables. To enrol the platform and key exchange keys, exit the efi shell, select 'Device Manager' then 'Secure Boot Configuration' and change the secure boot mode from "Standard Mode" to "Custom Mode". This will cause an extra "Custom Secure Boot Options" menu to appear from which you can enrol the Platform and Key Exchange keys (these need to be present on external media, like a USB key). Note that enroling the KEK will require you to specify a GUID. The GUID is used only to identify the keys later (it's essentially the globally unique label for the key). If you only enrol one KEK, you can ignore this and it will end up with a GUID of all zeros. Flash Mode ---------- For version >= r14840, OVMF supports the qemu flash mode. The non-volatile variables were originally stored in NvVars, a file in the ESP. With the flash mode support, all changes will be saved in the firmware file directly. Here is the example to use OVMF in the flash mode: qemu-system-x86_64 -pflash ovmf-x86_64.bin Please make sure the firmware is writable before using the flash mode, or all your changes won't be saved. Starting from r15670, two extra firmware files are provided for the flash mode: ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be stored in ovmf-*-vars.bin. Example: qemu-system-x86_64 -pflash ovmf-x86_64-code.bin -pflash ovmf-x86_64-vars.bin It would be easier to manage the NV variables with the separated vars firmware. Image with preloaded keys ------------------------- Besides the generic OVMF images, there are images preloaded with different vendor keys. 
ovmf-x86_64-ms.bin - PK: Microsoft Corporation KEK CA 2011 - KEK: Microsoft Corporation KEK CA 2011 - db: Microsoft Corporation UEFI CA 2011 ovmf-x86_64-opensuse.bin - PK: openSUSE Secure Boot CA - KEK: openSUSE Secure Boot CA - db: openSUSE Secure Boot Signkey ovmf-x86_64-suse.bin - PK: SUSE Linux Enterprise Secure Boot CA - KEK: SUSE Linux Enterprise Secure Boot CA - db: SUSE Linux Enterprise Secure Boot Signkey Note that the preloaded key images are all 64 bit because openSUSE/SLE and Windows only support Secure Boot in 64 bit mode. Creating Platform and Key Exchange keys ======================================= A note about terminology. In UEFI terms, "key" means certificate (not the openssl key). UEFI keys are required to be based on RSA 2048 bit keys. The Platform key and Key Exchange Keys should be the equivalent of CA root certificates (i.e. a self signed certificate). Note that in current tianocore OVMF, the input certificates, if taken from external media, *must* be in a file with a .cer extension and in DER format. The platform key is the key which controls updates to the Key Exchange Key database. The Key Exchange Key controls updates to the signature databases. Note that if the Key Exchange Key is an X509 key, any key which has the KEK as its root signature can also be used to validate an efi binary without need for any entries in the signatures database. Create Platform Key (PK) ------------------------ openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <length> Note that the Key is PK.crt (PK.key is the private key you use to sign other certificates) Now convert to DER format openssl x509 -in PK.crt -out PK.cer -outform DER The file PK.cer can be placed on a USB key for enrolling as the platform key. Create Key Exchange Key (KEK) ----------------------------- This is done exactly as the Platform key above, except call the file KEK.cer instead. 
Note, for expermentation purposes, there's no reason the KEK and the PK can't be the same certificate. Creating derived keys from the KEK ---------------------------------- This process can be used to create subordinate keys which can be used to sign efi binaries (since their roots can be traced back to the KEK). openssl req -new -newkey rsa:2048 -keyout new.key -out new.csr -days <length> Now sign the certificate request with the KEK: openssl x509 -req -in new.csr -CA KEK.crt -CAkey KEK.key -set_serial 1 -out new.crt Note that since the new key doesn't have to be enrolled in the platform because its root of trust can be traced back to the KEK, there's no need to create a DER form of the key (the sbsign utilites used to sign efi binaries take the key.crt file which is in PEM form). Running the UEFI ARM image in qemu ================================== There are two flavors of the UEFI ARM images: AArch32 and AArch64. For the AArch64 image, use the following command: qemu-system-aarch64 -m 1024 -M virt -cpu cortex-a57 -bios /usr/share/qemu/qemu-uefi-aarch64.bin -serial stdio For AArch32: qemu-system-arm -m 1024 -M virt -cpu cortex-a15 -bios /usr/share/qemu/qemu-uefi-aarch32.bin -serial stdio ++++++ SLES-UEFI-CA-Certificate-2048.crt ++++++ -----BEGIN CERTIFICATE----- MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE 
WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 rvc1p6G0YWtO -----END CERTIFICATE----- ++++++ SLES-UEFI-SIGN-Certificate-2048.crt ++++++ -----BEGIN CERTIFICATE----- MIIE/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk QHN1c2UuZGUwHhcNMTMwNDE4MTQzNDM0WhcNMjMwMjI1MTQzNDM0WjCBqzEyMDAG A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5 HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t 
og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ KoZIhvcNAQELBQADggEBAFEYo0sWgMCODHZEHWcoltp5RMcVj2DAYfw2NePbPqxW AmIgpMU0yG01JPbwJZu6dcuNeYoytgfDrSRLuloKm0JR8oR3+G7/oxbKQCxtMubB Qdflq7PIz73b/JSGiV5Pi77f9oAHijgnKEZrz4obs6sFp2gvuMvJ4w9jteCaofpq IDNhu7i2KFx4rC6FYF/p6V9xnVwOnZS1G56cJALfP/7kOD4k3TVSMiE2FCS3wLwR RI7VE0I/3oJHsi8CR++CT1BI02PI+EWgRcuW8jOzJ3+tYa77HCKpXNyIi7/L5QAK N5ZinPyv68tae+GHkL5U2FxLY365gABSXqXUA9mTquU= -----END CERTIFICATE----- ++++++ _service ++++++ <services> <service name="tar_scm" mode="disabled"> <param name="filename">ovmf</param> <param name="versionformat">0.1+svn%r</param> <param name="url">https://svn.code.sf.net/p/edk2/code/trunk/edk2</param> <param name="scm">svn</param> </service> <service name="recompress" mode="disabled"> <param name="compression">xz</param> <param name="file">*.tar</param> </service> <service name="set_version" mode="disabled"/> </services> ++++++ gdb_uefi.py.in ++++++ """ Allows loading TianoCore symbols into a GDB session attached to EFI Firmware. This is how it works: build GdbSyms - it's a dummy binary that contains the relevant symbols needed to find and load image symbols. $ gdb (gdb) taget remote .... (gdb) source Scripts/gdb_uefi.py (gdb) reload-uefi -o /path/to/GdbSyms.dll The -o option should be used if you've debugging EFI, where the PE images were converted from MACH-O or ELF binaries. 
""" import array import getopt import binascii import re __license__ = "BSD" __version = "1.0.0" __maintainer__ = "Andrei Warkentin" __email__ = "andrey.warkentin@gmail.com" __status__ = "Works" # FOR RPM PACKAGE replace the strings in the spec file build_path="__BUILD_PATH__" source_path="__SOURCE_PATH__" gdb_src_path="__GDB_SRC_PATH__" flavor="__FLAVOR__" class ReloadUefi (gdb.Command): """Reload UEFI symbols""" # # Various constants. # EINVAL = 0xffffffff CV_NB10 = 0x3031424E CV_RSDS = 0x53445352 CV_MTOC = 0x434F544D DOS_MAGIC = 0x5A4D PE32PLUS_MAGIC = 0x20b EST_SIGNATURE = 0x5453595320494249L DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764, [0xB7,0xA2,0x7A,0xFE, 0xFE,0xD9,0x5E, 0x8B]] DEBUG_IS_UPDATING = 0x1 # # If the images were built as ELF/MACH-O and then converted to PE, # then the base address needs to be offset by PE headers. # offset_by_headers = False def __init__ (self): super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE) # # Returns gdb.Type for a type. # def type (self, typename): return gdb.lookup_type (typename) # # Returns gdb.Type for a pointer to a type. # def ptype (self, typename): return gdb.lookup_type (typename).pointer () # # Computes CRC32 on an array of data. # def crc32 (self, data): return binascii.crc32 (data) & 0xFFFFFFFF # # Sets a field in a struct to a value, i.e. # value->field_name = data. # # Newer Py bindings to Gdb provide access to the inferior # memory, but not all, so have to do it this awkward way. # def set_field (self, value, field_name, data): gdb.execute ("set *(%s *) 0x%x = 0x%x" % \ (str (value[field_name].type), \ long (value[field_name].address), \ data)) # # Returns data backing a gdb.Value as an array. # Same comment as above regarding newer Py bindings... 
# def value_data (self, value, bytes=0): value_address = gdb.Value (value.address) array_t = self.ptype ('UINT8') value_array = value_address.cast (array_t) if bytes == 0: bytes = value.type.sizeof data = array.array ('B') for i in range (0, bytes): data.append (value_array[i]) return data # # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4. # Returns base address or -1. # def search_est (self): address = 0 estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER') while True: estp = gdb.Value(address).cast(estp_t) if estp['Signature'] == self.EST_SIGNATURE: oldcrc = long (estp['Crc32']) self.set_field (estp, 'Crc32', 0) newcrc = self.crc32 (self.value_data (estp.dereference (), 0)) self.set_field (estp, 'Crc32', long (oldcrc)) if newcrc == oldcrc: return estp['EfiSystemTableBase'] address = address + 4*1024*1024 if long (address) == 0: return gdb.Value(self.EINVAL) # # Searches for a vendor-specific configuration table (in EST), # given a vendor-specific table GUID. GUID is a list like - # [32-bit, 16-bit, 16-bit, [8 bytes]] # def search_config (self, cfg_table, count, guid): index = 0 while index != count: cfg_entry = cfg_table[index]['VendorGuid'] if cfg_entry['Data1'] == guid[0] and \ cfg_entry['Data2'] == guid[1] and \ cfg_entry['Data3'] == guid[2] and \ self.value_data (cfg_entry['Data4']).tolist () == guid[3]: return cfg_table[index]['VendorTable'] index = index + 1 return gdb.Value(self.EINVAL) # # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI. # def parse_utf16 (self, value): index = 0 data = array.array ('H') while value[index] != 0: data.append (value[index]) index = index + 1 return data.tostring ().decode ('utf-16') # # Returns offset of a field within structure. Useful # for getting container of a structure. # def offsetof (self, typename, field): t = gdb.Value (0).cast (self.ptype (typename)) return long (t[field].address) # # Returns sizeof of a type. 
# def sizeof (self, typename): return self.type (typename).sizeof # # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given # an ImageBase address as a gdb.Value. # def pe_headers (self, imagebase): dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER') head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION') dosh = imagebase.cast(dosh_t) h_addr = imagebase if dosh['e_magic'] == self.DOS_MAGIC: h_addr = h_addr + dosh['e_lfanew'] return gdb.Value(h_addr).cast (head_t) # # Returns True if pe_headers refer to a PE32+ image. # def pe_is_64 (self, pe_headers): if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC: return True return False # # Returns the PE (not so) optional header. # def pe_optional (self, pe): if self.pe_is_64 (pe): return pe['Pe32Plus']['OptionalHeader'] else: return pe['Pe32']['OptionalHeader'] # # Returns the symbol file name for a PE image. # def pe_parse_debug (self, pe): opt = self.pe_optional (pe) debug_dir_entry = opt['DataDirectory'][6] dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase'] dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY')) cvp = dep.dereference ()['RVA'] + opt['ImageBase'] cvv = cvp.cast(self.ptype ('UINT32')).dereference () if cvv == self.CV_NB10: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY') elif cvv == self.CV_RSDS: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY') elif cvv == self.CV_MTOC: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY') return gdb.Value(self.EINVAL) # # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name. # This file name is then appended to list of loaded symbols. # # TBD: Support TE images. # def parse_image (self, image, syms): base = image['ImageBase'] pe = self.pe_headers (base) opt = self.pe_optional (pe) sym_name = self.pe_parse_debug (pe) # For ELF and Mach-O-derived images... 
if self.offset_by_headers: base = base + opt['SizeOfHeaders'] if sym_name != self.EINVAL: sym_name = sym_name.cast (self.ptype('CHAR8')).string () # Ignore the driver from qemu if re.search (r"\.efidrv$", sym_name): return # FOR RPM PACKAGE substitute the build path sym_name = re.sub(r"^"+re.escape(build_path), "/usr/lib/debug/"+flavor, sym_name) sym_name = re.sub(r"\.dll$", ".debug", sym_name) syms.append ("add-symbol-file %s 0x%x" % \ (sym_name, long (base))) # # Parses table EFI_DEBUG_IMAGE_INFO structures, builds # a list of add-symbol-file commands, and reloads debugger # symbols. # def parse_edii (self, edii, count): index = 0 syms = [] while index != count: entry = edii[index] if entry['ImageInfoType'].dereference () == 1: entry = entry['NormalImage'] self.parse_image(entry['LoadedImageProtocolInstance'], syms) else: print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \ entry['ImageInfoType'].dereference () index = index + 1 gdb.execute ("symbol-file") print "Loading new symbols..." for sym in syms: print sym gdb.execute (sym) # # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load # image symbols. # def parse_dh (self, dh): dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER') dh = dh.cast (dh_t) print "DebugImageInfoTable @ 0x%x, 0x%x entries" \ % (long (dh['EfiDebugImageInfoTable']), dh['TableSize']) if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING: print "EfiDebugImageInfoTable update in progress, retry later" return self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize']) # # Parses EFI_SYSTEM_TABLE, in order to load image symbols. # def parse_est (self, est): est_t = self.ptype ('EFI_SYSTEM_TABLE') est = est.cast (est_t) print "Connected to %s (Rev. 
0x%x)" % \ (self.parse_utf16 (est['FirmwareVendor']), \ long (est['FirmwareRevision'])) print "ConfigurationTable @ 0x%x, 0x%x entries" \ % (long (est['ConfigurationTable']), est['NumberOfTableEntries']) dh = self.search_config(est['ConfigurationTable'], est['NumberOfTableEntries'], self.DEBUG_GUID) if dh == self.EINVAL: print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER" return self.parse_dh (dh) # # Usage information. # def usage (self): print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll" # # Handler for reload-uefi. # def invoke (self, arg, from_tty): args = arg.split(' ') try: opts, args = getopt.getopt(args, "o", ["offset-by-headers"]) except getopt.GetoptError, err: self.usage () return for opt, arg in opts: if opt == "-o": self.offset_by_headers = True if len(args) < 1: self.usage () return # FOR RPM PACKAGE substitute the path of the source code gdb.execute ("set substitute-path "+source_path+" "+gdb_src_path) gdb.execute ("symbol-file") gdb.execute ("symbol-file %s" % args[0]) est = self.search_est () if est == self.EINVAL: print "No EFI_SYSTEM_TABLE..." 
return print "EFI_SYSTEM_TABLE @ 0x%x" % est self.parse_est (est) ReloadUefi () ++++++ openSUSE-UEFI-CA-Certificate-2048.crt ++++++ -----BEGIN CERTIFICATE----- MIIEdDCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjEyMDdaFw0zNTA3MjIxNjEy MDdaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3t9hknqk/oPRfTtoDrGn8E6Sk/xHPnAt Tojcmp76M7Sm2w4jwQ2owdVlBIQE/zpIGE85MuTKTvkEnp8PzSBdYaunANil/yt/ vuhHwy9bAsi73o4a6UbThu//iJmQ6xCJuIs/PqgHxlV6btNf/IM8PRbtJsUTc5Kx cB4ilcgAbCV2RvGi2dCwmGgPpy2xDWeJypRK6hLFkVV2f2x6LvkYiZ/49CRD1TVq ywAOLu1L4l0J2BuXcJmeWm+mgaidqVh2fWlxgtO6OpZDm/DaFcZO6cgVuenLx+Rx zuoQG2vEKnABqVK0F94AUs995P0PTQMYspAo1G/Erla8NmBJRotrCwIDAQABo4H0 MIHxMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGhCYA3iLExHfpW+I9/qlRPl lxdiMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPllxdioYGHpIGEMIGB MSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUx EjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEh MB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEBMA4GA1UdDwEB/wQE AwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAiqOJwo7Z+YIL8zPO6RkXF6NlgM0zrgZR Vim2OId79J38KI6q4FMSDjpgxwbYOmF2O3cI9JSkjHxHOpnYhJsXzCBiLuJ25MY2 DSbpLlM1Cvs6NZNFw5OCwQvzCOlXH1k3qdBsafto6n87r9P3WSeO1MeWc/QMCvc+ 5K9sjMd6bwl59EEf428R+z5ssaB75JK3yvky9d7DsHN947OCXc3sYdz+DD7Gteds LV2Sc//tqmqpm2aeXjptcLAxwM7fLyEQaAyH83egMzEKDxX27jKIxZpTcc0NGqEo idC/9lasSzs2BisBxevl3HKDPZSsKIMT+8FdJ5wT9jJf9h9Ktz5Tig== -----END CERTIFICATE----- ++++++ openSUSE-UEFI-CA-Certificate-4096.crt ++++++ -----BEGIN CERTIFICATE----- MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl 
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8 YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/ w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg 4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79 aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/ phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0 nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3 BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG 
A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp 4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL -----END CERTIFICATE----- ++++++ openSUSE-UEFI-SIGN-Certificate-2048.crt ++++++ -----BEGIN CERTIFICATE----- MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4 MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7 RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf 0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2 EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6 mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS 8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo 8Gu+1aY2qw6wZ+TKiiRRYjQ= -----END CERTIFICATE----- ++++++ openSUSE-UEFI-SIGN-Certificate-4096.crt ++++++ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) 
Signature Algorithm: sha256WithRSAEncryption Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org Validity Not Before: Jan 28 15:10:28 2013 GMT Not After : Dec 7 15:10:28 2022 GMT Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cb:35:e0:9c:cf:d8:f7:4b:eb:e3:94:2c:f2:11: 77:33:86:9c:28:1d:19:de:45:69:21:5e:a0:94:4a: 0b:b5:41:2e:67:01:6b:91:76:3a:85:66:2a:63:8b: 87:2b:e8:94:8a:12:6e:25:13:b0:07:3f:28:2b:76: 25:3e:29:b2:55:42:e7:3b:44:24:1d:b7:99:32:cb: 44:d2:b4:88:cb:a9:4f:a7:b3:06:be:5c:aa:ee:2b: 04:09:aa:ec:58:63:5a:c8:62:c7:d9:68:43:fb:bd: 0e:92:ff:4c:ec:02:44:bc:95:c9:9f:d1:be:21:f8: f4:b2:6d:5a:0a:d5:4d:98:65:cc:c1:8c:ef:df:f2: 9f:da:45:05:76:f9:1a:c0:8b:d5:1c:05:f2:c0:b8: 4a:b0:12:df:43:ca:d5:0b:18:46:b3:03:be:cd:a7: d7:01:80:f1:c5:ca:ee:d9:3a:1f:4a:33:7d:50:01: ab:d7:3a:48:6e:62:59:73:62:1e:38:ef:32:31:ee: 58:18:7d:59:05:8a:fb:7d:d4:0d:5e:9d:47:9b:d8: af:b6:11:9f:3c:e7:13:84:e4:00:ec:0a:97:89:22: 90:f3:14:e6:df:c1:75:07:ad:24:38:d8:e0:8f:f6: b9:c0:db:45:e3:6e:81:5c:1e:29:d0:78:ae:6c:a7: 4b:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 03:32:FA:9C:BF:0D:88:BF:21:92:4B:0D:E8:2A:09:A5:4D:5D:EF:C8 X509v3 Authority Key Identifier: keyid:99:0D:26:B7:F0:4D:D9:CE:64:E7:D1:8E:FD:68:7B:4A:5D:E2:86:A5 DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org serial:01 X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: Code Signing Signature Algorithm: sha256WithRSAEncryption ad:b9:27:89:ed:02:85:3c:c8:5d:fb:28:45:04:16:78:74:58: 49:41:55:88:a7:4c:20:77:55:53:6a:d2:72:5b:70:ba:b6:02: 4f:f2:3d:be:3f:85:52:46:bd:44:31:33:61:20:69:f1:81:7e: 30:3a:b1:5b:ea:bd:91:2a:6e:7d:1b:42:74:93:26:a8:e5:c0: 
05:29:cd:50:7d:96:5d:ef:6a:74:f4:4b:0c:26:45:d6:c7:b4: 52:df:92:67:dc:ea:cb:fb:75:4b:22:cd:27:17:7a:d8:76:0b: bb:df:da:bc:6a:24:a0:48:74:2b:3b:12:45:16:89:b2:a6:df: 8c:b9:f7:02:58:aa:c6:53:fe:32:de:16:b6:8b:8b:ff:91:35: 67:a2:59:8f:40:97:25:e6:e5:0c:cd:a8:4a:f7:aa:a8:55:42: 88:4a:23:48:11:53:02:52:d1:dc:77:c5:23:05:77:cb:5d:fa: af:b6:da:26:2e:34:cc:76:0e:4d:c0:0f:d1:de:9c:53:19:89: 2c:38:af:ef:11:e6:69:bc:0e:7e:83:24:40:7b:63:99:89:85: 1d:73:66:4e:d0:de:05:61:c2:37:91:fe:c7:6b:20:5f:4a:f2: d4:a4:c8:81:ed:4f:87:fe:a8:d1:75:bc:17:d0:f7:ef:33:1e: a4:3f:5f:6a:36:0a:4c:bf:7b:25:bd:af:1d:d5:fd:f6:0b:39: 7c:ce:75:bc:48:cb:99:c3:39:de:60:6d:72:03:a1:93:55:70: 99:ff:69:ff:8c:80:ca:d4:23:bb:ea:0d:9d:40:d5:49:b0:29: 20:09:45:98:c8:24:25:fe:da:68:eb:02:d4:25:f5:6e:e1:f2: a6:6d:d8:78:2a:ff:8c:c2:08:d4:87:bf:88:06:a0:3b:58:12: d7:2f:b3:59:2a:4b:9e:bf:5d:04:72:66:29:03:7c:45:24:04: 4d:61:5c:e5:b8:85:ea:6e:4b:d6:6c:e8:b8:a1:1a:92:92:7d: fa:90:1f:43:b2:82:f0:9a:5a:32:cd:cc:4a:e3:c7:91:e5:f6: 94:ef:1f:6a:a4:2c:b5:fa:3f:58:bf:62:e6:d6:fb:71:3a:02: e0:e4:b3:db:ba:78:5e:fc:1a:42:9b:e8:02:ec:73:34:1f:8c: 77:f6:d8:2d:6b:97:dc:b7:13:1f:bd:ab:7b:ca:cd:ea:3d:1e: d2:01:bf:f1:44:ca:df:86:13:37:42:5d:d7:f8:2e:68:e6:7f: 59:75:b8:15:fa:f8:42:45:01:5b:06:50:fc:6a:88:96:4b:3a: 8f:1d:11:b5:88:0f:3a:31:13:cb:d7:8d:94:cd:14:10:3d:9a: 46:26:8a:97:59:c0:66:95 -----BEGIN CERTIFICATE----- MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7 
RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf 0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2 EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc 6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV -----END CERTIFICATE----- ++++++ ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch ++++++
From b687cd5e037fe2710ffdc9b5dea1ce6134eededb Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Sun, 21 Sep 2014 23:12:09 +0200 Subject: [PATCH 1/9] ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index 0f064af..ce27b4d 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc @@ -91,6 +91,7 @@ gArmVirtualizationTokenSpaceGuid.PcdKludgeMapPciMmioAsCached|TRUE [PcdsFixedAtBuild.common] + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F gArmPlatformTokenSpaceGuid.PcdFirmwareVendor|"QEMU" gArmPlatformTokenSpaceGuid.PcdCoreCount|1 -- 1.8.3.1 ++++++ ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch ++++++
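Review bot: The added `gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F` line carries no comment, so the mask is opaque to the next reader. A comment naming the bits would fix that, e.g. `# DEBUG_ERROR | DEBUG_VERBOSE | DEBUG_INFO | DEBUG_FS | DEBUG_LOAD | DEBUG_WARN | DEBUG_INIT`. The line is placed in `[PcdsFixedAtBuild.common]`, so as far as this hunk shows it is not limited to one architecture or to debugging builds. Verbose firmware logs usually include addresses and device paths on the debug console, so it is worth confirming that the packaged binaries are meant to carry this level.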
From 6624a09b1ad2fac52024c403eec75076c3ff0652 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Wed, 27 Nov 2013 01:07:05 +0100 Subject: [PATCH 2/9] ArmPlatformPkg/Bds: generate ESP Image boot option if user pref is unset
From 449888b252138a33cc94bce099262ee52b55b69e Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Fri, 13 Dec 2013 22:02:37 +0100 Subject: [PATCH 3/9] ArmPlatformPkg/Bds: check for other defaults too if user
From f17f9128d2c6d838cf913bdfc37edd4a0a6d9bb3 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Sun, 21 Sep 2014 23:16:14 +0200 Subject: [PATCH 4/9] ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot
This hack is probably not upstreamable, but it should ease development: If "PcdDefaultBootDevicePath" is set to the empty string in the platform DSC file, then this patch will try to boot the file called "Image" from the ESP. This should make the UEFI binary independent of the ESP's characteristics (UUID of GPT partition, size, etc) and require disk image files only to provide a file called "Image" in the ESP. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 66 +++++++++++++++++++++++++++++---------------- ArmPlatformPkg/Bds/Bds.inf | 1 2 files changed, 44 insertions(+), 23 deletions(-) --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -20,6 +20,7 @@ #include <Protocol/Bds.h> #include <Guid/EventGroup.h> +#include <Guid/Gpt.h> #define EFI_SET_TIMER_TO_SECOND 10000000 
@@ -238,34 +239,53 @@ DefineDefaultBootEntries ( Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL); if (Status == EFI_NOT_FOUND) { if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) { - return EFI_UNSUPPORTED; - } + UINTN NrHandles; + EFI_HANDLE *Handles; - Status = gBS->LocateProtocol (&gEfiDevicePathFromTextProtocolGuid, NULL, (VOID **)&EfiDevicePathFromTextProtocol); - if (EFI_ERROR(Status)) { - // You must provide an implementation of DevicePathFromTextProtocol in your firmware (eg: DevicePathDxe) - DEBUG((EFI_D_ERROR,"Error: Bds requires DevicePathFromTextProtocol\n")); - return Status; - } - BootDevicePath = EfiDevicePathFromTextProtocol->ConvertTextToDevicePath ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)); + BdsConnectAllDrivers(); + Status = gBS->LocateHandleBuffer (ByProtocol, + &gEfiPartTypeSystemPartGuid, NULL /* SearchKey */, + &NrHandles, &Handles); + if (!EFI_ERROR (Status)) { + ASSERT (NrHandles > 0); + BootDevicePath = FileDevicePath (Handles[0], L"Image"); + if (BootDevicePath == NULL) { + Status = EFI_OUT_OF_RESOURCES; + } + FreePool (Handles); + } + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n", + Status)); + return Status; + } + } else { + Status = gBS->LocateProtocol (&gEfiDevicePathFromTextProtocolGuid, NULL, (VOID **)&EfiDevicePathFromTextProtocol); + if (EFI_ERROR(Status)) { + // You must provide an implementation of DevicePathFromTextProtocol in your firmware (eg: DevicePathDxe) + DEBUG((EFI_D_ERROR,"Error: Bds requires DevicePathFromTextProtocol\n")); + return Status; + } + BootDevicePath = EfiDevicePathFromTextProtocol->ConvertTextToDevicePath ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)); - DEBUG_CODE_BEGIN(); - // We convert back to the text representation of the device Path to see if the initial text is correct - EFI_DEVICE_PATH_TO_TEXT_PROTOCOL* DevicePathToTextProtocol; - CHAR16* 
DevicePathTxt; + DEBUG_CODE_BEGIN(); + // We convert back to the text representation of the device Path to see if the initial text is correct + EFI_DEVICE_PATH_TO_TEXT_PROTOCOL* DevicePathToTextProtocol; + CHAR16* DevicePathTxt; - Status = gBS->LocateProtocol(&gEfiDevicePathToTextProtocolGuid, NULL, (VOID **)&DevicePathToTextProtocol); - ASSERT_EFI_ERROR(Status); - DevicePathTxt = DevicePathToTextProtocol->ConvertDevicePathToText (BootDevicePath, TRUE, TRUE); + Status = gBS->LocateProtocol(&gEfiDevicePathToTextProtocolGuid, NULL, (VOID **)&DevicePathToTextProtocol); + ASSERT_EFI_ERROR(Status); + DevicePathTxt = DevicePathToTextProtocol->ConvertDevicePathToText (BootDevicePath, TRUE, TRUE); - if (StrCmp ((CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt) != 0) { - DEBUG ((EFI_D_ERROR, "Device Path given: '%s' Device Path expected: '%s'\n", - (CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt)); - ASSERT_EFI_ERROR (EFI_INVALID_PARAMETER); - } + if (StrCmp ((CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt) != 0) { + DEBUG ((EFI_D_ERROR, "Device Path given: '%s' Device Path expected: '%s'\n", + (CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt)); + ASSERT_EFI_ERROR (EFI_INVALID_PARAMETER); + } - FreePool (DevicePathTxt); - DEBUG_CODE_END(); + FreePool (DevicePathTxt); + DEBUG_CODE_END(); + } // Create the entry is the Default values are correct if (BootDevicePath != NULL) { --- a/ArmPlatformPkg/Bds/Bds.inf +++ b/ArmPlatformPkg/Bds/Bds.inf @@ -53,6 +53,7 @@ gEfiEndOfDxeEventGroupGuid gEfiFileSystemInfoGuid gArmGlobalVariableGuid + gEfiPartTypeSystemPartGuid [Protocols] gEfiBdsArchProtocolGuid ++++++ ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch ++++++ pref is unset Contributed-under: TianoCore Contribution Agreement 1.0 
Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 63 +++++++++++++++++++++++++++++++++++++++++++--- ArmPlatformPkg/Bds/Bds.inf | 1 + 2 files changed, 60 insertions(+), 4 deletions(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index 276a7c0..b376433 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -18,6 +18,7 @@ #include <Library/PerformanceLib.h> #include <Protocol/Bds.h> +#include <Protocol/SimpleFileSystem.h> #include <Guid/EventGroup.h> #include <Guid/Gpt.h> @@ -211,6 +212,63 @@ InitializeConsole ( return EFI_SUCCESS; } +STATIC +EFI_STATUS +FindCandidate ( + IN EFI_HANDLE Handle, + OUT EFI_DEVICE_PATH **Candidate + ) +{ + EFI_STATUS Status; + EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem; + EFI_FILE_PROTOCOL *RootDir; + CONST CHAR16 *CONST *FileName; + CONST CHAR16 *CONST Candidates[] = { + EFI_REMOVABLE_MEDIA_FILE_NAME, + L"\\Image", + L"\\EFI\\redhat\\grubaa64.efi", + L"\\EFI\\fedora\\grubaa64.efi", + NULL + }; + + Status = gBS->HandleProtocol (Handle, &gEfiSimpleFileSystemProtocolGuid, + (VOID **) &FileSystem); + if (EFI_ERROR (Status)) { + return Status; + } + Status = FileSystem->OpenVolume (FileSystem, &RootDir); + if (EFI_ERROR (Status)) { + return Status; + } + + for (FileName = Candidates; *FileName != NULL; ++FileName) { + EFI_FILE_PROTOCOL *File; + + Status = RootDir->Open (RootDir, &File, (CHAR16 *) *FileName, + EFI_FILE_MODE_READ, 0); + if (!EFI_ERROR (Status)) { + File->Close (File); + break; + } + } + if (*FileName == NULL) { + Status = EFI_NOT_FOUND; + goto CloseRoot; + } + + *Candidate = FileDevicePath (Handle, *FileName); + if (*Candidate == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto CloseRoot; + } + + DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__, *FileName)); + +CloseRoot: + RootDir->Close (RootDir); + return Status; +} + EFI_STATUS DefineDefaultBootEntries ( VOID 
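Review bot: The new FindCandidate() has no header comment, although the order of `Candidates[]` is what decides which file becomes the default boot option. A function header should state that the names are tried in array order on the root directory of `Handle`, that the first one that opens wins, and that the function returns EFI_NOT_FOUND or EFI_OUT_OF_RESOURCES on failure. The comment should also record that a name counts as found as soon as `RootDir->Open()` succeeds with `EFI_FILE_MODE_READ`; the loop does not check that the entry is a regular file or a loadable image. A one-line note above the array, such as `// Probe order matters: the first name that opens becomes the default boot option`, would cover the ordering.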
@@ -248,10 +306,7 @@ DefineDefaultBootEntries ( &NrHandles, &Handles); if (!EFI_ERROR (Status)) { ASSERT (NrHandles > 0); - BootDevicePath = FileDevicePath (Handles[0], L"Image"); - if (BootDevicePath == NULL) { - Status = EFI_OUT_OF_RESOURCES; - } + Status = FindCandidate (Handles[0], &BootDevicePath); FreePool (Handles); } if (EFI_ERROR (Status)) { diff --git a/ArmPlatformPkg/Bds/Bds.inf b/ArmPlatformPkg/Bds/Bds.inf index 78df86f..2d23f13 100644 --- a/ArmPlatformPkg/Bds/Bds.inf +++ b/ArmPlatformPkg/Bds/Bds.inf @@ -66,6 +66,7 @@ gEfiFirmwareVolumeBlock2ProtocolGuid gEfiDhcp4ServiceBindingProtocolGuid gEfiMtftp4ServiceBindingProtocolGuid + gEfiSimpleFileSystemProtocolGuid [Pcd] gArmPlatformTokenSpaceGuid.PcdFirmwareVendor -- 1.8.3.1 ++++++ ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch ++++++ path Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index ce27b4d..068c732 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc 
@@ -123,9 +123,9 @@ # # ARM OS Loader # - gArmPlatformTokenSpaceGuid.PcdDefaultBootDescription|L"Linux (EFI stub) on virtio31:hd0:part0" - gArmPlatformTokenSpaceGuid.PcdDefaultBootDevicePath|L"VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x19FC0)/Image" - gArmPlatformTokenSpaceGuid.PcdDefaultBootArgument|"root=/dev/vda2 console=ttyAMA0 earlycon uefi_debug" + gArmPlatformTokenSpaceGuid.PcdDefaultBootDescription|L"Linux from first ESP" + gArmPlatformTokenSpaceGuid.PcdDefaultBootDevicePath|L"" + gArmPlatformTokenSpaceGuid.PcdDefaultBootArgument|"" gArmPlatformTokenSpaceGuid.PcdDefaultBootType|0 # -- 1.8.3.1 ++++++ ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch ++++++
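Review bot: Setting `PcdDefaultBootDevicePath|L""` silently turns on the auto-detection path in Bds, and nothing under `# ARM OS Loader` says so. A comment such as `# Empty path: Bds probes the attached file systems for a loader (see DefineDefaultBootEntries)` would make the behaviour visible in the platform file. The description `L"Linux from first ESP"` also no longer matches what the other patches in this series do: FindCandidate() tries `EFI_REMOVABLE_MEDIA_FILE_NAME` and GRUB paths as well as `\Image`, and a later patch extends the search to every file system. Because this string is what an operator sees for the entry, a neutral label such as `L"Auto-detected boot loader"` would be more accurate.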
From e1b259925c0c4be3d26042b8e298ccb4b4ab9071 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Fri, 17 Oct 2014 01:06:38 +0200 Subject: [PATCH 5/9] ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before connecting terminals
In the following call tree: BdsEntry() DefineDefaultBootEntries() BdsConnectAllDrivers() InitializeConsole() set ConIn/ConOut/ErrOut BdsConnectAllDrivers() connects SerialDxe -> TerminalDxe -> ConPlatformDxe -> ConSplitterDxe before InitializeConsole has a chance to set ConIn / ConOut / ErrOut. This causes ConPlatformDxe, at very first boot, to filter out TerminalDxe's STI and STO from the set that ConSplitterDxe multiplexes, leaving the system without a terminal console. Reorder InitializeConsole() with DefineDefaultBootEntries(), so that the variables be always set when DefineDefaultBootEntries() calls BdsConnectAllDrivers(). Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index b376433..a0ca7c4 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -616,9 +616,6 @@ BdsEntry ( 0, NULL); } - // If Boot Order does not exist then create a default entry - DefineDefaultBootEntries (); - // Now we need to setup the EFI System Table with information about the console devices. InitializeConsole (); @@ -629,6 +626,9 @@ BdsEntry ( Status = gBS->CalculateCrc32 ((VOID*)gST, gST->Hdr.HeaderSize, &gST->Hdr.CRC32); ASSERT_EFI_ERROR (Status); + // If Boot Order does not exist then create a default entry + DefineDefaultBootEntries (); + // Timer before initiating the default boot selection StartDefaultBootOnTimeout (); -- 1.8.3.1 ++++++ ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch ++++++
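Review bot: The moved call keeps its old comment, `// If Boot Order does not exist then create a default entry`, which says nothing about the ordering constraint this commit exists to enforce. Without that, a later cleanup could move DefineDefaultBootEntries() back above InitializeConsole() and reintroduce the missing terminal console. I would extend the comment to something like `// Must follow InitializeConsole(): this may call BdsConnectAllDrivers(), which needs ConIn/ConOut/ErrOut already set`. BdsEntry() starts and ends outside the hunks shown.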
From 6b23210afb7379b6db21a9e398cb11f23f4e04cf Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Thu, 13 Nov 2014 15:18:41 +0100 Subject: [PATCH 6/9] ArmPlatformPkg/Bds: let FindCandidate() search all filesystems
Thus far FindCandidate() has looked only at the EFI System Partition that was found first. Let's scan all handles with the ESP protocol instead, and if we still can't find a boot option candidate, go through all FAT filesystems as well. (The latter set will probably include the former set, but that's no problem.) This is motivated by the fact that PartitionDxe doesn't install the ESP protocol for ElTorito (ie. CD-ROM) boot images, therefore FindCandidate() was unable to find any candidates on CD-ROMs. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 51 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index a0ca7c4..6f70483 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -214,7 +214,7 @@ InitializeConsole ( STATIC EFI_STATUS -FindCandidate ( +FindCandidateOnHandle ( IN EFI_HANDLE Handle, OUT EFI_DEVICE_PATH **Candidate ) @@ -269,6 +269,43 @@ CloseRoot: return Status; } + +STATIC +EFI_STATUS +FindCandidate ( + OUT EFI_DEVICE_PATH **Candidate + ) +{ + EFI_STATUS Status; + EFI_GUID * CONST *FilterGuid; + STATIC EFI_GUID * CONST FilterGuids[] = { &gEfiPartTypeSystemPartGuid, + &gEfiSimpleFileSystemProtocolGuid, NULL }; + + Status = EFI_NOT_FOUND; + FilterGuid = FilterGuids; + while (EFI_ERROR (Status) && *FilterGuid != NULL) { + UINTN NrHandles; + EFI_HANDLE *Handles; + + Status = gBS->LocateHandleBuffer (ByProtocol, *FilterGuid, + NULL /* SearchKey */, &NrHandles, &Handles); + if (!EFI_ERROR (Status)) { + UINTN Idx; + + Status = EFI_NOT_FOUND; + Idx = 0; + while (EFI_ERROR (Status) && Idx < NrHandles) { + Status = FindCandidateOnHandle (Handles[Idx], Candidate); + ++Idx; + } + FreePool (Handles); + } + ++FilterGuid; + } + return Status; +} + + EFI_STATUS DefineDefaultBootEntries ( VOID 
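Review bot: The second entry in `FilterGuids[]`, `&gEfiSimpleFileSystemProtocolGuid`, widens the search so that any attached volume holding one of the candidate names can supply the default boot option, and the new FindCandidate() has no comment that says so. A function header should describe the two passes (ESP handles first, then every file system handle), that the first hit in handle order wins, and that the Status of the last failed probe is returned when nothing matches. An inline note on the array such as `// Pass 2 covers media without the ESP GUID, e.g. El Torito boot images` would record the reason given in the commit message. Whether the selected image is authenticated depends on verification at load time, which these hunks do not show, so the comment should state that assumption for Secure Boot builds.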
@@ -297,18 +334,8 @@ DefineDefaultBootEntries ( Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL); if (Status == EFI_NOT_FOUND) { if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) { - UINTN NrHandles; - EFI_HANDLE *Handles; - BdsConnectAllDrivers(); - Status = gBS->LocateHandleBuffer (ByProtocol, - &gEfiPartTypeSystemPartGuid, NULL /* SearchKey */, - &NrHandles, &Handles); - if (!EFI_ERROR (Status)) { - ASSERT (NrHandles > 0); - Status = FindCandidate (Handles[0], &BootDevicePath); - FreePool (Handles); - } + Status = FindCandidate (&BootDevicePath); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n", Status)); -- 1.8.3.1 ++++++ ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch ++++++
From 20938b307851edd71ec3ba16ae1d221e22686f76 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Thu, 13 Nov 2014 15:18:42 +0100 Subject: [PATCH 7/9] ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full device path
Since we scan several handles / devices now, log the full device path when we find the candidate. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 10 +++++++++- ArmPlatformPkg/Bds/Bds.inf | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index 6f70483..545cc24 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -16,6 +16,7 @@ #include <Library/PcdLib.h> #include <Library/PerformanceLib.h> +#include <Library/DevicePathLib.h> #include <Protocol/Bds.h> #include <Protocol/SimpleFileSystem.h> @@ -230,6 +231,7 @@ FindCandidateOnHandle ( L"\\EFI\\fedora\\grubaa64.efi", NULL }; + CHAR16 *DevicePathString; Status = gBS->HandleProtocol (Handle, &gEfiSimpleFileSystemProtocolGuid, (VOID **) &FileSystem); @@ -262,7 +264,13 @@ FindCandidateOnHandle ( goto CloseRoot; } - DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__, *FileName)); + DevicePathString = ConvertDevicePathToText (*Candidate, + FALSE /* DisplayOnly */, FALSE /* AllowShortcuts */); + DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__, + DevicePathString == NULL ? *FileName : DevicePathString)); + if (DevicePathString != NULL) { + FreePool (DevicePathString); + } CloseRoot: RootDir->Close (RootDir); diff --git a/ArmPlatformPkg/Bds/Bds.inf b/ArmPlatformPkg/Bds/Bds.inf index 2d23f13..6f6e31c 100644 --- a/ArmPlatformPkg/Bds/Bds.inf +++ b/ArmPlatformPkg/Bds/Bds.inf @@ -48,6 +48,7 @@ PrintLib BaseLib NetLib + DevicePathLib [Guids] gEfiEndOfDxeEventGroupGuid -- 1.8.3.1 ++++++ ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch ++++++
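Review bot: `ConvertDevicePathToText()` in the last Bds.c hunk runs unconditionally although only the `DEBUG` statement consumes its result, so a build where the DEBUG macro produces no output still allocates and frees the string on every match. Placing the conversion, the `DEBUG` call and the `FreePool` between `DEBUG_CODE_BEGIN ();` and `DEBUG_CODE_END ();` ties the work to the logging. The fallback to `*FileName` when the conversion returns NULL is reasonable and worth a one-line comment such as `// conversion failed: log the loader path only`. The enclosing function starts and ends outside the hunk.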
From 93e312a3ac46bbc97b89974bd1b4ea3bc0ae4382 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Fri, 21 Nov 2014 02:52:56 +0100 Subject: [PATCH 8/9] ArmPlatformPkg/Bds: fall back to Boot Menu when no default option was found
The StartDefaultBootOnTimeout() function assumes that its predecessor DefineDefaultBootEntries() sets up at least one default boot option, unconditionally (even if that boot option can't actually be booted later). With our FindCandidate() logic in place, this is no longer guaranteed. If FindCandidate() fails, then StartDefaultBootOnTimeout() may dereference the uninitialized BootOrder pointer. Prevent this by checking the return value of GetGlobalEnvironmentVariable(L"BootOrder"). And, if it's not found, don't even start the countdown, just go straight to the boot menu. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index 545cc24..31bcee0 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -475,6 +475,15 @@ StartDefaultBootOnTimeout ( EFI_STATUS Status; EFI_INPUT_KEY Key; + Status = GetGlobalEnvironmentVariable (L"BootOrder", NULL, &BootOrderSize, + (VOID**)&BootOrder); + if (EFI_ERROR (Status)) { + // + // proceed to Boot Menu immediately + // + return Status; + } + Size = sizeof(UINT16); Timeout = (UINT16)PcdGet16 (PcdPlatformBootTimeOut); Status = GetGlobalEnvironmentVariable (L"Timeout", &Timeout, &Size, (VOID**)&TimeoutPtr); @@ -511,9 +520,6 @@ StartDefaultBootOnTimeout ( // In case of Timeout we start the default boot selection if (Timeout == 0) { - // Get the Boot Option Order from the environment variable (a default value should have been created) - GetGlobalEnvironmentVariable (L"BootOrder", NULL, &BootOrderSize, (VOID**)&BootOrder); - for (Index = 0; Index < BootOrderSize / sizeof (UINT16); Index++) { UnicodeSPrint (BootVariableName, 9 * sizeof(CHAR16), L"Boot%04X", BootOrder[Index]); Status = BdsStartBootOption (BootVariableName); 
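Review bot: The new early return in `StartDefaultBootOnTimeout()` is silent, so the firmware log gives no hint why the countdown was skipped; a line such as `DEBUG ((EFI_D_WARN, "%a: BootOrder not available: %r\n", __FUNCTION__, Status));` before `return Status;` would match the error logging in `DefineDefaultBootEntries()`. The function now returns an error status on this path while its normal exit is still `return EFI_SUCCESS`, and the function comment should say what the caller, which is not shown, is expected to do with that value. With `FreePool (BootOrder)` moved to the single exit in the last hunk, any `return` in the lines between the hunks would leak the buffer, which is worth checking against the full function.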
@@ -523,9 +529,10 @@ StartDefaultBootOnTimeout ( } // In case of success, we should not return from this call. } - FreePool (BootOrder); } } + + FreePool (BootOrder); return EFI_SUCCESS; } -- 1.8.3.1 ++++++ ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch ++++++
From c1a637498f7d0992004af328f3bf81731dcfe92e Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek@redhat.com> Date: Fri, 21 Nov 2014 03:40:53 +0100 Subject: [PATCH 9/9] ArmPlatformPkg/Bds: always connect drivers before looking at boot options
A long standing issue in ARM BDS has been that it can attempt to load a preexistent, absolute devpath option without first connecting the necessary drivers and devices, fail, and drop to the boot menu. Connect drivers and devices unconditionally, before we look at anything boot option related. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- ArmPlatformPkg/Bds/Bds.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c index 31bcee0..771bf11 100644 --- a/ArmPlatformPkg/Bds/Bds.c +++ b/ArmPlatformPkg/Bds/Bds.c @@ -342,7 +342,6 @@ DefineDefaultBootEntries ( Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL); if (Status == EFI_NOT_FOUND) { if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) { - BdsConnectAllDrivers(); Status = FindCandidate (&BootDevicePath); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n", @@ -668,6 +667,8 @@ BdsEntry ( Status = gBS->CalculateCrc32 ((VOID*)gST, gST->Hdr.HeaderSize, &gST->Hdr.CRC32); ASSERT_EFI_ERROR (Status); + BdsConnectAllDrivers(); + // If Boot Order does not exist then create a default entry DefineDefaultBootEntries (); -- 1.8.3.1 ++++++ ovmf-0010-avoid-potentially-uninitialized-variable.diff ++++++
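Review bot: The `BdsConnectAllDrivers()` call added to `BdsEntry()` has no comment explaining why it must precede `DefineDefaultBootEntries ()`, and the reason only exists in the commit message. Something like `// Connect all drivers up front: a stored absolute device-path boot option cannot be loaded unless its drivers are already bound.` above the call would keep a later boot-time optimisation from moving it back. The call now runs on every boot rather than only when BootOrder is missing, so every bound driver is started even when the stored option needs a single device; that cost is worth noting in the same comment. `BdsEntry()` extends beyond the hunk.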
From 6b3d00f41e511c9e626ab6269c929d0f4f585cf5 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel@suse.de> Date: Fri, 6 Feb 2015 10:34:30 +0100 Subject: [PATCH 10/10] avoid potentially uninitialized variable
---
 ArmPlatformPkg/Bds/Bds.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 771bf11..6fa0dd0 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -323,7 +323,7 @@ DefineDefaultBootEntries (
 UINTN Size;
 EFI_STATUS Status;
 EFI_DEVICE_PATH_FROM_TEXT_PROTOCOL* EfiDevicePathFromTextProtocol;
- EFI_DEVICE_PATH* BootDevicePath;
+ EFI_DEVICE_PATH* BootDevicePath = NULL;
 UINT8* OptionalData;
 UINTN OptionalDataSize;
 ARM_BDS_LOADER_ARGUMENTS* BootArguments;
--
2.2.2
++++++ ovmf-embed-default-keys.patch ++++++
From 718b2183d898df8ca9becb2e5945cdb53c4fd310 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 10 May 2013 10:27:51 +0800 Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++ .../VariableAuthenticated/RuntimeDxe/Default_DB.h | 2 + .../VariableAuthenticated/RuntimeDxe/Default_KEK.h | 2 + .../VariableAuthenticated/RuntimeDxe/Default_PK.h | 2 + .../RuntimeDxe/VariableRuntimeDxe.inf | 3 + 5 files changed, 182 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 1e9e190..03c8e26 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -32,6 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "Variable.h" #include "AuthService.h" +#include "Default_PK.h" +#include "Default_KEK.h" +#include "Default_DB.h" /// /// Global database array for scratch @@ -145,6 +148,11 @@ AutenticatedVariableServiceInitialize ( UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; + EFI_SIGNATURE_LIST *SigCert; + EFI_SIGNATURE_DATA *SigCertData; + UINTN SigSize; + EFI_GUID *SignatureGUID; + UINT32 Attr; // // Initialize hash context. 
@@ -155,6 +163,171 @@ AutenticatedVariableServiceInitialize ( return EFI_OUT_OF_RESOURCES; } + //**** + // Create signature list for PK KEK DB + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + // PK + if (Default_PK == NULL) + goto SKIP_KEYS; + + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len); + + Status = FindVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + &Variable, + &mVariableModuleGlobal->VariableGlobal, + FALSE + ); + if (Variable.CurrPtr == NULL) { + Status = UpdateVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + + FreePool(SignatureGUID); + FreePool(Data); + + // KEK + if (Default_KEK == NULL) + goto SKIP_KEYS; + + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = 
(EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len); + + Status = FindVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + &Variable, + &mVariableModuleGlobal->VariableGlobal, + FALSE + ); + if (Variable.CurrPtr == NULL) { + Status = UpdateVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + + FreePool(SignatureGUID); + FreePool(Data); + + // DB + if (Default_DB == NULL) + goto SKIP_KEYS; + + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + + Status = FindVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + &Variable, + &mVariableModuleGlobal->VariableGlobal, + FALSE + ); + if (Variable.CurrPtr == NULL) { + 
Status = UpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + Data, + SigSize, + Attr, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + + FreePool(SignatureGUID); + FreePool(Data); + +SKIP_KEYS: + //**** + // // Reserve runtime buffer for public key database. The size excludes variable header and name size. // diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h new file mode 100644 index 0000000..4d13894 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB = NULL; +unsigned int Default_DB_len = 0; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h new file mode 100644 index 0000000..80883de --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h @@ -0,0 +1,2 @@ +unsigned char *Default_KEK = NULL; +unsigned int Default_KEK_len = 0; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h new file mode 100644 index 0000000..23b90e4 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h @@ -0,0 +1,2 @@ +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf index cbf7da0..e4ec2e0 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf @@ -45,6 +45,9 @@ AuthService.h Measurement.c VarCheck.c + Default_PK.h + Default_KEK.h + Default_DB.h [Packages] MdePkg/MdePkg.dec -- 2.1.4
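Review bot: The three enrolment blocks added to `AutenticatedVariableServiceInitialize()` leak on their error paths: a failed `AllocateZeroPool (SigSize)` returns without freeing `SignatureGUID`, and a failed `UpdateVariable` returns with both `SignatureGUID` and `Data` still allocated. `SignatureGUID` is only a zero-filled source for `CopyGuid`, and `Data` already comes from `AllocateZeroPool`, so that allocation can be dropped and `Data` freed before the status is tested, as sketched below for PK (the KEK and db blocks are the same). Because the write happens whenever the variable is absent and goes straight through `UpdateVariable`, a build with embedded keys creates PK again on the next initialisation after it has been deleted; a comment above the block should state that. The function begins before this hunk and continues after it.

```c
  // ... unchanged: Attr setup, Default_PK == NULL check, SigSize and Data allocation
  //     (the SignatureGUID allocation before it is removed) ...

  //
  // SignatureOwner stays all-zero from AllocateZeroPool; no separate GUID buffer.
  //
  SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
  CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);

  // ... unchanged: FindVariable (EFI_PLATFORM_KEY_NAME, ...) ...

  Status = EFI_SUCCESS;
  if (Variable.CurrPtr == NULL) {
    Status = UpdateVariable (
               EFI_PLATFORM_KEY_NAME,
               &gEfiGlobalVariableGuid,
               Data,
               SigSize,
               Attr,
               0,
               0,
               &Variable,
               NULL
               );
  }
  //
  // Release the scratch list on both the success and the failure path.
  //
  FreePool (Data);
  if (EFI_ERROR (Status)) {
    return Status;
  }
```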
From cc0bdc4ec72c751f0a6f3925ab5ffd6ada6cd8a8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Wed, 22 Apr 2015 16:20:54 +0800 Subject: [PATCH 2/2] Add a stub to set the default dbx
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 29 ++++++++++++++++++++++ .../VariableAuthenticated/RuntimeDxe/Default_DBX.h | 2 ++ .../RuntimeDxe/VariableRuntimeDxe.inf | 1 + 3 files changed, 32 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 03c8e26..56bfda4 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -35,6 +35,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "Default_PK.h" #include "Default_KEK.h" #include "Default_DB.h" +#include "Default_DBX.h" /// /// Global database array for scratch @@ -325,6 +326,34 @@ AutenticatedVariableServiceInitialize ( FreePool(SignatureGUID); FreePool(Data); + // DBX + if (Default_DBX == NULL) + goto SKIP_KEYS; + + Status = FindVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + &Variable, + &mVariableModuleGlobal->VariableGlobal, + FALSE + ); + if (Variable.CurrPtr == NULL) { + Status = UpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + Default_DBX, + Default_DBX_len, + Attr, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + SKIP_KEYS: //**** diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h new file mode 100644 index 0000000..5fd3cdc --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DBX = NULL; +unsigned int Default_DBX_len = 0; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf index e4ec2e0..b390d0b 100644 
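Review bot: The dbx block sits behind the earlier `goto SKIP_KEYS` exits, so the revocation list in `Default_DBX` is only written when `Default_PK`, `Default_KEK` and `Default_DB` are all non-NULL; a build that embeds a dbx but leaves one of the others as a stub ends up without it and without any message. Making the block self-contained avoids that: use `if (Default_DBX != NULL && Default_DBX_len != 0) {` around the `FindVariable`/`UpdateVariable` pair instead of the `goto`. Unlike the PK, KEK and db blocks, `Default_DBX` is stored as-is, so it already has to be a complete sequence of EFI_SIGNATURE_LIST entries; a comment saying so, and naming how the header is generated, would help whoever regenerates it. The enclosing function extends beyond the hunk.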
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf @@ -48,6 +48,7 @@ Default_PK.h Default_KEK.h Default_DB.h + Default_DBX.h [Packages] MdePkg/MdePkg.dec -- 2.1.4 ++++++ ovmf-gdb-symbols.patch ++++++ diff --git a/DebugPkg/DebugPkg.dec b/DebugPkg/DebugPkg.dec new file mode 100644 index 0000000..e12401d --- /dev/null +++ b/DebugPkg/DebugPkg.dec @@ -0,0 +1,34 @@ +## @file +# Debug package - various useful stuff for debugging. +# +# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com> +# +# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BSD License +# which accompanies this distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +[Defines] + DEC_VERSION = 0x00010005 + PACKAGE_NAME = DebugPkg + PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5 + PACKAGE_VERSION = 0.1 + +[Includes] + Include + +[Guids] + +[Protocols] + +[PcdsFixedAtBuild] + +[PcdsDynamic] + +[LibraryClasses] + diff --git a/DebugPkg/GdbSyms/GdbSyms.c b/DebugPkg/GdbSyms/GdbSyms.c new file mode 100644 index 0000000..2551dfa --- /dev/null +++ b/DebugPkg/GdbSyms/GdbSyms.c 
@@ -0,0 +1,70 @@ +/** @file + + Bare-minimum GDB symbols needed for reloading symbols. + + This is not a "driver" and should not be placed in a FD. + + Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com> + + This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "PiDxe.h" + +#include <Library/UefiLib.h> +#include <Library/UefiDriverEntryPoint.h> +#include <Library/BaseLib.h> +#include <Library/UefiRuntimeLib.h> +#include <Library/DebugLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/DevicePathLib.h> +#include <Library/PcdLib.h> +#include <Guid/DebugImageInfoTable.h> + +/** + Main entry point. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS Successfully initialized. + +**/ +EFI_STATUS +EFIAPI +Initialize ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_SYSTEM_TABLE_POINTER ESTP; + EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH; + EFI_IMAGE_DOS_HEADER EIDH; + EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU; + EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE; + EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE; + EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE; + EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME; + UINTN Dummy = + (UINTN) &ESTP | + (UINTN) &EDIITH | + (UINTN) &EIDH | + (UINTN) &EIOHU | + (UINTN) &EIDDE | + (UINTN) &EIDCNE | + (UINTN) &EIDCRE | + (UINTN) &EIDCME | + 1 + ; + return !!Dummy & EFI_SUCCESS; +} + + 
diff --git a/DebugPkg/GdbSyms/GdbSyms.inf b/DebugPkg/GdbSyms/GdbSyms.inf new file mode 100644 index 0000000..afb7887 --- /dev/null +++ b/DebugPkg/GdbSyms/GdbSyms.inf @@ -0,0 +1,57 @@ +## @file +# +# Bare-minimum GDB symbols needed for reloading symbols. +# +# This is not a "driver" and should not be placed in a FD. +# +# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com> +# +# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BSD License +# which accompanies this distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = GdbSyms + FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = Initialize + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM +# + +[Sources] + GdbSyms.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + DxeServicesTableLib + HobLib + MemoryAllocationLib + PcdLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiLib + +[Guids] + +[Protocols] + +[Depex] + TRUE + diff --git a/DebugPkg/Scripts/gdb_uefi.py b/DebugPkg/Scripts/gdb_uefi.py new file mode 100644 index 0000000..3db87a4 --- /dev/null +++ b/DebugPkg/Scripts/gdb_uefi.py 
@@ -0,0 +1,350 @@ +""" +Allows loading TianoCore symbols into a GDB session attached to EFI +Firmware. + +This is how it works: build GdbSyms - it's a dummy binary that +contains the relevant symbols needed to find and load image symbols. + +$ gdb +(gdb) taget remote .... +(gdb) source Scripts/gdb_uefi.py +(gdb) reload-uefi -o /path/to/GdbSyms.dll + +The -o option should be used if you've debugging EFI, where the PE +images were converted from MACH-O or ELF binaries. + +""" + +import array +import getopt +import binascii +import re + +__license__ = "BSD" +__version = "1.0.0" +__maintainer__ = "Andrei Warkentin" +__email__ = "andrey.warkentin@gmail.com" +__status__ = "Works" + +class ReloadUefi (gdb.Command): + """Reload UEFI symbols""" + + # + # Various constants. + # + + EINVAL = 0xffffffff + CV_NB10 = 0x3031424E + CV_RSDS = 0x53445352 + CV_MTOC = 0x434F544D + DOS_MAGIC = 0x5A4D + PE32PLUS_MAGIC = 0x20b + EST_SIGNATURE = 0x5453595320494249L + DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764, + [0xB7,0xA2,0x7A,0xFE, + 0xFE,0xD9,0x5E, 0x8B]] + DEBUG_IS_UPDATING = 0x1 + + # + # If the images were built as ELF/MACH-O and then converted to PE, + # then the base address needs to be offset by PE headers. + # + + offset_by_headers = False + + def __init__ (self): + super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE) + + # + # Returns gdb.Type for a type. + # + + def type (self, typename): + return gdb.lookup_type (typename) + + # + # Returns gdb.Type for a pointer to a type. + # + + def ptype (self, typename): + return gdb.lookup_type (typename).pointer () + + # + # Computes CRC32 on an array of data. + # + + def crc32 (self, data): + return binascii.crc32 (data) & 0xFFFFFFFF + + # + # Sets a field in a struct to a value, i.e. + # value->field_name = data. + # + # Newer Py bindings to Gdb provide access to the inferior + # memory, but not all, so have to do it this awkward way. 
+ # + + def set_field (self, value, field_name, data): + gdb.execute ("set *(%s *) 0x%x = 0x%x" % \ + (str (value[field_name].type), \ + long (value[field_name].address), \ + data)) + + # + # Returns data backing a gdb.Value as an array. + # Same comment as above regarding newer Py bindings... + # + + def value_data (self, value, bytes=0): + value_address = gdb.Value (value.address) + array_t = self.ptype ('UINT8') + value_array = value_address.cast (array_t) + if bytes == 0: + bytes = value.type.sizeof + data = array.array ('B') + for i in range (0, bytes): + data.append (value_array[i]) + return data + + # + # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4. + # Returns base address or -1. + # + + def search_est (self): + address = 0 + estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER') + while True: + estp = gdb.Value(address).cast(estp_t) + if estp['Signature'] == self.EST_SIGNATURE: + oldcrc = long (estp['Crc32']) + self.set_field (estp, 'Crc32', 0) + newcrc = self.crc32 (self.value_data (estp.dereference (), 0)) + self.set_field (estp, 'Crc32', long (oldcrc)) + if newcrc == oldcrc: + return estp['EfiSystemTableBase'] + + address = address + 4*1024*1024 + if long (address) == 0: + return gdb.Value(self.EINVAL) + + # + # Searches for a vendor-specific configuration table (in EST), + # given a vendor-specific table GUID. GUID is a list like - + # [32-bit, 16-bit, 16-bit, [8 bytes]] + # + + def search_config (self, cfg_table, count, guid): + index = 0 + while index != count: + cfg_entry = cfg_table[index]['VendorGuid'] + if cfg_entry['Data1'] == guid[0] and \ + cfg_entry['Data2'] == guid[1] and \ + cfg_entry['Data3'] == guid[2] and \ + self.value_data (cfg_entry['Data4']).tolist () == guid[3]: + return cfg_table[index]['VendorTable'] + index = index + 1 + return gdb.Value(self.EINVAL) + + # + # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI. 
+ # + + def parse_utf16 (self, value): + index = 0 + data = array.array ('H') + while value[index] != 0: + data.append (value[index]) + index = index + 1 + return data.tostring ().decode ('utf-16') + + # + # Returns offset of a field within structure. Useful + # for getting container of a structure. + # + + def offsetof (self, typename, field): + t = gdb.Value (0).cast (self.ptype (typename)) + return long (t[field].address) + + # + # Returns sizeof of a type. + # + + def sizeof (self, typename): + return self.type (typename).sizeof + + # + # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given + # an ImageBase address as a gdb.Value. + # + + def pe_headers (self, imagebase): + dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER') + head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION') + dosh = imagebase.cast(dosh_t) + h_addr = imagebase + if dosh['e_magic'] == self.DOS_MAGIC: + h_addr = h_addr + dosh['e_lfanew'] + return gdb.Value(h_addr).cast (head_t) + + # + # Returns True if pe_headers refer to a PE32+ image. + # + + def pe_is_64 (self, pe_headers): + if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC: + return True + return False + + # + # Returns the PE (not so) optional header. + # + + def pe_optional (self, pe): + if self.pe_is_64 (pe): + return pe['Pe32Plus']['OptionalHeader'] + else: + return pe['Pe32']['OptionalHeader'] + + # + # Returns the symbol file name for a PE image. 
+ # + + def pe_parse_debug (self, pe): + opt = self.pe_optional (pe) + debug_dir_entry = opt['DataDirectory'][6] + dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase'] + dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY')) + cvp = dep.dereference ()['RVA'] + opt['ImageBase'] + cvv = cvp.cast(self.ptype ('UINT32')).dereference () + if cvv == self.CV_NB10: + return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY') + elif cvv == self.CV_RSDS: + return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY') + elif cvv == self.CV_MTOC: + return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY') + return gdb.Value(self.EINVAL) + + # + # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name. + # This file name is then appended to list of loaded symbols. + # + # TBD: Support TE images. + # + + def parse_image (self, image, syms): + base = image['ImageBase'] + pe = self.pe_headers (base) + opt = self.pe_optional (pe) + sym_name = self.pe_parse_debug (pe) + + # For ELF and Mach-O-derived images... + if self.offset_by_headers: + base = base + opt['SizeOfHeaders'] + if sym_name != self.EINVAL: + sym_name = sym_name.cast (self.ptype('CHAR8')).string () + sym_name = re.sub(r"\.dll$", ".debug", sym_name) + syms.append ("add-symbol-file %s 0x%x" % \ + (sym_name, + long (base))) + + # + # Parses table EFI_DEBUG_IMAGE_INFO structures, builds + # a list of add-symbol-file commands, and reloads debugger + # symbols. + # + + def parse_edii (self, edii, count): + index = 0 + syms = [] + while index != count: + entry = edii[index] + if entry['ImageInfoType'].dereference () == 1: + entry = entry['NormalImage'] + self.parse_image(entry['LoadedImageProtocolInstance'], syms) + else: + print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \ + entry['ImageInfoType'].dereference () + index = index + 1 + gdb.execute ("symbol-file") + print "Loading new symbols..." 
+ for sym in syms: + print sym + gdb.execute (sym) + + # + # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load + # image symbols. + # + + def parse_dh (self, dh): + dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER') + dh = dh.cast (dh_t) + print "DebugImageInfoTable @ 0x%x, 0x%x entries" \ + % (long (dh['EfiDebugImageInfoTable']), dh['TableSize']) + if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING: + print "EfiDebugImageInfoTable update in progress, retry later" + return + self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize']) + + # + # Parses EFI_SYSTEM_TABLE, in order to load image symbols. + # + + def parse_est (self, est): + est_t = self.ptype ('EFI_SYSTEM_TABLE') + est = est.cast (est_t) + print "Connected to %s (Rev. 0x%x)" % \ + (self.parse_utf16 (est['FirmwareVendor']), \ + long (est['FirmwareRevision'])) + print "ConfigurationTable @ 0x%x, 0x%x entries" \ + % (long (est['ConfigurationTable']), est['NumberOfTableEntries']) + + dh = self.search_config(est['ConfigurationTable'], + est['NumberOfTableEntries'], + self.DEBUG_GUID) + if dh == self.EINVAL: + print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER" + return + self.parse_dh (dh) + + # + # Usage information. + # + + def usage (self): + print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll" + + # + # Handler for reload-uefi. + # + + def invoke (self, arg, from_tty): + args = arg.split(' ') + try: + opts, args = getopt.getopt(args, "o", ["offset-by-headers"]) + except getopt.GetoptError, err: + self.usage () + return + for opt, arg in opts: + if opt == "-o": + self.offset_by_headers = True + + if len(args) < 1: + self.usage () + return + + gdb.execute ("symbol-file") + gdb.execute ("symbol-file %s" % args[0]) + est = self.search_est () + if est == self.EINVAL: + print "No EFI_SYSTEM_TABLE..." + return + + print "EFI_SYSTEM_TABLE @ 0x%x" % est + self.parse_est (est) + +ReloadUefi () + + diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 66459c2..320ffe8 100644 
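Review bot: `search_est()` cannot reach its not-found return: `address` is a Python integer that only grows by 4 MiB per pass, so `long (address) == 0` is never true and a target without a valid EFI_SYSTEM_TABLE_POINTER keeps the loop going until a memory read raises. Bounding the scan makes the `EINVAL` path reachable, e.g. `while address < (1 << 32):` with `return gdb.Value(self.EINVAL)` after the loop (the limit shown is a suggestion and should follow the target's address width). Separately, `parse_image()` formats a file name read from target memory into `add-symbol-file %s 0x%x` and passes it to `gdb.execute`, so the name should be checked against the expected shape (no whitespace, ends in `.debug`) before it is used. The module docstring also has `taget` for `target`.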
--- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -567,3 +567,4 @@ !endif OvmfPkg/PlatformDxe/Platform.inf + DebugPkg/GdbSyms/GdbSyms.inf ++++++ ovmf-rpmlintrc ++++++ addFilter("unstripped-binary-or-object /usr/lib/debug/*") addFilter("statically-linked-binary /usr/lib/debug/*") addFilter("executable-stack /usr/lib/debug/*") ++++++ strip_authinfo.pl ++++++ #!/usr/bin/perl use strict; use FileHandle; if ($#ARGV != 1) { print "Usage: stripe_authinfo <variable with AuthInfo> <stripped binary>\n"; exit; } my $file_in = $ARGV[0]; my $file_out = $ARGV[1]; sub read_file($) { my ($file) = @_; my $contents; my $len; open(FD, "<$file") || die $file; binmode FD; my @st = stat(FD); die $file if (!@st); $len = read(FD, $contents, $st[7]) || die $file; close(FD) || die $file; die "$file: Wanted length ", $st[7], ", got ", $len, "\n" if ($len != $st[7]); return $contents; } my $authvar = read_file($file_in); my $authvar_len = length($authvar); # Skip the first 16 bytes (EFI_TIME) and check the following 8 bytes # # WIN_CERTIFICATE (8 bytes) # UINT32 dwLength # UINT16 wRevision 0x0200 # UINT16 wCertificateType 0x0EF0 to 0x0EFF my($dwLength, $wRevision, $wCertificateType) = unpack("VSS", substr($authvar, 16, 8)); # check the contents die "invalid certificate length" if ($dwLength > $authvar_len); die "invalid Revision" if ($wRevision != 0x200); die "invalid certificate type" if ($wCertificateType != 0x0EF0 && $wCertificateType != 0x0EF1 && $wCertificateType != 0x0002); my $skip = $dwLength + 16; open(FD, ">$file_out") || die $file_out; binmode FD; print FD substr($authvar, $skip, $authvar_len - $skip); close FD || die $file_out;
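Review bot: strip_authinfo.pl compares `$dwLength` with the whole file length rather than with the bytes that follow the 16-byte EFI_TIME, so a value within 16 bytes of the file size passes the check, `$skip` lands past the end of the data, and the script writes an empty output without reporting an error. If that output is what gets embedded as a default signature database (an assumption based on the neighbouring patches), the build would silently carry an empty list. An input shorter than 24 bytes is only rejected indirectly, by the revision check, with a misleading message. The sketch below adds explicit length checks, reads the 16-bit fields as little-endian (`v`) instead of host-endian (`S`), and writes through a lexical handle with three-argument `open` and a checked `close`; `read_file()` uses the same two-argument `open` and should be changed the same way.

```perl
# ... unchanged: argument handling and read_file() ...

die "input too short for EFI_TIME + WIN_CERTIFICATE header\n"
    if ($authvar_len < 24);

my ($dwLength, $wRevision, $wCertificateType) =
    unpack("Vvv", substr($authvar, 16, 8));

# dwLength counts the 8-byte WIN_CERTIFICATE header itself and must fit
# into what follows the 16-byte EFI_TIME.
die "invalid certificate length\n"
    if ($dwLength < 8 || $dwLength > $authvar_len - 16);

# ... unchanged: revision and certificate type checks ...

my $skip = $dwLength + 16;
open(my $out, '>', $file_out) or die "$file_out: $!\n";
binmode $out;
print {$out} substr($authvar, $skip);
close($out) or die "$file_out: $!\n";
```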