commit ovmf for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2024-08-13 13:22:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ovmf" Tue Aug 13 13:22:01 2024 rev:104 rq:1193325 version:202402 Changes: --------
--- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2024-07-17 15:14:10.567937207 +0200
+++ /work/SRC/openSUSE:Factory/.ovmf.new.7232/ovmf.changes 2024-08-13 13:22:06.979427257 +0200
@@ -1,0 +2,19 @@
+Mon Aug 12 05:46:00 UTC 2024 - Joey Lee <jlee@suse.com>
+
+- Add ovmf-x86_64-sev flavor to X64 against AMD SEV.
+ - Moved "-D SECURE_BOOT_ENABLE" from OVMF_FLAGS to EXTRA_FLAGS_X64,
+ , BUILD_OPTIONS_X86, BUILD_OPTIONS_AA64 and BUILD_OPTIONS_RV64
+ because SEV can NOT work with secure boot.
+- Removed ovmf-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch
+ because the SEV ovmf be separated from X64 ovmf as an independent flavor.
+ - The original patch reverts "58eb8517ad OvmfPkg/PlatformPei: Update
+ ReserveEmuVariableNvStore" which affects all ovmf flavor.
+ - The secure boot be disabled in SEV flavor, so we do not need revert
+ 58eb8517ad anymore. (bsc#1209266)
+- Add 50-ovmf-x86_64-sev.json to descriptors.tar.xz for SEV flavor
+ - Removed features tag:
+ "acpi-s3", "requires-smm", "secure-boot", "enrolled-keys"
+ - Add features tag:
+ "amd-sev", "amd-sev-es", "amd-sev-snp"
+
+-------------------------------------------------------------------
Old: ---- ovmf-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch BETA DEBUG BEGIN: Old: because SEV can NOT work with secure boot. - Removed ovmf-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch because the SEV ovmf be separated from X64 ovmf as an independent flavor. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ ovmf.spec ++++++
--- /var/tmp/diff_new_pack.iwX0ys/_old 2024-08-13 13:22:08.087473422 +0200
+++ /var/tmp/diff_new_pack.iwX0ys/_new 2024-08-13 13:22:08.091473589 +0200
@@ -63,8 +63,6 @@ Patch8: %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch # Bug 1205613 - L3: win 2k22 UEFI xen VMs cannot boot in xen after upgrade Patch9: %{name}-Revert-OvmfPkg-OvmfXen-Set-PcdFSBClock.patch -# Bug 1209266 - OVMF firmware hangs when booting SEV or SEV-ES guest -Patch10: %{name}-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch # Bug 1219024 - SVVP test Check SMBIOS Table Specific Requirements fails Patch11: %{name}-OvmfPkg-SmbiosPlatformDxe-tweak-fallback-release-dat.patch # Bug 1217704 - ovmf: reproducible builds problem in ovmf-riscv64-code.bin @@ -231,7 +229,6 @@ # For some reason ARM still uses TPM2_CONFIG_ENABLE OVMF_FLAGS=" \ - -D SECURE_BOOT_ENABLE \ -D TPM2_ENABLE \ -D TPM2_CONFIG_ENABLE \ -D NETWORK_IP6_ENABLE \ @@ -250,6 +247,7 @@ BUILD_OPTIONS_X86=" \ $OVMF_FLAGS \ -D FD_SIZE_2MB \ + -D SECURE_BOOT_ENABLE \ -D BUILD_SHELL=FALSE \ -a IA32 \ -p OvmfPkg/OvmfPkgIa32.dsc \ @@ -257,8 +255,10 @@ -t $TOOL_CHAIN \ " -# Flavors for x86_64: 2MB, 4MB, and 4MB+SMM -FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm") +# Flavors for x86_64: 2MB, 4MB, 4MB+SMM and AMD SEV +FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm" "ovmf-x86_64-sev") +# Flavors will NOT enroll default kek/db keys +FLAVORS_X64_SKIP_SB_KEY=("ovmf-x86_64-sev") BUILD_OPTIONS_X64=" \ $OVMF_FLAGS \ -D BUILD_SHELL=FALSE \ @@ -271,6 +271,7 @@ FLAVORS_AA64=("aavmf-aarch64") BUILD_OPTIONS_AA64=" \ $OVMF_FLAGS \ + -D SECURE_BOOT_ENABLE \ -D NETWORK_TLS_ENABLE \ -a AARCH64 \ -p ArmVirtPkg/ArmVirtQemu.dsc \ @@ -291,6 +292,7 @@ FLAVORS_RV64=("riscv") BUILD_OPTIONS_RV64=" \ $OVMF_FLAGS \ + -D SECURE_BOOT_ENABLE \ -a RISCV64 \ -p OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc \ -b DEBUG \ 
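Review bot: Secure Boot becomes opt-in per flavor with this change: the -231 hunk drops `-D SECURE_BOOT_ENABLE` from the shared OVMF_FLAGS, and the flag is re-added by hand to BUILD_OPTIONS_X86, BUILD_OPTIONS_AA64 and BUILD_OPTIONS_RV64 here and to three EXTRA_FLAGS_X64 entries in the -352 hunk. Any flavor added later will build without Secure Boot unless someone remembers the flag, and nothing in the spec says that the omission for ovmf-x86_64-sev is deliberate. I would keep the default on and make the SEV flavor the explicit exception, or at least add above OVMF_FLAGS a comment such as `# SECURE_BOOT_ENABLE is set per flavor below; only ovmf-x86_64-sev omits it on purpose`. The variable definitions touched here start and end outside the hunks.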
@@ -352,15 +354,17 @@ declare -A EXTRA_FLAGS_X64 EXTRA_FLAGS_X64=( - [ovmf-x86_64]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_2MB" - [ovmf-x86_64-4m]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE" - [ovmf-x86_64-smm]="-a IA32 -p OvmfPkg/OvmfPkgIa32X64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE" + [ovmf-x86_64]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_2MB -D SECURE_BOOT_ENABLE" + [ovmf-x86_64-4m]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SECURE_BOOT_ENABLE" + [ovmf-x86_64-smm]="-a IA32 -p OvmfPkg/OvmfPkgIa32X64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE -D SECURE_BOOT_ENABLE" + [ovmf-x86_64-sev]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE" ) declare -A OUTDIR_X64 OUTDIR_X64=( [ovmf-x86_64]="OvmfX64" [ovmf-x86_64-4m]="OvmfX64" [ovmf-x86_64-smm]="Ovmf3264" + [ovmf-x86_64-sev]="OvmfX64" ) %ifnarch x86_64 @@ -491,6 +495,10 @@ # We only build the variable templates for X64 and AARCH64 if [ "$ARCH" == "X64" ]; then FLAVORS=${FLAVORS_X64[@]} + # some flavors should NOT enroll default keys + for skip in ${FLAVORS_X64_SKIP_SB_KEY[@]}; do + FLAVORS=("${FLAVORS[@]/$skip}") + done elif [ "$ARCH" == "AARCH64" ]; then FLAVORS=${FLAVORS_AA64[@]} fi ++++++ descriptors.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-sev.json new/descriptors/50-ovmf-x86_64-sev.json --- old/descriptors/50-ovmf-x86_64-sev.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/50-ovmf-x86_64-sev.json 2024-08-07 10:20:00.571607784 +0200 
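Review bot: The skip loop in the -491 hunk removes a substring rather than a list element: `FLAVORS=${FLAVORS_X64[@]}` stores one space-joined string, so `${FLAVORS[@]/$skip}` deletes the first textual match of the skip name inside that string. It gives the intended result for `ovmf-x86_64-sev` today, but a flavor listed earlier whose name contains a skipped name would be left as a mangled entry while the flavor meant to be skipped stays in the list, and per the comments in the hunk this list decides which flavors get the default keys enrolled. Matching whole names avoids that. The version below keeps FLAVORS a space-separated string because the loop that consumes it is outside the hunk.

```spec
if [ "$ARCH" == "X64" ]; then
	# keep only flavors not listed in FLAVORS_X64_SKIP_SB_KEY (whole-name match)
	FLAVORS=""
	for candidate in "${FLAVORS_X64[@]}"; do
		case " ${FLAVORS_X64_SKIP_SB_KEY[*]} " in
			*" $candidate "*) ;;
			*) FLAVORS+="$candidate " ;;
		esac
	done
# … unchanged: AARCH64 branch …
```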
@@ -0,0 +1,35 @@
+{
+ "description": "UEFI firmware for x86_64, with AMD SEV",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "executable": {
+ "filename": "@DATADIR@/ovmf-x86_64-sev-code.bin",
+ "format": "raw"
+ },
+ "nvram-template": {
+ "filename": "@DATADIR@/ovmf-x86_64-sev-vars.bin",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s4",
+ "amd-sev",
+ "amd-sev-es",
+ "amd-sev-snp",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
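Review bot: The descriptor advertises `amd-sev`, `amd-sev-es` and `amd-sev-snp` while still mapping a writable `nvram-template` on `flash`. That variable store is supplied by the host, so for a confidential guest it is presumably outside the launch measurement and should be treated as untrusted input by whoever relies on attestation of this firmware; please confirm that is intended. It is also worth confirming that all three advertised features were exercised with this exact flash mapping, since management tools select firmware from these tags. If the SEV build does not need persistent variables, QEMU's firmware schema also has a `"mode": "stateless"` flash mapping without a varstore, which may be a closer fit.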