And to run a 64-bit UEFI bootable ISO image:\r
$ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso\r
\r
-To build a 32-bit OVMF without debug messages using GCC 4.5:\r
-$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC45\r
+To build a 32-bit OVMF without debug messages using GCC 4.8:\r
+$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48\r
+\r
+=== SMM support ===\r
+\r
+Requirements:\r
+* SMM support requires QEMU 2.5.\r
+* The minimum required QEMU machine type is "pc-q35-2.5".\r
+* SMM with KVM requires Linux 4.4 (host).\r
+\r
+OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor\r
+emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure,\r
+and in the UEFI variable driver stack. The purpose is (virtual) hardware\r
+separation between the runtime guest OS and the firmware (OVMF), with the\r
+intent to make Secure Boot actually secure, by preventing the runtime guest OS\r
+from tampering with the variable store and S3 areas.\r
+\r
+For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The\r
+resultant firmware binary will check if QEMU actually provides SMM emulation;\r
+if it doesn't, then OVMF will log an error and trigger an assertion failure\r
+during boot (even in RELEASE builds). Both the naming of the flag (SMM_REQUIRE,\r
+instead of SMM_ENABLE), and this behavior are consistent with the goal\r
+described above: this is supposed to be a security feature, and fallbacks are\r
+not allowed. Similarly, a pflash-backed variable store is a requirement.\r
+\r
+QEMU should be started with the options listed below (in addition to any other\r
+guest-specific flags). The command line should be gradually composed from the\r
+hints below. '\' is used to extend the command line to multiple lines, and '^'\r
+can be used on Windows.\r
+\r
+* QEMU binary and options specific to 32-bit guests:\r
+\r
+ $ qemu-system-i386 -cpu coreduo,-nx \\r
+\r
+ or\r
+\r
+ $ qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \\r
+\r
+* QEMU binary for running 64-bit guests (no particular options):\r
+\r
+ $ qemu-system-x86_64 \\r
+\r
+* Flags common to all SMM scenarios (only the Q35 machine type is supported):\r
+\r
+ -machine q35,smm=on,accel=(tcg|kvm) \\r
+ -m ... \\r
+ -smp ... \\r
+ -global driver=cfi.pflash01,property=secure,value=on \\r
+ -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \\r
+ -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \\r
+\r
+* In order to disable S3, add:\r
+\r
+ -global ICH9-LPC.disable_s3=1 \\r
\r
=== Network Support ===\r
\r
basic virtio-net driver, located in OvmfPkg/VirtioNetDxe.\r
\r
* Also independently of the iPXE NIC drivers, Intel's proprietary E1000 NIC\r
- driver (PROEFI) can be embedded in the OVMF image at build time:\r
-\r
- - Download UEFI drivers for the e1000 NIC\r
- - http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=17515&lang=eng\r
- - Install the drivers into a directory called Intel3.5 in your WORKSPACE.\r
+ driver (from the BootUtil distribution) can be embedded in the OVMF image at\r
+ build time:\r
+\r
+ - Download BootUtil:\r
+ - Navigate to\r
+ https://downloadcenter.intel.com/download/19186/Ethernet-Intel-Ethernet-Connections-Boot-Utility-Preboot-Images-and-EFI-Drivers\r
+ - Click the download link for "PREBOOT.EXE".\r
+ - Accept the Intel Software License Agreement that appears.\r
+ - Unzip "PREBOOT.EXE" into a separate directory (this works with the\r
+ "unzip" utility on platforms different from Windows as well).\r
+ - Copy the "APPS/EFI/EFIx64/E3522X2.EFI" driver binary to\r
+ "Intel3.5/EFIX64/E3522X2.EFI" in your WORKSPACE.\r
+ - Intel have stopped distributing an IA32 driver binary (which used to\r
+ match the filename pattern "E35??E2.EFI"), thus this method will only\r
+ work for the IA32X64 and X64 builds of OVMF.\r
\r
- Include the driver in OVMF during the build:\r
- - Add "-D E1000_ENABLE -D FD_SIZE_2MB" to your build command,\r
- - For example: "build -D E1000_ENABLE -D FD_SIZE_2MB".\r
+ - Add "-D E1000_ENABLE" to your build command (only when building\r
+ "OvmfPkg/OvmfPkgIa32X64.dsc" or "OvmfPkg/OvmfPkgX64.dsc").\r
+ - For example: "build -D E1000_ENABLE".\r
\r
* When a matching iPXE driver is configured for a NIC as described above, it\r
takes priority over other drivers that could possibly drive the card too:\r
\r
- | e1000 ne2k_pci pcnet rtl8139 virtio-net-pci\r
- -------------+------------------------------------------------\r
- iPXE | x x x x x\r
- VirtioNetDxe | x\r
- Intel PROEFI | x\r
+ | e1000 ne2k_pci pcnet rtl8139 virtio-net-pci\r
+ ---------------------+------------------------------------------------\r
+ iPXE | x x x x x\r
+ VirtioNetDxe | x\r
+ Intel BootUtil (X64) | x\r
+\r
+=== HTTPS Boot ===\r
+\r
+HTTPS Boot is an alternative solution to PXE. It replaces the tftp server\r
+with a HTTPS server so the firmware can download the images through a trusted\r
+and encrypted connection.\r
+\r
+* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and\r
+ -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while\r
+ the latter enables TLS support in both NetworkPkg and CryptoPkg.\r
+\r
+* By default, there is no trusted certificate. The user has to import the\r
+ certificates either manually with "Tls Auth Configuration" utility in the\r
+ firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.\r
+\r
+ -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>\r
+\r
+ The blob for etc/edk2/https/cacerts has to be in the format of Signature\r
+ Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the\r
+ certificate list.\r
+\r
+ If you want to create the certificate list based on the CA certificates\r
+ in your local host, p11-kit will be a good choice. Here is the command to\r
+ create the list:\r
+\r
+ p11-kit extract --format=edk2-cacerts --filter=ca-anchors \\r
+ --overwrite --purpose=server-auth <certdb>\r
+\r
+ If you only want to import one certificate, efisiglist is the tool for you:\r
+\r
+ efisiglist -a <cert file> -o <certdb>\r
+\r
+ Please note that the certificate has to be in the DER format.\r
+\r
+ You can also append a certificate to the existing list with the following\r
+ command:\r
+\r
+ efisiglist -i <old certdb> -a <cert file> -o <new certdb>\r
+\r
+ NOTE: You may need the patch to make efisiglist generate the correct header.\r
+ (https://github.com/rhboot/pesign/pull/40)\r
+\r
+* Besides the trusted certificates, it's also possible to configure the trusted\r
+ cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
+\r
+ -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+ OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
+ IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
+ suite from the intersection of the given list and the built-in cipher\r
+ suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
+ built-in ones.\r
+\r
+ While the tool(*5) to create the cipher suite array is still under\r
+ development, the array can be generated with the following script:\r
+\r
+ export LC_ALL=C\r
+ openssl ciphers -V \\r
+ | sed -r -n \\r
+ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
+ | xargs -r -- printf -- '%b' > ciphers.bin\r
+\r
+ This script creates ciphers.bin that contains all the cipher suite IDs\r
+ supported by openssl according to the local host configuration.\r
+\r
+ You may want to enable only a limited set of cipher suites. Then, you\r
+ should check the validity of your list first:\r
+\r
+ openssl ciphers -V <cipher list>\r
+\r
+ If all the cipher suites in your list map to the proper HEX IDs, go ahead\r
+ to modify the script and execute it:\r
+\r
+ export LC_ALL=C\r
+ openssl ciphers -V <cipher list> \\r
+ | sed -r -n \\r
+ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
+ | xargs -r -- printf -- '%b' > ciphers.bin\r
+\r
+* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
+ files automatically from the local host configuration, and enable the user\r
+ to override either with dedicated options or properties.\r
+\r
+(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
+(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
+(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
+(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
+(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
\r
=== OVMF Flash Layout ===\r
\r
-Like all current IA32/X64 system designs, OVMF's firmware\r
-device (rom/flash) appears in QEMU's physical address space\r
-just below 4GB (0x100000000).\r
+Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)\r
+appears in QEMU's physical address space just below 4GB (0x100000000).\r
+\r
+OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the\r
+FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the\r
+1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB\r
+image is 0xffe00000. The base address for the 4MB image is 0xffc00000.\r
\r
-The layout of the firmware device in memory looks like:\r
+Using the 1MB or 2MB image, the layout of the firmware device in memory looks\r
+like:\r
\r
+--------------------------------------- 4GB (0x100000000)\r
| VTF0 (16-bit reset code) and OVMF SEC\r
-| (SECFV)\r
+| (SECFV, 208KB/0x34000)\r
+--------------------------------------- varies based on flash size\r
|\r
| Compressed main firmware image\r
| area (56KB/0xe000)\r
+--------------------------------------- base address\r
\r
-OVMF supports building a 1MB or a 2MB flash image. The base address for\r
-a 1MB image in QEMU physical memory is 0xfff00000. The base address for\r
-a 2MB image is 0xffe00000.\r
+Using the 4MB image, the layout of the firmware device in memory looks like:\r
+\r
++--------------------------------------- base + 0x400000 (4GB/0x100000000)\r
+| VTF0 (16-bit reset code) and OVMF SEC\r
+| (SECFV, 208KB/0x34000)\r
++--------------------------------------- base + 0x3cc000\r
+|\r
+| Compressed main firmware image\r
+| (FVMAIN_COMPACT, 3360KB/0x348000)\r
+|\r
++--------------------------------------- base + 0x84000\r
+| Fault-tolerant write (FTW)\r
+| Spare blocks (264KB/0x42000)\r
++--------------------------------------- base + 0x42000\r
+| FTW Work block (4KB/0x1000)\r
++--------------------------------------- base + 0x41000\r
+| Event log area (4KB/0x1000)\r
++--------------------------------------- base + 0x40000\r
+| Non-volatile variable storage\r
+| area (256KB/0x40000)\r
++--------------------------------------- base address (0xffc00000)\r
\r
The code in SECFV locates FVMAIN_COMPACT, and decompresses the\r
main firmware (MAINFV) into RAM memory at address 0x800000. The\r
\r
If you build with the UNIXGCC toolchain, then debugging will be disabled\r
due to larger image sizes being produced by the UNIXGCC toolchain. The\r
-first choice recommendation is to use GCC44 or newer instead.\r
+first choice recommendation is to use GCC48 or newer instead.\r
\r
If you must use UNIXGCC, then you can override the build options for\r
particular libraries and modules in the .dsc to re-enable debugging\r
selectively. For example:\r
[Components]\r
- OvmfPkg/Library/PlatformBdsLib/PlatformBdsLib.inf {\r
+ OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf {\r
<BuildOptions>\r
GCC:*_*_*_CC_FLAGS = -UMDEPKG_NDEBUG\r
}\r
- IntelFrameworkModulePkg/Universal/BdsDxe/BdsDxe.inf {\r
+ MdeModulePkg/Universal/BdsDxe/BdsDxe.inf {\r
<BuildOptions>\r
GCC:*_*_*_CC_FLAGS = -UMDEPKG_NDEBUG\r
}\r
projects / mirror_edk2.git / blobdiff