--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 45:01:ee:39:3e:52:29:78:36:df:85:42:c8:e5:7b:bb:88:d1:4b:37
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: O = Debian, CN = Debian UEFI Secure Boot (PK/KEK key), emailAddress = debian-devel@lists.debian.org
+ Validity
+ Not Before: Jul 8 23:42:49 2019 GMT
+ Not After : Jul 5 23:42:49 2029 GMT
+ Subject: O = Debian, CN = Debian UEFI Secure Boot (PK/KEK key), emailAddress = debian-devel@lists.debian.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:9b:ab:49:8b:ba:a5:fa:54:2a:71:9a:79:05:c4:
+ 1b:46:11:c5:b3:bd:59:62:80:71:ad:bb:6c:c4:50:
+ a8:96:d6:89:eb:e8:11:d4:88:3c:49:e4:8f:51:cd:
+ a5:87:c3:d2:fe:51:1e:3a:1b:bf:d8:5b:38:53:b5:
+ 9d:68:52:d1:3e:82:cb:db:fd:5e:01:81:30:c4:be:
+ 73:e0:d6:56:3f:4a:28:f1:33:d7:52:61:7b:84:a2:
+ 40:a2:18:88:78:5b:14:d0:1e:6d:6a:b8:ae:10:44:
+ af:12:99:a6:7b:2d:e9:ba:8d:0a:58:93:38:69:eb:
+ 6d:f0:6f:97:22:fe:e0:0f:b4:a4:f9:c8:2b:3b:73:
+ b9:51:cf:1f:1f:e5:66:07:cb:dd:f7:4e:f3:57:2a:
+ 49:69:53:41:80:fc:d5:6a:75:d9:ba:0d:67:bd:53:
+ c6:1d:d5:e5:65:bf:0b:8d:fc:16:58:65:ed:59:a6:
+ 57:8f:33:48:a6:6c:27:dc:b4:1d:9e:94:9e:63:8b:
+ 19:02:bf:e0:01:52:34:28:a4:13:88:fe:f9:7b:06:
+ 1d:e2:77:85:07:9e:4e:1b:aa:ca:0c:6a:e4:df:2b:
+ e9:8a:ac:42:05:de:32:d5:34:f9:e2:6f:96:c2:d4:
+ 05:5f:c9:20:d8:33:9a:01:82:5d:94:69:78:4e:2e:
+ e0:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73
+ X509v3 Authority Key Identifier:
+ keyid:88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 0a:74:2f:89:80:5e:1e:c4:f2:c9:a2:4d:b6:34:ee:b1:68:9d:
+ f2:bd:77:85:e5:68:66:d5:ff:76:20:29:9f:0d:f3:cd:1b:9f:
+ 22:4e:26:9d:11:19:93:96:a3:9b:0c:fd:88:df:a0:ef:11:09:
+ 1e:c2:70:6f:20:f6:fe:be:c3:5a:3c:40:47:79:a0:2c:82:c6:
+ 42:3c:c4:3c:af:55:7f:8a:c3:0d:0c:6a:cf:9f:7c:9d:bc:b5:
+ 6d:33:73:cd:f9:13:0e:8e:4d:ce:f8:f6:54:74:c7:90:28:eb:
+ 6f:58:31:d6:41:9e:25:a7:04:40:8a:28:db:36:39:73:ea:e4:
+ 9e:8c:3e:42:5a:7b:05:20:78:e6:4d:69:1f:ba:bf:a1:b7:02:
+ d9:e3:ab:fc:42:d9:77:cd:e0:dd:08:3b:be:96:79:5c:5d:71:
+ ee:c7:68:e8:a6:08:69:2d:ff:98:ad:51:cb:1b:ef:39:b0:52:
+ 70:03:d3:3c:a7:ce:a5:f0:93:62:ca:6b:61:4b:dc:7b:c7:00:
+ 9e:80:3a:bf:af:95:79:f7:f6:14:7e:45:f1:b4:6c:c8:31:9f:
+ 0a:38:27:fc:3c:fb:44:22:4e:7a:d3:72:17:2f:76:5c:c6:00:
+ 8b:26:05:15:95:eb:71:52:5f:5b:90:c8:cb:fd:53:01:a4:ff:
+ 0a:c8:ad:25
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIURQHuOT5SKXg234VCyOV7u4jRSzcwDQYJKoZIhvcNAQEL
+BQAwbjEPMA0GA1UECgwGRGViaWFuMS0wKwYDVQQDDCREZWJpYW4gVUVGSSBTZWN1
+cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHWRlYmlhbi1kZXZl
+bEBsaXN0cy5kZWJpYW4ub3JnMB4XDTE5MDcwODIzNDI0OVoXDTI5MDcwNTIzNDI0
+OVowbjEPMA0GA1UECgwGRGViaWFuMS0wKwYDVQQDDCREZWJpYW4gVUVGSSBTZWN1
+cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHWRlYmlhbi1kZXZl
+bEBsaXN0cy5kZWJpYW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAm6tJi7ql+lQqcZp5BcQbRhHFs71ZYoBxrbtsxFColtaJ6+gR1Ig8SeSPUc2l
+h8PS/lEeOhu/2Fs4U7WdaFLRPoLL2/1eAYEwxL5z4NZWP0oo8TPXUmF7hKJAohiI
+eFsU0B5tariuEESvEpmmey3puo0KWJM4aett8G+XIv7gD7Sk+cgrO3O5Uc8fH+Vm
+B8vd907zVypJaVNBgPzVanXZug1nvVPGHdXlZb8LjfwWWGXtWaZXjzNIpmwn3LQd
+npSeY4sZAr/gAVI0KKQTiP75ewYd4neFB55OG6rKDGrk3yvpiqxCBd4y1TT54m+W
+wtQFX8kg2DOaAYJdlGl4Ti7gxwIDAQABo1MwUTAdBgNVHQ4EFgQUiAnrn/p9LV3b
+MGenr7mJjqPuAnMwHwYDVR0jBBgwFoAUiAnrn/p9LV3bMGenr7mJjqPuAnMwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACnQviYBeHsTyyaJNtjTu
+sWid8r13heVoZtX/diApnw3zzRufIk4mnREZk5ajmwz9iN+g7xEJHsJwbyD2/r7D
+WjxAR3mgLILGQjzEPK9Vf4rDDQxqz598nby1bTNzzfkTDo5Nzvj2VHTHkCjrb1gx
+1kGeJacEQIoo2zY5c+rknow+Qlp7BSB45k1pH7q/obcC2eOr/ELZd83g3Qg7vpZ5
+XF1x7sdo6KYIaS3/mK1RyxvvObBScAPTPKfOpfCTYsprYUvce8cAnoA6v6+Veff2
+FH5F8bRsyDGfCjgn/Dz7RCJOetNyFy92XMYAiyYFFZXrcVJfW5DIy/1TAaT/Csit
+JQ==
+-----END CERTIFICATE-----
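Review bot: The provenance of this PK/KEK certificate is stated backwards in the key README added by the same commit, which says the keys were generated "where the public key was not saved". The command quoted there uses `-keyout /dev/null`, which throws away the private key; the public half is exactly what this file contains. The quoted mail in that README points out that whoever holds the secret half of a key in PK or KEK can escalate, so the property worth documenting is that nobody holds it. The README sentence should read `not in our normal signing chains, and where the private key was not saved`.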
--- /dev/null
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ 94:cb:af:49:cd:56:a7:d8
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel@lists.ubuntu.com
+ Validity
+ Not Before: Jun 20 21:48:46 2018 GMT
+ Not After : Jun 17 21:48:46 2028 GMT
+ Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel@lists.ubuntu.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:cb:b0:2b:e9:77:9e:5e:71:e9:e6:eb:1d:85:52:
+ 86:cf:fb:8c:f0:0a:79:34:cc:bb:83:10:95:36:cd:
+ a0:e6:6f:55:08:4e:71:e7:63:90:13:5a:3c:f7:5d:
+ eb:74:c1:c5:81:40:9c:98:54:04:b9:7d:85:6f:c6:
+ 07:91:67:f6:2b:53:d3:28:79:1b:ae:17:08:16:9f:
+ cb:7a:c9:2c:5f:0b:f7:d5:43:51:81:2e:bc:1f:9a:
+ dd:ba:18:01:30:93:a1:59:ce:0d:bf:21:d0:89:8e:
+ 44:11:7c:b2:02:99:9b:ae:42:26:58:10:f7:76:06:
+ 65:b8:cb:78:f9:ee:6b:08:54:d8:45:47:d8:71:72:
+ 2d:91:16:8d:dd:c9:3f:1b:2d:97:31:a3:f8:98:b0:
+ bc:44:dd:15:7f:df:1d:b9:eb:5b:e7:cb:08:b1:27:
+ 2c:b6:7f:60:fa:3a:59:ed:26:b5:54:c4:a8:75:a6:
+ e8:6e:56:50:86:e9:cc:fc:ce:38:6a:62:08:a1:dd:
+ 23:e5:45:b1:7e:f0:d5:30:5d:32:10:aa:9f:17:29:
+ 2e:7e:cd:45:71:04:83:0f:8e:43:98:27:38:b4:7d:
+ 91:32:88:f8:c4:64:bb:1f:69:0c:66:79:bf:d5:4c:
+ 70:f6:62:da:26:53:1d:17:7d:6e:b8:88:18:e2:ff:
+ 7e:8d
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha256WithRSAEncryption
+ 18:b0:2d:52:ce:df:9d:fe:68:29:4e:c4:ef:ec:28:52:b1:cf:
+ d3:75:97:03:08:53:34:8f:5e:4e:ce:d8:2c:f8:30:0b:6a:86:
+ 00:69:33:75:46:54:6f:37:38:cd:2e:12:68:8b:48:4e:56:18:
+ 79:67:d9:f4:fb:cf:84:f1:b2:21:93:9e:b8:13:28:51:e0:64:
+ 9e:c0:b6:75:a4:55:5f:5d:5a:01:c8:0e:9d:08:71:30:3d:16:
+ 8d:24:46:e6:74:39:ad:74:59:fc:dc:18:bd:cb:49:47:cd:65:
+ e3:59:03:4e:83:6a:8c:12:23:27:71:53:87:3c:fc:84:7c:8c:
+ bf:f0:c2:87:77:21:fd:7d:87:8f:b8:9b:fb:52:0f:7e:81:c5:
+ 93:e9:83:ff:a7:be:cb:8e:b0:1d:64:b9:bb:40:68:97:dc:38:
+ 54:13:30:6b:71:58:9e:21:60:2a:b0:26:9e:88:ae:a3:66:eb:
+ e5:f0:5b:80:7f:fb:df:6e:a5:27:b4:1b:fc:7e:26:04:b2:b3:
+ fd:cd:e2:c3:83:c5:f8:a4:31:b2:97:34:e2:d2:5d:bd:0f:a9:
+ 0c:4b:53:52:25:d5:13:4c:dc:06:2a:76:10:98:0f:54:ad:2c:
+ cc:ee:47:ea:0b:57:6d:fc:a8:4e:a0:eb:d4:32:9a:0f:8c:7d:
+ 24:3d:f2:29
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRV
+YnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0B
+CQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0
+NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJl
+IEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxA
+bGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TB
+xYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCT
+oVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxst
+lzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpi
+CKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VM
+cPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7f
+nf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYY
+eWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwY
+vctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+
+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz
+/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr
+1DKaD4x9JD3yKQ==
+-----END CERTIFICATE-----
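Review bot: Nothing visible in this commit says which of the two vendor certificates is enrolled as PK/KEK1 in the shipped OVMF_VARS_4M.ms.fd template; the image README only says "distribution-specific PK and KEK1 keys". This file is an X.509 v1 certificate with no extensions and no O= field, while the Debian file carries Basic Constraints CA:TRUE and key identifiers, so the two are not structurally equivalent inputs. A line in the key README naming the enrolled file, for example `The .ms.fd templates enroll <vendor certificate file> as PK/KEK1`, would let an auditor match a guest's platform key against a file in the source package.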
--- /dev/null
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIs4RXCLmGLJgCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHer6014IEhGBIIEyO8O2zL8CJwV
+auQpWLJsMMWxu2aSh1WadX9+rg+O61mukuS4rQSH5shMQ2krZZKzyXx0q8+2AySD
+EtDXwhLvep60gUxOoNqK1+l3AxSFfIGOY8NC6yW67VX+G09ajWpgHj3ox63VRW8v
+6mA8TFWYbOIwB8J7ScF4NszVwyiUnW13oKi7svoBM3LYYG2IMvre+gOvyMGfM8uv
+X3txcYqAjhRV6n7vGo9LRLIIRSPKzaJbm/W7nT38LRUJP8JMSQUOPKgeEwQvOTVZ
++1kd7WeaGZrjagTDM4yhBjpOmB3D8aeT6xkjBlUwuddPzbdi0N7GrU520RcJMjxt
+JMyOgabHKUKmPTX4m0ZCKi2jSILi7/6fBF+TZDxpakLwAwpTzm6kXArXb6AYtTEX
+GPihB4O69ZgEc90jp3EnZt7HtKZn1HTbPNQAlWgvESgJ7hWHnTlM5Obqnyb78tj5
+VdcOfTSQRYmw4Rh/lSUX0vQLhdmYSVLiMFFvT4IepXZgQ6McIdcvqoVrPgr0HoVz
+5YILZdmbs80VcgYL853lMfQ84kRwUcw8jNyz7mBK7V7rE5QhaF5lunZ/R41ZRXRy
+1ys1rNvLPvtOq/K51+A9U+h5lLM9LjeoOR+IUk2Vg4aIap+Z+lxbImH0gcJTrpem
+ctA/2sBjLN7w811EjB/Tlu2awzbsKLpIDFVGHiGBI2zb41gtPd2RkijmiZab6nuM
+ETg4ad3GscMoa++01oX/lrnVe386ECSjurmThb7I01eTNZrBlNsLyBeFzlEIEoBR
+TqUXHLiDACxzL6U4vWzdnvVrCOW9fwvJJqChj7Wy822w2LXxVhOryNujBmZCmOht
+mgDaJ15QiF+DACcX6VoBbm/462z+9Skxa0DqGwGzMOD5HldwvQSyZSykk/BzGFWP
+rXfLYoMjN+dgA/yNfem64ayGsmoPUAjnsE4YasD58UVO0XwwtdMGJSOVmkdyWMcM
+t+lN74kX/gmIvciK06N6prBfowgBEIJ6ev2dzlydSN8rGORmQ+OFzjP14rT0O+1Q
+O48yR2ZZ9jl4YPUKSFJ3EUc/Qt9vO+chNiNYSy6TABGXur0WWiDvGURG9K5fWTqq
+U2KydSRoYD5iF0caOgMZecNhZV+4CX927j3XuuKKx49qTAt3WMtmJ/UQFHMtQ833
+XDFWHpEKDImfHfyiB1f8bOmqYmPuE6Shup0UMJsMFel4QVJM0Jn9+wHw/0qqPiS3
+a769S/u9U2dfyZY5PfymY8UjFRMDtLaUoJSRaGp6RNc6LynuMMKdzho0GwvL3+m9
+xKLDbbks8hVdmtcxxDKiio+F0hp3yc/2PyA/VGAlARiGp7876WTCZox9Bwnf6lkS
+k9eYLSabe/r3Ag1SbWEGpFk3VO37qCyfp2xTfrHXK1ZJlvFwj3FFSprUaMrV+81K
+FCEcSozXpVsQ7e7d11A7S8rTbtp09Q/J2oxyR0A9lk/ia5Qd/xwbPl4QJcWK2Jar
+K3yFK8VrUNib7CjI1kdB479KIllD8oK6druBkzwGzFxDtcl47RlfkqW96XSQT7x/
+h/YKSLcpMx9x9TJd2GDKj2t4oE9eGTBC0YbdH+HJNSrjEsWkjgY6Uw++S6VzKvQZ
+DDsMJfxwcChc2zKRou+BFA==
+-----END ENCRYPTED PRIVATE KEY-----
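Review bot: This private key is a published test credential (the image README in this commit gives its password as 'snakeoil'), yet neither this file nor the snakeoil certificate in the next file section says so. The two vendor certificates in this commit already carry human-readable text ahead of the PEM armor. A header line such as `Test-only key: passphrase is public, never enroll outside the OVMF_*snakeoil* images` would follow that pattern, assuming the signing tools used with it skip text outside the armor as OpenSSL's PEM reader does. A variable store with this key in PK, KEK and DB accepts a binary signed by anyone who downloads the package, so it is also worth confirming in the install rules (not visible here) that no snakeoil image is installed under a default or generic name.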
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG
+b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY
+DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
+ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ
+boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1
+wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx
++L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy
+I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u
+Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB
+AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW
+gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE
+sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac
+HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS
+JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M
+3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h
+pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY
+-----END CERTIFICATE-----
--- /dev/null
+Background on these keys is described below:
+
+On 09/30/14 20:00, Peter Jones wrote:
+> We should generate a special key that's not in our normal signing chains
+> for PK and KEK. The reason for this is that [in practice] PK gets
+> treated as part of DB (*).
+>
+> [Shipping a key in our normal signing chains] as PK means you can run
+> grub directly, in which case it won't have access to the shim protocol.
+> When grub is run without the shim protocol registered, it assumes SB is
+> disabled and boots without verifying the kernel. We don't want that to
+> be a thing you can do, but allowing that is the inevitable result of
+> shipping with any of our normal signing chain in PK or KEK.
+>
+> (* USRT has actually agreed that since you can escalate to this behavior
+> if you have the secret half of a key in KEK or PK anyway, and many
+> vendors had already shipped it this way, that it is fine and I think
+> even *expected* at this point, even though it wasn't formally in the
+> UEFI 2.3.1 Spec that introduced Secure Boot. I'll try and make sure the
+> language reflects that in an upcoming spec revision.)
+>
+> So let me get SRT to issue a special key to use for PK and KEK. We can
+> use it just for those operations, and make sure it's protected with the
+> same processes and controls as our other signing keys.
+
+---
+
+We include Debian and Ubuntu keys generated in this manner - i.e.,
+not in our normal signing chains, and where the public key was not saved.
+The Debian key was generated using the following command, taken from
+commit be9470b3c9 "OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type
+11 SMBIOS table":
+
+openssl req -x509 -newkey rsa:2048 -outform PEM \
+ -keyout /dev/null -out PkKek1.pem
--- /dev/null
+The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
+intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable
+template images which are intended to be read-write, and therefore each
+guest should be given its own copy. Here's an overview of each of them:
+
+OVMF_CODE_4M.fd
+ Use this for booting guests in non-Secure Boot mode. While this image
+ technically supports Secure Boot, it does so without requiring SMM
+ support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
+ with this.
+
+OVMF_CODE_4M.secboot.fd
+ Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM.
+ Use this for guests for which you may enable Secure Boot. If you specify
+ this image, you'll get a guest that is Secure Boot-*capable*, but has
+ Secure Boot disabled. To enable it, you'll need to manually import
+ PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu.
+
+OVMF_VARS_4M.fd
+ This is an empty variable store template, which means it has no
+ built-in Secure Boot keys and Secure Boot is disabled. You can use
+ it with any OVMF_CODE image, but keep in mind that if you want to
+ boot in Secure Boot mode, you will have to enable it manually.
+
+OVMF_VARS_4M.ms.fd
+ This template has distribution-specific PK and KEK1 keys, and
+ the default Microsoft keys in KEK/DB. It also has Secure Boot
+ already activated. Using this with OVMF_CODE.ms.fd will boot a
+ guest directly in Secure Boot mode.
+
+OVMF32_CODE_4M.secboot.fd
+OVMF32_VARS_4M.fd
+ These images are the same as their "OVMF" variants, but for 32-bit guests.
+
+OVMF_CODE.fd
+OVMF_CODE.ms.fd
+OVMF_CODE.secboot.fd
+OVMF_VARS.fd
+OVMF_VARS.ms.fd
+ These images are the same as their "4M" variants, but for use with guests
+ using a 2MB flash device. 2MB flash is no longer considered sufficient for
+ use with Secure Boot. This is provided only for backwards compatibility.
+
+OVMF_CODE_4M.snakeoil.fd
+OVMF_VARS_4M.snakeoil.fd
+ This image is **for testing purposes only**. It includes an insecure
+ "snakeoil" key in PK, KEK & DB. The private key and cert are also
+ shipped in this package as well, so that testers can easily sign
+ binaries that will be considered valid.
+
+PkKek-1-snakeoil.key
+PkKek-1-snakeoil.pem
+ The private key and certificate for the snakeoil key. Use these
+ to sign binaries that can be verified by the key in the
+ OVMF_VARS.snakeoil.fd template. The password for the key is
+ 'snakeoil'.
+
+ -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600
--- /dev/null
+ArmPkg/Library/GccLto/liblto-aarch64.a
+ArmPkg/Library/GccLto/liblto-arm.a
+BaseTools/Bin/CYGWIN_NT-5.1-i686/BootSectImage
+BaseTools/Bin/CYGWIN_NT-5.1-i686/BuildEnv
+BaseTools/Bin/CYGWIN_NT-5.1-i686/Ecc
+BaseTools/Bin/CYGWIN_NT-5.1-i686/EfiLdrImage
+BaseTools/Bin/CYGWIN_NT-5.1-i686/EfiRom
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenCrc32
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenDepex
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFds
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFfs
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFv
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFw
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenPage
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenSec
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GenVtf
+BaseTools/Bin/CYGWIN_NT-5.1-i686/GnuGenBootSector
+BaseTools/Bin/CYGWIN_NT-5.1-i686/LzmaCompress
+BaseTools/Bin/CYGWIN_NT-5.1-i686/LzmaF86Compress
+BaseTools/Bin/CYGWIN_NT-5.1-i686/RunBinToolFromBuildDir
+BaseTools/Bin/CYGWIN_NT-5.1-i686/RunToolFromSource
+BaseTools/Bin/CYGWIN_NT-5.1-i686/Split
+BaseTools/Bin/CYGWIN_NT-5.1-i686/TargetTool
+BaseTools/Bin/CYGWIN_NT-5.1-i686/TianoCompress
+BaseTools/Bin/CYGWIN_NT-5.1-i686/Trim
+BaseTools/Bin/CYGWIN_NT-5.1-i686/VfrCompile
+BaseTools/Bin/CYGWIN_NT-5.1-i686/VolInfo
+BaseTools/Bin/CYGWIN_NT-5.1-i686/build
+BaseTools/Bin/Darwin-i386/Arm/DEBUG_XCODE31/CompilerIntrinsicsLib.lib
+BaseTools/Bin/Darwin-i386/Arm/DEBUG_XCODE32/CompilerIntrinsicsLib.lib
+BaseTools/Bin/Darwin-i386/Arm/RELEASE_XCODE31/CompilerIntrinsicsLib.lib
+BaseTools/Bin/Darwin-i386/Arm/RELEASE_XCODE32/CompilerIntrinsicsLib.lib
+BaseTools/Source/Python/Eot/EfiCompressor.pyd
+BaseTools/Source/Python/Eot/LzmaCompressor.pyd
+IntelFsp2Pkg/FspSecCore/Vtf0/Bin/ResetVec.ia32.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.port80.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.serial.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.port80.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.raw
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.serial.raw
--- /dev/null
+.gitmodules
+AppPkg/Applications/Python/Python-2.7.2/Demo/comparisons/patterns
+AppPkg/Applications/Python/Python-2.7.2/Demo/md5test/foo
+AppPkg/Applications/Python/Python-2.7.2/Demo/parser/FILES
+AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rcsbump
+AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rcvs
+AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rrcs
+AppPkg/Applications/Python/Python-2.7.2/Demo/scripts/newslist.doc
+AppPkg/Applications/Python/Python-2.7.2/Grammar/Grammar
+AppPkg/Applications/Python/Python-2.7.2/Lib/distutils/command/command_template
+AppPkg/Applications/Python/Python-2.7.2/Lib/distutils/tests/Setup.sample
+AppPkg/Applications/Python/Python-2.7.2/Lib/email/test/data/audiotest.au
+AppPkg/Applications/Python/Python-2.7.2/Lib/pdb.doc
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/185test.db
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/Sine-1000Hz-300ms.aif
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/audiotest.au
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/check_soundcard.vbs
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/empty.vbs
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/greyrgb.uue
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv2_32.pck
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv2_64.pck
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv3.pck
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/testimg.uue
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/testimgr.uue
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/testrgb.uue
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/testtar.tar
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/xmltestdata/test.xml.out
+AppPkg/Applications/Python/Python-2.7.2/Lib/test/zipdir.zip
+AppPkg/Applications/Python/Python-2.7.2/Lib/wsgiref.egg-info
+AppPkg/Applications/Python/Python-2.7.2/Modules/zlib/make_vms.com
+AppPkg/Applications/Python/Python-2.7.2/Parser/Python.asdl
+AppPkg/Applications/Python/Python-2.7.2/Tools/compiler/ACKS
+AppPkg/Applications/Python/Python-2.7.2/Tools/msi/msisupport.mak
+AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/2to3
+AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/dutree.doc
+AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/idle
+AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/pydoc
+AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/pydocgui.pyw
+AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/CP1140.TXT
+AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/KOI8-U.TXT
+AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/TIS-620.TXT
+AppPkg/Applications/Python/Python-2.7.2/Tools/world/world
+ArmPkg/Library/ArmSoftFloatLib/bits32/softfloat-macros
+ArmPkg/Library/ArmSoftFloatLib/softfloat-specialize
+BaseTools/BinWrappers/PosixLike/BPDG
+BaseTools/BinWrappers/PosixLike/BootSectImage
+BaseTools/BinWrappers/PosixLike/Brotli
+BaseTools/BinWrappers/PosixLike/BrotliCompress
+BaseTools/BinWrappers/PosixLike/DevicePath
+BaseTools/BinWrappers/PosixLike/Ecc
+BaseTools/BinWrappers/PosixLike/EfiLdrImage
+BaseTools/BinWrappers/PosixLike/EfiRom
+BaseTools/BinWrappers/PosixLike/GenerateCapsule
+BaseTools/BinWrappers/PosixLike/GenCrc32
+BaseTools/BinWrappers/PosixLike/GenDepex
+BaseTools/BinWrappers/PosixLike/GenFds
+BaseTools/BinWrappers/PosixLike/GenFfs
+BaseTools/BinWrappers/PosixLike/GenFv
+BaseTools/BinWrappers/PosixLike/GenFw
+BaseTools/BinWrappers/PosixLike/GenPage
+BaseTools/BinWrappers/PosixLike/GenPatchPcdTable
+BaseTools/BinWrappers/PosixLike/GenSec
+BaseTools/BinWrappers/PosixLike/GenVtf
+BaseTools/BinWrappers/PosixLike/GnuGenBootSector
+BaseTools/BinWrappers/PosixLike/LzmaCompress
+BaseTools/BinWrappers/PosixLike/LzmaF86Compress
+BaseTools/BinWrappers/PosixLike/PatchPcdValue
+BaseTools/BinWrappers/PosixLike/Pkcs7Sign
+BaseTools/BinWrappers/PosixLike/Rsa2048Sha256GenerateKeys
+BaseTools/BinWrappers/PosixLike/Rsa2048Sha256Sign
+BaseTools/BinWrappers/PosixLike/Split
+BaseTools/BinWrappers/PosixLike/TargetTool
+BaseTools/BinWrappers/PosixLike/TianoCompress
+BaseTools/BinWrappers/PosixLike/Trim
+BaseTools/BinWrappers/PosixLike/UPT
+BaseTools/BinWrappers/PosixLike/VfrCompile
+BaseTools/BinWrappers/PosixLike/VolInfo
+BaseTools/BinWrappers/PosixLike/build
+BaseTools/BuildEnv
+BaseTools/Conf/XMLSchema/DistributionPackage.xsd
+BaseTools/Scripts/PackageDocumentTools/packagedocapp.pyw
+BaseTools/Source/C/Makefiles/ms.app
+BaseTools/Source/C/Makefiles/ms.common
+BaseTools/Source/C/Makefiles/ms.lib
+BaseTools/Source/C/Makefiles/ms.rule
+BaseTools/Source/C/VfrCompile/Pccts/MPW_Read_Me
+BaseTools/Source/C/VfrCompile/Pccts/NOTES.bcc
+BaseTools/Source/C/VfrCompile/Pccts/NOTES.msvc
+BaseTools/Source/C/VfrCompile/Pccts/RIGHTS
+BaseTools/Source/Python/Ecc/CParser4/C.g4
+BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer
+BaseTools/Source/Python/Rsa2048Sha256Sign/TestSigningPublicKey.bin
+BeagleBoardPkg/ConfigurationHeader.dat
+EmulatorPkg/Unix/.gdbinit
+EmulatorPkg/Unix/GdbRun
+EmulatorPkg/Unix/Host/X11IncludeHack
+EmulatorPkg/Unix/lldbinit
+EmulatorPkg/Win/VS2017/Win.vcxproj
+EmulatorPkg/Win/VS2017/Win.vcxproj.filters
+EmulatorPkg/Win/VS2017/Win.vcxproj.user
+IntelFspWrapperPkg/FspWrapperSecCore/Vtf0/Bin/ResetVec.ia32.raw
+StandaloneMmPkg
+StdLib/Efi/StdLib/etc/host.conf
+StdLib/Efi/StdLib/etc/hosts
+StdLib/Efi/StdLib/etc/networks
+StdLib/Efi/StdLib/etc/protocols
+StdLib/Efi/StdLib/etc/resolv.conf
+StdLib/Efi/StdLib/etc/services
+StdLib/LibC/Softfloat/bits32/softfloat-macros
+StdLib/LibC/Softfloat/bits64/softfloat-macros
+StdLib/LibC/Softfloat/softfloat-specialize
+StdLib/LibC/Softfloat/templates/softfloat-specialize
+.pc-post
+ArmPkg/Library/GccLto/liblto-*.a
+Build/
+CryptoPkg/Include/openssl/*.h
+Conf/.cache/
+Conf/.AutoGenIdFile.txt
Conf/BuildEnv.sh
Conf/build_rule.txt
Conf/target.txt
Conf/tools_def.txt
+EdkShellBinPkg/FullShell/X64/Shell_Full.efi
+FatBinPkg/EnhancedFatDxe/X64/Fat.efi
+UefiCpuPkg/ResetVector/Vtf0/Bin/*.raw
+debian/PkKek-1-vendor.pem
+debian/oem-string-snakeoil
+debian/oem-string-vendor
+debian/ovmf-install/
+debian/ovmf32-install/
+debian/python/UEFI/__pycache__/
+debian/setup-build-stamp
Priority: optional
Maintainer: Proxmox Support Team <support@proxmox.com>
Build-Depends: bc,
- debhelper (>= 12),
- gcc-aarch64-linux-gnu,
- iasl,
- nasm,
- python3,
- python3-distutils,
- uuid-dev,
+ debhelper-compat (= 12),
+ dosfstools,
+ dpkg (>= 1.19.3),
+ gcc-aarch64-linux-gnu,
+ gcc-multilib [i386],
+ iasl,
+ mtools,
+ nasm,
+ python3,
+ python3-distutils,
+ python3-pexpect,
+ qemu-utils,
+ pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
+ uuid-dev,
+ xorriso,
+Standards-Version: 4.5.0
Homepage: http://www.tianocore.org
-Standards-Version: 4.1.3
+XS-Build-Indep-Architecture: amd64
Package: pve-edk2-firmware
Architecture: all
-Depends: ${misc:Depends},
-Description: edk2 based firmware modules for virtual machines
- Contains OVMF and AAVMF. Open Virtual Machine Firmware (OVMF) is a build of
- EDK II for virtual machines. It includes full support for UEFI, including
+Depends: ${misc:Depends}
+Multi-Arch: foreign
+Description: edk2 based UEFI firmware modules for virtual machines
+ Open Virtual Machine Firmware is a build of EDK II for 64-bit, 32-bit x86
+ and 64-bit ARM virtual machines. It includes full support for UEFI, including
Secure Boot, allowing use of UEFI in place of a traditional BIOS in your VM.
- AAVMF offers the same for AARCH64 (ARM64) based VMs.
- Proxmox VE specific release with disabled secure boot.
-Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved
-Copyright (c) 2008 - 2010, Apple Inc. All rights reserved.
-Copyright (c) 2011 - 2015, ARM Limited. All rights reserved.
-Copyright (c) 2014 - 2015, Linaro Limited. All rights reserved.
-Copyright (c) 2013 - 2015, Red Hat, Inc.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-* Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-* Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: edk2
+Source: git://github.com/tianocore/edk2.git, http://www.openssl.org/source/,
+ with .efi binary files removed from the source at package generation time.
+ See get-orig-source in debian/rules for details.
+
+Files: *
+Copyright: 1999-2013, Intel Corporation
+License: BSD-2-clause
+
+Files: StdLib/PosixLib/Stringlist/stringlist.c StdLib/PosixLib/Gen/dirname.c
+ StdLib/LibC/Time/strptime.c StdLib/LibC/Locale/aliasname_local.h
+ StdLib/LibC/Locale/wcsxfrm.c StdLib/LibC/Locale/wcstold.c
+ StdLib/LibC/Locale/__mb_cur_max.c StdLib/LibC/Locale/_wcstod.h
+ StdLib/LibC/Locale/aliasname.c StdLib/LibC/Locale/__wctoint.h
+ StdLib/LibC/Locale/wcsftime.c StdLib/LibC/Locale/wcscoll.c
+ StdLib/LibC/Locale/wcstof.c StdLib/LibC/Locale/wcstod.c
+ StdLib/LibC/Locale/wcstoul.c StdLib/LibC/Locale/setlocale32.c
+ StdLib/LibC/Math/* StdLib/LibC/gdtoa/* StdLib/LibC/StdLib/setprogname.c
+ StdLib/Include/strings.h StdLib/Include/Ipf/* StdLib/Include/nsswitch.h
+ StdLib/Include/stringlist.h StdLib/BsdSocketLib/getnetnamadr.c
+ StdLib/BsdSocketLib/getnetbynis.c StdLib/BsdSocketLib/gethostnamadr.c
+ StdLib/BsdSocketLib/gethostbynis.c
+Copyright: 1993, Sun Microsystems, Inc.
+ 1994, Garrett Wollman
+ 1994-2008, The NetBSD Foundation, Inc.
+ 1994-1996, Carnegie-Mellon University
+ 1996-1997 John D. Polstra
+ 1998-2000, Lucent Technologies
+ 1998-2001, Doug Rabson
+ 1999-2006, Citrus Project
+ 1999-2012, Intel Corporation
+ 2002, YAMAMOTO Takashi
+ 2002, Tim J. Robbins
+ 2002-2004, Marcel Moolenaar
+ 2003, David Schultz <das@FreeBSD.ORG>
+License: BSD-2-clause
+
+Files: OptionRomPkg/Bus/Usb/FtdiUsbSerialDxe/FtdiUsbSerialDriver.*
+Copyright: 2004-2013, Intel Corporation
+ 2012, Ashley DeSimone
+License: BSD-2-clause
+
+Files: OvmfPkg/*
+Copyright: 2004-2013, Intel Corporation
+ 2008-2009, Apple Inc.
+ 2011, Andrei Warkentin <andreiw@motorola.com>
+ 2011-2012, Bei Guan <gbtju85@gmail.com>
+ 2012-2013, Red Hat, Inc
+ 2013, ARM Ltd.
+License: BSD-2-clause
+
+Files: BaseTools/Source/C/GenFw/elf*.h
+ BaseTools/Source/Python/sitecustomize.py DuetPkg/build*.sh
+ EmulatorPkg/* MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c
+ MdeModulePkg/Library/PeiDebugPrintHobLib/PeiDebugPrintHobLib.c
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+ MdePkg/Include/* MdePkg/Library/*
+Copyright: 1996-1998 John D. Polstra
+ 2004-2013, Intel Corporation
+ 2006, Tristan Gingold
+ 2008-2012, Apple Inc.
+ 2011-2013, ARM Limited
+ 2013, Red Hat, Inc.
+License: BSD-2-clause
+
+Files: ArmPkg/* ArmPlatformPkg/* BaseTools/Source/C/Common/*PeCoff*.c
+ BaseTools/Source/C/GenFv/GenFvInternalLib.c
+ BaseTools/Source/C/GenFw/Elf64Convert.c
+ BaseTools/Source/C/Include/AArch64/*
+ BaseTools/Source/C/Include/Arm/*
+ BaseTools/Source/C/Include/IndustryStandard/PeImage.h
+ BeagleBoardPkg/* EmbeddedPkg/* Omap35xxPkg/*
+Copyright: 2011-2013, ARM Limited
+ 2008-2010, Apple Inc.
+ 2004-2013, Intel Corporation
+ 2009, Hewlett-Packard Company
+ 2011, Hewlett-Packard Corporation
+ 2003-2008 University of Illinois at Urbana-Champaign
+License: BSD-2-clause
+
+Files: ShellPkg/Application/Shell/* ShellPkg/Library/*
+Copyright: 1999-2013, Intel Corporation
+ 2013, Hewlett-Packard Development Company, L.P.
+License: BSD-2-clause
+
+Files: ArmPkg/Library/CompilerIntrinsicsLib/AArch64/memcpy.S
+ ArmPlatformPkg/ArmVExpressPkg/Scripts/uefi-aarch64-bootstrap/*
+ EdkCompatibilityPkg/*
+ StdLibPrivateInternalFiles/Include/kfile.h StdLib/PosixLib/Glob/glob.c
+ StdLib/PosixLib/Gen/readdir.c StdLib/PosixLib/Gen/utime.c
+ StdLib/PosixLib/Gen/opendir.c StdLib/PosixLib/Gen/closedir.c
+ StdLib/LibC/Time/gettimeofday.c StdLib/LibC/Locale/_wcstol.h
+ StdLib/LibC/Locale/rune.h StdLib/LibC/Locale/setlocale.c
+ StdLib/LibC/Locale/iswctype_sb.c StdLib/LibC/Locale/_wcstoul.h
+ StdLib/LibC/Locale/multibyte_sb.c StdLib/LibC/Locale/runetype.h
+ StdLib/LibC/String/strncasecmp.c StdLib/LibC/Main/is*.c
+ StdLib/LibC/Main/*/is*.c StdLib/LibC/NetUtil/inet_*.c
+ StdLib/LibC/Stdio/* StdLib/LibC/StdLib/* StdLib/Include/netatalk/*
+ StdLib/Include/glob.h StdLib/Include/Ipf/machine/limits.h
+ StdLib/Include/Ipf/machine/int_types.h
+ StdLib/Include/Ipf/machine/param.h StdLib/Include/Ipf/machine/stdarg.h
+ StdLib/Include/Ipf/machine/types.h StdLib/Include/Ipf/machine/varargs.h
+ StdLib/Include/Ipf/machine/vmparam.h StdLib/Include/Ipf/machine/ansi.h
+ StdLib/Include/Ipf/machine/aout_machdep.h StdLib/Include/netinet6/in6.h
+ StdLib/Include/pwd.h StdLib/Include/locale.h StdLib/Include/dirent.h
+ StdLib/Include/arpa/nameser.h StdLib/Include/arpa/inet.h
+ StdLib/Include/utime.h StdLib/Include/netinet/in.h
+ StdLib/Include/netinet/tcp.h StdLib/Include/X64/machine/atomic.h
+ StdLib/Include/X64/machine/asm.h StdLib/Include/X64/machine/int_types.h
+ StdLib/Include/X64/machine/types.h StdLib/Include/X64/machine/ansi.h
+ StdLib/Include/paths.h StdLib/Include/netdb.h
+ StdLib/Include/Ia32/machine/asm.h StdLib/Include/Ia32/machine/int_types.h
+ StdLib/Include/Ia32/machine/param.h StdLib/Include/Ia32/machine/types.h
+ StdLib/Include/Ia32/machine/ansi.h StdLib/BsdSocketLib/getaddrinfo.c
+ StdLib/BsdSocketLib/getnameinfo.c
+Copyright: 1982-2013, Intel Corporation
+ 1982-1994, The Regents of the University of California
+ 1990-1991, Regents of The University of Michigan
+ 1993-1994, Digital Equipment Corporation
+ 1995, Jason Downs
+ 1995-1997, Kungliga Tekniska Hogskolan
+ 1995-1998, WIDE Project
+ 1996-1999, Internet Software Consortium
+ 1997, Todd C. Miller <Todd.Miller@courtesan.com>
+ 2002, Wasabi Systems, Inc
+ 2004, Internet Systems Consortium, Inc.
+ 2010-2012, Intel Corporation
+ 2011-2013, ARM Limited
+License: BSD-3-clause
+
+Files: StdLibPrivateInternalFiles/Include/namespace.h
+ StdLibPrivateInternalFiles/Include/reentrant.h
+ StdLibPrivateInternalFiles/Include/extern.h
+ StdLib/PosixLib/Err/warn_err.c StdLib/LibC/Time/timegm.c
+ StdLib/LibC/Time/strftime.c StdLib/LibC/Locale/ctypeio.*
+ StdLib/LibC/String/strsep.c StdLib/LibC/gdtoa/_strtold.c
+ StdLib/LibC/gdtoa/_strtof.c StdLib/LibC/Main/Arm/flt_rounds.c
+ StdLib/LibC/Uefi/writev.c StdLib/LibC/Uefi/select.c
+ StdLib/LibC/Uefi/compat.c StdLib/LibC/NetUtil/inet_addr.c
+ StdLib/LibC/Stdio/fparseln.c StdLib/LibC/Stdio/vswscanf.c
+ StdLib/LibC/Stdio/vfwscanf.c StdLib/LibC/Stdio/flockfile.c
+ StdLib/Include/sys/* StdLib/Include/x86/ieee.h
+ StdLib/Include/sysexits StdLib/Include/Ipf/machine/loadfile_machdep.h
+ StdLib/Include/Ipf/machine/cpu_counter.h
+ StdLib/Include/Ipf/machine/pmap.h
+ StdLib/Include/Ipf/machine/wchar_limits.h
+ StdLib/Include/Ipf/machine/cpu.h StdLib/Include/Ipf/machine/disklabel.h
+ StdLib/Include/Ipf/machine/ptrace.h StdLib/Include/Ipf/machine/setjmp.h
+ StdLib/Include/Ipf/machine/int_limits.h StdLib/Include/nl_types.h
+ StdLib/Include/Arm/machine/* StdLib/Include/net/*
+ StdLib/Include/inttypes.h StdLib/Include/arpa/telnet.h
+ StdLib/Include/arpa/nameser_compat.h StdLib/Include/arpa/ftp.h
+ StdLib/Include/netinet/ip.h StdLib/Include/netinet/in_systm.h
+ StdLib/Include/*/machine/int_mwgwtypes.h
+ StdLib/Include/*/machine/int_const.h
+ StdLib/Include/X64/machine/byte_swap.h
+ StdLib/Include/*/machine/int_fmtio.h
+ StdLib/Include/X64/machine/int_limits.h StdLib/Include/resolv.h
+ StdLib/Include/netns/ns.h StdLib/Include/Ia32/machine/byte_swap.h
+ StdLib/Include/Ia32/machine/int_limits.h StdLib/BsdSocketLib/map_v4v6.c
+ StdLib/BsdSocketLib/inet_net_pton.c StdLib/BsdSocketLib/res_*.c
+ StdLib/BsdSocketLib/sethostname.c StdLib/BsdSocketLib/ns_*.c
+ StdLib/BsdSocketLib/getnetbyht.c StdLib/BsdSocketLib/getproto.c
+ StdLib/BsdSocketLib/gethostname.c StdLib/BsdSocketLib/gethostbydns.c
+ StdLib/BsdSocketLib/herror.c StdLib/BsdSocketLib/getprotoname.c
+ StdLib/BsdSocketLib/inet_neta.c StdLib/BsdSocketLib/getservbyport.c
+ StdLib/BsdSocketLib/inet_pton.c StdLib/BsdSocketLib/getservent.c
+ StdLib/BsdSocketLib/gethostbyht.c StdLib/BsdSocketLib/getservbyname.c
+ StdLib/BsdSocketLib/getnetbydns.c StdLib/BsdSocketLib/getprotoent.c
+Copyright: 1983-1993, Digital Equipment Corporation
+ 1982-1994, Regents of the University of California
+ 1988, University of Utah
+ 1993, Carlos Leandro and Rui Salgueiro
+ 1994, Christopher G. Demetriou
+ 1994, Winning Strategies, Inc
+ 1994-1997, Mark Brinicombe
+ 1996, Internet Software Consortium
+ 1996-1997, Christos Zoulas
+ 1997-2006, The NetBSD Foundation, Inc
+ 1998 HD Associates, Inc
+ 2000-2001, Artur Grabowski <art@openbsd.org>
+ 1999-2012, Intel Corporation
+License: BSD-4-clause
+
+Files: StdLib/LibC/Stdio/fileext.h StdLib/LibC/Stdio/wscanf.c
+ StdLib/LibC/Stdio/vwscanf.c StdLib/LibC/Stdio/*wc.c
+ StdLib/LibC/Stdio/*wchar.c StdLib/LibC/Stdio/fgetws.c
+ StdLib/LibC/Stdio/swscanf.c StdLib/LibC/Stdio/wcio.h
+ StdLib/LibC/Stdio/fwide.c StdLib/LibC/Stdio/fwscanf.c
+ StdLib/LibC/Stdio/wprintf.c StdLib/LibC/Stdio/swprintf.c
+ StdLib/LibC/Stdio/fputws.c StdLib/LibC/Stdio/vwprintf.c
+ StdLib/LibC/Stdio/fwprintf.c
+Copyright: 2001, Citrus Project
+ 2002, Tim J. Robbins
+ 2010-2012, Intel Corporation
+License: BSD-2-clause
+
+Files: StdLib/LibC/String/strlcat.c StdLib/LibC/String/strlcpy.c
+ StdLib/LibC/NetUtil/inet_ntop.c StdLib/BsdSocketLib/base64.c
+ StdLib/BsdSocketLib/inet_net_ntop.c StdLib/BsdSocketLib/res_data.c
+ StdLib/BsdSocketLib/ns_netint.c StdLib/BsdSocketLib/nsap_addr.c
+Copyright: 1998, Todd C. Miller <Todd.Miller@courtesan.com>
+ 1996-1999, Internet Software Consortium
+ 1995-2000, International Business Machines, Inc
+ 2004, Internet Systems Consortium, Inc.
+ 2011, Intel Corporation
+License: ISC
+
+Files: CryptoPkg/Library/OpensslLib/openssl-0.9.8w/*
+Copyright: 1998-2004 The OpenSSL Project
+ 1995-1998 Eric A. Young, Tim J. Hudson
+License: OpenSSL
+
+Files: debian/tests/shell.py
+Copyright: 2019 Canonical Ltd.
+License: GPL-3
+
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ . Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ . Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ . Neither the name of the Intel Corporation nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+
+License: BSD-4-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by the NetBSD
+ Foundation, Inc. and its contributors.
+ 4. Neither the name of The NetBSD Foundation nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+License: GPL-3
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 3, as
+ published by the Free Software Foundation.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian and Debian-based systems, the full text of the GNU General
+ Public License version 3 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+
+License: OpenSSL
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. All advertising materials mentioning features or use of this
+ software must display the following acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ .
+ 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ endorse or promote products derived from this software without
+ prior written permission. For written permission, please contact
+ openssl-core@openssl.org.
+ .
+ 5. Products derived from this software may not be called "OpenSSL"
+ nor may "OpenSSL" appear in their names without prior written
+ permission of the OpenSSL Project.
+ .
+ 6. Redistributions of any form whatsoever must retain the following
+ acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+ ====================================================================
+ .
+ This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com). This product includes software written by Tim
+ Hudson (tjh@cryptsoft.com).
+ .
+ This library is free for commercial and non-commercial use as long as
+ the following conditions are aheared to. The following conditions
+ apply to all code found in this distribution, be it the RC4, RSA,
+ lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ included with this distribution is covered by the same copyright terms
+ except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ .
+ Copyright remains Eric Young's, and as such any Copyright notices in
+ the code are not to be removed.
+ If this package is used in a product, Eric Young should be given attribution
+ as the author of the parts of the library used.
+ This can be in the form of a textual message at program startup or
+ in documentation (online or textual) provided with the package.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ "This product includes cryptographic software written by
+ Eric Young (eay@cryptsoft.com)"
+ The word 'cryptographic' can be left out if the rouines from the library
+ being used are not cryptographic related :-).
+ 4. If you include any Windows specific code (or a derivative thereof) from
+ the apps directory (application code) you must include an acknowledgement:
+ "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ .
+ THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+ .
+ The licence and distribution terms for any publically available version or
+ derivative of this code cannot be changed. i.e. this code cannot simply be
+ copied and put under another distribution licence
+ [including the GNU Public Licence.]
+
+License: ISC
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ SOFTWARE.
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to
+ deal in the Software without restriction, including without limitation the
+ rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ sell copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
--- /dev/null
+#!/usr/bin/env python3
+#
+# Copyright 2021 Canonical Ltd.
+# Authors:
+# - dann frazier <dann.frazier@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
+# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import argparse
+import os.path
+import pexpect
+import shutil
+import sys
+from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
+from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
+from UEFI import Qemu
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "-f", "--flavor", help="UEFI Flavor",
+ choices=['AAVMF', 'OVMF', 'OVMF_4M'],
+ required=True,
+ )
+ parser.add_argument(
+ "-e", "--enrolldefaultkeys",
+ help='Path to "EnrollDefaultKeys" EFI binary',
+ required=True,
+ )
+ parser.add_argument(
+ "-s", "--shell",
+ help='Path to "Shell" EFI binary',
+ required=True,
+ )
+ parser.add_argument(
+ "-C", "--certificate",
+ help='base64-encoded PK/KEK1 certificate',
+ required=True,
+ )
+ parser.add_argument(
+ "-c", "--code",
+ help='UEFI code image',
+ required=True,
+ )
+ parser.add_argument(
+ "-V", "--vars-template",
+ help='UEFI vars template',
+ required=True,
+ )
+ parser.add_argument(
+ "-o", "--out-file",
+ help="Output file for generated vars template",
+ required=True,
+ )
+ parser.add_argument("-d", "--debug", action="store_true",
+ help="Emit debug messages")
+ args = parser.parse_args()
+
+ FlavorConfig = {
+ 'AAVMF': {
+ 'EfiArch': 'AA64',
+ 'QemuCommand': Qemu.QemuCommand(
+ QemuEfiMachine.AAVMF,
+ code_path=args.code,
+ vars_template_path=args.vars_template,
+ ),
+ },
+ 'OVMF': {
+ 'EfiArch': 'X64',
+ 'QemuCommand': Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.SECBOOT,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ code_path=args.code,
+ vars_template_path=args.vars_template,
+ ),
+ },
+ 'OVMF_4M': {
+ 'EfiArch': 'X64',
+ 'QemuCommand': Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.SECBOOT,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ code_path=args.code,
+ vars_template_path=args.vars_template,
+ ),
+ },
+ }
+
+ eltorito = FatFsImage(64)
+ eltorito.makedirs(os.path.join('EFI', 'BOOT'))
+ removable_media_path = os.path.join(
+ 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
+ )
+ eltorito.insert_file(args.shell, removable_media_path)
+ eltorito.insert_file(
+ args.enrolldefaultkeys,
+ args.enrolldefaultkeys.split(os.path.sep)[-1]
+ )
+ iso = EfiBootableIsoImage(eltorito)
+
+ q = FlavorConfig[args.flavor]['QemuCommand']
+ q.add_disk(iso.path)
+ q.add_oem_string(11, args.certificate)
+
+ child = pexpect.spawn(' '.join(q.command))
+ if args.debug:
+ child.logfile = sys.stdout.buffer
+ child.expect(['Press .* or any other key to continue'], timeout=60)
+ child.sendline('\x1b')
+ child.expect(['Shell> '])
+ child.sendline('FS0:\r')
+ child.expect(['FS0:\\\\> '])
+ child.sendline('EnrollDefaultKeys.efi\r')
+ child.expect(['FS0:\\\\> '])
+ child.sendline('reset -s\r')
+ child.wait()
+ shutil.copy(q.pflash.varfile_path, args.out_file)
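Review bot: Nothing between `child.sendline('EnrollDefaultKeys.efi\r')` and the final `shutil.copy(...)` checks that enrollment succeeded. The script waits only for the next `FS0:\> ` prompt and discards the value of `child.wait()`, so a failed run would still write a vars template to `--out-file` that is named as pre-enrolled but carries no keys. I would inspect `child.before` for an error after the enroll command (what the binary prints on failure is not visible here) and stop on a bad exit, e.g. `if child.wait() != 0: sys.exit(1)`. Separately, the `OVMF_4M` entry passes `flash_size=QemuEfiFlashSize.SIZE_2MB`, identical to `OVMF`. That looks like a copy-paste slip for `SIZE_4MB`, and it makes `QemuCommand` add the 2MB-only `ICH9-LPC.disable_s3=1` workaround.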
--- /dev/null
+#!/usr/bin/env python3
+
+# Use heuristics to identify new files that maybe binaries.
+# Flagged files need to be manually inspected and either added to the
+# whitelist (because they are safe to redistribute), or to the blacklist
+# (so that they'll be removed prior to orig.tar.xz generation).
+
+import os
+import re
+import sys
+
+def nameOK(name):
+ OKPatterns = ['\.gitignore', 'AUTHORS', 'FILE.LST', 'Change[lL]og',
+ 'COPYING', 'configure', 'FAQ', '(GNU)?[Mm]akefile',
+ 'INDEX', 'LICENSE', 'README', 'TODO' ]
+ OKRegexs = map(re.compile, OKPatterns)
+
+ for r in OKRegexs:
+ if r.match(name):
+ return True
+ return False
+
+def extensionOK(name):
+ OKExtensions = [ '1', '3', 'ASL', 'asi', 'asl', 'aslc', 'Asm', 'asm',
+ 'asm16', 'bat', 'bmp', 'c', 'CMM', 'cmm', 'cnf', 'cpp',
+ 'css', 'dec', 'decTest', 'dlg', 'dsc', 'docx', 'dsp',
+ 'dsw', 'el', 'env', 'fdf', 'g', 'gif', 'H', 'h', 'hpp',
+ 'html', 'i', 'idf', 'in', 'inc', 'inf', 'info', 'ini',
+ 'lds', 'log', 'lua', 'mak', 'makefile', 'md', 'nasm',
+ 'nasmb', 'nsh', 'patch', 'pbxuser', 'pbxproj', 'pdf',
+ 'pem', 'pl', 'png', 'pod', 'ps', 'py', 'r', 'rtf', 'S',
+ 's', 'sct', 'sh', 'sln', 't', 'template', 'txt', 'uni',
+ 'Vfr', 'vcproj', 'vfi', 'vfr', 'xml' ]
+ ext = name.split('.')[-1]
+
+ if ext in OKExtensions:
+ return True
+ return False
+
+if __name__ == '__main__':
+ top = './'
+ for root, dirs, files in os.walk(top):
+ with open('./debian/binary-check.whitelist', 'r') as f:
+ whitelist = list(map(lambda s: s.strip(), f.readlines()))
+
+ ret = 0
+ for name in files:
+ relpath = os.path.join(root, name)[len(top):]
+ if relpath in whitelist:
+ continue
+ if nameOK(name):
+ continue
+ if extensionOK(name):
+ continue
+ else:
+ sys.stdout.write("WARNING: Possible binary %s\n" % (os.path.join(root, name)))
+ ret = -1
+ sys.exit(ret)
+
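Review bot: `nameOK()` tests `r.match(name)` against unanchored patterns, so any file whose name merely starts with an allowed word (a constructed example: `README.bin` or `configure.exe`) is accepted before the extension check runs. Since this script is the gate for spotting files that must not be redistributed, `r.fullmatch(name)` is the safer test, at the cost of a few more names to inspect by hand. The patterns should also be raw strings (`r'\.gitignore'`) to avoid the invalid-escape warning. In `__main__`, `ret = 0` appears to sit inside the `os.walk` loop (indentation is flattened on this page), which would reset the status for every directory so that the exit code reflects only the last one visited. Initialise `ret` and read the whitelist once, before the loop.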
--- /dev/null
+[DEFAULT]
+debian-branch = debian
+pristine-tar = True
--- /dev/null
+Description: Do not attempt to compile removed BrotliCompress source
+ BrotliCompress is not currently used, and including an embedded
+ copy of its source could cause false-positives when scanning for
+ security issues. This code is stripped from our orig.tar (at the request
+ of the Ubuntu security team), so we also need to disable the build.
+Author: dann frazier <dannf@debian.org>
+Forwarded: not-needed
+Last-Update: 2019-06-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: edk2/BaseTools/Source/C/GNUmakefile
+===================================================================
+--- edk2.orig/BaseTools/Source/C/GNUmakefile
++++ edk2/BaseTools/Source/C/GNUmakefile
+@@ -48,7 +48,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common\r
+ VFRAUTOGEN = VfrCompile/VfrLexer.h\r
+ APPLICATIONS = \\r
+- BrotliCompress \\r
+ VfrCompile \\r
+ EfiRom \\r
+ GenFfs \\r
--- /dev/null
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+Description: pass -fno-stack-protector to all GCC toolchains
+ The upstream build rules inexplicably pass -fno-stack-protector only
+ when building for i386 and amd64. Add this essential argument to the
+ generic rules for gcc 4.8 and later.
+Last-Updated: 2019-03-14
+Index: edk2/BaseTools/Conf/tools_def.template
+===================================================================
+--- edk2.orig/BaseTools/Conf/tools_def.template
++++ edk2/BaseTools/Conf/tools_def.template
+@@ -1900,7 +1900,7 @@ DEFINE GCC_RISCV64_RC_FLAGS = -I
+ # GCC Build Flag for included header file list generation\r
+ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps\r
+ \r
+-DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings\r
++DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings\r
+ DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20\r
+ DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address\r
+ DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address\r
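Review bot: The patch header gives no reason for switching off a compiler hardening option on every architecture. It calls `-fno-stack-protector` "essential" and the upstream behaviour "inexplicable" without saying what breaks when the flag is absent. I would add a Description line naming the actual failure (presumably the firmware image has no `__stack_chk_fail` runtime to link against; confirm), so a later maintainer can tell when the patch may be dropped. The header field is spelled `Last-Updated`, whereas DEP-3 and the sibling BrotliCompress patch use `Last-Update`, and there is no `Forwarded:` field. The flag is now passed twice for IA32 and X64, which is harmless but could be mentioned.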
--- /dev/null
+no-stack-protector-all-archs.diff
+brotlicompress-disable.diff
-Build/OvmfX64/RELEASE_*GCC*/FV/OVMF_CODE.fd /usr/share/pve-edk2-firmware
-Build/OvmfX64/RELEASE_*GCC*/FV/OVMF_VARS.fd /usr/share/pve-edk2-firmware
+debian/ovmf-install/OVMF_CODE*.fd /usr/share/pve-edk2-firmware
+debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
+debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
+debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
+Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/QEMU_EFI.fd /usr/share/pve-edk2-firmware/aarch64
Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/AAVMF_*.fd /usr/share/pve-edk2-firmware
+debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
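Review bot: The glob `debian/PkKek-1-snakeoil.*` installs every file with that stem into `/usr/share/pve-edk2-firmware`, which presumably includes the private key as well as the certificate (the files themselves are not part of this hunk). That is acceptable for a test key, but anything enrolled from it, such as the `OVMF_VARS_4M.snakeoil.fd` template named in the rules file, gives no Secure Boot assurance because the signing key is public. I would ship a short README next to these files saying so, or list the intended files explicitly instead of using a wildcard.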
--- /dev/null
+#
+# Copyright 2019-2021 Canonical Ltd.
+# Authors:
+# - dann frazier <dann.frazier@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
+# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import shutil
+import subprocess
+import tempfile
+
+
+class FatFsImage:
+ def __init__(self, size_in_mb):
+ with tempfile.NamedTemporaryFile(delete=False) as f:
+ self.path = f.name
+
+ subprocess.check_call(
+ [
+ 'dd', 'if=/dev/zero', 'of=%s' % (self.path),
+ 'count=0', 'bs=1M', 'seek=%d' % (size_in_mb), 'status=none'
+ ]
+ )
+ new_env = os.environ.copy()
+ new_env['PATH'] = f"{os.environ['PATH']}:/sbin"
+ subprocess.check_call(['mkdosfs', '-F', '32', self.path], env=new_env)
+
+ def __del__(self):
+ os.unlink(self.path)
+
+ def mkdir(self, dir):
+ subprocess.run(['mmd', '-i', self.path, dir])
+
+ def makedirs(self, dir):
+ dirs = dir.split(os.path.sep)
+ for dir_idx in range(1, len(dirs)+1):
+ next_dir = os.path.sep.join(dirs[:dir_idx])
+ self.mkdir(next_dir)
+
+ def insert_file(self, src, dest):
+ subprocess.check_call(
+ [
+ 'mcopy', '-i', self.path, src, '::%s' % (dest)
+ ]
+ )
+
+
+class EfiBootableIsoImage:
+ def __init__(self, eltorito_img):
+ with tempfile.TemporaryDirectory() as iso_root:
+ eltorito_iso_root = 'boot'
+ eltorito_iso_path = os.path.join(eltorito_iso_root, 'efi.img')
+ eltorito_local_root = os.path.join(iso_root, eltorito_iso_root)
+ eltorito_local_path = os.path.join(iso_root, eltorito_iso_path)
+
+ os.makedirs(eltorito_local_root)
+ shutil.copyfile(eltorito_img.path, eltorito_local_path)
+
+ with tempfile.NamedTemporaryFile(delete=False) as f:
+ self.path = f.name
+
+ subprocess.check_call(
+ [
+ 'xorriso', '-as', 'mkisofs', '-J', '-l',
+ '-c', 'boot/boot.cat',
+ '-partition_offset', '16', '-append_partition', '2',
+ '0xef', eltorito_local_path,
+ '-e', '--interval:appended_partition_2:all::',
+ '-no-emul-boot', '-o', self.path, iso_root
+ ]
+ )
+
+ def __del__(self):
+ os.unlink(self.path)
+
+
+class GrubShellBootableIsoImage(EfiBootableIsoImage):
+ def __init__(self, efi_arch, use_signed):
+ EfiArchToGrubArch = {
+ 'X64': "x86_64",
+ 'AA64': "arm64",
+ }
+ efi_img = FatFsImage(64)
+ efi_img.makedirs(os.path.join('EFI', 'BOOT'))
+ removable_media_path = os.path.join(
+ 'EFI', 'BOOT', 'BOOT%s.EFI' % (efi_arch.upper())
+ )
+ efi_ext = 'efi'
+ grub_subdir = "%s-efi" % EfiArchToGrubArch[efi_arch.upper()]
+ if use_signed:
+ efi_ext = "%s.signed" % (efi_ext)
+ grub_subdir = "%s-signed" % (grub_subdir)
+
+ shim_src = os.path.join(
+ os.path.sep, 'usr', 'lib', 'shim',
+ 'shim%s.%s' % (efi_arch.lower(), efi_ext)
+ )
+ grub_src = os.path.join(
+ os.path.sep, 'usr', 'lib', 'grub',
+ '%s' % (grub_subdir),
+ "" if use_signed else "monolithic",
+ 'grub%s.%s' % (efi_arch.lower(), efi_ext)
+ )
+ grub_dest = os.path.join(
+ 'EFI', 'BOOT', 'GRUB%s.EFI' % (efi_arch.upper())
+ )
+ efi_img.insert_file(shim_src, removable_media_path)
+ efi_img.insert_file(grub_src, grub_dest)
+ super().__init__(efi_img)
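Review bot: `FatFsImage.mkdir()` calls `subprocess.run(['mmd', ...])` without checking the result, unlike `insert_file()` and the constructors, which use `check_call`. A failed `mmd` is silently ignored and only shows up later as an `mcopy` error on a missing directory. If the intent is to tolerate an already-existing directory, a comment should say so; otherwise use `subprocess.check_call(['mmd', '-i', self.path, dir])`. Both `__del__` methods call `os.unlink(self.path)` unconditionally, which raises `AttributeError` during cleanup when `__init__` failed before `self.path` was assigned; guarding with `getattr(self, 'path', None)` avoids that. The classes have no docstrings; one line each stating that the object owns a temporary image file removed on destruction would help.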
--- /dev/null
+#
+# Copyright 2019-2021 Canonical Ltd.
+# Authors:
+# - dann frazier <dann.frazier@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
+# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import enum
+import os
+import shutil
+import tempfile
+
+
+class QemuEfiMachine(enum.Enum):
+ OVMF_PC = enum.auto()
+ OVMF_Q35 = enum.auto()
+ OVMF32 = enum.auto()
+ AAVMF = enum.auto()
+ AAVMF32 = enum.auto()
+
+
+class QemuEfiVariant(enum.Enum):
+ MS = enum.auto()
+ SECBOOT = enum.auto()
+ SNAKEOIL = enum.auto()
+
+
+class QemuEfiFlashSize(enum.Enum):
+ DEFAULT = enum.auto
+ SIZE_2MB = enum.auto()
+ SIZE_4MB = enum.auto()
+
+
+class QemuCommand:
+ # Based on the args used by ovmf-vars-generator
+ Qemu_Common_Params = [
+ '-no-user-config', '-nodefaults',
+ '-m', '256',
+ '-smp', '2,sockets=2,cores=1,threads=1',
+ '-display', 'none',
+ '-serial', 'stdio',
+ ]
+ Ovmf_Common_Params = Qemu_Common_Params + [
+ '-chardev', 'pty,id=charserial1',
+ '-device', 'isa-serial,chardev=charserial1,id=serial1',
+ ]
+ Aavmf_Common_Params = Qemu_Common_Params + [
+ '-machine', 'virt', '-device', 'virtio-serial-device',
+ ]
+ Machine_Base_Command = {
+ QemuEfiMachine.AAVMF: [
+ 'qemu-system-aarch64', '-cpu', 'cortex-a57',
+ ] + Aavmf_Common_Params,
+ QemuEfiMachine.AAVMF32: [
+ 'qemu-system-aarch64', '-cpu', 'cortex-a15',
+ ] + Aavmf_Common_Params,
+ QemuEfiMachine.OVMF_PC: [
+ 'qemu-system-x86_64', '-machine', 'pc,accel=tcg',
+ ] + Ovmf_Common_Params,
+ QemuEfiMachine.OVMF_Q35: [
+ 'qemu-system-x86_64', '-machine', 'q35,accel=tcg',
+ ] + Ovmf_Common_Params,
+ QemuEfiMachine.OVMF32: [
+ 'qemu-system-i386', '-machine', 'q35,accel=tcg',
+ ] + Ovmf_Common_Params,
+ }
+
+ def _get_default_flash_paths(self, machine, variant, flash_size):
+ assert(machine in QemuEfiMachine)
+ assert(variant is None or variant in QemuEfiVariant)
+ assert(flash_size in QemuEfiFlashSize)
+
+ code_ext = vars_ext = ''
+ if variant == QemuEfiVariant.MS:
+ code_ext = vars_ext = '.ms'
+ elif variant == QemuEfiVariant.SECBOOT:
+ code_ext = '.secboot'
+ elif variant == QemuEfiVariant.SNAKEOIL:
+ vars_ext = '.snakeoil'
+
+ if machine == QemuEfiMachine.AAVMF:
+ assert(flash_size == QemuEfiFlashSize.DEFAULT)
+ return (
+ f'/usr/share/AAVMF/AAVMF_CODE{code_ext}.fd',
+ f'/usr/share/AAVMF/AAVMF_VARS{code_ext}.fd',
+ )
+ if machine == QemuEfiMachine.AAVMF32:
+ assert(variant is None)
+ assert(flash_size == QemuEfiFlashSize.DEFAULT)
+ return (
+ '/usr/share/AAVMF/AAVMF32_CODE.fd',
+ '/usr/share/AAVMF/AAVMF32_VARS.fd'
+ )
+ if machine == QemuEfiMachine.OVMF32:
+ assert(variant is None or variant in [QemuEfiVariant.SECBOOT])
+ assert(
+ flash_size in [
+ QemuEfiFlashSize.DEFAULT, QemuEfiFlashSize.SIZE_4MB
+ ]
+ )
+ return (
+ '/usr/share/OVMF/OVMF32_CODE_4M.secboot.fd',
+ '/usr/share/OVMF/OVMF32_VARS_4M.fd',
+ )
+ # Remaining possibilities are OVMF variants
+ if machine == QemuEfiMachine.OVMF_PC:
+ assert(variant is None)
+ if variant == QemuEfiVariant.SNAKEOIL:
+ # We provide one size - you don't get to pick.
+ assert(flash_size == QemuEfiFlashSize.DEFAULT)
+ size_ext = '' if flash_size == QemuEfiFlashSize.SIZE_2MB else '_4M'
+ return (
+ f'/usr/share/OVMF/OVMF_CODE{size_ext}{code_ext}.fd',
+ f'/usr/share/OVMF/OVMF_VARS{size_ext}{vars_ext}.fd'
+ )
+
+ def __init__(
+ self, machine, variant=None,
+ code_path=None, vars_template_path=None,
+ flash_size=QemuEfiFlashSize.DEFAULT,
+ ):
+ assert(
+ (code_path and vars_template_path) or
+ (not code_path and not vars_template_path)
+ )
+
+ if not code_path:
+ (code_path, vars_template_path) = self._get_default_flash_paths(
+ machine, variant, flash_size)
+
+ self.pflash = self.PflashParams(code_path, vars_template_path)
+ self.command = self.Machine_Base_Command[machine] + self.pflash.params
+ if variant in [QemuEfiVariant.MS, QemuEfiVariant.SECBOOT] and \
+ flash_size == QemuEfiFlashSize.SIZE_2MB:
+ # 2MB images have 64-bit PEI that does not support S3 w/ SMM
+ self.command.extend(['-global', 'ICH9-LPC.disable_s3=1'])
+
+ def add_disk(self, path):
+ self.command = self.command + [
+ '-drive', 'file=%s,format=raw' % (path)
+ ]
+
+ def add_oem_string(self, type, string):
+ string = string.replace(",", ",,")
+ self.command = self.command + [
+ '-smbios', f'type={type},value={string}'
+ ]
+
+ class PflashParams:
+ '''
+ Used to generate the appropriate -pflash arguments for QEMU. Mostly
+ used as a fancy way to generate a per-instance vars file and have it
+ be automatically cleaned up when the object is destroyed.
+ '''
+ def __init__(self, code_path, vars_template_path):
+ with tempfile.NamedTemporaryFile(delete=False) as varfile:
+ self.varfile_path = varfile.name
+ with open(vars_template_path, 'rb') as template:
+ shutil.copyfileobj(template, varfile)
+ self.params = [
+ '-drive',
+ 'file=%s,if=pflash,format=raw,unit=0,readonly=on' %
+ (code_path),
+ '-drive',
+ 'file=%s,if=pflash,format=raw,unit=1,readonly=off' %
+ (varfile.name)
+ ]
+
+ def __del__(self):
+ os.unlink(self.varfile_path)
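Review bot: `QemuEfiFlashSize.DEFAULT = enum.auto` is missing the call parentheses, so the member's value is the `auto` class itself rather than a generated integer; it should read `DEFAULT = enum.auto()`. In `_get_default_flash_paths`, the AAVMF branch builds the vars path from `code_ext` (`AAVMF_VARS{code_ext}.fd`), which looks like a slip for `vars_ext`. `add_oem_string` doubles commas before interpolating into a QEMU option, but `add_disk` and `PflashParams` place paths into `-drive file=...` unescaped, so a path containing a comma would be parsed as extra drive options; apply the same `replace(",", ",,")` there. The argument checks are `assert` statements, which are skipped under `python -O`.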
--- /dev/null
+#!/usr/bin/env python3
+
+import os
+import sys
+
+if __name__ == '__main__':
+ with open('./debian/binary-check.blacklist', 'r') as f:
+ blacklist = list(map(lambda s: s.strip(), f.readlines()))
+
+ for path in blacklist:
+ sys.stdout.write("Removing %s\n" % (path))
+ os.unlink(path)
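Review bot: The loop passes every stripped line of the blacklist straight to `os.unlink()`, so a blank line or an already-removed file raises `FileNotFoundError` and aborts the run partway through. An absolute or `../` entry would also delete a file outside the source tree. Skip empty lines with `if not path: continue`, and consider rejecting entries that are absolute or resolve outside the current directory before unlinking.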
#!/usr/bin/make -f
-SHELL=/bin/bash
-# this is a simplified version from the upstream package
+SHELL=/bin/bash
-# Only used for creating our build tools.
include /usr/share/dpkg/default.mk
-# for GCC5 and newer, LTO enabled
-EDK2_TOOLCHAIN=GCC5
-AARCH64_TOOLCHAIN=GCC5
+EDK2_TOOLCHAIN = GCC5
export $(EDK2_TOOLCHAIN)_AARCH64_PREFIX=aarch64-linux-gnu-
export PYTHON3_ENABLE=TRUE
-export PYTHON_COMMAND=python3
ifeq ($(DEB_BUILD_ARCH),amd64)
EDK2_BUILD_ARCH=X64
endif
+ifeq ($(DEB_BUILD_ARCH),i386)
+ EDK2_BUILD_ARCH=IA32
+endif
ifeq ($(DEB_BUILD_ARCH),arm64)
EDK2_BUILD_ARCH=AARCH64
endif
-ifeq ($(DEB_HOST_ARCH),amd64)
- EDK2_HOST_ARCH=X64
-endif
+
+COMMON_FLAGS = -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_TLS_ENABLE -DSECURE_BOOT_ENABLE=TRUE
+OVMF_COMMON_FLAGS = $(COMMON_FLAGS) -DTPM_ENABLE=TRUE
+OVMF_2M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_2MB
+OVMF_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
+OVMF_2M_SMM_FLAGS = $(OVMF_2M_FLAGS) -DSMM_REQUIRE=TRUE
+OVMF_4M_SMM_FLAGS = $(OVMF_4M_FLAGS) -DSMM_REQUIRE=TRUE
+OVMF32_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB
+OVMF32_4M_SMM_FLAGS = $(OVMF32_4M_FLAGS) -DSMM_REQUIRE=TRUE
+
+AAVMF_FLAGS = $(COMMON_FLAGS) -DTPM2_ENABLE=TRUE -DTPM2_CONFIG_ENABLE=TRUE
+
+OVMF_VARS_GENERATOR = ./qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator
# Clear variables used internally by the edk2 build system
undefine WORKSPACE
%:
dh $@
-override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf
+override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32
-setup-build:
+debian/setup-build-stamp:
cp -a debian/Logo.bmp MdeModulePkg/Logo/Logo.bmp
+ set -e; . ./edksetup.sh; \
make -C BaseTools ARCH=$(EDK2_BUILD_ARCH)
- # call this when building too, it modifies the shell environment
- . ./edksetup.sh
+ touch $@
+
+OVMF_BUILD_DIR = Build/OvmfX64/RELEASE_$(EDK2_TOOLCHAIN)
+OVMF3264_BUILD_DIR = Build/Ovmf3264/RELEASE_$(EDK2_TOOLCHAIN)
+OVMF_ENROLL = $(OVMF3264_BUILD_DIR)/X64/EnrollDefaultKeys.efi
+OVMF_SHELL = $(OVMF3264_BUILD_DIR)/X64/Shell.efi
+OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL)
+OVMF_IMAGES := $(addprefix debian/ovmf-install/,OVMF_CODE.fd OVMF_CODE_4M.fd OVMF_CODE.secboot.fd OVMF_CODE_4M.secboot.fd OVMF_VARS.fd OVMF_VARS_4M.fd)
+OVMF_PREENROLLED_VARS := $(addprefix debian/ovmf-install/,OVMF_VARS.ms.fd OVMF_VARS_4M.ms.fd OVMF_VARS_4M.snakeoil.fd)
-build-ovmf: EDK2_ARCH_DIR=X64
-build-ovmf: EDK2_HOST_ARCH=X64
-build-ovmf: setup-build
+OVMF32_BUILD_DIR = Build/OvmfIa32/RELEASE_$(EDK2_TOOLCHAIN)
+OVMF32_SHELL = $(OVMF32_BUILD_DIR)/IA32/Shell.efi
+OVMF32_BINARIES = $(OVMF32_SHELL)
+OVMF32_IMAGES := $(addprefix debian/ovmf32-install/,OVMF32_CODE_4M.secboot.fd OVMF_VARS_4M.fd)
+
+QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)
+AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/RELEASE_$(EDK2_TOOLCHAIN)
+AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
+AAVMF_SHELL = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi
+AAVMF_BINARIES = $(AAVMF_ENROLL) $(AAVMF_SHELL)
+AAVMF_CODE = $(AAVMF_BUILD_DIR)/FV/AAVMF_CODE.fd
+AAVMF_VARS = $(AAVMF_BUILD_DIR)/FV/AAVMF_VARS.fd
+AAVMF_IMAGES = $(AAVMF_CODE) $(AAVMF_VARS)
+AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
+
+build-ovmf32: $(OVMF32_BINARIES) $(OVMF32_IMAGES)
+$(OVMF32_BINARIES) $(OVMF32_IMAGES): debian/setup-build-stamp
+ rm -rf debian/ovmf32-install
+ mkdir debian/ovmf32-install
+ set -e; . ./edksetup.sh; \
+ build -a IA32 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgIa32.dsc \
+ $(OVMF32_4M_SMM_FLAGS) -b RELEASE
+ cp $(OVMF32_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf32-install/OVMF32_CODE_4M.secboot.fd
+ cp $(OVMF32_BUILD_DIR)/FV/OVMF_VARS.fd \
+ debian/ovmf32-install/OVMF32_VARS_4M.fd
+
+build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS)
+$(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
+ rm -rf debian/ovmf-install
+ mkdir debian/ovmf-install
+ set -e; . ./edksetup.sh; \
+ build -a X64 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgX64.dsc \
+ $(OVMF_2M_FLAGS) -b RELEASE
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_VARS.fd debian/ovmf-install/
+ rm -rf Build/OvmfX64
+ set -e; . ./edksetup.sh; \
+ build -a IA32 -a X64 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgIa32X64.dsc \
+ $(OVMF_4M_FLAGS) -b RELEASE
+ cp $(OVMF3264_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/OVMF_CODE_4M.fd
+ cp $(OVMF3264_BUILD_DIR)/FV/OVMF_VARS.fd \
+ debian/ovmf-install/OVMF_VARS_4M.fd
+ rm -rf Build/OvmfX64
set -e; . ./edksetup.sh; \
- OvmfPkg/build.sh \
- -b RELEASE \
- -a $(EDK2_HOST_ARCH) \
- -t $(EDK2_TOOLCHAIN) \
- -DSECURE_BOOT_ENABLE=FALSE \
- -DDNETWORK_TLS_ENABLE \
- -DTPM_ENABLE=TRUE \
- -DTPM2_ENABLE=TRUE \
- -DFD_SIZE_2MB \
- -n $$(getconf _NPROCESSORS_ONLN)
-
-build-qemu-efi: setup-build
- mkdir -p ShellBinPkg/UefiShell/$(EDK2_ARCH_DIR) FatBinPkg/EnhancedFatDxe/$(EDK2_ARCH_DIR)
+ build -a X64 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgX64.dsc \
+ $(OVMF_2M_SMM_FLAGS) -b RELEASE
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/OVMF_CODE.secboot.fd
+ rm -rf Build/OvmfX64
+ set -e; . ./edksetup.sh; \
+ build -a IA32 -a X64 \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgIa32X64.dsc \
+ $(OVMF_4M_SMM_FLAGS) -b RELEASE
+ cp $(OVMF3264_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/OVMF_CODE_4M.secboot.fd
+
+ifeq ($(call dpkg_vendor_derives_from_v1,ubuntu),yes)
+debian/PkKek-1-vendor.pem: debian/PkKek-1-Ubuntu.pem
+else
+debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
+endif
+ ln -sf `basename $<` $@
+
+debian/oem-string-%: debian/PkKek-1-%.pem
+ tr -d '\n' < $< | \
+ sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ PYTHONPATH=$(CURDIR)/debian/python \
+ ./debian/edk2-vars-generator.py \
+ -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
+ -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
+ -C `< debian/oem-string-vendor` -o $@
+
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ PYTHONPATH=$(CURDIR)/debian/python \
+ ./debian/edk2-vars-generator.py \
+ -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
+ -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
+ -C `< debian/oem-string-snakeoil` -o $@
+
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
+ PYTHONPATH=$(CURDIR)/debian/python \
+ ./debian/edk2-vars-generator.py \
+ -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
+ -c debian/ovmf-install/OVMF_CODE.fd \
+ -V debian/ovmf-install/OVMF_VARS.fd \
+ -C `< debian/oem-string-vendor` -o $@
+
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
+ PYTHONPATH=$(CURDIR)/debian/python \
+ ./debian/edk2-vars-generator.py \
+ -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
+ -c debian/ovmf-install/OVMF_CODE_4M.fd \
+ -V debian/ovmf-install/OVMF_VARS_4M.fd \
+ -C `< debian/oem-string-vendor` -o $@
+
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
+ PYTHONPATH=$(CURDIR)/debian/python \
+ ./debian/edk2-vars-generator.py \
+ -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
+ -c debian/ovmf-install/OVMF_CODE_4M.fd \
+ -V debian/ovmf-install/OVMF_VARS_4M.fd \
+ -C `< debian/oem-string-snakeoil` -o $@
+
+ArmPkg/Library/GccLto/liblto-aarch64.a: ArmPkg/Library/GccLto/liblto-aarch64.s
+ $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
+
+build-qemu-efi: debian/setup-build-stamp
set -e; . ./edksetup.sh; \
- build -a $(EDK2_HOST_ARCH) -p ShellPkg/ShellPkg.dsc \
- -b RELEASE -t $(EDK2_TOOLCHAIN); \
- cp -a Build/Shell/RELEASE_$(EDK2_TOOLCHAIN)/$(EDK2_HOST_ARCH)/Shell_7C04A583-9E3E-4f1c-AD65-E05268D0B4D1.efi \
- ShellBinPkg/UefiShell/$(EDK2_ARCH_DIR)/Shell.efi; \
- build -a $(EDK2_HOST_ARCH) -p FatPkg/FatPkg.dsc \
- -m FatPkg/EnhancedFatDxe/Fat.inf \
- -t $(EDK2_TOOLCHAIN) -b RELEASE; \
- cp -a Build/Fat/RELEASE_$(EDK2_TOOLCHAIN)/$(EDK2_HOST_ARCH)/Fat.efi \
- FatBinPkg/EnhancedFatDxe/$(EDK2_ARCH_DIR)/Fat.efi; \
build -a $(EDK2_HOST_ARCH) \
-t $(EDK2_TOOLCHAIN) \
-p ArmVirtPkg/ArmVirtQemu.dsc \
- -DHTTP_BOOT_ENABLE=TRUE \
- -DSECURE_BOOT_ENABLE=FALSE \
- -DDNETWORK_TLS_ENABLE \
- -DTPM_ENABLE=TRUE \
- -DTPM2_ENABLE=TRUE \
- -DINTEL_BDS \
- -b RELEASE
- dd if=/dev/zero of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_CODE.fd bs=1M seek=64 count=0
- dd if=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/QEMU_EFI.fd of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_CODE.fd conv=notrunc
- dd if=/dev/zero of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_VARS.fd bs=1M seek=64 count=0
-
-build-qemu-efi-aarch64:
+ $(AAVMF_FLAGS) -b RELEASE
+ dd if=/dev/zero of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd bs=1M seek=64 count=0
+ dd if=$(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd conv=notrunc
+ dd if=/dev/zero of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_VARS.fd bs=1M seek=64 count=0
+
+build-qemu-efi-aarch64: $(AAVMF_BINARIES) $(AAVMF_PREENROLLED_VARS)
+$(AAVMF_BINARIES): ArmPkg/Library/GccLto/liblto-aarch64.a
$(MAKE) -f debian/rules build-qemu-efi EDK2_ARCH_DIR=AArch64 EDK2_HOST_ARCH=AARCH64 FW_NAME=AAVMF
override_dh_auto_clean:
- set -e; \
- if [ -d BaseTools/Source/C/bin ]; then \
- . ./edksetup.sh; build clean; \
- make -C BaseTools clean; \
- fi
- rm -rf Conf/.cache Build .pc-post
-
-.PHONY: setup-build build-ovmf
+ -. ./edksetup.sh; build clean
+ make -C BaseTools clean
+
+# Only embed code that is actually used; requested by the Ubuntu Security Team
+EMBEDDED_SUBMODULES += CryptoPkg/Library/OpensslLib/openssl
+EMBEDDED_SUBMODULES += ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3
+EMBEDDED_SUBMODULES += MdeModulePkg/Library/BrotliCustomDecompressLib/brotli
+get-orig-source:
+ # Should be executed on a checkout of the upstream master branch,
+ # with the debian/ directory manually copied in.
+ rm -rf edk2.tmp && git clone . edk2.tmp
+ # Embed submodules. Don't recurse - openssl will bring in MBs of
+ # stuff we don't need
+ set -e; cd edk2.tmp; \
+ for submodule in $(EMBEDDED_SUBMODULES); do \
+ git submodule update --init $$submodule; \
+ done
+ rm -rf edk2-$(DEB_VERSION_UPSTREAM) && \
+ mkdir edk2-$(DEB_VERSION_UPSTREAM)
+ cd edk2.tmp && git archive HEAD | \
+ tar xv -C ../edk2-$(DEB_VERSION_UPSTREAM)
+ cd edk2.tmp && git submodule foreach \
+ 'git archive HEAD | tar xv -C $$toplevel/../edk2-$(DEB_VERSION_UPSTREAM)/$$sm_path'
+ ln -s ../debian edk2-$(DEB_VERSION_UPSTREAM)
+ # Remove known-binary files
+ cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/remove-binaries.py
+ # Look for possible unknown binary files
+ cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/find-binaries.py
+ rm edk2-$(DEB_VERSION_UPSTREAM)/debian
+ tar Jcvf ../edk2_$(DEB_VERSION_UPSTREAM).orig.tar.xz \
+ edk2-$(DEB_VERSION_UPSTREAM)
+ rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
+
+.PHONY: build-ovmf build-ovmf32 build-qemu-efi build-qemu-efi-aarch64
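Review bot: `OVMF32_IMAGES` lists `debian/ovmf32-install/OVMF_VARS_4M.fd`, but the `build-ovmf32` recipe copies the vars template to `debian/ovmf32-install/OVMF32_VARS_4M.fd`, so that target file never exists after the recipe runs and make will always consider it out of date. The two names should agree, for example `OVMF32_IMAGES := $(addprefix debian/ovmf32-install/,OVMF32_CODE_4M.secboot.fd OVMF32_VARS_4M.fd)`; which spelling the install files expect is not visible here. Separately, `COMMON_FLAGS` sets `-DSECURE_BOOT_ENABLE=TRUE` for the non-SMM `OVMF_2M_FLAGS` and `OVMF_4M_FLAGS` images as well. A comment above those variables should say that only the `SMM_REQUIRE` builds protect the variable store from the guest OS, so readers do not treat `OVMF_CODE.fd` or `OVMF_CODE_4M.fd` as enforcing Secure Boot images.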
+++ /dev/null
-pve-edk2-firmware source: source-is-missing Vlv2TbltDevicePkg/GenBiosId
-pve-edk2-firmware source: source-is-missing BeagleBoardPkg/Debugger_scripts/rvi_dummy.axf
-pve-edk2-firmware source: source-is-missing ArmPkg/Library/GccLto/liblto-aarch64.a
-pve-edk2-firmware source: source-is-missing ArmPkg/Library/GccLto/liblto-arm.a
-pve-edk2-firmware source: source-contains-unsafe-symlink EmulatorPkg/Unix/Host/X11IncludeHack
--- /dev/null
+Test-Command: PYTHONPATH=./debian/python python3 debian/tests/shell.py
+Restrictions: allow-stderr
+Depends:
+ dosfstools [amd64 arm64],
+ grub-efi-amd64-signed [amd64],
+ grub-efi-arm64-signed [arm64],
+ mtools [amd64 arm64],
+ ovmf,
+ ovmf-ia32,
+ python3-pexpect,
+ qemu-efi-aarch64,
+ qemu-efi-arm,
+ qemu-system-arm,
+ qemu-system-x86,
+ shim-signed [amd64 arm64],
+ xorriso [amd64 arm64],
--- /dev/null
+#!/usr/bin/env python3
+#
+# Copyright 2019-2021 Canonical Ltd.
+# Authors:
+# - dann frazier <dann.frazier@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
+# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import enum
+import pexpect
+import subprocess
+import sys
+import unittest
+
+from UEFI.Filesystems import GrubShellBootableIsoImage
+from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
+from UEFI import Qemu
+
+DPKG_ARCH = subprocess.check_output(
+ ['dpkg', '--print-architecture']
+).decode().rstrip()
+
+
+class BootToShellTest(unittest.TestCase):
+ debug = True
+
+ def run_cmd_check_shell(self, cmd):
+ child = pexpect.spawn(' '.join(cmd))
+
+ if self.debug:
+ child.logfile = sys.stdout.buffer
+ try:
+ while True:
+ i = child.expect(
+ [
+ 'Press .* or any other key to continue',
+ 'Shell> '
+ ],
+ timeout=60,
+ )
+ if i == 0:
+ child.sendline('\x1b')
+ continue
+ if i == 1:
+ child.sendline('reset -s\r')
+ continue
+ except pexpect.EOF:
+ return
+ except pexpect.TIMEOUT as err:
+ self.fail("%s\n" % (err))
+
+ def run_cmd_check_secure_boot(self, cmd, efiarch, should_verify):
+ class State(enum.Enum):
+ PRE_EXEC = 1
+ POST_EXEC = 2
+
+ child = pexpect.spawn(' '.join(cmd))
+
+ if self.debug:
+ child.logfile = sys.stdout.buffer
+ try:
+ state = State.PRE_EXEC
+ while True:
+ i = child.expect(
+ [
+ 'Press .* or any other key to continue',
+ 'Shell> ',
+ "FS0:\\\\> ",
+ 'grub> ',
+ 'Command Error Status: Access Denied',
+ ],
+ timeout=60,
+ )
+ if i == 0:
+ child.sendline('\x1b')
+ continue
+ if i == 1:
+ child.sendline('fs0:\r')
+ continue
+ if i == 2:
+ if state == State.PRE_EXEC:
+ child.sendline(f'\\efi\\boot\\boot{efiarch}.efi\r')
+ state = State.POST_EXEC
+ elif state == State.POST_EXEC:
+ child.sendline('reset -s\r')
+ continue
+ if i == 3:
+ child.sendline('halt\r')
+ verified = True
+ continue
+ if i == 4:
+ verified = False
+ continue
+ except pexpect.TIMEOUT as err:
+ self.fail("%s\n" % (err))
+ except pexpect.EOF:
+ pass
+ self.assertEqual(should_verify, verified)
+
+ def test_aavmf(self):
+ q = Qemu.QemuCommand(QemuEfiMachine.AAVMF)
+ self.run_cmd_check_shell(q.command)
+
+ @unittest.skipUnless(DPKG_ARCH == 'arm64', "Requires grub-efi-arm64")
+ def test_aavmf_ms_secure_boot_signed(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.AAVMF,
+ variant=QemuEfiVariant.MS,
+ )
+ iso = GrubShellBootableIsoImage('AA64', use_signed=True)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'aa64', True)
+
+ @unittest.skipUnless(DPKG_ARCH == 'arm64', "Requires grub-efi-arm64")
+ def test_aavmf_ms_secure_boot_unsigned(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.AAVMF,
+ variant=QemuEfiVariant.MS,
+ )
+ iso = GrubShellBootableIsoImage('AA64', use_signed=False)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'aa64', False)
+
+ def test_aavmf_snakeoil(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.AAVMF,
+ variant=QemuEfiVariant.SNAKEOIL,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_aavmf32(self):
+ q = Qemu.QemuCommand(QemuEfiMachine.AAVMF32)
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_pc(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_PC, flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_q35(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35, flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_secboot(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.SECBOOT,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_ms(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only")
+ def test_ovmf_ms_secure_boot_signed(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ iso = GrubShellBootableIsoImage('X64', use_signed=True)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'x64', True)
+
+ @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only")
+ def test_ovmf_ms_secure_boot_unsigned(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_2MB,
+ )
+ iso = GrubShellBootableIsoImage('X64', use_signed=False)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'x64', False)
+
+ def test_ovmf_4m(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_4m_secboot(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.SECBOOT,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_4m_ms(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ def test_ovmf_snakeoil(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.SNAKEOIL,
+ )
+ self.run_cmd_check_shell(q.command)
+
+ @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only")
+ def test_ovmf_4m_ms_secure_boot_signed(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ iso = GrubShellBootableIsoImage('X64', use_signed=True)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'x64', True)
+
+ @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only")
+ def test_ovmf_4m_ms_secure_boot_unsigned(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF_Q35,
+ variant=QemuEfiVariant.MS,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ iso = GrubShellBootableIsoImage('X64', use_signed=False)
+ q.add_disk(iso.path)
+ self.run_cmd_check_secure_boot(q.command, 'x64', False)
+
+ def test_ovmf32_4m_secboot(self):
+ q = Qemu.QemuCommand(
+ QemuEfiMachine.OVMF32,
+ variant=QemuEfiVariant.SECBOOT,
+ flash_size=QemuEfiFlashSize.SIZE_4MB,
+ )
+ self.run_cmd_check_shell(q.command)
+
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
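Review bot: In `run_cmd_check_secure_boot`, `verified` is assigned only in the `grub> ` and `Command Error Status: Access Denied` branches, so if QEMU exits before either string appears the final `self.assertEqual(should_verify, verified)` raises UnboundLocalError instead of reporting a Secure Boot verification failure. Setting `verified = None` next to `state = State.PRE_EXEC` turns that case into an ordinary assertion failure for both the signed and the unsigned tests. Both helpers also start QEMU with `pexpect.spawn(' '.join(cmd))`, which re-splits any argument that contains whitespace; `pexpect.spawn(cmd[0], cmd[1:])` passes the argument list through unchanged.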
--- /dev/null
+# Currently only useful for checking for a new release. There's additional
+# upstream tarball mangling required via ./debian/rules get-orig-source.
+# Also - doesn't check for new qemu-ovmf-secureboot releases.
+version=4
+opts="filenamemangle=s/.+\/edk2-stable(\d{6})\.tar\.gz/edk2-0.0~$1.tar.gz/, \
+ uversionmangle=s/(\d{6})/0.0~$1/" \
+ https://github.com/tianocore/edk2/tags \
+ .*/edk2-stable(\d{6})\.tar\.gz debian uupdate