From a65627a818a7470fe7faf863f5132028bbe4f774 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Tue, 5 Oct 2021 14:09:50 +0200 Subject: [PATCH] debian: update build and packaging from Debian upstream Among other things, this now ships OVMF code/vars with secureboot and MS keys enrolled, allowing Win11 final to get installed and secure boot support in general. 
Signed-off-by: Thomas Lamprecht --- debian/PkKek-1-Debian.pem | 81 +++ debian/PkKek-1-Ubuntu.pem | 70 +++ debian/PkKek-1-snakeoil.key | 30 ++ debian/PkKek-1-snakeoil.pem | 21 + debian/PkKek-1.README | 35 ++ debian/README.Proxmox-VE | 58 +++ debian/binary-check.blacklist | 41 ++ debian/binary-check.whitelist | 112 ++++ debian/clean | 16 + debian/compat | 1 - debian/control | 36 +- debian/copyright | 477 ++++++++++++++++-- debian/edk2-vars-generator.py | 129 +++++ debian/find-binaries.py | 59 +++ debian/gbp.conf | 3 + debian/patches/brotlicompress-disable.diff | 22 + .../patches/no-stack-protector-all-archs.diff | 19 + debian/patches/series | 2 + debian/pve-edk2-firmware.install | 8 +- debian/python/UEFI/Filesystems.py | 121 +++++ debian/python/UEFI/Qemu.py | 181 +++++++ debian/remove-binaries.py | 12 + debian/rules | 250 ++++++--- debian/source/format | 2 +- debian/source/lintian-overrides | 5 - debian/tests/control | 16 + debian/tests/shell.py | 258 ++++++++++ debian/watch | 8 + 28 files changed, 1962 insertions(+), 111 deletions(-) create mode 100644 debian/PkKek-1-Debian.pem create mode 100644 debian/PkKek-1-Ubuntu.pem create mode 100644 debian/PkKek-1-snakeoil.key create mode 100644 debian/PkKek-1-snakeoil.pem create mode 100644 debian/PkKek-1.README create mode 100644 debian/README.Proxmox-VE create mode 100644 debian/binary-check.blacklist create mode 100644 debian/binary-check.whitelist delete mode 100644 debian/compat create mode 100755 debian/edk2-vars-generator.py create mode 100644 debian/find-binaries.py create mode 100644 debian/gbp.conf create mode 100644 debian/patches/brotlicompress-disable.diff create mode 100644 debian/patches/no-stack-protector-all-archs.diff create mode 100644 debian/patches/series create mode 100644 debian/python/UEFI/Filesystems.py create mode 100644 debian/python/UEFI/Qemu.py create mode 100644 debian/remove-binaries.py delete mode 100644 debian/source/lintian-overrides create mode 100644 debian/tests/control create mode 
100755 debian/tests/shell.py create mode 100644 debian/watch diff --git a/debian/PkKek-1-Debian.pem b/debian/PkKek-1-Debian.pem new file mode 100644 index 0000000..1119c99 --- /dev/null +++ b/debian/PkKek-1-Debian.pem 
@@ -0,0 +1,81 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 45:01:ee:39:3e:52:29:78:36:df:85:42:c8:e5:7b:bb:88:d1:4b:37 + Signature Algorithm: sha256WithRSAEncryption + Issuer: O = Debian, CN = Debian UEFI Secure Boot (PK/KEK key), emailAddress = debian-devel@lists.debian.org + Validity + Not Before: Jul 8 23:42:49 2019 GMT + Not After : Jul 5 23:42:49 2029 GMT + Subject: O = Debian, CN = Debian UEFI Secure Boot (PK/KEK key), emailAddress = debian-devel@lists.debian.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:9b:ab:49:8b:ba:a5:fa:54:2a:71:9a:79:05:c4: + 1b:46:11:c5:b3:bd:59:62:80:71:ad:bb:6c:c4:50: + a8:96:d6:89:eb:e8:11:d4:88:3c:49:e4:8f:51:cd: + a5:87:c3:d2:fe:51:1e:3a:1b:bf:d8:5b:38:53:b5: + 9d:68:52:d1:3e:82:cb:db:fd:5e:01:81:30:c4:be: + 73:e0:d6:56:3f:4a:28:f1:33:d7:52:61:7b:84:a2: + 40:a2:18:88:78:5b:14:d0:1e:6d:6a:b8:ae:10:44: + af:12:99:a6:7b:2d:e9:ba:8d:0a:58:93:38:69:eb: + 6d:f0:6f:97:22:fe:e0:0f:b4:a4:f9:c8:2b:3b:73: + b9:51:cf:1f:1f:e5:66:07:cb:dd:f7:4e:f3:57:2a: + 49:69:53:41:80:fc:d5:6a:75:d9:ba:0d:67:bd:53: + c6:1d:d5:e5:65:bf:0b:8d:fc:16:58:65:ed:59:a6: + 57:8f:33:48:a6:6c:27:dc:b4:1d:9e:94:9e:63:8b: + 19:02:bf:e0:01:52:34:28:a4:13:88:fe:f9:7b:06: + 1d:e2:77:85:07:9e:4e:1b:aa:ca:0c:6a:e4:df:2b: + e9:8a:ac:42:05:de:32:d5:34:f9:e2:6f:96:c2:d4: + 05:5f:c9:20:d8:33:9a:01:82:5d:94:69:78:4e:2e: + e0:c7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73 + X509v3 Authority Key Identifier: + keyid:88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 0a:74:2f:89:80:5e:1e:c4:f2:c9:a2:4d:b6:34:ee:b1:68:9d: + f2:bd:77:85:e5:68:66:d5:ff:76:20:29:9f:0d:f3:cd:1b:9f: + 22:4e:26:9d:11:19:93:96:a3:9b:0c:fd:88:df:a0:ef:11:09: + 1e:c2:70:6f:20:f6:fe:be:c3:5a:3c:40:47:79:a0:2c:82:c6: + 
42:3c:c4:3c:af:55:7f:8a:c3:0d:0c:6a:cf:9f:7c:9d:bc:b5: + 6d:33:73:cd:f9:13:0e:8e:4d:ce:f8:f6:54:74:c7:90:28:eb: + 6f:58:31:d6:41:9e:25:a7:04:40:8a:28:db:36:39:73:ea:e4: + 9e:8c:3e:42:5a:7b:05:20:78:e6:4d:69:1f:ba:bf:a1:b7:02: + d9:e3:ab:fc:42:d9:77:cd:e0:dd:08:3b:be:96:79:5c:5d:71: + ee:c7:68:e8:a6:08:69:2d:ff:98:ad:51:cb:1b:ef:39:b0:52: + 70:03:d3:3c:a7:ce:a5:f0:93:62:ca:6b:61:4b:dc:7b:c7:00: + 9e:80:3a:bf:af:95:79:f7:f6:14:7e:45:f1:b4:6c:c8:31:9f: + 0a:38:27:fc:3c:fb:44:22:4e:7a:d3:72:17:2f:76:5c:c6:00: + 8b:26:05:15:95:eb:71:52:5f:5b:90:c8:cb:fd:53:01:a4:ff: + 0a:c8:ad:25 +-----BEGIN CERTIFICATE----- +MIIDvTCCAqWgAwIBAgIURQHuOT5SKXg234VCyOV7u4jRSzcwDQYJKoZIhvcNAQEL +BQAwbjEPMA0GA1UECgwGRGViaWFuMS0wKwYDVQQDDCREZWJpYW4gVUVGSSBTZWN1 +cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHWRlYmlhbi1kZXZl +bEBsaXN0cy5kZWJpYW4ub3JnMB4XDTE5MDcwODIzNDI0OVoXDTI5MDcwNTIzNDI0 +OVowbjEPMA0GA1UECgwGRGViaWFuMS0wKwYDVQQDDCREZWJpYW4gVUVGSSBTZWN1 +cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHWRlYmlhbi1kZXZl +bEBsaXN0cy5kZWJpYW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAm6tJi7ql+lQqcZp5BcQbRhHFs71ZYoBxrbtsxFColtaJ6+gR1Ig8SeSPUc2l +h8PS/lEeOhu/2Fs4U7WdaFLRPoLL2/1eAYEwxL5z4NZWP0oo8TPXUmF7hKJAohiI +eFsU0B5tariuEESvEpmmey3puo0KWJM4aett8G+XIv7gD7Sk+cgrO3O5Uc8fH+Vm +B8vd907zVypJaVNBgPzVanXZug1nvVPGHdXlZb8LjfwWWGXtWaZXjzNIpmwn3LQd +npSeY4sZAr/gAVI0KKQTiP75ewYd4neFB55OG6rKDGrk3yvpiqxCBd4y1TT54m+W +wtQFX8kg2DOaAYJdlGl4Ti7gxwIDAQABo1MwUTAdBgNVHQ4EFgQUiAnrn/p9LV3b +MGenr7mJjqPuAnMwHwYDVR0jBBgwFoAUiAnrn/p9LV3bMGenr7mJjqPuAnMwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACnQviYBeHsTyyaJNtjTu +sWid8r13heVoZtX/diApnw3zzRufIk4mnREZk5ajmwz9iN+g7xEJHsJwbyD2/r7D +WjxAR3mgLILGQjzEPK9Vf4rDDQxqz598nby1bTNzzfkTDo5Nzvj2VHTHkCjrb1gx +1kGeJacEQIoo2zY5c+rknow+Qlp7BSB45k1pH7q/obcC2eOr/ELZd83g3Qg7vpZ5 +XF1x7sdo6KYIaS3/mK1RyxvvObBScAPTPKfOpfCTYsprYUvce8cAnoA6v6+Veff2 +FH5F8bRsyDGfCjgn/Dz7RCJOetNyFy92XMYAiyYFFZXrcVJfW5DIy/1TAaT/Csit +JQ== +-----END CERTIFICATE----- 
diff --git a/debian/PkKek-1-Ubuntu.pem b/debian/PkKek-1-Ubuntu.pem new file mode 100644 index 0000000..cb782d1 --- /dev/null +++ b/debian/PkKek-1-Ubuntu.pem 
@@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: + 94:cb:af:49:cd:56:a7:d8 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel@lists.ubuntu.com + Validity + Not Before: Jun 20 21:48:46 2018 GMT + Not After : Jun 17 21:48:46 2028 GMT + Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel@lists.ubuntu.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:cb:b0:2b:e9:77:9e:5e:71:e9:e6:eb:1d:85:52: + 86:cf:fb:8c:f0:0a:79:34:cc:bb:83:10:95:36:cd: + a0:e6:6f:55:08:4e:71:e7:63:90:13:5a:3c:f7:5d: + eb:74:c1:c5:81:40:9c:98:54:04:b9:7d:85:6f:c6: + 07:91:67:f6:2b:53:d3:28:79:1b:ae:17:08:16:9f: + cb:7a:c9:2c:5f:0b:f7:d5:43:51:81:2e:bc:1f:9a: + dd:ba:18:01:30:93:a1:59:ce:0d:bf:21:d0:89:8e: + 44:11:7c:b2:02:99:9b:ae:42:26:58:10:f7:76:06: + 65:b8:cb:78:f9:ee:6b:08:54:d8:45:47:d8:71:72: + 2d:91:16:8d:dd:c9:3f:1b:2d:97:31:a3:f8:98:b0: + bc:44:dd:15:7f:df:1d:b9:eb:5b:e7:cb:08:b1:27: + 2c:b6:7f:60:fa:3a:59:ed:26:b5:54:c4:a8:75:a6: + e8:6e:56:50:86:e9:cc:fc:ce:38:6a:62:08:a1:dd: + 23:e5:45:b1:7e:f0:d5:30:5d:32:10:aa:9f:17:29: + 2e:7e:cd:45:71:04:83:0f:8e:43:98:27:38:b4:7d: + 91:32:88:f8:c4:64:bb:1f:69:0c:66:79:bf:d5:4c: + 70:f6:62:da:26:53:1d:17:7d:6e:b8:88:18:e2:ff: + 7e:8d + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + 18:b0:2d:52:ce:df:9d:fe:68:29:4e:c4:ef:ec:28:52:b1:cf: + d3:75:97:03:08:53:34:8f:5e:4e:ce:d8:2c:f8:30:0b:6a:86: + 00:69:33:75:46:54:6f:37:38:cd:2e:12:68:8b:48:4e:56:18: + 79:67:d9:f4:fb:cf:84:f1:b2:21:93:9e:b8:13:28:51:e0:64: + 9e:c0:b6:75:a4:55:5f:5d:5a:01:c8:0e:9d:08:71:30:3d:16: + 8d:24:46:e6:74:39:ad:74:59:fc:dc:18:bd:cb:49:47:cd:65: + e3:59:03:4e:83:6a:8c:12:23:27:71:53:87:3c:fc:84:7c:8c: + bf:f0:c2:87:77:21:fd:7d:87:8f:b8:9b:fb:52:0f:7e:81:c5: + 93:e9:83:ff:a7:be:cb:8e:b0:1d:64:b9:bb:40:68:97:dc:38: + 
54:13:30:6b:71:58:9e:21:60:2a:b0:26:9e:88:ae:a3:66:eb: + e5:f0:5b:80:7f:fb:df:6e:a5:27:b4:1b:fc:7e:26:04:b2:b3: + fd:cd:e2:c3:83:c5:f8:a4:31:b2:97:34:e2:d2:5d:bd:0f:a9: + 0c:4b:53:52:25:d5:13:4c:dc:06:2a:76:10:98:0f:54:ad:2c: + cc:ee:47:ea:0b:57:6d:fc:a8:4e:a0:eb:d4:32:9a:0f:8c:7d: + 24:3d:f2:29 +-----BEGIN CERTIFICATE----- +MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRV +YnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0B +CQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0 +NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJl +IEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxA +bGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TB +xYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCT +oVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxst +lzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpi +CKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VM +cPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7f +nf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYY +eWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwY +vctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+ +y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz +/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr +1DKaD4x9JD3yKQ== +-----END CERTIFICATE----- diff --git a/debian/PkKek-1-snakeoil.key b/debian/PkKek-1-snakeoil.key new file mode 100644 index 0000000..dd7f492 --- /dev/null +++ b/debian/PkKek-1-snakeoil.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIs4RXCLmGLJgCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHer6014IEhGBIIEyO8O2zL8CJwV +auQpWLJsMMWxu2aSh1WadX9+rg+O61mukuS4rQSH5shMQ2krZZKzyXx0q8+2AySD +EtDXwhLvep60gUxOoNqK1+l3AxSFfIGOY8NC6yW67VX+G09ajWpgHj3ox63VRW8v +6mA8TFWYbOIwB8J7ScF4NszVwyiUnW13oKi7svoBM3LYYG2IMvre+gOvyMGfM8uv +X3txcYqAjhRV6n7vGo9LRLIIRSPKzaJbm/W7nT38LRUJP8JMSQUOPKgeEwQvOTVZ ++1kd7WeaGZrjagTDM4yhBjpOmB3D8aeT6xkjBlUwuddPzbdi0N7GrU520RcJMjxt +JMyOgabHKUKmPTX4m0ZCKi2jSILi7/6fBF+TZDxpakLwAwpTzm6kXArXb6AYtTEX +GPihB4O69ZgEc90jp3EnZt7HtKZn1HTbPNQAlWgvESgJ7hWHnTlM5Obqnyb78tj5 +VdcOfTSQRYmw4Rh/lSUX0vQLhdmYSVLiMFFvT4IepXZgQ6McIdcvqoVrPgr0HoVz +5YILZdmbs80VcgYL853lMfQ84kRwUcw8jNyz7mBK7V7rE5QhaF5lunZ/R41ZRXRy +1ys1rNvLPvtOq/K51+A9U+h5lLM9LjeoOR+IUk2Vg4aIap+Z+lxbImH0gcJTrpem +ctA/2sBjLN7w811EjB/Tlu2awzbsKLpIDFVGHiGBI2zb41gtPd2RkijmiZab6nuM +ETg4ad3GscMoa++01oX/lrnVe386ECSjurmThb7I01eTNZrBlNsLyBeFzlEIEoBR +TqUXHLiDACxzL6U4vWzdnvVrCOW9fwvJJqChj7Wy822w2LXxVhOryNujBmZCmOht +mgDaJ15QiF+DACcX6VoBbm/462z+9Skxa0DqGwGzMOD5HldwvQSyZSykk/BzGFWP +rXfLYoMjN+dgA/yNfem64ayGsmoPUAjnsE4YasD58UVO0XwwtdMGJSOVmkdyWMcM +t+lN74kX/gmIvciK06N6prBfowgBEIJ6ev2dzlydSN8rGORmQ+OFzjP14rT0O+1Q +O48yR2ZZ9jl4YPUKSFJ3EUc/Qt9vO+chNiNYSy6TABGXur0WWiDvGURG9K5fWTqq +U2KydSRoYD5iF0caOgMZecNhZV+4CX927j3XuuKKx49qTAt3WMtmJ/UQFHMtQ833 +XDFWHpEKDImfHfyiB1f8bOmqYmPuE6Shup0UMJsMFel4QVJM0Jn9+wHw/0qqPiS3 +a769S/u9U2dfyZY5PfymY8UjFRMDtLaUoJSRaGp6RNc6LynuMMKdzho0GwvL3+m9 +xKLDbbks8hVdmtcxxDKiio+F0hp3yc/2PyA/VGAlARiGp7876WTCZox9Bwnf6lkS +k9eYLSabe/r3Ag1SbWEGpFk3VO37qCyfp2xTfrHXK1ZJlvFwj3FFSprUaMrV+81K +FCEcSozXpVsQ7e7d11A7S8rTbtp09Q/J2oxyR0A9lk/ia5Qd/xwbPl4QJcWK2Jar +K3yFK8VrUNib7CjI1kdB479KIllD8oK6druBkzwGzFxDtcl47RlfkqW96XSQT7x/ +h/YKSLcpMx9x9TJd2GDKj2t4oE9eGTBC0YbdH+HJNSrjEsWkjgY6Uw++S6VzKvQZ +DDsMJfxwcChc2zKRou+BFA== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/debian/PkKek-1-snakeoil.pem b/debian/PkKek-1-snakeoil.pem new file mode 100644 index 0000000..dd02a82 --- /dev/null +++ b/debian/PkKek-1-snakeoil.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL +BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG +b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY +DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh +ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ +boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1 +wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx ++L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy +I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u +Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB +AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW +gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE +sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac +HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS +JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M +3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h +pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY +-----END CERTIFICATE----- diff --git a/debian/PkKek-1.README b/debian/PkKek-1.README new file mode 100644 index 0000000..68291ff --- /dev/null +++ b/debian/PkKek-1.README 
@@ -0,0 +1,35 @@ +Background on these keys is described below: + +On 09/30/14 20:00, Peter Jones wrote: +> We should generate a special key that's not in our normal signing chains +> for PK and KEK. The reason for this is that [in practice] PK gets +> treated as part of DB (*). +> +> [Shipping a key in our normal signing chains] as PK means you can run +> grub directly, in which case it won't have access to the shim protocol. +> When grub is run without the shim protocol registered, it assumes SB is +> disabled and boots without verifying the kernel. We don't want that to +> be a thing you can do, but allowing that is the inevitable result of +> shipping with any of our normal signing chain in PK or KEK. +> +> (* USRT has actually agreed that since you can escalate to this behavior +> if you have the secret half of a key in KEK or PK anyway, and many +> vendors had already shipped it this way, that it is fine and I think +> even *expected* at this point, even though it wasn't formally in the +> UEFI 2.3.1 Spec that introduced Secure Boot. I'll try and make sure the +> language reflects that in an upcoming spec revision.) +> +> So let me get SRT to issue a special key to use for PK and KEK. We can +> use it just for those operations, and make sure it's protected with the +> same processes and controls as our other signing keys. + +--- + +We include Debian and Ubuntu keys generated in this manner - i.e., +not in our normal signing chains, and where the public key was not saved. +The Debian key was generated using the following command, taken from +commit be9470b3c9 "OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type +11 SMBIOS table": + +openssl req -x509 -newkey rsa:2048 -outform PEM \ + -keyout /dev/null -out PkKek1.pem diff --git a/debian/README.Proxmox-VE b/debian/README.Proxmox-VE new file mode 100644 index 0000000..3fa6a8a --- /dev/null +++ b/debian/README.Proxmox-VE 
@@ -0,0 +1,58 @@ +The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is +intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable +template images which are intended to be read-write, and therefore each +guest should be given its own copy. Here's an overview of each of them: + +OVMF_CODE_4M.fd + Use this for booting guests in non-Secure Boot mode. While this image + technically supports Secure Boot, it does so without requiring SMM + support from QEMU, so it is less secure. Use the OVMF_VARS.fd template + with this. + +OVMF_CODE_4M.secboot.fd + Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM. + Use this for guests for which you may enable Secure Boot. If you specify + this image, you'll get a guest that is Secure Boot-*capable*, but has + Secure Boot disabled. To enable it, you'll need to manually import + PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu. + +OVMF_VARS_4M.fd + This is an empty variable store template, which means it has no + built-in Secure Boot keys and Secure Boot is disabled. You can use + it with any OVMF_CODE image, but keep in mind that if you want to + boot in Secure Boot mode, you will have to enable it manually. + +OVMF_VARS_4M.ms.fd + This template has distribution-specific PK and KEK1 keys, and + the default Microsoft keys in KEK/DB. It also has Secure Boot + already activated. Using this with OVMF_CODE.ms.fd will boot a + guest directly in Secure Boot mode. + +OVMF32_CODE_4M.secboot.fd +OVMF32_VARS_4M.fd + These images are the same as their "OVMF" variants, but for 32-bit guests. + +OVMF_CODE.fd +OVMF_CODE.ms.fd +OVMF_CODE.secboot.fd +OVMF_VARS.fd +OVMF_VARS.ms.fd + These images are the same as their "4M" variants, but for use with guests + using a 2MB flash device. 2MB flash is no longer considered sufficient for + use with Secure Boot. This is provided only for backwards compatibility. 
+ +OVMF_CODE_4M.snakeoil.fd +OVMF_VARS_4M.snakeoil.fd + This image is **for testing purposes only**. It includes an insecure + "snakeoil" key in PK, KEK & DB. The private key and cert are also + shipped in this package as well, so that testers can easily sign + binaries that will be considered valid. + +PkKek-1-snakeoil.key +PkKek-1-snakeoil.pem + The private key and certificate for the snakeoil key. Use these + to sign binaries that can be verified by the key in the + OVMF_VARS.snakeoil.fd template. The password for the key is + 'snakeoil'. + + -- dann frazier , Thu, 30 Sep 2021 10:33:08 -0600 diff --git a/debian/binary-check.blacklist b/debian/binary-check.blacklist new file mode 100644 index 0000000..de1abec --- /dev/null +++ b/debian/binary-check.blacklist 
@@ -0,0 +1,41 @@ +ArmPkg/Library/GccLto/liblto-aarch64.a +ArmPkg/Library/GccLto/liblto-arm.a +BaseTools/Bin/CYGWIN_NT-5.1-i686/BootSectImage +BaseTools/Bin/CYGWIN_NT-5.1-i686/BuildEnv +BaseTools/Bin/CYGWIN_NT-5.1-i686/Ecc +BaseTools/Bin/CYGWIN_NT-5.1-i686/EfiLdrImage +BaseTools/Bin/CYGWIN_NT-5.1-i686/EfiRom +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenCrc32 +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenDepex +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFds +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFfs +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFv +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenFw +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenPage +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenSec +BaseTools/Bin/CYGWIN_NT-5.1-i686/GenVtf +BaseTools/Bin/CYGWIN_NT-5.1-i686/GnuGenBootSector +BaseTools/Bin/CYGWIN_NT-5.1-i686/LzmaCompress +BaseTools/Bin/CYGWIN_NT-5.1-i686/LzmaF86Compress +BaseTools/Bin/CYGWIN_NT-5.1-i686/RunBinToolFromBuildDir +BaseTools/Bin/CYGWIN_NT-5.1-i686/RunToolFromSource +BaseTools/Bin/CYGWIN_NT-5.1-i686/Split +BaseTools/Bin/CYGWIN_NT-5.1-i686/TargetTool +BaseTools/Bin/CYGWIN_NT-5.1-i686/TianoCompress +BaseTools/Bin/CYGWIN_NT-5.1-i686/Trim +BaseTools/Bin/CYGWIN_NT-5.1-i686/VfrCompile +BaseTools/Bin/CYGWIN_NT-5.1-i686/VolInfo +BaseTools/Bin/CYGWIN_NT-5.1-i686/build +BaseTools/Bin/Darwin-i386/Arm/DEBUG_XCODE31/CompilerIntrinsicsLib.lib +BaseTools/Bin/Darwin-i386/Arm/DEBUG_XCODE32/CompilerIntrinsicsLib.lib +BaseTools/Bin/Darwin-i386/Arm/RELEASE_XCODE31/CompilerIntrinsicsLib.lib +BaseTools/Bin/Darwin-i386/Arm/RELEASE_XCODE32/CompilerIntrinsicsLib.lib +BaseTools/Source/Python/Eot/EfiCompressor.pyd +BaseTools/Source/Python/Eot/LzmaCompressor.pyd +IntelFsp2Pkg/FspSecCore/Vtf0/Bin/ResetVec.ia32.raw +UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.port80.raw +UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.raw +UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.ia32.serial.raw +UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.port80.raw +UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.raw 
+UefiCpuPkg/ResetVector/Vtf0/Bin/ResetVector.x64.serial.raw diff --git a/debian/binary-check.whitelist b/debian/binary-check.whitelist new file mode 100644 index 0000000..749a2f8 --- /dev/null +++ b/debian/binary-check.whitelist 
@@ -0,0 +1,112 @@ +.gitmodules +AppPkg/Applications/Python/Python-2.7.2/Demo/comparisons/patterns +AppPkg/Applications/Python/Python-2.7.2/Demo/md5test/foo +AppPkg/Applications/Python/Python-2.7.2/Demo/parser/FILES +AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rcsbump +AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rcvs +AppPkg/Applications/Python/Python-2.7.2/Demo/pdist/rrcs +AppPkg/Applications/Python/Python-2.7.2/Demo/scripts/newslist.doc +AppPkg/Applications/Python/Python-2.7.2/Grammar/Grammar +AppPkg/Applications/Python/Python-2.7.2/Lib/distutils/command/command_template +AppPkg/Applications/Python/Python-2.7.2/Lib/distutils/tests/Setup.sample +AppPkg/Applications/Python/Python-2.7.2/Lib/email/test/data/audiotest.au +AppPkg/Applications/Python/Python-2.7.2/Lib/pdb.doc +AppPkg/Applications/Python/Python-2.7.2/Lib/test/185test.db +AppPkg/Applications/Python/Python-2.7.2/Lib/test/Sine-1000Hz-300ms.aif +AppPkg/Applications/Python/Python-2.7.2/Lib/test/audiotest.au +AppPkg/Applications/Python/Python-2.7.2/Lib/test/check_soundcard.vbs +AppPkg/Applications/Python/Python-2.7.2/Lib/test/empty.vbs +AppPkg/Applications/Python/Python-2.7.2/Lib/test/greyrgb.uue +AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv2_32.pck +AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv2_64.pck +AppPkg/Applications/Python/Python-2.7.2/Lib/test/randv3.pck +AppPkg/Applications/Python/Python-2.7.2/Lib/test/testimg.uue +AppPkg/Applications/Python/Python-2.7.2/Lib/test/testimgr.uue +AppPkg/Applications/Python/Python-2.7.2/Lib/test/testrgb.uue +AppPkg/Applications/Python/Python-2.7.2/Lib/test/testtar.tar +AppPkg/Applications/Python/Python-2.7.2/Lib/test/xmltestdata/test.xml.out +AppPkg/Applications/Python/Python-2.7.2/Lib/test/zipdir.zip +AppPkg/Applications/Python/Python-2.7.2/Lib/wsgiref.egg-info +AppPkg/Applications/Python/Python-2.7.2/Modules/zlib/make_vms.com +AppPkg/Applications/Python/Python-2.7.2/Parser/Python.asdl 
+AppPkg/Applications/Python/Python-2.7.2/Tools/compiler/ACKS +AppPkg/Applications/Python/Python-2.7.2/Tools/msi/msisupport.mak +AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/2to3 +AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/dutree.doc +AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/idle +AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/pydoc +AppPkg/Applications/Python/Python-2.7.2/Tools/scripts/pydocgui.pyw +AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/CP1140.TXT +AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/KOI8-U.TXT +AppPkg/Applications/Python/Python-2.7.2/Tools/unicode/python-mappings/TIS-620.TXT +AppPkg/Applications/Python/Python-2.7.2/Tools/world/world +ArmPkg/Library/ArmSoftFloatLib/bits32/softfloat-macros +ArmPkg/Library/ArmSoftFloatLib/softfloat-specialize +BaseTools/BinWrappers/PosixLike/BPDG +BaseTools/BinWrappers/PosixLike/BootSectImage +BaseTools/BinWrappers/PosixLike/Brotli +BaseTools/BinWrappers/PosixLike/BrotliCompress +BaseTools/BinWrappers/PosixLike/DevicePath +BaseTools/BinWrappers/PosixLike/Ecc +BaseTools/BinWrappers/PosixLike/EfiLdrImage +BaseTools/BinWrappers/PosixLike/EfiRom +BaseTools/BinWrappers/PosixLike/GenerateCapsule +BaseTools/BinWrappers/PosixLike/GenCrc32 +BaseTools/BinWrappers/PosixLike/GenDepex +BaseTools/BinWrappers/PosixLike/GenFds +BaseTools/BinWrappers/PosixLike/GenFfs +BaseTools/BinWrappers/PosixLike/GenFv +BaseTools/BinWrappers/PosixLike/GenFw +BaseTools/BinWrappers/PosixLike/GenPage +BaseTools/BinWrappers/PosixLike/GenPatchPcdTable +BaseTools/BinWrappers/PosixLike/GenSec +BaseTools/BinWrappers/PosixLike/GenVtf +BaseTools/BinWrappers/PosixLike/GnuGenBootSector +BaseTools/BinWrappers/PosixLike/LzmaCompress +BaseTools/BinWrappers/PosixLike/LzmaF86Compress +BaseTools/BinWrappers/PosixLike/PatchPcdValue +BaseTools/BinWrappers/PosixLike/Pkcs7Sign +BaseTools/BinWrappers/PosixLike/Rsa2048Sha256GenerateKeys 
+BaseTools/BinWrappers/PosixLike/Rsa2048Sha256Sign +BaseTools/BinWrappers/PosixLike/Split +BaseTools/BinWrappers/PosixLike/TargetTool +BaseTools/BinWrappers/PosixLike/TianoCompress +BaseTools/BinWrappers/PosixLike/Trim +BaseTools/BinWrappers/PosixLike/UPT +BaseTools/BinWrappers/PosixLike/VfrCompile +BaseTools/BinWrappers/PosixLike/VolInfo +BaseTools/BinWrappers/PosixLike/build +BaseTools/BuildEnv +BaseTools/Conf/XMLSchema/DistributionPackage.xsd +BaseTools/Scripts/PackageDocumentTools/packagedocapp.pyw +BaseTools/Source/C/Makefiles/ms.app +BaseTools/Source/C/Makefiles/ms.common +BaseTools/Source/C/Makefiles/ms.lib +BaseTools/Source/C/Makefiles/ms.rule +BaseTools/Source/C/VfrCompile/Pccts/MPW_Read_Me +BaseTools/Source/C/VfrCompile/Pccts/NOTES.bcc +BaseTools/Source/C/VfrCompile/Pccts/NOTES.msvc +BaseTools/Source/C/VfrCompile/Pccts/RIGHTS +BaseTools/Source/Python/Ecc/CParser4/C.g4 +BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer +BaseTools/Source/Python/Rsa2048Sha256Sign/TestSigningPublicKey.bin +BeagleBoardPkg/ConfigurationHeader.dat +EmulatorPkg/Unix/.gdbinit +EmulatorPkg/Unix/GdbRun +EmulatorPkg/Unix/Host/X11IncludeHack +EmulatorPkg/Unix/lldbinit +EmulatorPkg/Win/VS2017/Win.vcxproj +EmulatorPkg/Win/VS2017/Win.vcxproj.filters +EmulatorPkg/Win/VS2017/Win.vcxproj.user +IntelFspWrapperPkg/FspWrapperSecCore/Vtf0/Bin/ResetVec.ia32.raw +StandaloneMmPkg +StdLib/Efi/StdLib/etc/host.conf +StdLib/Efi/StdLib/etc/hosts +StdLib/Efi/StdLib/etc/networks +StdLib/Efi/StdLib/etc/protocols +StdLib/Efi/StdLib/etc/resolv.conf +StdLib/Efi/StdLib/etc/services +StdLib/LibC/Softfloat/bits32/softfloat-macros +StdLib/LibC/Softfloat/bits64/softfloat-macros +StdLib/LibC/Softfloat/softfloat-specialize +StdLib/LibC/Softfloat/templates/softfloat-specialize diff --git a/debian/clean b/debian/clean index 8772fda..f1ed674 100644 --- a/debian/clean +++ b/debian/clean 
@@ -1,4 +1,20 @@
+.pc-post
+ArmPkg/Library/GccLto/liblto-*.a
+Build/
+CryptoPkg/Include/openssl/*.h
+Conf/.cache/
+Conf/.AutoGenIdFile.txt
 Conf/BuildEnv.sh
 Conf/build_rule.txt
 Conf/target.txt
 Conf/tools_def.txt
+EdkShellBinPkg/FullShell/X64/Shell_Full.efi
+FatBinPkg/EnhancedFatDxe/X64/Fat.efi
+UefiCpuPkg/ResetVector/Vtf0/Bin/*.raw
+debian/PkKek-1-vendor.pem
+debian/oem-string-snakeoil
+debian/oem-string-vendor
+debian/ovmf-install/
+debian/ovmf32-install/
+debian/python/UEFI/__pycache__/
+debian/setup-build-stamp
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index 48082f7..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-12
diff --git a/debian/control b/debian/control
index 5a518d0..8d642cd 100644
--- a/debian/control
+++ b/debian/control
@@ -3,22 +3,30 @@ Section: misc Priority: optional Maintainer: Proxmox Support Team Build-Depends: bc, - debhelper (>= 12), - gcc-aarch64-linux-gnu, - iasl, - nasm, - python3, - python3-distutils, - uuid-dev, + debhelper-compat (= 12), + dosfstools, + dpkg (>= 1.19.3), + gcc-aarch64-linux-gnu, + gcc-multilib [i386], + iasl, + mtools, + nasm, + python3, + python3-distutils, + python3-pexpect, + qemu-utils, + pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg), + uuid-dev, + xorriso, +Standards-Version: 4.5.0 Homepage: http://www.tianocore.org -Standards-Version: 4.1.3 +XS-Build-Indep-Architecture: amd64 Package: pve-edk2-firmware Architecture: all -Depends: ${misc:Depends}, -Description: edk2 based firmware modules for virtual machines - Contains OVMF and AAVMF. Open Virtual Machine Firmware (OVMF) is a build of - EDK II for virtual machines. It includes full support for UEFI, including +Depends: ${misc:Depends} +Multi-Arch: foreign +Description: edk2 based UEFI firmware modules for virtual machines + Open Virtual Machine Firmware is a build of EDK II for 64-bit, 32-bit x86 + and 64-bit ARM virtual machines. It includes full support for UEFI, including Secure Boot, allowing use of UEFI in place of a traditional BIOS in your VM. - AAVMF offers the same for AARCH64 (ARM64) based VMs. - Proxmox VE specific release with disabled secure boot. diff --git a/debian/copyright b/debian/copyright index 5941725..29134b9 100644 --- a/debian/copyright +++ b/debian/copyright 
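Review bot: The new build-dependency `pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg)` bounds only the second alternative, so a build that resolves the first one is accepted with any pve-qemu-kvm version. The other additions in this hunk (`python3-pexpect`, `qemu-utils`, `dosfstools`, `mtools`, `xorriso`) suggest the build now boots a QEMU guest to produce the enrolled variable stores, and the `>= 1:2.12+dfsg` bound presumably marks the QEMU feature that generator needs; if so, the same minimum applies to the Proxmox build of QEMU. Give the first alternative a matching bound, e.g. `pve-qemu-kvm (>= MIN_PVE_QEMU_VERSION) | qemu-system-x86 (>= 1:2.12+dfsg),` with the placeholder replaced by the first pve-qemu-kvm release that carries the feature, or record in the changelog why every shipped pve-qemu-kvm is new enough.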
@@ -1,29 +1,448 @@ -Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved -Copyright (c) 2008 - 2010, Apple Inc. All rights reserved. -Copyright (c) 2011 - 2015, ARM Limited. All rights reserved. -Copyright (c) 2014 - 2015, Linaro Limited. All rights reserved. -Copyright (c) 2013 - 2015, Red Hat, Inc. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -* Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. -* Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in - the documentation and/or other materials provided with the - distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN -ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: edk2 +Source: git://github.com/tianocore/edk2.git, http://www.openssl.org/source/, + with .efi binary files removed from the source at package generation time. + See get-orig-source in debian/rules for details. 
+ +Files: * +Copyright: 1999-2013, Intel Corporation +License: BSD-2-clause + +Files: StdLib/PosixLib/Stringlist/stringlist.c StdLib/PosixLib/Gen/dirname.c + StdLib/LibC/Time/strptime.c StdLib/LibC/Locale/aliasname_local.h + StdLib/LibC/Locale/wcsxfrm.c StdLib/LibC/Locale/wcstold.c + StdLib/LibC/Locale/__mb_cur_max.c StdLib/LibC/Locale/_wcstod.h + StdLib/LibC/Locale/aliasname.c StdLib/LibC/Locale/__wctoint.h + StdLib/LibC/Locale/wcsftime.c StdLib/LibC/Locale/wcscoll.c + StdLib/LibC/Locale/wcstof.c StdLib/LibC/Locale/wcstod.c + StdLib/LibC/Locale/wcstoul.c StdLib/LibC/Locale/setlocale32.c + StdLib/LibC/Math/* StdLib/LibC/gdtoa/* StdLib/LibC/StdLib/setprogname.c + StdLib/Include/strings.h StdLib/Include/Ipf/* StdLib/Include/nsswitch.h + StdLib/Include/stringlist.h StdLib/BsdSocketLib/getnetnamadr.c + StdLib/BsdSocketLib/getnetbynis.c StdLib/BsdSocketLib/gethostnamadr.c + StdLib/BsdSocketLib/gethostbynis.c +Copyright: 1993, Sun Microsystems, Inc. + 1994, Garrett Wollman + 1994-2008, The NetBSD Foundation, Inc. + 1994-1996, Carnegie-Mellon University + 1996-1997 John D. Polstra + 1998-2000, Lucent Technologies + 1998-2001, Doug Rabson + 1999-2006, Citrus Project + 1999-2012, Intel Corporation + 2002, YAMAMOTO Takashi + 2002, Tim J. Robbins + 2002-2004, Marcel Moolenaar + 2003, David Schultz +License: BSD-2-clause + +Files: OptionRomPkg/Bus/Usb/FtdiUsbSerialDxe/FtdiUsbSerialDriver.* +Copyright: 2004-2013, Intel Corporation + 2012, Ashley DeSimone +License: BSD-2-clause + +Files: OvmfPkg/* +Copyright: 2004-2013, Intel Corporation + 2008-2009, Apple Inc. + 2011, Andrei Warkentin + 2011-2012, Bei Guan + 2012-2013, Red Hat, Inc + 2013, ARM Ltd. 
+License: BSD-2-clause + +Files: BaseTools/Source/C/GenFw/elf*.h + BaseTools/Source/Python/sitecustomize.py DuetPkg/build*.sh + EmulatorPkg/* MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c + MdeModulePkg/Library/PeiDebugPrintHobLib/PeiDebugPrintHobLib.c + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c + MdePkg/Include/* MdePkg/Library/* +Copyright: 1996-1998 John D. Polstra + 2004-2013, Intel Corporation + 2006, Tristan Gingold + 2008-2012, Apple Inc. + 2011-2013, ARM Limited + 2013, Red Hat, Inc. +License: BSD-2-clause + +Files: ArmPkg/* ArmPlatformPkg/* BaseTools/Source/C/Common/*PeCoff*.c + BaseTools/Source/C/GenFv/GenFvInternalLib.c + BaseTools/Source/C/GenFw/Elf64Convert.c + BaseTools/Source/C/Include/AArch64/* + BaseTools/Source/C/Include/Arm/* + BaseTools/Source/C/Include/IndustryStandard/PeImage.h + BeagleBoardPkg/* EmbeddedPkg/* Omap35xxPkg/* +Copyright: 2011-2013, ARM Limited + 2008-2010, Apple Inc. + 2004-2013, Intel Corporation + 2009, Hewlett-Packard Company + 2011, Hewlett-Packard Corporation + 2003-2008 University of Illinois at Urbana-Champaign +License: BSD-2-clause + +Files: ShellPkg/Application/Shell/* ShellPkg/Library/* +Copyright: 1999-2013, Intel Corporation + 2013, Hewlett-Packard Development Company, L.P. 
+License: BSD-2-clause + +Files: ArmPkg/Library/CompilerIntrinsicsLib/AArch64/memcpy.S + ArmPlatformPkg/ArmVExpressPkg/Scripts/uefi-aarch64-bootstrap/* + EdkCompatibilityPkg/* + StdLibPrivateInternalFiles/Include/kfile.h StdLib/PosixLib/Glob/glob.c + StdLib/PosixLib/Gen/readdir.c StdLib/PosixLib/Gen/utime.c + StdLib/PosixLib/Gen/opendir.c StdLib/PosixLib/Gen/closedir.c + StdLib/LibC/Time/gettimeofday.c StdLib/LibC/Locale/_wcstol.h + StdLib/LibC/Locale/rune.h StdLib/LibC/Locale/setlocale.c + StdLib/LibC/Locale/iswctype_sb.c StdLib/LibC/Locale/_wcstoul.h + StdLib/LibC/Locale/multibyte_sb.c StdLib/LibC/Locale/runetype.h + StdLib/LibC/String/strncasecmp.c StdLib/LibC/Main/is*.c + StdLib/LibC/Main/*/is*.c StdLib/LibC/NetUtil/inet_*.c + StdLib/LibC/Stdio/* StdLib/LibC/StdLib/* StdLib/Include/netatalk/* + StdLib/Include/glob.h StdLib/Include/Ipf/machine/limits.h + StdLib/Include/Ipf/machine/int_types.h + StdLib/Include/Ipf/machine/param.h StdLib/Include/Ipf/machine/stdarg.h + StdLib/Include/Ipf/machine/types.h StdLib/Include/Ipf/machine/varargs.h + StdLib/Include/Ipf/machine/vmparam.h StdLib/Include/Ipf/machine/ansi.h + StdLib/Include/Ipf/machine/aout_machdep.h StdLib/Include/netinet6/in6.h + StdLib/Include/pwd.h StdLib/Include/locale.h StdLib/Include/dirent.h + StdLib/Include/arpa/nameser.h StdLib/Include/arpa/inet.h + StdLib/Include/utime.h StdLib/Include/netinet/in.h + StdLib/Include/netinet/tcp.h StdLib/Include/X64/machine/atomic.h + StdLib/Include/X64/machine/asm.h StdLib/Include/X64/machine/int_types.h + StdLib/Include/X64/machine/types.h StdLib/Include/X64/machine/ansi.h + StdLib/Include/paths.h StdLib/Include/netdb.h + StdLib/Include/Ia32/machine/asm.h StdLib/Include/Ia32/machine/int_types.h + StdLib/Include/Ia32/machine/param.h StdLib/Include/Ia32/machine/types.h + StdLib/Include/Ia32/machine/ansi.h StdLib/BsdSocketLib/getaddrinfo.c + StdLib/BsdSocketLib/getnameinfo.c +Copyright: 1982-2013, Intel Corporation + 1982-1994, The Regents of the University of 
California + 1990-1991, Regents of The University of Michigan + 1993-1994, Digital Equipment Corporation + 1995, Jason Downs + 1995-1997, Kungliga Tekniska Hogskolan + 1995-1998, WIDE Project + 1996-1999, Internet Software Consortium + 1997, Todd C. Miller + 2002, Wasabi Systems, Inc + 2004, Internet Systems Consortium, Inc. + 2010-2012, Intel Corporation + 2011-2013, ARM Limited +License: BSD-3-clause + +Files: StdLibPrivateInternalFiles/Include/namespace.h + StdLibPrivateInternalFiles/Include/reentrant.h + StdLibPrivateInternalFiles/Include/extern.h + StdLib/PosixLib/Err/warn_err.c StdLib/LibC/Time/timegm.c + StdLib/LibC/Time/strftime.c StdLib/LibC/Locale/ctypeio.* + StdLib/LibC/String/strsep.c StdLib/LibC/gdtoa/_strtold.c + StdLib/LibC/gdtoa/_strtof.c StdLib/LibC/Main/Arm/flt_rounds.c + StdLib/LibC/Uefi/writev.c StdLib/LibC/Uefi/select.c + StdLib/LibC/Uefi/compat.c StdLib/LibC/NetUtil/inet_addr.c + StdLib/LibC/Stdio/fparseln.c StdLib/LibC/Stdio/vswscanf.c + StdLib/LibC/Stdio/vfwscanf.c StdLib/LibC/Stdio/flockfile.c + StdLib/Include/sys/* StdLib/Include/x86/ieee.h + StdLib/Include/sysexits StdLib/Include/Ipf/machine/loadfile_machdep.h + StdLib/Include/Ipf/machine/cpu_counter.h + StdLib/Include/Ipf/machine/pmap.h + StdLib/Include/Ipf/machine/wchar_limits.h + StdLib/Include/Ipf/machine/cpu.h StdLib/Include/Ipf/machine/disklabel.h + StdLib/Include/Ipf/machine/ptrace.h StdLib/Include/Ipf/machine/setjmp.h + StdLib/Include/Ipf/machine/int_limits.h StdLib/Include/nl_types.h + StdLib/Include/Arm/machine/* StdLib/Include/net/* + StdLib/Include/inttypes.h StdLib/Include/arpa/telnet.h + StdLib/Include/arpa/nameser_compat.h StdLib/Include/arpa/ftp.h + StdLib/Include/netinet/ip.h StdLib/Include/netinet/in_systm.h + StdLib/Include/*/machine/int_mwgwtypes.h + StdLib/Include/*/machine/int_const.h + StdLib/Include/X64/machine/byte_swap.h + StdLib/Include/*/machine/int_fmtio.h + StdLib/Include/X64/machine/int_limits.h StdLib/Include/resolv.h + StdLib/Include/netns/ns.h 
StdLib/Include/Ia32/machine/byte_swap.h + StdLib/Include/Ia32/machine/int_limits.h StdLib/BsdSocketLib/map_v4v6.c + StdLib/BsdSocketLib/inet_net_pton.c StdLib/BsdSocketLib/res_*.c + StdLib/BsdSocketLib/sethostname.c StdLib/BsdSocketLib/ns_*.c + StdLib/BsdSocketLib/getnetbyht.c StdLib/BsdSocketLib/getproto.c + StdLib/BsdSocketLib/gethostname.c StdLib/BsdSocketLib/gethostbydns.c + StdLib/BsdSocketLib/herror.c StdLib/BsdSocketLib/getprotoname.c + StdLib/BsdSocketLib/inet_neta.c StdLib/BsdSocketLib/getservbyport.c + StdLib/BsdSocketLib/inet_pton.c StdLib/BsdSocketLib/getservent.c + StdLib/BsdSocketLib/gethostbyht.c StdLib/BsdSocketLib/getservbyname.c + StdLib/BsdSocketLib/getnetbydns.c StdLib/BsdSocketLib/getprotoent.c +Copyright: 1983-1993, Digital Equipment Corporation + 1982-1994, Regents of the University of California + 1988, University of Utah + 1993, Carlos Leandro and Rui Salgueiro + 1994, Christopher G. Demetriou + 1994, Winning Strategies, Inc + 1994-1997, Mark Brinicombe + 1996, Internet Software Consortium + 1996-1997, Christos Zoulas + 1997-2006, The NetBSD Foundation, Inc + 1998 HD Associates, Inc + 2000-2001, Artur Grabowski + 1999-2012, Intel Corporation +License: BSD-4-clause + +Files: StdLib/LibC/Stdio/fileext.h StdLib/LibC/Stdio/wscanf.c + StdLib/LibC/Stdio/vwscanf.c StdLib/LibC/Stdio/*wc.c + StdLib/LibC/Stdio/*wchar.c StdLib/LibC/Stdio/fgetws.c + StdLib/LibC/Stdio/swscanf.c StdLib/LibC/Stdio/wcio.h + StdLib/LibC/Stdio/fwide.c StdLib/LibC/Stdio/fwscanf.c + StdLib/LibC/Stdio/wprintf.c StdLib/LibC/Stdio/swprintf.c + StdLib/LibC/Stdio/fputws.c StdLib/LibC/Stdio/vwprintf.c + StdLib/LibC/Stdio/fwprintf.c +Copyright: 2001, Citrus Project + 2002, Tim J. 
Robbins + 2010-2012, Intel Corporation +License: BSD-2-clause + +Files: StdLib/LibC/String/strlcat.c StdLib/LibC/String/strlcpy.c + StdLib/LibC/NetUtil/inet_ntop.c StdLib/BsdSocketLib/base64.c + StdLib/BsdSocketLib/inet_net_ntop.c StdLib/BsdSocketLib/res_data.c + StdLib/BsdSocketLib/ns_netint.c StdLib/BsdSocketLib/nsap_addr.c +Copyright: 1998, Todd C. Miller + 1996-1999, Internet Software Consortium + 1995-2000, International Business Machines, Inc + 2004, Internet Systems Consortium, Inc. + 2011, Intel Corporation +License: ISC + +Files: CryptoPkg/Library/OpensslLib/openssl-0.9.8w/* +Copyright: 1998-2004 The OpenSSL Project + 1995-1998 Eric A. Young, Tim J. Hudson +License: OpenSSL + +Files: debian/tests/shell.py +Copyright: 2019 Canonical Ltd. +License: GPL-3 + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + . Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + . Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + . Neither the name of the Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + +License: BSD-4-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by the NetBSD + Foundation, Inc. and its contributors. + 4. Neither the name of The NetBSD Foundation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: GPL-3 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 3, as + published by the Free Software Foundation. + . 
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian and Debian-based systems, the full text of the GNU General + Public License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: OpenSSL + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + . + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgment: + "This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + . + 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + endorse or promote products derived from this software without + prior written permission. For written permission, please contact + openssl-core@openssl.org. + . + 5. Products derived from this software may not be called "OpenSSL" + nor may "OpenSSL" appear in their names without prior written + permission of the OpenSSL Project. + . + 6. Redistributions of any form whatsoever must retain the following + acknowledgment: + "This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + . 
+ THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + ==================================================================== + . + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). This product includes software written by Tim + Hudson (tjh@cryptsoft.com). + . + This library is free for commercial and non-commercial use as long as + the following conditions are aheared to. The following conditions + apply to all code found in this distribution, be it the RC4, RSA, + lhash, DES, etc., code; not just the SSL code. The SSL documentation + included with this distribution is covered by the same copyright terms + except that the holder is Tim Hudson (tjh@cryptsoft.com). + . + Copyright remains Eric Young's, and as such any Copyright notices in + the code are not to be removed. + If this package is used in a product, Eric Young should be given attribution + as the author of the parts of the library used. + This can be in the form of a textual message at program startup or + in documentation (online or textual) provided with the package. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. 
Redistributions of source code must retain the copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + "This product includes cryptographic software written by + Eric Young (eay@cryptsoft.com)" + The word 'cryptographic' can be left out if the rouines from the library + being used are not cryptographic related :-). + 4. If you include any Windows specific code (or a derivative thereof) from + the apps directory (application code) you must include an acknowledgement: + "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + . + THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + . + The licence and distribution terms for any publically available version or + derivative of this code cannot be changed. i.e. this code cannot simply be + copied and put under another distribution licence + [including the GNU Public Licence.] 
+ +License: ISC + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + SOFTWARE. + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to + deal in the Software without restriction, including without limitation the + rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + sell copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + IN THE SOFTWARE. diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py new file mode 100755 index 0000000..f9328c1 --- /dev/null 
+++ b/debian/edk2-vars-generator.py 
@@ -0,0 +1,129 @@
+#!/usr/bin/env python3
+#
+# Copyright 2021 Canonical Ltd.
+# Authors:
+# - dann frazier
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
+# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see .
+#
+
+import argparse
+import os.path
+import pexpect
+import shutil
+import sys
+from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
+from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
+from UEFI import Qemu
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "-f", "--flavor", help="UEFI Flavor",
+        choices=['AAVMF', 'OVMF', 'OVMF_4M'],
+        required=True,
+    )
+    parser.add_argument(
+        "-e", "--enrolldefaultkeys",
+        help='Path to "EnrollDefaultKeys" EFI binary',
+        required=True,
+    )
+    parser.add_argument(
+        "-s", "--shell",
+        help='Path to "Shell" EFI binary',
+        required=True,
+    )
+    parser.add_argument(
+        "-C", "--certificate",
+        help='base64-encoded PK/KEK1 certificate',
+        required=True,
+    )
+    parser.add_argument(
+        "-c", "--code",
+        help='UEFI code image',
+        required=True,
+    )
+    parser.add_argument(
+        "-V", "--vars-template",
+        help='UEFI vars template',
+        required=True,
+    )
+    parser.add_argument(
+        "-o", "--out-file",
+        help="Output file for generated vars template",
+        required=True,
+    )
+    parser.add_argument("-d", "--debug", action="store_true",
+                        help="Emit debug messages")
+    args = parser.parse_args()
+
+    FlavorConfig = {
+        'AAVMF': {
+            'EfiArch': 'AA64',
+            'QemuCommand': Qemu.QemuCommand(
+                QemuEfiMachine.AAVMF,
+                code_path=args.code,
+                vars_template_path=args.vars_template,
+            ),
+        },
+        'OVMF': {
+            'EfiArch': 'X64',
+            'QemuCommand': Qemu.QemuCommand(
+                QemuEfiMachine.OVMF_Q35,
+                variant=QemuEfiVariant.SECBOOT,
+                flash_size=QemuEfiFlashSize.SIZE_2MB,
+                code_path=args.code,
+                vars_template_path=args.vars_template,
+            ),
+        },
+        'OVMF_4M': {
+            'EfiArch': 'X64',
+            'QemuCommand': Qemu.QemuCommand(
+                QemuEfiMachine.OVMF_Q35,
+                variant=QemuEfiVariant.SECBOOT,
+                flash_size=QemuEfiFlashSize.SIZE_2MB,
+                code_path=args.code,
+                vars_template_path=args.vars_template,
+            ),
+        },
+    }
+
+    eltorito = FatFsImage(64)
+    eltorito.makedirs(os.path.join('EFI', 'BOOT'))
+    removable_media_path = os.path.join(
+        'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
+    )
+    eltorito.insert_file(args.shell, removable_media_path)
+    eltorito.insert_file(
+        args.enrolldefaultkeys,
+        args.enrolldefaultkeys.split(os.path.sep)[-1]
+    )
+    iso = EfiBootableIsoImage(eltorito)
+
+    q = FlavorConfig[args.flavor]['QemuCommand']
+    q.add_disk(iso.path)
+    q.add_oem_string(11, args.certificate)
+
+    child = pexpect.spawn(' '.join(q.command))
+    if args.debug:
+        child.logfile = sys.stdout.buffer
+    child.expect(['Press .* or any other key to continue'], timeout=60)
+    child.sendline('\x1b')
+    child.expect(['Shell> '])
+    child.sendline('FS0:\r')
+    child.expect(['FS0:\\\\> '])
+    child.sendline('EnrollDefaultKeys.efi\r')
+    child.expect(['FS0:\\\\> '])
+    child.sendline('reset -s\r')
+    child.wait()
+    shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/find-binaries.py b/debian/find-binaries.py
new file mode 100644
index 0000000..b506382
--- /dev/null
+++ b/debian/find-binaries.py
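Review bot: The generated vars image is copied out unconditionally by the last line of the hunk (`shutil.copy(q.pflash.varfile_path, args.out_file)`) although nothing verifies that `EnrollDefaultKeys.efi` succeeded: `child.expect(['FS0:\\\\> '])` is satisfied by the prompt coming back after an error exactly as after a successful enrollment, so a failed run would presumably ship a vars template still in setup mode (no PK/KEK/db, Secure Boot not enforced) under a name that promises enrolled keys. After that expect, inspect `child.before` for the tool's status output (I believe EnrollDefaultKeys prints a final `SecureBoot=… SetupMode=…` line; confirm against its source) and exit non-zero unless it reports Secure Boot enabled, and check `child.exitstatus` after `child.wait()` instead of discarding it. Separately, `pexpect.spawn(' '.join(q.command))` re-tokenises the already-split argument list on whitespace; `pexpect.spawn(q.command[0], q.command[1:])` passes paths or OEM-string values containing spaces intact. Finally, `'OVMF_4M'` is configured identically to `'OVMF'`, including `flash_size=QemuEfiFlashSize.SIZE_2MB`, which looks like a copy-paste slip if QemuEfiFlashSize has a 4 MiB member — worth confirming against debian/python/UEFI/Qemu.py, which is outside this hunk.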
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+
+# Use heuristics to identify new files that maybe binaries.
+# Flagged files need to be manually inspected and either added to the
+# whitelist (because they are safe to redistribute), or to the blacklist
+# (so that they'll be removed prior to orig.tar.xz generation).
+
+import os
+import re
+import sys
+
+def nameOK(name):
+    OKPatterns = ['\.gitignore', 'AUTHORS', 'FILE.LST', 'Change[lL]og',
+                  'COPYING', 'configure', 'FAQ', '(GNU)?[Mm]akefile',
+                  'INDEX', 'LICENSE', 'README', 'TODO' ]
+    OKRegexs = map(re.compile, OKPatterns)
+
+    for r in OKRegexs:
+        if r.match(name):
+            return True
+    return False
+
+def extensionOK(name):
+    OKExtensions = [ '1', '3', 'ASL', 'asi', 'asl', 'aslc', 'Asm', 'asm',
+                     'asm16', 'bat', 'bmp', 'c', 'CMM', 'cmm', 'cnf', 'cpp',
+                     'css', 'dec', 'decTest', 'dlg', 'dsc', 'docx', 'dsp',
+                     'dsw', 'el', 'env', 'fdf', 'g', 'gif', 'H', 'h', 'hpp',
+                     'html', 'i', 'idf', 'in', 'inc', 'inf', 'info', 'ini',
+                     'lds', 'log', 'lua', 'mak', 'makefile', 'md', 'nasm',
+                     'nasmb', 'nsh', 'patch', 'pbxuser', 'pbxproj', 'pdf',
+                     'pem', 'pl', 'png', 'pod', 'ps', 'py', 'r', 'rtf', 'S',
+                     's', 'sct', 'sh', 'sln', 't', 'template', 'txt', 'uni',
+                     'Vfr', 'vcproj', 'vfi', 'vfr', 'xml' ]
+    ext = name.split('.')[-1]
+
+    if ext in OKExtensions:
+        return True
+    return False
+
+if __name__ == '__main__':
+    top = './'
+    for root, dirs, files in os.walk(top):
+        with open('./debian/binary-check.whitelist', 'r') as f:
+            whitelist = list(map(lambda s: s.strip(), f.readlines()))
+
+        ret = 0
+        for name in files:
+            relpath = os.path.join(root, name)[len(top):]
+            if relpath in whitelist:
+                continue
+            if nameOK(name):
+                continue
+            if extensionOK(name):
+                continue
+            else:
+                sys.stdout.write("WARNING: Possible binary %s\n" % (os.path.join(root, name)))
+                ret = -1
+    sys.exit(ret)
+
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..23e88fe
--- /dev/null
+++ b/debian/gbp.conf
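Review bot: `nameOK` anchors its patterns only at the start (`r.match(name)`), so `'configure'`, `'INDEX'` or `'README'` also accept `configure.bin`, `INDEX.exe` or `README.so`, which defeats a heuristic whose whole job is to catch unexpected binaries before they land in the orig tarball; use `if r.fullmatch(name):` and make the patterns raw strings, since `'\.gitignore'` is an invalid escape that newer Pythons warn about. In the main block the whitelist is re-read inside the `os.walk` loop (the `with open` is that loop's first statement) and `ret = 0` appears to sit inside it as well, so a warning raised for an earlier directory is forgotten once a later directory is clean and `sys.exit(ret)` reports success; hoist both the `with open(...)` block and `ret = 0` above the `for root, dirs, files` loop. `sys.exit(-1)` also yields exit status 255 — `sys.exit(1)` is the conventional failure code.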
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian
+pristine-tar = True
diff --git a/debian/patches/brotlicompress-disable.diff b/debian/patches/brotlicompress-disable.diff
new file mode 100644
index 0000000..1c131d8
--- /dev/null
+++ b/debian/patches/brotlicompress-disable.diff
@@ -0,0 +1,22 @@
+Description: Do not attempt to compile removed BrotliCompress source
+ BrotliCompress is not currently used, and including an embedded
+ copy of its source could cause false-positives when scanning for
+ security issues. This code is stripped from our orig.tar (at the request
+ of the Ubuntu security team), so we also need to disable the build.
+Author: dann frazier
+Forwarded: not-needed
+Last-Update: 2019-06-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: edk2/BaseTools/Source/C/GNUmakefile
+===================================================================
+--- edk2.orig/BaseTools/Source/C/GNUmakefile
++++ edk2/BaseTools/Source/C/GNUmakefile
+@@ -48,7 +48,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+- BrotliCompress \
+ VfrCompile \
+ EfiRom \
+ GenFfs \
diff --git a/debian/patches/no-stack-protector-all-archs.diff b/debian/patches/no-stack-protector-all-archs.diff
new file mode 100644
index 0000000..7a777c1
--- /dev/null
+++ b/debian/patches/no-stack-protector-all-archs.diff
@@ -0,0 +1,19 @@
+Author: Steve Langasek
+Description: pass -fno-stack-protector to all GCC toolchains
+ The upstream build rules inexplicably pass -fno-stack-protector only
+ when building for i386 and amd64. Add this essential argument to the
+ generic rules for gcc 4.8 and later.
+Last-Updated: 2019-03-14
+Index: edk2/BaseTools/Conf/tools_def.template
+===================================================================
+--- edk2.orig/BaseTools/Conf/tools_def.template
++++ edk2/BaseTools/Conf/tools_def.template
+@@ -1900,7 +1900,7 @@ DEFINE GCC_RISCV64_RC_FLAGS = -I
+ # GCC Build Flag for included header file list generation
+ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps
+ 
+-DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
++DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+ DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
+ DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
+ DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..31911bc
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+no-stack-protector-all-archs.diff
+brotlicompress-disable.diff
diff --git a/debian/pve-edk2-firmware.install b/debian/pve-edk2-firmware.install
index 681cc2a..6aa70d9 100644
--- a/debian/pve-edk2-firmware.install
+++ b/debian/pve-edk2-firmware.install
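Review bot: The DEP-3 header gives no reason for switching off the stack protector everywhere — it calls the upstream behaviour "inexplicable" — although the reason is security-relevant and should be recorded in the Description: EDK2 is a freestanding build with no `__stack_chk_guard`/`__stack_chk_fail` runtime, and Ubuntu's GCC (and Debian's dpkg-buildflags hardening defaults) presumably turn on `-fstack-protector-strong`, so without this flag non-x86 builds would fail to link or carry unresolved canary references; the consequence worth stating is that the shipped firmware images have no stack canaries on any architecture. Two smaller header points: the DEP-3 field is `Last-Update:`, not `Last-Updated:`, and a `Forwarded:` line (the sibling brotlicompress patch carries one) would say whether this was sent upstream. Whether the flag reaches the GCC49/GCC5 toolchain definitions depends on those deriving from `GCC48_ALL_CC_FLAGS`, which is outside the hunk's context lines — confirm in tools_def.template.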
@@ -1,3 +1,7 @@
-Build/OvmfX64/RELEASE_*GCC*/FV/OVMF_CODE.fd /usr/share/pve-edk2-firmware
-Build/OvmfX64/RELEASE_*GCC*/FV/OVMF_VARS.fd /usr/share/pve-edk2-firmware
+debian/ovmf-install/OVMF_CODE*.fd /usr/share/pve-edk2-firmware
+debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
+debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
+debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
+Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/QEMU_EFI.fd /usr/share/pve-edk2-firmware/aarch64
 Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/AAVMF_*.fd /usr/share/pve-edk2-firmware
+debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
diff --git a/debian/python/UEFI/Filesystems.py b/debian/python/UEFI/Filesystems.py
new file mode 100644
index 0000000..0f47cbd
--- /dev/null
+++ b/debian/python/UEFI/Filesystems.py
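Review bot: The last added line installs `debian/PkKek-1-snakeoil.*`, which per the diffstat includes `PkKek-1-snakeoil.key` — the private key for the PK/KEK that the rules below enroll into the `*.snakeoil.fd` variable stores. Shipping a public private key is fine for a test key, but nothing at the install site marks it as such, and a VM started with a `.snakeoil` vars image will trust anything signed with it; a comment line above it would prevent misuse: `# test-only PK/KEK pair matching the *.snakeoil.fd stores; the private key is deliberately public, never use these stores as a Secure Boot baseline`. Separately, `debian/python/UEFI/Qemu.py` maps the MS variant to `OVMF_CODE.ms.fd`, which none of the globs here can match because nothing in this diff produces such a file (Debian provides it as a symlink, I believe); confirm that consumers of this package are pointed at `OVMF_CODE*.secboot.fd` instead.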
@@ -0,0 +1,121 @@ +# +# Copyright 2019-2021 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import os +import shutil +import subprocess +import tempfile + + +class FatFsImage: + def __init__(self, size_in_mb): + with tempfile.NamedTemporaryFile(delete=False) as f: + self.path = f.name + + subprocess.check_call( + [ + 'dd', 'if=/dev/zero', 'of=%s' % (self.path), + 'count=0', 'bs=1M', 'seek=%d' % (size_in_mb), 'status=none' + ] + ) + new_env = os.environ.copy() + new_env['PATH'] = f"{os.environ['PATH']}:/sbin" + subprocess.check_call(['mkdosfs', '-F', '32', self.path], env=new_env) + + def __del__(self): + os.unlink(self.path) + + def mkdir(self, dir): + subprocess.run(['mmd', '-i', self.path, dir]) + + def makedirs(self, dir): + dirs = dir.split(os.path.sep) + for dir_idx in range(1, len(dirs)+1): + next_dir = os.path.sep.join(dirs[:dir_idx]) + self.mkdir(next_dir) + + def insert_file(self, src, dest): + subprocess.check_call( + [ + 'mcopy', '-i', self.path, src, '::%s' % (dest) + ] + ) + + +class EfiBootableIsoImage: + def __init__(self, eltorito_img): + with tempfile.TemporaryDirectory() as iso_root: + eltorito_iso_root = 'boot' + eltorito_iso_path = os.path.join(eltorito_iso_root, 'efi.img') + eltorito_local_root = os.path.join(iso_root, eltorito_iso_root) + eltorito_local_path = os.path.join(iso_root, eltorito_iso_path) + + os.makedirs(eltorito_local_root) + shutil.copyfile(eltorito_img.path, 
eltorito_local_path) + + with tempfile.NamedTemporaryFile(delete=False) as f: + self.path = f.name + + subprocess.check_call( + [ + 'xorriso', '-as', 'mkisofs', '-J', '-l', + '-c', 'boot/boot.cat', + '-partition_offset', '16', '-append_partition', '2', + '0xef', eltorito_local_path, + '-e', '--interval:appended_partition_2:all::', + '-no-emul-boot', '-o', self.path, iso_root + ] + ) + + def __del__(self): + os.unlink(self.path) + + +class GrubShellBootableIsoImage(EfiBootableIsoImage): + def __init__(self, efi_arch, use_signed): + EfiArchToGrubArch = { + 'X64': "x86_64", + 'AA64': "arm64", + } + efi_img = FatFsImage(64) + efi_img.makedirs(os.path.join('EFI', 'BOOT')) + removable_media_path = os.path.join( + 'EFI', 'BOOT', 'BOOT%s.EFI' % (efi_arch.upper()) + ) + efi_ext = 'efi' + grub_subdir = "%s-efi" % EfiArchToGrubArch[efi_arch.upper()] + if use_signed: + efi_ext = "%s.signed" % (efi_ext) + grub_subdir = "%s-signed" % (grub_subdir) + + shim_src = os.path.join( + os.path.sep, 'usr', 'lib', 'shim', + 'shim%s.%s' % (efi_arch.lower(), efi_ext) + ) + grub_src = os.path.join( + os.path.sep, 'usr', 'lib', 'grub', + '%s' % (grub_subdir), + "" if use_signed else "monolithic", + 'grub%s.%s' % (efi_arch.lower(), efi_ext) + ) + grub_dest = os.path.join( + 'EFI', 'BOOT', 'GRUB%s.EFI' % (efi_arch.upper()) + ) + efi_img.insert_file(shim_src, removable_media_path) + efi_img.insert_file(grub_src, grub_dest) + super().__init__(efi_img) diff --git a/debian/python/UEFI/Qemu.py b/debian/python/UEFI/Qemu.py new file mode 100644 index 0000000..d8aaf23 --- /dev/null +++ b/debian/python/UEFI/Qemu.py 
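Review bot: `FatFsImage.mkdir` runs `mmd` through `subprocess.run` without `check=True`, so a failing `mmd` (mtools missing, image not formatted, bad path) is silently ignored and only surfaces later as an unrelated-looking `mcopy` failure from `insert_file`; every other external call in this file uses `check_call`. I assume the laxity is deliberate because `makedirs` re-issues `mmd` for every path prefix and `mmd` presumably fails on an existing directory — if so, say it on the call: `# mmd fails for an existing directory; makedirs() relies on that being non-fatal`. If it is not deliberate, make `mkdir` use `subprocess.run([...], check=True)` and have `makedirs` skip prefixes that already exist. The `__del__` cleanups assume `self.path` was set; that holds today because it is the first assignment in both `__init__` bodies, which is worth a comment so a future reorder does not turn a failed constructor into a second exception from `__del__`.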
@@ -0,0 +1,181 @@ +# +# Copyright 2019-2021 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import enum +import os +import shutil +import tempfile + + +class QemuEfiMachine(enum.Enum): + OVMF_PC = enum.auto() + OVMF_Q35 = enum.auto() + OVMF32 = enum.auto() + AAVMF = enum.auto() + AAVMF32 = enum.auto() + + +class QemuEfiVariant(enum.Enum): + MS = enum.auto() + SECBOOT = enum.auto() + SNAKEOIL = enum.auto() + + +class QemuEfiFlashSize(enum.Enum): + DEFAULT = enum.auto + SIZE_2MB = enum.auto() + SIZE_4MB = enum.auto() + + +class QemuCommand: + # Based on the args used by ovmf-vars-generator + Qemu_Common_Params = [ + '-no-user-config', '-nodefaults', + '-m', '256', + '-smp', '2,sockets=2,cores=1,threads=1', + '-display', 'none', + '-serial', 'stdio', + ] + Ovmf_Common_Params = Qemu_Common_Params + [ + '-chardev', 'pty,id=charserial1', + '-device', 'isa-serial,chardev=charserial1,id=serial1', + ] + Aavmf_Common_Params = Qemu_Common_Params + [ + '-machine', 'virt', '-device', 'virtio-serial-device', + ] + Machine_Base_Command = { + QemuEfiMachine.AAVMF: [ + 'qemu-system-aarch64', '-cpu', 'cortex-a57', + ] + Aavmf_Common_Params, + QemuEfiMachine.AAVMF32: [ + 'qemu-system-aarch64', '-cpu', 'cortex-a15', + ] + Aavmf_Common_Params, + QemuEfiMachine.OVMF_PC: [ + 'qemu-system-x86_64', '-machine', 'pc,accel=tcg', + ] + Ovmf_Common_Params, + QemuEfiMachine.OVMF_Q35: [ + 'qemu-system-x86_64', '-machine', 
'q35,accel=tcg', + ] + Ovmf_Common_Params, + QemuEfiMachine.OVMF32: [ + 'qemu-system-i386', '-machine', 'q35,accel=tcg', + ] + Ovmf_Common_Params, + } + + def _get_default_flash_paths(self, machine, variant, flash_size): + assert(machine in QemuEfiMachine) + assert(variant is None or variant in QemuEfiVariant) + assert(flash_size in QemuEfiFlashSize) + + code_ext = vars_ext = '' + if variant == QemuEfiVariant.MS: + code_ext = vars_ext = '.ms' + elif variant == QemuEfiVariant.SECBOOT: + code_ext = '.secboot' + elif variant == QemuEfiVariant.SNAKEOIL: + vars_ext = '.snakeoil' + + if machine == QemuEfiMachine.AAVMF: + assert(flash_size == QemuEfiFlashSize.DEFAULT) + return ( + f'/usr/share/AAVMF/AAVMF_CODE{code_ext}.fd', + f'/usr/share/AAVMF/AAVMF_VARS{code_ext}.fd', + ) + if machine == QemuEfiMachine.AAVMF32: + assert(variant is None) + assert(flash_size == QemuEfiFlashSize.DEFAULT) + return ( + '/usr/share/AAVMF/AAVMF32_CODE.fd', + '/usr/share/AAVMF/AAVMF32_VARS.fd' + ) + if machine == QemuEfiMachine.OVMF32: + assert(variant is None or variant in [QemuEfiVariant.SECBOOT]) + assert( + flash_size in [ + QemuEfiFlashSize.DEFAULT, QemuEfiFlashSize.SIZE_4MB + ] + ) + return ( + '/usr/share/OVMF/OVMF32_CODE_4M.secboot.fd', + '/usr/share/OVMF/OVMF32_VARS_4M.fd', + ) + # Remaining possibilities are OVMF variants + if machine == QemuEfiMachine.OVMF_PC: + assert(variant is None) + if variant == QemuEfiVariant.SNAKEOIL: + # We provide one size - you don't get to pick. 
+ assert(flash_size == QemuEfiFlashSize.DEFAULT) + size_ext = '' if flash_size == QemuEfiFlashSize.SIZE_2MB else '_4M' + return ( + f'/usr/share/OVMF/OVMF_CODE{size_ext}{code_ext}.fd', + f'/usr/share/OVMF/OVMF_VARS{size_ext}{vars_ext}.fd' + ) + + def __init__( + self, machine, variant=None, + code_path=None, vars_template_path=None, + flash_size=QemuEfiFlashSize.DEFAULT, + ): + assert( + (code_path and vars_template_path) or + (not code_path and not vars_template_path) + ) + + if not code_path: + (code_path, vars_template_path) = self._get_default_flash_paths( + machine, variant, flash_size) + + self.pflash = self.PflashParams(code_path, vars_template_path) + self.command = self.Machine_Base_Command[machine] + self.pflash.params + if variant in [QemuEfiVariant.MS, QemuEfiVariant.SECBOOT] and \ + flash_size == QemuEfiFlashSize.SIZE_2MB: + # 2MB images have 64-bit PEI that does not support S3 w/ SMM + self.command.extend(['-global', 'ICH9-LPC.disable_s3=1']) + + def add_disk(self, path): + self.command = self.command + [ + '-drive', 'file=%s,format=raw' % (path) + ] + + def add_oem_string(self, type, string): + string = string.replace(",", ",,") + self.command = self.command + [ + '-smbios', f'type={type},value={string}' + ] + + class PflashParams: + ''' + Used to generate the appropriate -pflash arguments for QEMU. Mostly + used as a fancy way to generate a per-instance vars file and have it + be automatically cleaned up when the object is destroyed. + ''' + def __init__(self, code_path, vars_template_path): + with tempfile.NamedTemporaryFile(delete=False) as varfile: + self.varfile_path = varfile.name + with open(vars_template_path, 'rb') as template: + shutil.copyfileobj(template, varfile) + self.params = [ + '-drive', + 'file=%s,if=pflash,format=raw,unit=0,readonly=on' % + (code_path), + '-drive', + 'file=%s,if=pflash,format=raw,unit=1,readonly=off' % + (varfile.name) + ] + + def __del__(self): + os.unlink(self.varfile_path) 
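Review bot: In `_get_default_flash_paths` the AAVMF branch builds the vars path from `code_ext` rather than `vars_ext` — `f'/usr/share/AAVMF/AAVMF_VARS{code_ext}.fd'` — so for `QemuEfiVariant.SNAKEOIL` (`vars_ext='.snakeoil'`, `code_ext=''`) it returns the plain `AAVMF_VARS.fd`, meaning `test_aavmf_snakeoil` in debian/tests/shell.py never boots the snakeoil-enrolled store, and for `SECBOOT` it would name an `AAVMF_VARS.secboot.fd` that nothing in this diff produces; it should read `f'/usr/share/AAVMF/AAVMF_VARS{vars_ext}.fd'`. Separately, `QemuEfiFlashSize.DEFAULT = enum.auto` is missing its call parentheses, so the member's value is the `enum.auto` class itself rather than a number; it still behaves as a distinct member, but `DEFAULT = enum.auto()` is what was meant. The machine/variant/size validation is done with `assert`, which disappears under `python -O`, at which point an unsupported combination falls through to a wrong path instead of failing; raising `ValueError` would keep the check in every mode. All default paths point at `/usr/share/OVMF` and `/usr/share/AAVMF`, i.e. the distro packages, not the `/usr/share/pve-edk2-firmware` prefix this package installs to (see the `.install` hunk).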
diff --git a/debian/remove-binaries.py b/debian/remove-binaries.py new file mode 100644 index 0000000..6a5c966 --- /dev/null +++ b/debian/remove-binaries.py @@ -0,0 +1,12 @@ +#!/usr/bin/env python3 + +import os +import sys + +if __name__ == '__main__': + with open('./debian/binary-check.blacklist', 'r') as f: + blacklist = list(map(lambda s: s.strip(), f.readlines())) + + for path in blacklist: + sys.stdout.write("Removing %s\n" % (path)) + os.unlink(path) diff --git a/debian/rules b/debian/rules index 1264201..8fd8d3e 100755 --- a/debian/rules +++ b/debian/rules @@ -1,28 +1,36 @@ #!/usr/bin/make -f -SHELL=/bin/bash -# this is a simplified version from the upstream package +SHELL=/bin/bash -# Only used for creating our build tools. include /usr/share/dpkg/default.mk -# for GCC5 and newer, LTO enabled -EDK2_TOOLCHAIN=GCC5 -AARCH64_TOOLCHAIN=GCC5 +EDK2_TOOLCHAIN = GCC5 export $(EDK2_TOOLCHAIN)_AARCH64_PREFIX=aarch64-linux-gnu- export PYTHON3_ENABLE=TRUE -export PYTHON_COMMAND=python3 ifeq ($(DEB_BUILD_ARCH),amd64) EDK2_BUILD_ARCH=X64 endif +ifeq ($(DEB_BUILD_ARCH),i386) + EDK2_BUILD_ARCH=IA32 +endif ifeq ($(DEB_BUILD_ARCH),arm64) EDK2_BUILD_ARCH=AARCH64 endif -ifeq ($(DEB_HOST_ARCH),amd64) - EDK2_HOST_ARCH=X64 -endif + +COMMON_FLAGS = -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_TLS_ENABLE -DSECURE_BOOT_ENABLE=TRUE +OVMF_COMMON_FLAGS = $(COMMON_FLAGS) -DTPM_ENABLE=TRUE +OVMF_2M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_2MB +OVMF_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB +OVMF_2M_SMM_FLAGS = $(OVMF_2M_FLAGS) -DSMM_REQUIRE=TRUE +OVMF_4M_SMM_FLAGS = $(OVMF_4M_FLAGS) -DSMM_REQUIRE=TRUE +OVMF32_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB +OVMF32_4M_SMM_FLAGS = $(OVMF32_4M_FLAGS) -DSMM_REQUIRE=TRUE + +AAVMF_FLAGS = $(COMMON_FLAGS) -DTPM2_ENABLE=TRUE -DTPM2_CONFIG_ENABLE=TRUE + +OVMF_VARS_GENERATOR = ./qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator # Clear variables used internally by the edk2 build system undefine WORKSPACE 
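Review bot: The blacklist loader keeps every stripped line, so a blank or `#` comment line in `debian/binary-check.blacklist` (its contents are not in this diff, so hedged) becomes `os.unlink('')` and aborts `get-orig-source` with `FileNotFoundError`, as does an entry that was already removed. Filter while reading and tolerate the already-gone case: `blacklist = [s.strip() for s in f if s.strip() and not s.startswith('#')]` and wrap the unlink in `contextlib.suppress(FileNotFoundError)` (or an explicit `os.path.lexists` check) if idempotence is wanted. Nothing verifies that an entry stays inside the tree either; the list is shipped with the package so this is a low risk, but a one-line comment stating that assumption would help.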
@@ -35,64 +43,188 @@ undefine CONF_PATH %: dh $@ -override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf +override_dh_auto_build: build-qemu-efi-aarch64 build-ovmf build-ovmf32 -setup-build: +debian/setup-build-stamp: cp -a debian/Logo.bmp MdeModulePkg/Logo/Logo.bmp + set -e; . ./edksetup.sh; \ make -C BaseTools ARCH=$(EDK2_BUILD_ARCH) - # call this when building too, it modifies the shell environment - . ./edksetup.sh + touch $@ + +OVMF_BUILD_DIR = Build/OvmfX64/RELEASE_$(EDK2_TOOLCHAIN) +OVMF3264_BUILD_DIR = Build/Ovmf3264/RELEASE_$(EDK2_TOOLCHAIN) +OVMF_ENROLL = $(OVMF3264_BUILD_DIR)/X64/EnrollDefaultKeys.efi +OVMF_SHELL = $(OVMF3264_BUILD_DIR)/X64/Shell.efi +OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL) +OVMF_IMAGES := $(addprefix debian/ovmf-install/,OVMF_CODE.fd OVMF_CODE_4M.fd OVMF_CODE.secboot.fd OVMF_CODE_4M.secboot.fd OVMF_VARS.fd OVMF_VARS_4M.fd) +OVMF_PREENROLLED_VARS := $(addprefix debian/ovmf-install/,OVMF_VARS.ms.fd OVMF_VARS_4M.ms.fd OVMF_VARS_4M.snakeoil.fd) -build-ovmf: EDK2_ARCH_DIR=X64 -build-ovmf: EDK2_HOST_ARCH=X64 -build-ovmf: setup-build +OVMF32_BUILD_DIR = Build/OvmfIa32/RELEASE_$(EDK2_TOOLCHAIN) +OVMF32_SHELL = $(OVMF32_BUILD_DIR)/IA32/Shell.efi +OVMF32_BINARIES = $(OVMF32_SHELL) +OVMF32_IMAGES := $(addprefix debian/ovmf32-install/,OVMF32_CODE_4M.secboot.fd OVMF_VARS_4M.fd) + +QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN) +AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/RELEASE_$(EDK2_TOOLCHAIN) +AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi +AAVMF_SHELL = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi +AAVMF_BINARIES = $(AAVMF_ENROLL) $(AAVMF_SHELL) +AAVMF_CODE = $(AAVMF_BUILD_DIR)/FV/AAVMF_CODE.fd +AAVMF_VARS = $(AAVMF_BUILD_DIR)/FV/AAVMF_VARS.fd +AAVMF_IMAGES = $(AAVMF_CODE) $(AAVMF_VARS) +AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd) + +build-ovmf32: $(OVMF32_BINARIES) $(OVMF32_IMAGES) +$(OVMF32_BINARIES) $(OVMF32_IMAGES): 
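Review bot: `COMMON_FLAGS` sets `SECURE_BOOT_ENABLE=TRUE` for every image, but only the `*_SMM_FLAGS` variants add `SMM_REQUIRE=TRUE`; as I understand OvmfPkg, without SMM the variable store is writable by a privileged guest, so the plain `OVMF_CODE.fd`/`OVMF_CODE_4M.fd` builds have Secure Boot enabled in name only. A comment at the flag definitions would keep the next reader from treating the two families as interchangeable: `# SMM_REQUIRE keeps the varstore (PK/KEK/db) out of the guest's reach; only the .secboot images are tamper-resistant`. `OVMF_VARS_GENERATOR` is defined here but no recipe in this diff references it — the vars images are produced by `debian/edk2-vars-generator.py` — so it looks like a stale leftover that should be dropped. `-DNETWORK_TLS_ENABLE` is also the only define given without `=TRUE`; confirm the edk2 `build` tool treats a bare define as TRUE, or spell it out like its neighbours.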
debian/setup-build-stamp + rm -rf debian/ovmf32-install + mkdir debian/ovmf32-install + set -e; . ./edksetup.sh; \ + build -a IA32 \ + -t $(EDK2_TOOLCHAIN) \ + -p OvmfPkg/OvmfPkgIa32.dsc \ + $(OVMF32_4M_SMM_FLAGS) -b RELEASE + cp $(OVMF32_BUILD_DIR)/FV/OVMF_CODE.fd \ + debian/ovmf32-install/OVMF32_CODE_4M.secboot.fd + cp $(OVMF32_BUILD_DIR)/FV/OVMF_VARS.fd \ + debian/ovmf32-install/OVMF32_VARS_4M.fd + +build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS) +$(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp + rm -rf debian/ovmf-install + mkdir debian/ovmf-install + set -e; . ./edksetup.sh; \ + build -a X64 \ + -t $(EDK2_TOOLCHAIN) \ + -p OvmfPkg/OvmfPkgX64.dsc \ + $(OVMF_2M_FLAGS) -b RELEASE + cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \ + debian/ovmf-install/ + cp $(OVMF_BUILD_DIR)/FV/OVMF_VARS.fd debian/ovmf-install/ + rm -rf Build/OvmfX64 + set -e; . ./edksetup.sh; \ + build -a IA32 -a X64 \ + -t $(EDK2_TOOLCHAIN) \ + -p OvmfPkg/OvmfPkgIa32X64.dsc \ + $(OVMF_4M_FLAGS) -b RELEASE + cp $(OVMF3264_BUILD_DIR)/FV/OVMF_CODE.fd \ + debian/ovmf-install/OVMF_CODE_4M.fd + cp $(OVMF3264_BUILD_DIR)/FV/OVMF_VARS.fd \ + debian/ovmf-install/OVMF_VARS_4M.fd + rm -rf Build/OvmfX64 set -e; . ./edksetup.sh; \ - OvmfPkg/build.sh \ - -b RELEASE \ - -a $(EDK2_HOST_ARCH) \ - -t $(EDK2_TOOLCHAIN) \ - -DSECURE_BOOT_ENABLE=FALSE \ - -DDNETWORK_TLS_ENABLE \ - -DTPM_ENABLE=TRUE \ - -DTPM2_ENABLE=TRUE \ - -DFD_SIZE_2MB \ - -n $$(getconf _NPROCESSORS_ONLN) - -build-qemu-efi: setup-build - mkdir -p ShellBinPkg/UefiShell/$(EDK2_ARCH_DIR) FatBinPkg/EnhancedFatDxe/$(EDK2_ARCH_DIR) + build -a X64 \ + -t $(EDK2_TOOLCHAIN) \ + -p OvmfPkg/OvmfPkgX64.dsc \ + $(OVMF_2M_SMM_FLAGS) -b RELEASE + cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \ + debian/ovmf-install/OVMF_CODE.secboot.fd + rm -rf Build/OvmfX64 + set -e; . 
./edksetup.sh; \ + build -a IA32 -a X64 \ + -t $(EDK2_TOOLCHAIN) \ + -p OvmfPkg/OvmfPkgIa32X64.dsc \ + $(OVMF_4M_SMM_FLAGS) -b RELEASE + cp $(OVMF3264_BUILD_DIR)/FV/OVMF_CODE.fd \ + debian/ovmf-install/OVMF_CODE_4M.secboot.fd + +ifeq ($(call dpkg_vendor_derives_from_v1,ubuntu),yes) +debian/PkKek-1-vendor.pem: debian/PkKek-1-Ubuntu.pem +else +debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem +endif + ln -sf `basename $<` $@ + +debian/oem-string-%: debian/PkKek-1-%.pem + tr -d '\n' < $< | \ + sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@ + +%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL) + PYTHONPATH=$(CURDIR)/debian/python \ + ./debian/edk2-vars-generator.py \ + -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \ + -c $(AAVMF_CODE) -V $(AAVMF_VARS) \ + -C `< debian/oem-string-vendor` -o $@ + +%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL) + PYTHONPATH=$(CURDIR)/debian/python \ + ./debian/edk2-vars-generator.py \ + -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \ + -c $(AAVMF_CODE) -V $(AAVMF_VARS) \ + -C `< debian/oem-string-snakeoil` -o $@ + +%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL) + PYTHONPATH=$(CURDIR)/debian/python \ + ./debian/edk2-vars-generator.py \ + -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ + -c debian/ovmf-install/OVMF_CODE.fd \ + -V debian/ovmf-install/OVMF_VARS.fd \ + -C `< debian/oem-string-vendor` -o $@ + +%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL) + PYTHONPATH=$(CURDIR)/debian/python \ + ./debian/edk2-vars-generator.py \ + -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ + -c debian/ovmf-install/OVMF_CODE_4M.fd \ + -V debian/ovmf-install/OVMF_VARS_4M.fd \ + -C `< debian/oem-string-vendor` -o $@ + 
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL) + PYTHONPATH=$(CURDIR)/debian/python \ + ./debian/edk2-vars-generator.py \ + -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ + -c debian/ovmf-install/OVMF_CODE_4M.fd \ + -V debian/ovmf-install/OVMF_VARS_4M.fd \ + -C `< debian/oem-string-snakeoil` -o $@ + +ArmPkg/Library/GccLto/liblto-aarch64.a: ArmPkg/Library/GccLto/liblto-aarch64.s + $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@ + +build-qemu-efi: debian/setup-build-stamp set -e; . ./edksetup.sh; \ - build -a $(EDK2_HOST_ARCH) -p ShellPkg/ShellPkg.dsc \ - -b RELEASE -t $(EDK2_TOOLCHAIN); \ - cp -a Build/Shell/RELEASE_$(EDK2_TOOLCHAIN)/$(EDK2_HOST_ARCH)/Shell_7C04A583-9E3E-4f1c-AD65-E05268D0B4D1.efi \ - ShellBinPkg/UefiShell/$(EDK2_ARCH_DIR)/Shell.efi; \ - build -a $(EDK2_HOST_ARCH) -p FatPkg/FatPkg.dsc \ - -m FatPkg/EnhancedFatDxe/Fat.inf \ - -t $(EDK2_TOOLCHAIN) -b RELEASE; \ - cp -a Build/Fat/RELEASE_$(EDK2_TOOLCHAIN)/$(EDK2_HOST_ARCH)/Fat.efi \ - FatBinPkg/EnhancedFatDxe/$(EDK2_ARCH_DIR)/Fat.efi; \ build -a $(EDK2_HOST_ARCH) \ -t $(EDK2_TOOLCHAIN) \ -p ArmVirtPkg/ArmVirtQemu.dsc \ - -DHTTP_BOOT_ENABLE=TRUE \ - -DSECURE_BOOT_ENABLE=FALSE \ - -DDNETWORK_TLS_ENABLE \ - -DTPM_ENABLE=TRUE \ - -DTPM2_ENABLE=TRUE \ - -DINTEL_BDS \ - -b RELEASE - dd if=/dev/zero of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_CODE.fd bs=1M seek=64 count=0 - dd if=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/QEMU_EFI.fd of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_CODE.fd conv=notrunc - dd if=/dev/zero of=Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/RELEASE_$(EDK2_TOOLCHAIN)/FV/$(FW_NAME)_VARS.fd bs=1M seek=64 count=0 - -build-qemu-efi-aarch64: + $(AAVMF_FLAGS) -b RELEASE + dd if=/dev/zero of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd bs=1M seek=64 count=0 + dd if=$(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd 
of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd conv=notrunc + dd if=/dev/zero of=$(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_VARS.fd bs=1M seek=64 count=0 + +build-qemu-efi-aarch64: $(AAVMF_BINARIES) $(AAVMF_PREENROLLED_VARS) +$(AAVMF_BINARIES): ArmPkg/Library/GccLto/liblto-aarch64.a $(MAKE) -f debian/rules build-qemu-efi EDK2_ARCH_DIR=AArch64 EDK2_HOST_ARCH=AARCH64 FW_NAME=AAVMF override_dh_auto_clean: - set -e; \ - if [ -d BaseTools/Source/C/bin ]; then \ - . ./edksetup.sh; build clean; \ - make -C BaseTools clean; \ - fi - rm -rf Conf/.cache Build .pc-post - -.PHONY: setup-build build-ovmf + -. ./edksetup.sh; build clean + make -C BaseTools clean + +# Only embed code that is actually used; requested by the Ubuntu Security Team +EMBEDDED_SUBMODULES += CryptoPkg/Library/OpensslLib/openssl +EMBEDDED_SUBMODULES += ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3 +EMBEDDED_SUBMODULES += MdeModulePkg/Library/BrotliCustomDecompressLib/brotli +get-orig-source: + # Should be executed on a checkout of the upstream master branch, + # with the debian/ directory manually copied in. + rm -rf edk2.tmp && git clone . edk2.tmp + # Embed submodules. 
Don't recurse - openssl will bring in MBs of + # stuff we don't need + set -e; cd edk2.tmp; \ + for submodule in $(EMBEDDED_SUBMODULES); do \ + git submodule update --init $$submodule; \ + done + rm -rf edk2-$(DEB_VERSION_UPSTREAM) && \ + mkdir edk2-$(DEB_VERSION_UPSTREAM) + cd edk2.tmp && git archive HEAD | \ + tar xv -C ../edk2-$(DEB_VERSION_UPSTREAM) + cd edk2.tmp && git submodule foreach \ + 'git archive HEAD | tar xv -C $$toplevel/../edk2-$(DEB_VERSION_UPSTREAM)/$$sm_path' + ln -s ../debian edk2-$(DEB_VERSION_UPSTREAM) + # Remove known-binary files + cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/remove-binaries.py + # Look for possible unknown binary files + cd edk2-$(DEB_VERSION_UPSTREAM) && python3 ./debian/find-binaries.py + rm edk2-$(DEB_VERSION_UPSTREAM)/debian + tar Jcvf ../edk2_$(DEB_VERSION_UPSTREAM).orig.tar.xz \ + edk2-$(DEB_VERSION_UPSTREAM) + rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM) + +.PHONY: build-ovmf build-ovmf32 build-qemu-efi build-qemu-efi-aarch64 diff --git a/debian/source/format b/debian/source/format index d3827e7..163aaf8 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1 +1 @@ -1.0 +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides deleted file mode 100644 index 96da6b1..0000000 --- a/debian/source/lintian-overrides +++ /dev/null @@ -1,5 +0,0 @@ -pve-edk2-firmware source: source-is-missing Vlv2TbltDevicePkg/GenBiosId -pve-edk2-firmware source: source-is-missing BeagleBoardPkg/Debugger_scripts/rvi_dummy.axf -pve-edk2-firmware source: source-is-missing ArmPkg/Library/GccLto/liblto-aarch64.a -pve-edk2-firmware source: source-is-missing ArmPkg/Library/GccLto/liblto-arm.a -pve-edk2-firmware source: source-contains-unsafe-symlink EmulatorPkg/Unix/Host/X11IncludeHack diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..cc87fde --- /dev/null +++ b/debian/tests/control 
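Review bot: `OVMF32_IMAGES` lists `debian/ovmf32-install/OVMF_VARS_4M.fd`, but the recipe copies the vars file to `debian/ovmf32-install/OVMF32_VARS_4M.fd`, so the declared target is never created, make sees the rule as permanently out of date and reruns the whole IA32 build on every invocation; the list should be `OVMF32_CODE_4M.secboot.fd OVMF32_VARS_4M.fd`. In `build-ovmf`, the second `rm -rf Build/OvmfX64` (after the Ia32X64 4M build) is a no-op because that directory was already removed before it; the directory that needs clearing before the SMM Ia32X64 build is `Build/Ovmf3264`, otherwise objects from the preceding non-SMM 4M build can be reused — presumably `rm -rf Build/Ovmf3264` was intended. Note too that the `.ms`/`.snakeoil` stores are generated by booting the non-SMM `OVMF_CODE.fd`/`OVMF_CODE_4M.fd` although they are meant to be paired with the `.secboot` images; that is fine only if the varstore layout is identical between the SMM and non-SMM builds of the same FD size, which deserves a comment on the `%/OVMF_VARS*.fd` rules.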
@@ -0,0 +1,16 @@
+Test-Command: PYTHONPATH=./debian/python python3 debian/tests/shell.py
+Restrictions: allow-stderr
+Depends:
+ dosfstools [amd64 arm64],
+ grub-efi-amd64-signed [amd64],
+ grub-efi-arm64-signed [arm64],
+ mtools [amd64 arm64],
+ ovmf,
+ ovmf-ia32,
+ python3-pexpect,
+ qemu-efi-aarch64,
+ qemu-efi-arm,
+ qemu-system-arm,
+ qemu-system-x86,
+ shim-signed [amd64 arm64],
+ xorriso [amd64 arm64],
diff --git a/debian/tests/shell.py b/debian/tests/shell.py
new file mode 100755
index 0000000..391b7bf
--- /dev/null
+++ b/debian/tests/shell.py
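Review bot: The test depends on Debian's `ovmf`, `ovmf-ia32`, `qemu-efi-aarch64` and `qemu-efi-arm`, and `debian/python/UEFI/Qemu.py` resolves its default flash images under `/usr/share/OVMF` and `/usr/share/AAVMF`, while this package installs everything under `/usr/share/pve-edk2-firmware`; as written the autopkgtest boots the distro firmware, not the images built here. Depend on the package under test instead (`pve-edk2-firmware,` or the autopkgtest `@` placeholder) and either point `QemuCommand` at `/usr/share/pve-edk2-firmware/...` through `code_path`/`vars_template_path` or change the defaults in Qemu.py.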
@@ -0,0 +1,258 @@ +#!/usr/bin/env python3 +# +# Copyright 2019-2021 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import enum +import pexpect +import subprocess +import sys +import unittest + +from UEFI.Filesystems import GrubShellBootableIsoImage +from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize +from UEFI import Qemu + +DPKG_ARCH = subprocess.check_output( + ['dpkg', '--print-architecture'] +).decode().rstrip() + + +class BootToShellTest(unittest.TestCase): + debug = True + + def run_cmd_check_shell(self, cmd): + child = pexpect.spawn(' '.join(cmd)) + + if self.debug: + child.logfile = sys.stdout.buffer + try: + while True: + i = child.expect( + [ + 'Press .* or any other key to continue', + 'Shell> ' + ], + timeout=60, + ) + if i == 0: + child.sendline('\x1b') + continue + if i == 1: + child.sendline('reset -s\r') + continue + except pexpect.EOF: + return + except pexpect.TIMEOUT as err: + self.fail("%s\n" % (err)) + + def run_cmd_check_secure_boot(self, cmd, efiarch, should_verify): + class State(enum.Enum): + PRE_EXEC = 1 + POST_EXEC = 2 + + child = pexpect.spawn(' '.join(cmd)) + + if self.debug: + child.logfile = sys.stdout.buffer + try: + state = State.PRE_EXEC + while True: + i = child.expect( + [ + 'Press .* or any other key to continue', + 'Shell> ', + "FS0:\\\\> ", + 'grub> ', + 'Command Error Status: Access Denied', + ], + timeout=60, + ) + if i == 0: + 
child.sendline('\x1b') + continue + if i == 1: + child.sendline('fs0:\r') + continue + if i == 2: + if state == State.PRE_EXEC: + child.sendline(f'\\efi\\boot\\boot{efiarch}.efi\r') + state = State.POST_EXEC + elif state == State.POST_EXEC: + child.sendline('reset -s\r') + continue + if i == 3: + child.sendline('halt\r') + verified = True + continue + if i == 4: + verified = False + continue + except pexpect.TIMEOUT as err: + self.fail("%s\n" % (err)) + except pexpect.EOF: + pass + self.assertEqual(should_verify, verified) + + def test_aavmf(self): + q = Qemu.QemuCommand(QemuEfiMachine.AAVMF) + self.run_cmd_check_shell(q.command) + + @unittest.skipUnless(DPKG_ARCH == 'arm64', "Requires grub-efi-arm64") + def test_aavmf_ms_secure_boot_signed(self): + q = Qemu.QemuCommand( + QemuEfiMachine.AAVMF, + variant=QemuEfiVariant.MS, + ) + iso = GrubShellBootableIsoImage('AA64', use_signed=True) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'aa64', True) + + @unittest.skipUnless(DPKG_ARCH == 'arm64', "Requires grub-efi-arm64") + def test_aavmf_ms_secure_boot_unsigned(self): + q = Qemu.QemuCommand( + QemuEfiMachine.AAVMF, + variant=QemuEfiVariant.MS, + ) + iso = GrubShellBootableIsoImage('AA64', use_signed=False) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'aa64', False) + + def test_aavmf_snakeoil(self): + q = Qemu.QemuCommand( + QemuEfiMachine.AAVMF, + variant=QemuEfiVariant.SNAKEOIL, + ) + self.run_cmd_check_shell(q.command) + + def test_aavmf32(self): + q = Qemu.QemuCommand(QemuEfiMachine.AAVMF32) + self.run_cmd_check_shell(q.command) + + def test_ovmf_pc(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_PC, flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_q35(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_secboot(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, 
+ variant=QemuEfiVariant.SECBOOT, + flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_ms(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + self.run_cmd_check_shell(q.command) + + @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only") + def test_ovmf_ms_secure_boot_signed(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + iso = GrubShellBootableIsoImage('X64', use_signed=True) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'x64', True) + + @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only") + def test_ovmf_ms_secure_boot_unsigned(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_2MB, + ) + iso = GrubShellBootableIsoImage('X64', use_signed=False) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'x64', False) + + def test_ovmf_4m(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_4m_secboot(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.SECBOOT, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_4m_ms(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + self.run_cmd_check_shell(q.command) + + def test_ovmf_snakeoil(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.SNAKEOIL, + ) + self.run_cmd_check_shell(q.command) + + @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only") + def test_ovmf_4m_ms_secure_boot_signed(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + 
iso = GrubShellBootableIsoImage('X64', use_signed=True) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'x64', True) + + @unittest.skipUnless(DPKG_ARCH == 'amd64', "amd64-only") + def test_ovmf_4m_ms_secure_boot_unsigned(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.MS, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + iso = GrubShellBootableIsoImage('X64', use_signed=False) + q.add_disk(iso.path) + self.run_cmd_check_secure_boot(q.command, 'x64', False) + + def test_ovmf32_4m_secboot(self): + q = Qemu.QemuCommand( + QemuEfiMachine.OVMF32, + variant=QemuEfiVariant.SECBOOT, + flash_size=QemuEfiFlashSize.SIZE_4MB, + ) + self.run_cmd_check_shell(q.command) + + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..78bc130 --- /dev/null +++ b/debian/watch @@ -0,0 +1,8 @@ +# Currently only useful for checking for a new release. There's additional +# upstream tarball mangling required via ./debian/rules get-orig-source. +# Also - doesn't check for new qemu-ovmf-secureboot releases. +version=4 +opts="filenamemangle=s/.+\/edk2-stable(\d{6})\.tar\.gz/edk2-0.0~$1.tar.gz/, \ + uversionmangle=s/(\d{6})/0.0~$1/" \ + https://github.com/tianocore/edk2/tags \ + .*/edk2-stable(\d{6})\.tar\.gz debian uupdate -- 2.39.2
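Review bot: In `run_cmd_check_secure_boot`, `verified` is assigned only when the `grub> ` or `Access Denied` pattern matches, so if the guest reaches EOF before either (firmware crash, ISO not found, shim refusing before grub is reached) the final `self.assertEqual(should_verify, verified)` raises `UnboundLocalError` and hides the real failure; initialise it next to the state, `verified = None`, so the assertion fails with a readable message. Both helpers also flatten the argument list with `pexpect.spawn(' '.join(cmd))`, which re-tokenises on whitespace; `Qemu.py` builds `cmd` as a list precisely to avoid that, so `pexpect.spawn(cmd[0], cmd[1:])` is the safer call (an OEM string or a disk path containing a space would otherwise be split). The 'signed' test treats reaching `grub> ` as proof of verification; that holds only because the firmware was booted with the MS-enrolled vars, which is worth a one-line comment above `verified = True`.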