sys-firmware/edk2-aarch64: Drop in favour of edk2-bin

edk2-bin now supports multiple platforms, including QEMU on arm64, so we no longer need to use Fedora's build. Note that the Secure Boot implementation is currently insecure as it lacks SMM, which is needed to protect the EFI variable store. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-02-10 18:21:07 +01:00 · 2024-10-02 11:40:17 +01:00 · 2024-10-02 11:40:17 +01:00 · e50fe0a7e4
commit e50fe0a7e4
parent d1ba9b19fb
5 changed files with 16 additions and 32 deletions
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@ -837,11 +837,8 @@ _write_qemu_uefi_conf() {
            cp "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2" "$(_dst_dir)/${flash_rw}"
            ;;
        arm64-usr)
-            # Get edk2 files into local build workspace.
-            info "Updating edk2 in /build/${BOARD}"
-            emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
-            cp "${BOARD_ROOT}/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2" "$(_dst_dir)/${flash_ro}"
-            cp "${BOARD_ROOT}/usr/share/edk2/aarch64/vars-template-pflash.qcow2" "$(_dst_dir)/${flash_rw}"
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.qcow2" "$(_dst_dir)/${flash_ro}"
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2" "$(_dst_dir)/${flash_rw}"
            ;;
    esac

@ -870,7 +867,18 @@ _write_qemu_uefi_secure_conf() {
    local owner="00000000-0000-0000-0000-000000000000"

    _write_qemu_uefi_conf
-    cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+
+    case $BOARD in
+        amd64-usr)
+            cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+            ;;
+        arm64-usr)
+            # This firmware is not considered secure due to the lack of an SMM
+            # implementation, which is needed to protect the variable store, but
+            # it's only supposed to be used for testing anyway.
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}"
+            ;;
+    esac

    virt-fw-vars \
        --inplace "$(_dst_dir)/${flash_rw}" \
--- a/changelog/changes/2024-11-08-uefi-firmware.md
+++ b/changelog/changes/2024-11-08-uefi-firmware.md
@ -1 +1,2 @@
 - The UEFI firmware has changed from raw (.fd) format to QCOW2 format. In addition, the amd64 firmware variables are now held in a 4MB image rather than a 2MB image. Note that this firmware is only intended for testing with QEMU. Do not use it in production. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))
+- The arm64 UEFI firmware now supports Secure Boot. Be aware that this is not considered secure due to the lack of an SMM implementation, which is needed to protect the variable store. As above, this firmware should not be used in production anyway. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@ -56,10 +56,9 @@ USE="${USE} bindist"
 # no-source-code - license for sys-kernel/coreos-firmware
 # linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
-# BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64
 # intel-ucode - license for sys-firmware/intel-microcode
 ACCEPT_LICENSE="${ACCEPT_LICENSE} no-source-code
-    linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode"
+    linux-fw-redistributable freedist intel-ucode"

 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
@ -1 +0,0 @@
-DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
@ -1,23 +0,0 @@
-# Copyright (c) 2024 The Flatcar Maintainers.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit rpm
-
-DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware"
-HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/"
-SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm"
-
-LICENSE="BSD-2-Clause-Patent openssl"
-SLOT="0"
-KEYWORDS="amd64 arm64"
-
-S="${WORKDIR}"
-
-src_install() {
-	# Avoid collision with qemu installed config file
-	mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json
-	insinto /
-	doins -r *
-}
				`@ -1 +0,0 @@`
				`DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b`