Kola's logic for choosing BIOS vs EFI isn't too smart, and not
specifying --qemu-ovmf-vars leads to it passing -bios to QEMU. This
doesn't make sense for arm64, but it did work anyway with the old
firmware in raw format. The new firmware in QCOW2 format doesn't work
this way.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.
We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Rather than starting with a blank image, reuse the image that already
has the Microsoft certificates and the latest DBX revocation list
applied. Gentoo also applies the Red Hat certificates, which we don't
need, but this is okay.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.
Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Gentoo has moved this package so that it can support multiple platforms.
The newer version is needed for Secure Boot support on arm64. This is
newer than the version that QEMU is currently pinned to so unpin it via
the USE flag.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
virt-fw-vars handles X.509 conversion and QCOW2 conversion transparently
and can update all the variables in a single invocation.
Bonus: Asking it to list the variables doesn't cause a segfault due to
the feature not really being implemented. :D
The 00000000-0000-0000-0000-000000000000 owner GUID is what flash-var
used to set, as we didn't specify the -g argument. We will probably be
assigned a real one later.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
They were previously in /usr/share/docker/contrib which means they were
deleted at build time and not shipped into Docker sysext.
New ebuild version of Docker now provides those two files as symlinks to
/usr/share/docker/contrib from /usr/bin.
We can't really remove symlinks using find as docker-runc,
docker-containerd, etc. are broken symlinks too during the build phase.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
