280 lines
8.1 KiB
Nix
280 lines
8.1 KiB
Nix
{
|
|
stdenv,
|
|
nixosTests,
|
|
lib,
|
|
edk2,
|
|
util-linux,
|
|
nasm,
|
|
acpica-tools,
|
|
llvmPackages,
|
|
fetchFromGitLab,
|
|
python3,
|
|
pexpect,
|
|
xorriso,
|
|
qemu,
|
|
dosfstools,
|
|
mtools,
|
|
fdSize2MB ? false,
|
|
fdSize4MB ? secureBoot,
|
|
secureBoot ? false,
|
|
systemManagementModeRequired ? secureBoot && stdenv.hostPlatform.isx86,
|
|
# Whether to create an nvram variables template
|
|
# which includes the MSFT secure boot keys
|
|
msVarsTemplate ? false,
|
|
# When creating the nvram variables template with
|
|
# the MSFT keys, we also must provide a certificate
|
|
# to use as the PK and first KEK for the keystore.
|
|
#
|
|
# By default, we use Debian's cert. This default
|
|
# should change to a NixOS cert once we have our
|
|
# own secure boot signing infrastructure.
|
|
#
|
|
# Ignored if msVarsTemplate is false.
|
|
vendorPkKek ? "$NIX_BUILD_TOP/debian/PkKek-1-Debian.pem",
|
|
httpSupport ? false,
|
|
tpmSupport ? false,
|
|
tlsSupport ? false,
|
|
debug ? false,
|
|
# Usually, this option is broken, do not use it except if you know what you are
|
|
# doing.
|
|
sourceDebug ? false,
|
|
projectDscPath ?
|
|
{
|
|
i686 = "OvmfPkg/OvmfPkgIa32.dsc";
|
|
x86_64 = "OvmfPkg/OvmfPkgX64.dsc";
|
|
aarch64 = "ArmVirtPkg/ArmVirtQemu.dsc";
|
|
riscv64 = "OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc";
|
|
loongarch64 = "OvmfPkg/LoongArchVirt/LoongArchVirtQemu.dsc";
|
|
}
|
|
.${stdenv.hostPlatform.parsed.cpu.name}
|
|
or (throw "Unsupported OVMF `projectDscPath` on ${stdenv.hostPlatform.parsed.cpu.name}"),
|
|
fwPrefix ?
|
|
{
|
|
i686 = "OVMF";
|
|
x86_64 = "OVMF";
|
|
aarch64 = "AAVMF";
|
|
riscv64 = "RISCV_VIRT";
|
|
loongarch64 = "LOONGARCH_VIRT";
|
|
}
|
|
.${stdenv.hostPlatform.parsed.cpu.name}
|
|
or (throw "Unsupported OVMF `fwPrefix` on ${stdenv.hostPlatform.parsed.cpu.name}"),
|
|
metaPlatforms ? edk2.meta.platforms,
|
|
}:
|
|
|
|
let
|
|
|
|
platformSpecific = {
|
|
i686.msVarsArgs = {
|
|
flavor = "OVMF";
|
|
archDir = "Ia32";
|
|
};
|
|
x86_64.msVarsArgs = {
|
|
flavor = "OVMF_4M";
|
|
archDir = "X64";
|
|
};
|
|
aarch64.msVarsArgs = {
|
|
flavor = "AAVMF";
|
|
archDir = "AARCH64";
|
|
};
|
|
};
|
|
|
|
cpuName = stdenv.hostPlatform.parsed.cpu.name;
|
|
|
|
inherit (platformSpecific.${cpuName}) msVarsArgs;
|
|
|
|
version = lib.getVersion edk2;
|
|
|
|
OvmfPkKek1AppPrefix = "4e32566d-8e9e-4f52-81d3-5bb9715f9727";
|
|
|
|
debian-edk-src = fetchFromGitLab {
|
|
domain = "salsa.debian.org";
|
|
owner = "qemu-team";
|
|
repo = "edk2";
|
|
nonConeMode = true;
|
|
sparseCheckout = [
|
|
"debian/edk2-vars-generator.py"
|
|
"debian/python"
|
|
"debian/PkKek-1-*.pem"
|
|
];
|
|
rev = "refs/tags/debian/2024.05-1";
|
|
hash = "sha256-uAjXJaHOVh944ZxcA2IgCsrsncxuhc0JKlsXs0E03s0=";
|
|
};
|
|
|
|
buildPrefix = "Build/*/*";
|
|
|
|
in
|
|
|
|
assert msVarsTemplate -> fdSize4MB;
|
|
assert msVarsTemplate -> platformSpecific ? ${cpuName};
|
|
assert msVarsTemplate -> platformSpecific.${cpuName} ? msVarsArgs;
|
|
|
|
edk2.mkDerivation projectDscPath (finalAttrs: {
|
|
pname = "OVMF";
|
|
inherit version;
|
|
|
|
outputs = [
|
|
"out"
|
|
"fd"
|
|
];
|
|
|
|
nativeBuildInputs =
|
|
[
|
|
util-linux
|
|
nasm
|
|
acpica-tools
|
|
]
|
|
++ lib.optionals stdenv.cc.isClang [
|
|
llvmPackages.bintools
|
|
llvmPackages.llvm
|
|
]
|
|
++ lib.optionals msVarsTemplate [
|
|
python3
|
|
pexpect
|
|
xorriso
|
|
qemu
|
|
dosfstools
|
|
mtools
|
|
];
|
|
strictDeps = true;
|
|
|
|
hardeningDisable = [
|
|
"format"
|
|
"stackprotector"
|
|
"pic"
|
|
"fortify"
|
|
];
|
|
|
|
buildFlags =
|
|
# IPv6 has no reason to be disabled.
|
|
[ "-D NETWORK_IP6_ENABLE=TRUE" ]
|
|
++ lib.optionals debug [ "-D DEBUG_ON_SERIAL_PORT=TRUE" ]
|
|
++ lib.optionals sourceDebug [ "-D SOURCE_DEBUG_ENABLE=TRUE" ]
|
|
++ lib.optionals secureBoot [ "-D SECURE_BOOT_ENABLE=TRUE" ]
|
|
++ lib.optionals systemManagementModeRequired [ "-D SMM_REQUIRE=TRUE" ]
|
|
++ lib.optionals fdSize2MB [ "-D FD_SIZE_2MB" ]
|
|
++ lib.optionals fdSize4MB [ "-D FD_SIZE_4MB" ]
|
|
++ lib.optionals httpSupport [
|
|
"-D NETWORK_HTTP_ENABLE=TRUE"
|
|
"-D NETWORK_HTTP_BOOT_ENABLE=TRUE"
|
|
]
|
|
++ lib.optionals tlsSupport [ "-D NETWORK_TLS_ENABLE=TRUE" ]
|
|
++ lib.optionals tpmSupport [
|
|
"-D TPM_ENABLE"
|
|
"-D TPM2_ENABLE"
|
|
"-D TPM2_CONFIG_ENABLE"
|
|
];
|
|
|
|
buildConfig = if debug then "DEBUG" else "RELEASE";
|
|
env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Qunused-arguments";
|
|
|
|
env.PYTHON_COMMAND = "python3";
|
|
|
|
postUnpack = lib.optionalDrvAttr msVarsTemplate ''
|
|
ln -s ${debian-edk-src}/debian
|
|
'';
|
|
|
|
postConfigure = lib.optionalDrvAttr msVarsTemplate ''
|
|
tr -d '\n' < ${vendorPkKek} | sed \
|
|
-e 's/.*-----BEGIN CERTIFICATE-----/${OvmfPkKek1AppPrefix}:/' \
|
|
-e 's/-----END CERTIFICATE-----//' > vendor-cert-string
|
|
export PYTHONPATH=$NIX_BUILD_TOP/debian/python:$PYTHONPATH
|
|
'';
|
|
|
|
postBuild =
|
|
lib.optionalString (stdenv.hostPlatform.isAarch || stdenv.hostPlatform.isLoongArch64) ''
|
|
(
|
|
cd ${buildPrefix}/FV
|
|
cp QEMU_EFI.fd ${fwPrefix}_CODE.fd
|
|
cp QEMU_VARS.fd ${fwPrefix}_VARS.fd
|
|
)
|
|
''
|
|
+ lib.optionalString stdenv.hostPlatform.isAarch ''
|
|
# QEMU expects 64MiB CODE and VARS files on ARM/AARCH64 architectures
|
|
# Truncate the firmware files to the expected size
|
|
truncate -s 64M ${buildPrefix}/FV/${fwPrefix}_CODE.fd
|
|
truncate -s 64M ${buildPrefix}/FV/${fwPrefix}_VARS.fd
|
|
''
|
|
+ lib.optionalString stdenv.hostPlatform.isRiscV ''
|
|
truncate -s 32M ${buildPrefix}/FV/${fwPrefix}_CODE.fd
|
|
truncate -s 32M ${buildPrefix}/FV/${fwPrefix}_VARS.fd
|
|
''
|
|
+ lib.optionalString msVarsTemplate ''
|
|
(
|
|
cd ${buildPrefix}
|
|
# locale must be set on Darwin for invocations of mtools to work correctly
|
|
LC_ALL=C python3 $NIX_BUILD_TOP/debian/edk2-vars-generator.py \
|
|
--flavor ${msVarsArgs.flavor} \
|
|
--enrolldefaultkeys ${msVarsArgs.archDir}/EnrollDefaultKeys.efi \
|
|
--shell ${msVarsArgs.archDir}/Shell.efi \
|
|
--code FV/${fwPrefix}_CODE.fd \
|
|
--vars-template FV/${fwPrefix}_VARS.fd \
|
|
--certificate `< $NIX_BUILD_TOP/$sourceRoot/vendor-cert-string` \
|
|
--out-file FV/${fwPrefix}_VARS.ms.fd
|
|
)
|
|
'';
|
|
|
|
# TODO: Usage of -bios OVMF.fd is discouraged: https://lists.katacontainers.io/pipermail/kata-dev/2021-January/001650.html
|
|
# We should remove the isx86-specifc block here once we're ready to update nixpkgs to stop using that and update the
|
|
# release notes accordingly.
|
|
postInstall =
|
|
''
|
|
mkdir -vp $fd/FV
|
|
''
|
|
+
|
|
lib.optionalString
|
|
(builtins.elem fwPrefix [
|
|
"OVMF"
|
|
"AAVMF"
|
|
"RISCV_VIRT"
|
|
"LOONGARCH_VIRT"
|
|
])
|
|
''
|
|
mv -v $out/FV/${fwPrefix}_{CODE,VARS}.fd $fd/FV
|
|
''
|
|
+ lib.optionalString stdenv.hostPlatform.isx86 ''
|
|
mv -v $out/FV/${fwPrefix}.fd $fd/FV
|
|
''
|
|
+ lib.optionalString msVarsTemplate ''
|
|
mv -v $out/FV/${fwPrefix}_VARS.ms.fd $fd/FV
|
|
ln -sv $fd/FV/${fwPrefix}_CODE{,.ms}.fd
|
|
''
|
|
+ lib.optionalString stdenv.hostPlatform.isAarch ''
|
|
mv -v $out/FV/QEMU_{EFI,VARS}.fd $fd/FV
|
|
# Add symlinks for Fedora dir layout: https://src.fedoraproject.org/rpms/edk2/blob/main/f/edk2.spec
|
|
mkdir -vp $fd/AAVMF
|
|
ln -s $fd/FV/AAVMF_CODE.fd $fd/AAVMF/QEMU_EFI-pflash.raw
|
|
ln -s $fd/FV/AAVMF_VARS.fd $fd/AAVMF/vars-template-pflash.raw
|
|
'';
|
|
|
|
dontPatchELF = true;
|
|
|
|
passthru =
|
|
let
|
|
prefix = "${finalAttrs.finalPackage.fd}/FV/${fwPrefix}";
|
|
in
|
|
{
|
|
firmware = "${prefix}_CODE.fd";
|
|
variables = "${prefix}_VARS.fd";
|
|
variablesMs =
|
|
assert msVarsTemplate;
|
|
"${prefix}_VARS.ms.fd";
|
|
# This will test the EFI firmware for the host platform as part of the NixOS Tests setup.
|
|
tests.basic-systemd-boot = nixosTests.systemd-boot.basic;
|
|
tests.secureBoot-systemd-boot = nixosTests.systemd-boot.secureBoot;
|
|
inherit secureBoot systemManagementModeRequired;
|
|
};
|
|
|
|
meta = {
|
|
description = "Sample UEFI firmware for QEMU and KVM";
|
|
homepage = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF";
|
|
license = lib.licenses.bsd2;
|
|
platforms = metaPlatforms;
|
|
maintainers = with lib.maintainers; [
|
|
adamcstephens
|
|
raitobezarius
|
|
mjoerg
|
|
sigmasquadron
|
|
];
|
|
broken = stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64;
|
|
};
|
|
})
|