From 026848dd55609cd184cd8fef3b312236e0ee3024 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:53 +0100
Subject: [PATCH] OvmfPkg: allow exclusion of the shell from the firmware image

When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
binary from the firmware image.

Peter Jones advised us that firmware vendors for physical systems disable
the memory-mapped, firmware image-contained UEFI shell in
SecureBoot-enabled builds. The reason being that the memory-mapped shell
can always load, it may have direct access to various hardware in the
system, and it can run UEFI shell scripts (which cannot be signed at all).

Intended use of the new build option:

- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant
  firmware image will contain a shell binary, independently of SecureBoot
  enablement, which is flexible for interactive development. (Ie. no
  change for in-tree builds.)

- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and
  '-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide:

  - OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell,

  - OVMF_VARS.fd: variable store template matching OVMF_CODE.fd,

  - UefiShell.iso: a bootable ISO image with the shell on it as default
    boot loader. The shell binary will load when SecureBoot is turned off,
    and won't load when SecureBoot is turned on (because it is not
    signed).

UefiShell.iso is the reason we're not excluding the shell from the DSC
files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD'
is specified, the shell binary needs to be built the same, only it
will be included in UefiShell.iso.

Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:

- no changes

Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:

- no changes

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd)
(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.fdf    | 2 ++
 OvmfPkg/OvmfPkgIa32X64.fdf | 3 +++
 OvmfPkg/OvmfPkgX64.fdf     | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 77d0d3f131..aa07387d19 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -288,10 +288,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf

+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif

!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
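Review bot: the new `!ifndef $(EXCLUDE_SHELL_FROM_FD)` / `!endif` pair wraps `ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf` as well as `ShellPkg/Application/Shell/Shell.inf`, but the commit message only speaks of excluding "the shell binary"; a dynamic command driver is useless without the shell that loads it, so the scope is right, but the message should say that the TFTP dynamic command leaves the FD too (both modules keep being built via the DSC files for UefiShell.iso, as the message notes). Since the existing `!if $(TOOL_CHAIN_TAG) != "XCODE5"` block is now nested inside the new conditional, consider indenting the inner block so the two consecutive `!endif` lines are easy to tell apart when reading the FDF. The hardening effect is the one the message describes: a module placed in the firmware volume loads regardless of SecureBoot state, so keeping the unsigned shell out of the FD is the only way for SecureBoot to gate it.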
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index da68440ddb..585d97685a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -289,10 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf

+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif
+

!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
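Review bot: the bare `+` line after `+!endif` adds a second blank line in front of the `!if ($(SECURE_BOOT_ENABLE) == TRUE) || ...` block, because the existing blank context line already follows it; the OvmfPkgIa32.fdf hunk above adds no such blank, which is the 2-versus-3 insertion difference visible in the diffstat. Drop the extra `+` here (or add the same blank to OvmfPkgIa32.fdf) so the three FDF files stay in step and future diffs between them do not show whitespace noise.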
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index da68440ddb..585d97685a 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -289,10 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf

+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif
+

!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
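Review bot: this hunk is identical to the OvmfPkgIa32X64.fdf one, down to the extra `+` blank line after `+!endif`, so the same double-blank remark applies. It also shows the maintenance cost of carrying the `!ifndef $(EXCLUDE_SHELL_FROM_FD)` block three times: the Ia32 copy already differs by that blank line, and a later change to the shell-related INF lines (for instance a different `$(TOOL_CHAIN_TAG)` test) would have to be replicated in all three FDF files by hand. If these shell lines are ever moved into a shared `!include` fragment, the conditional belongs in that fragment rather than in each FDF.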