* Actually install the new "ms" descriptor.
* Bring back (and fix) the "ms" option and restore the behavior of the
"secboot" option, which had changed when libvirt moved from built-in
nvram configs to parsing external firmware descriptors. LP: #1864532.
- Reintroduce OVMF_CODE.ms.fd symlink, but now it points to
OVMF_CODE.secboot.fd instead of OVMF_CODE.fd, which enforces SMM.
- Update firmware descriptor JSON files:
+ Update the existing secboot descriptor to use an empty variable
store. This makes it Secure Boot-capable, but with Secure Boot
initially disabled. Note that previously it used a store w/ keys
pre-enrolled, without advertising that feature.
+ Add a new "ms" descriptor which has keys pre-enrolled, has Secure
Boot enabled, and advertises the "enrolled-keys" feature.
+ Provide more details in "description" fields.
- README.Debian: Improve the use-case description for each image.
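The descriptor changes above hinge on the JSON "features" list telling libvirt the truth about what the variable store contains. The following is an added example, not part of the edk2/ovmf package: a small consistency checker over firmware descriptor files modelled on the schema in QEMU's docs/interop/firmware.json. The sample descriptors are constructed to mirror the post-fix "secboot" (empty store, Secure Boot capable) and "ms" (keys enrolled, "enrolled-keys" advertised) layouts; the file paths, machine globs and exact feature lists are assumptions, not copied from the package.

```python
"""Consistency checks for QEMU/libvirt firmware descriptor JSON (added example)."""
import json

# Constructed sample descriptors; paths and feature lists are assumptions.
SECBOOT_DESCRIPTOR = json.dumps({
    "description": "OVMF, Secure Boot capable, empty variable store",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.fd", "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["acpi-s3", "requires-smm", "secure-boot", "verbose-dynamic"],
    "tags": [],
})

MS_DESCRIPTOR = json.dumps({
    "description": "OVMF, Secure Boot enabled, Microsoft keys pre-enrolled",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.ms.fd", "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot", "verbose-dynamic"],
    "tags": [],
})

# Mirrors the pre-fix situation: the enrolled store is used, but the feature is
# not advertised. On its own the JSON looks fine; only a cross-check catches it.
STALE_DESCRIPTOR = json.dumps({
    "description": "OVMF, Secure Boot, keys enrolled but not advertised",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.ms.fd", "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["acpi-s3", "requires-smm", "secure-boot", "verbose-dynamic"],
    "tags": [],
})

# Internally contradictory: claims enrolled keys without Secure Boot or a store.
INCONSISTENT_DESCRIPTOR = json.dumps({
    "description": "broken descriptor (constructed)",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.fd", "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["enrolled-keys"],
    "tags": [],
})


def check_descriptor(text):
    """Return the list of problems in one descriptor (empty when it is consistent)."""
    d = json.loads(text)
    features = set(d.get("features", []))
    mapping = d.get("mapping", {})
    archs = {t.get("architecture") for t in d.get("targets", [])}
    problems = []
    if "enrolled-keys" in features and "secure-boot" not in features:
        problems.append("enrolled-keys advertised without secure-boot")
    if "secure-boot" in features and "x86_64" in archs and "requires-smm" not in features:
        # Without SMM the guest OS can rewrite db/dbx/PK, so the store is not trustworthy.
        problems.append("secure-boot on x86_64 without requires-smm")
    if features & {"secure-boot", "enrolled-keys"} and "nvram-template" not in mapping:
        problems.append("Secure Boot features advertised but no nvram-template")
    if features & {"secure-boot", "enrolled-keys"} and mapping.get("device") != "flash":
        problems.append("Secure Boot features require a flash mapping")
    return problems


def check_set(descriptors):
    """Cross-check: descriptors sharing one nvram-template must agree on enrolled-keys."""
    by_template = {}
    for name, text in descriptors.items():
        d = json.loads(text)
        tmpl = d.get("mapping", {}).get("nvram-template", {}).get("filename")
        if tmpl:
            by_template.setdefault(tmpl, {})[name] = "enrolled-keys" in d.get("features", [])
    return [f"{tmpl}: enrolled-keys disagreement between {sorted(names)}"
            for tmpl, names in by_template.items() if len(set(names.values())) > 1]


if __name__ == "__main__":
    for name, text in {"secboot": SECBOOT_DESCRIPTOR, "ms": MS_DESCRIPTOR,
                       "inconsistent": INCONSISTENT_DESCRIPTOR}.items():
        print(name, check_descriptor(text) or "ok")
    print(check_set({"ms": MS_DESCRIPTOR, "stale": STALE_DESCRIPTOR}))
```

The per-file checks catch a descriptor that contradicts itself; the cross-check is what would have flagged the earlier "secboot" descriptor, since a store with keys pre-enrolled either advertises "enrolled-keys" everywhere it is referenced or nowhere.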
* Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
* Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
* Clear memory before free to avoid potential password leak.
(CVE-2019-14558)
* Fix double-unmap in SdMmcCreateTrb(). This did not impact any
of the images built from this package. (CVE-2019-14587)
* Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
* Fix issue that could allow an efi image with a blacklisted hash in the
dbx to be loaded. (CVE-2019-14575)
* Fix a memory leak in the ARP handler. (CVE-2019-14559)
* Bump debhelper compatibility level to 12.
* Provide an OVMF_VARS.snakeoil.fd image and matching private key for
development testing. LP: #1850848.
* Drop OVMF_CODE.ms.fd symlink. LP: #1864535.
* New upstream release, based on edk2-stable201911 tag.
* Drop patches merged upstream:
- BaseTools-Fix-the-lib-order-in-static_library_files..patch
- 0001-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
- 0002-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
- 0003-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
- 0004-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch
- 0005-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
- 0006-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
- 0007-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch
- 0008-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch
* Compile the liblto plugins for ARM & AARCH64, allowing us to
move our toolchain config from GCC49 to GCC5. Move to GCC5.
* Support server identity validation in HTTPS Boot (CVE-2019-14553).
Closes: #941775.
* Don't require an SMM for the OVMF.fd image. Closes: #939928.
* debian/control: Correct Maintainer field.
* New upstream release, based on edk2-stable201908 tag.
- debian/rules: Use git archive in get-orig-source to take advantage
of openssl .gitattributes that will trim cruft from the source tarball.
- d/binary-check.blacklist: Drop binary removed upstream.
- debian/find-binaries.py: Add to the list of heuristically "OK"
file extensions.
* d/p/BaseTools-Fix-the-lib-order-in-static_library_files..patch:
Fix ARM image FTBFS.
* Fix up remaining references to python.
[ dann frazier ]
* d/p/ovmf-vars-generator-ignore-qemu-warnings.patch: Avoid build
hang in Ubuntu resulting from unexpected QEMU warnings in output
while enrolling keys.
[ Steve Langasek ]
* debian/patches/python3.patch: Use python3 syntax.
* Drop python from Build-Depends. Closes: #936470.
* debian/tests/control: Add missing dependencies on ovmf,
qemu-efi-aarch64, and qemu-efi-arm.
* debian/rules: Fix a comment typo in the get-orig-source rules.
* debian/rules: Introduce a setup-build-stamp to avoid unnecessary
BuildTools rebuilds.
* ovmf: Add SecureBoot enabled variant:
- debian/control: add xorriso, qemu-utils, qemu-system-x86, python3 to
Build-Depends for the automatic key enrollment process.
- debian/rules:
- build a SecureBoot/SMM enabled variant of OVMF_CODE too.
- build OVMF_VARS.ms.fd with embedded Microsoft keys from the binary
EnrollDefaultKeys.efi
- debian/ovmf.links: add OVMF_CODE.ms.fd.
- debian/ovmf.install: install OVMF_VARS.ms.fd.
- d/p/ovmf-vars-generator-Pass-OEM-Strings-to-the-guest.patch: Support
passing in the PK/KEK via QEMU's --oemstring.
* Reenable HTTP Boot, which was accidentally disabled due to an upstream
macro rename.
* Add firmware descriptor files. Closes: #932269, LP: #1836859.
* New upstream release, based on edk2-stable201905 tag.
- d/binary-check.blacklist: Drop binaries removed upstream.
- Remove unused embedded copy of BrotliCompress to avoid
security scanner false-positives.
- Adapt to upstream's use of git submodules for openssl and
berkeley-softfloat-3.
* debian/control: Fold and sort Build-Depends line.
* debian/control: Add bc to Build-Depends, as it is now used by
edksetup.sh.
* debian/control: Add python3-distutils to Build-Depends. Part of
the build will now use python3 instead of python if found at build-time.
However, the build requires distutils, and upstream only embeds the
python(2) version of that.
* Revert "Adjust debian/rules to only build ovmf when building with -b"
commit, as Debian now has the necessary cross-compilers.
* Remove unnecessary sourcing of edksetup.sh. It only needs to be
sourced in targets that need to inherit its environment.
* Add a set of autopkgtests that verify each image type boots to a
UEFI shell prompt in QEMU.
* Include /usr/share/dpkg/architecture.mk instead of manually defining
equivalent variables.
* New upstream release, based on edk2-stable201903 tag.
- Fixes for CVE-2018-12178, CVE-2018-12180 and CVE-2018-12181
Closes: #924615.
- qemu-efi-*: Avoid silent corruption of firmware flash image
by buggy EFI apps. Closes: #924620, LP: #1812093.
- d/binary-check.blacklist: Drop binaries removed upstream.
- d/binary-check.whitelist: Add new files detected as binary
that were hand-verified to be source.
- Bump openssl up to 1.1.0j.
- qemu-efi-{arm,aarch64}: Drop -DINTEL_BDS from build flags.
It became the default some time ago and was removed.
- ovmf: Stop cargo-culting the inclusion and build of external
EdkShell source. This is now no longer supported by upstream,
and is a no-op because it was replaced by the internal UEFI
shell back in 2013 (9bef3cdc "OvmfPkg: Build and use the UEFI shell
by default").
- qemu-efi-{arm,aarch64}: Don't explicitly build ShellPkg,
ArmVirtPkg has been doing it since 2015 (da1ce6f8
"ArmVirtualizationPkg: build UEFI shell from source").
- Don't explicitly build FatPkg, OvmfPkg & ArmVirtPkg have
included it since 2016 (aa47e529 "OvmfPkg: Convert to using
FatPkg in the EDK II tree"), (42e3d9eb "ArmVirtPkg: Convert to
build FatPkg from source").
- d/p/no-missing-braces.diff: Forward port.
- d/p/no-stack-protector-all-archs.diff: Forward port.
* Security fixes (Closes: #924615):
- Fix buffer overflow in BlockIo service (CVE-2018-12180)
- DNS: Check received packet size before using (CVE-2018-12178)
- Fix stack overflow with corrupted BMP (CVE-2018-12181)
* debian/rules: Factor out common feature flags across builds.
* ovmf: Enable TPM2 device support. Closes: #914722.
* New upstream release, based on edk2-stable201811 tag.
* New upstream release, based on edk2-stable201808 tag.
* New upstream release.
* debian/control: Point the Vcs-* links to the new location on salsa.
* d/p/ShellPkg-dp-Correct-case-of-included-file.patch: Drop;
now upstream.
* New upstream release.
* d/p/ShellPkg-dp-Correct-case-of-included-file.patch: Add; fixes FTBFS.
* debian/control: Point the Vcs-* links to the edk2 project in my
namespace on salsa until we identify a more permanent location.
* New upstream release.
* New upstream release.
* Bump openssl up to latest upstream version, 1.1.0h.
* Enable HTTP Boot. LP: #1750481.
* New upstream release.
* New upstream release.
- d/p/Revert-BaseTools-Update-Gensec-to-set-PROCESSING_REQ.patch: Drop;
superseded by upstream fix:
1e6e6e18 BaseTools: Fix GenSec GCC make failure
* Bump Standards-Version from 4.1.1 to 4.1.3.
- Use https instead of http in Vcs-Browser URL.
* New upstream release.
- Fix Windows Server 2012 BSOD during installation. Closes: #881219.
Thanks to Jeff Ketchum.
- Bump openssl up to latest upstream version, 1.1.0g.
* d/p/Revert-BaseTools-Update-Gensec-to-set-PROCESSING_REQ.patch: Add;
fixes FTBFS.
* Change package priorities from extra (now deprecated) to optional.
* New upstream release.
- Fix Win10 guests booting from IDE drives. LP: #1725560.
* New upstream release.
- d/p/demote-maybe-uninitialized-to-warning.patch: Drop; issue resolved
upstream.
* Bump Standards-Version from 3.9.8 to 4.1.1.
* Bump debhelper compatibility level to 10.
* New upstream release.
- Now builds with gcc-7. Closes: #853382.
- d/p/no-missing-braces.diff: Refresh.
- d/p/no-stack-protector-all-archs.diff: Refresh.
- d/p/no-pie-for-arm.diff: Drop; superseded by upstream commit
a6b53806.
- OpenSSL: Switch to the new openssl-1.1-based system, which no
longer requires patching.
- d/p/demote-maybe-uninitialized-to-warning.patch: Workaround compiler
error until upstream code is fixed.
* Unset environment variables that are used internally by edk2.
* Avoid the need for "post-patches" by explicitly setting the
ACTIVE_PLATFORM and TARGET_ARCH variables on the build commandline
for ovmf, like we already do for qemu-efi-{arm,aarch64}.
* debian/rules: Replace hardcoded "AARCH64" strings with $(EDK2_HOST_ARCH).
* debian/rules: AAVMF image generation doesn't require the edksetup
environment, so move that code outside of it.
* debian/rules: Refactor build-qemu-efi into common and aarch64-specific
targets, so that the common target can be used by a future arm-specific
target.
* d/p/arm64-no-pie-for-you.diff -> d/p/no-pie-for-arm.diff: Update patch
to also apply to arm builds.
* Rename qemu-efi to qemu-efi-aarch64 to open the namespace for
qemu-efi-arm. qemu-efi is now a transitional package with a compatibility
symlink.
* Add qemu-efi-arm package. Closes: #857858.
* New upstream release.
- GOP driver for the VirtIo GPU (virtio-gpu-pci). Closes: #842680.
- Drop precompiled binaries from Vlv2TbltDevicePkg/.
- Drop precompiled liblto-*.a binaries from ArmPkg/.
* Add myself to Uploaders.
* debian/rules: Set OpenSSL version in one place.
* d/p/arm64-reorder-blocks-algorithm.diff: Drop; superseded by
upstream commit 8866d337.
* d/p/arm64-no-pie-for-you.diff: Fix FTBFS w/ GCC that has PIE
enabled by default (now the case in Debian). Closes: #846690.
* debian/control: Clarify the package/guest architecture mapping.
Closes: #837092.
* d/p/no-missing-braces.diff: Refresh.
* d/p/no-stack-protector-all-archs.diff: Refresh.
* debian/copyright: Update.
[ dann frazier ]
* d/p/arm64-reorder-blocks-algorithm.diff: Workaround to fix
booting in KVM mode. LP: #1632875.
* debian/rules: Export compiler prefix variable to simplify
build-qemu-efi target.
* debian/rules: Make the target dependencies on setup-build explicit.
* debian/rules: Set the aarch64 toolchain prefix agnostically of the
toolchain tag being used.
* debian/rules: Respect EDK2_TOOLCHAIN tag when building ovmf.
* New upstream release.
- fixes build failure with gcc-6. Closes: #834467.
- increases variable size for arm64 build, to support SecureBoot.
Closes: #830488.
* debian/patches/shell-proper-valist.patch: use VA_COPY() in Shell.
* update Standards Version.
* Provide split AAVMF_{CODE,VARS}.fd for arm64 in the qemu-efi package,
for VM-friendly nvram persistence in the same style as Fedora et al.
and by analogy with the OVMF_{CODE,VARS}.fd on x86. Thanks to
William Grant <wgrant@ubuntu.com> for the patch.
[ dann frazier ]
* New upstream version.
- d/p/enable-nvme: Drop; superseded by upstream commit 8ae3832d.
- d/p/no-missing-braces.diff: Refresh.
- d/p/FatPkg-AARCH64.diff: Drop; fixed upstream in commit 04a4fdb9.
- d/p/no-stack-protector-all-archs.diff: Refresh.
- d/p/arm64-mistrict-align.patch: Drop; superseded by upstream
commit d764d5984.
* Move out of non-free as the FAT driver has been replaced with a free
implementation. Thanks to Microsoft. Closes: #815618, LP: #1569602.
* Add SECURE_BOOT_ENABLE flag to aarch64 build to enable support for UEFI
Secure Boot. Closes: #819757. Thanks to Linn Crosetto.
* New upstream version.
- Fixes support for kvm GPU passthrough. Closes: #810163.
- Adds GICv3 support. Closes: #810495.
[ dann frazier ]
* Use GCC49 toolchain for all architectures; the ARMGCC toolchain has
been dropped upstream.
* Supersede debian/patches/arm64-no-expensive-optimizations.patch
with debian/patches/arm64-mstrict-align.patch. Closes LP: #1489460.
[ Steve Langasek ]
* Build-depend on gcc-aarch64-linux-gnu and make qemu-efi an Arch: all
package.
* Ship OVMF_CODE.fd and OVMF_VARS.fd for proper EFI variable support.
Closes: #764918. Continue shipping OVMF.fd too for now, for
compatibility.
[ dann frazier ]
* qemu-efi: Switch to Intel BDS. This supports a fallback to the removable
media path (i.e. \EFI\BOOT\BOOTaa64.EFI) as required by the Linaro VM
Specification. Closes: #796928.
* debian/patches/arm64-no-expensive-optimizations.patch: Workaround
ARM64 compiler issue by disabling certain optimizations.
Closes: LP #1489560
* New upstream release, for arm64 support.
* debian/patches/no-missing-braces.diff: Add -Wno-missing-braces to
CFLAGS to avoid build failures. Thanks to dann frazier
<dannf@debian.org>.
* debian/patches/FatPkg-AARCH64.diff: AARCH64 support. Thanks to dann
frazier <dannf@debian.org>.
* Drop debian/patches/fix-undefined-behavior-in-vfrcompiler.patch, included
upstream.
* Drop debian/patches/gcc-4.9-align.patch in favor of using the GCC49
upstream toolchain rules.
* Adjust debian/rules to only build ovmf when building with -b, in
preparation for enabling other architecture builds (which currently can't
be Arch: all due to lack of cross-compilers in the Debian archive).
[ dann frazier ]
* Add new qemu-efi package for arm64. Closes: #775308.
[ Steve Langasek ]
* Refactor debian/rules to support cross-building.
* debian/patches/no-stack-protector-all-archs.diff: pass
-fno-stack-protector to all ARM GCC toolchains.
* Add XS-Build-Indep-Architecture to debian/control, as a temporary
measure pending standardization, to work around Launchpad builder
behavior which would try to build our arch: all package on an arm64
builder instead of an x86 one.
* Fix Vcs-Git URI in debian/control.
* Standards-Version 3.9.6.
[ Steve Langasek ]
* debian/copyright: include a Disclaimer field to document clearly why
this package is not in main. Closes: #742589.
[ Michael Tokarev ]
* apply gcc-4.9-align.patch kindly provided by dann frazier to fix ftbfs
with gcc-4.9 (Closes: #771114)
* apply upstream fix-undefined-behavior-in-vfrcompiler.patch, kindly provided
by dann frazier, to fix another ftbfs (Closes: #773492)
* debian/ovmf.links: create a OVMF.fd link for qemu
* debian/control: ovmf Replaces qemu-system-common versions which
shipped that link in Ubuntu.
* New upstream release, requested by Dimitri Ledkov for persistent nvram
variable support.
* Pass -DFD_SIZE_2MB to the build, since we're now over the size limit
* New upstream release. Closes: #714463.
- update debian/rules to pull a new version of the shell.
- drop debian/patches/enum-handling, fixed upstream.
- drop debian/patches/mismatched-enums, fixed upstream.
- fixes breakage with the EFI shell. LP: #1223413.
* debian/patches/enable-nvme: enable the NVMe driver.
Closes LP: #1267816.
* debian/post-patches/setup.diff: drop gcc4.7 handling, which is
sorted upstream.
* Update debian/copyright
* Fix the package section and debian/copyright: the FAT driver has a
license addendum which makes it non-free instead of BSD.
Closes: #714322.
* Make our build friendlier to git checkouts, by making sure our target
dir exists before copying.
* Initial release.