new(tianocore.org/edk2): standalone OVMF firmware blobs#13239
Open
tannevaled wants to merge 8 commits into
Open
new(tianocore.org/edk2): standalone OVMF firmware blobs#13239tannevaled wants to merge 8 commits into
tannevaled wants to merge 8 commits into
Conversation
Defense-in-depth follow-up to pkgxdev/brewkit#353. Some recipes ship binaries with entitlements that require either adhoc signing or a Developer ID with a matching provisioning profile (notably `com.apple.security.virtualization` and `com.apple.security.hypervisor`). brewkit#353 already handles the binary side correctly -- it sees these entitlements in the Mach-O and forces adhoc signing in fix-machos.rb, regardless of what signing identity the workflow imported. This change adds a complementary workflow-level lever: when a caller knows a recipe needs adhoc only, it can pass `skip-codesign-import: true` and the Apple Developer ID is never brought into the keychain in the first place. Avoids importing a cert we won't end up using, and reduces the window during which the cert exists on the runner. The default stays false -- behavior of every existing call is unchanged. This patch only exposes the lever through the call chain: pkg.yml (workflow_call input) -> pkg-platform.yml (workflow_call input) -> .github/actions/setup (composite input, gates the import step) Picking which recipes opt in is intentionally left out of this patch. lima-vm.io is the obvious first candidate (see pkgxdev#7853). Refs: pkgxdev#7853, pkgxdev/brewkit#353 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Decouples cloud-boot's UEFI firmware from qemu's release cadence by
shipping reproducible TianoCore EDK II builds (OvmfPkg X64 + ArmVirtPkg
AARCH64) directly via pkgx. Output layout mirrors qemu's `share/qemu/`
bundle (edk2-x86_64-code.fd, edk2-i386-vars.fd, edk2-aarch64-code.fd,
edk2-arm-vars.fd) so existing runners can pick it up via env-var
overrides without code changes.
Cross-platform via two EDK II toolchains:
- GCC5 on Linux (uses pantry's gnu.org/gcc)
- CLANGPDB on Darwin (uses pantry's llvm.org for clang + lld-link,
sidestepping the macOS-only `mtoc` from XCODE5)
Includes a thin `bin/edk2-firmware-path` shim so pkgx has a discoverable
`bin/*` entry, plus runtime env vars (OVMF_CODE, OVMF_VARS, AAVMF_*).
Test step boots qemu-system-x86_64 with the built firmware over TCG and
greps for the TianoCore banner.
Versioned against `edk2-stableYYYYMM[.N]` tags via match+strip.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reproduced the all-platform `brewkit/build` failure locally and fixed
the three root causes:
1. BaseTools built serially. VfrCompile's sub-makefile lacks a dep
between the dlg-generated VfrLexer.cpp and its compile; under `make
-j` the compiler reads a half-written file ("VfrLexer.cpp: error:
expected expression"). Near-deterministic on multi-core runners, so
every platform was red. The EDK II `build` stays parallel via -n.
2. Added the acpica.org build dep for iasl. OVMF compiles .asl ACPI
tables to .aml (RamDiskDxe NFIT, ...); without iasl the X64 build
dies with exit 127 ("iasl: command not found").
3. Fixed the qemu smoke test: dropped `-nographic` (it fights
`-serial stdio` for stdio and qemu aborts), and pulled in
gnu.org/coreutils so `timeout` exists on macOS.
Validated on darwin/arm64 (pantry clang 22): OVMF X64 + AArch64 build
clean and the X64 blob boots to BdsDxe under qemu-system-x86_64.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t echo
Two failures surfaced once the acpica.org dep resolved and BaseTools got
past the (now-serial) VfrCompile step:
- linux: BaseTools' GenFv #includes <uuid/uuid.h> and links -luuid, which
on Linux comes from util-linux's libuuid (darwin gets it from the SDK).
Added github.com/util-linux/util-linux to the linux build deps;
without it: `GenFvInternalLib.c: fatal error: uuid/uuid.h`.
- darwin: the `echo "edk2: patched $(grep …"(DEBUG|RELEASE|NOOPT)"… )"`
diagnostic nested a command substitution (with escaped quotes + regex
parens) inside a double-quoted string, which the runner's shell parsed
as `syntax error near unexpected token '('`. Compute the count into a
variable first, then echo it — no nested quoting.
Full build script now parses clean under both sh and bash.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rwin Both platforms now reach the EDK II build phase (BaseTools builds fully) and fail there: - linux: edk2-stable202605 dropped the legacy GCC5/GCC49/... toolchain family for a single `GCC`; tools_def.template only ships *_GCC_*, so `-t GCC5` errors `4000: [GCC5] not defined. No toolchain available`. Use `-t GCC`. (This also makes the CC_FLAGS soften-sed match again.) - darwin: CLANGPDB calls clang/lld-link as `DEF(CLANG_BIN)<tool>`; with CLANG_BIN unset the bare `lld-link` resolves to brewkit's PATH shim, which execs a non-existent /usr/bin/lld-link → `lld-link: No such file`. Set CLANG_BIN to the llvm.org bottle bin via a darwin-only `env:` block (dep prefix, not `which clang`, to avoid the shim). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
linux/aarch64 was the last red: the X64 OvmfPkg build feeds x86-only gcc flags (-m64, -mno-red-zone, -mno-sse, …) to the native aarch64 gcc, which rejects them (`unrecognized command-line option '-m64'`). gcc only targets its own arch; only clang (darwin CLANGPDB) cross-compiles freely. So make each target best-effort and require just the host-native blob: - x86_64 host → X64 native (+ AArch64 best-effort), bottle ships x86_64 fw - arm64 host → AArch64 native (+ X64 best-effort), bottle ships aarch64 fw - darwin → clang builds both, bottle ships both A bottle missing its own arch's firmware is still a hard failure. The test now boots whichever blobs shipped under the matching qemu (qemu-system-x86_64 / -aarch64 with `-machine virt -cpu cortex-a57`, ArmVirt pflash padded to 64MiB) and requires at least one to reach BdsDxe. Verified both boots locally on darwin/arm64. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The AArch64 build succeeds on linux/aarch64, but the install then failed: `install: cannot stat '…/ArmVirtQemu-AARCH64/…/QEMU_EFI.fd'`. EDK II names the dir `ArmVirtQemu-AArch64` (mixed case, from ArmVirtQemu.dsc, not the `-a AARCH64` flag). The hardcoded all-caps path matched on darwin's case-insensitive filesystem but not on case-sensitive Linux — which is why this only ever bit the linux/aarch64 job. Glob the dir instead. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
projects/tianocore.org/edk2/package.ymlships TianoCore EDK II OVMF firmware blobs (X64 + AARCH64) at${prefix}/share/qemu/edk2-*-code.fd/edk2-*-vars.fd, matching qemu's bundle layout so existing runners can pick it up via env-var overrides.llvm.orgfor clang + lld-link, avoiding the macOS-onlymtoc).edk2-stableYYYYMM[.N]tags withmatch: /^edk2-stable\d+(\.\d+)?$/+ matchingstrip.Motivation
Today the only convenient way to get OVMF on a pkgx machine is to fish it out of
qemu.org's bottle (or grep a distro'sovmfpackage). That couples firmware updates to qemu's release cadence and ships nothing on systems that only need the firmware (e.g. cloud-boot harnesses). This recipe makes EDK II a first-class package: bump the recipe version and you get a fresh stable EDK II without waiting on qemu.Recipe shape
distributable: git+https://github.com/tianocore/edk2withref: edk2-stable{{version.raw}}.git-scm.org,python.org ~3.11,nasm.us,freedesktop.org/pkg-config; platform-conditionalgnu.org/gcc(linux) andllvm.org(darwin).edksetup.sh BaseTools, twobuildinvocations (X64 OvmfPkg + AARCH64 ArmVirtQemu), install intoshare/qemu/.-Wno-error=cast-function-type-mismatchpatch (CryptoPkg/Pem) for newer clang.runtime.envexportsEDK2_FIRMWARE_DIR,OVMF_CODE,OVMF_VARS,AAVMF_CODE,AAVMF_VARS.provides: bin/edk2-firmware-pathis a thin shim that prints absolute blob paths for downstream tooling.Follow-ups (not in this PR)
acpica-tools(iasl) dep when pantry ships one; current build paths use precompiled ACPI tables, so it's not required for OVMF/ArmVirt.Test plan
bk build tianocore.org/edk2on linux/x86_64 — primary path, no toolchain quirks expected.bk build tianocore.org/edk2on linux/aarch64.bk build tianocore.org/edk2on darwin/arm64 — CLANGPDB path.bk test tianocore.org/edk2boots qemu-system-x86_64 with the built firmware and greps the TianoCore banner.