diff --git a/90-edk2-aarch64-qemuvars-sb-enrolled.json b/90-edk2-aarch64-qemuvars-sb-enrolled.json
new file mode 100644
index 0000000..9142d8f
--- /dev/null
+++ b/90-edk2-aarch64-qemuvars-sb-enrolled.json
@@ -0,0 +1,29 @@
+{
+ "description": "UEFI firmware for ARM64 virtual machines, SB enabled, MS certs enrolled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+ "uefi-vars": {
+ "template": "/usr/share/edk2/aarch64/vars.secboot.json"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "enrolled-keys",
+ "secure-boot",
+ "host-uefi-vars"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json b/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json
new file mode 100644
index 0000000..5b1b483
--- /dev/null
+++ b/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json
@@ -0,0 +1,31 @@
+{
+ "description": "OVMF for qemu uefi-vars, SB enabled, MS certs enrolled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+ "uefi-vars": {
+ "template": "/usr/share/edk2/ovmf/vars.secboot.json"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "enrolled-keys",
+ "secure-boot",
+ "host-uefi-vars",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/91-edk2-aarch64-qemuvars-sb.json b/91-edk2-aarch64-qemuvars-sb.json
new file mode 100644
index 0000000..95c2598
--- /dev/null
+++ b/91-edk2-aarch64-qemuvars-sb.json
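Review bot: The `description` in 90-edk2-aarch64-qemuvars-sb-enrolled.json does not mention the uefi-vars backend, while the x86_64 descriptor added next to it does (`OVMF for qemu uefi-vars, ...`). JSON has no comments, so the description is the only human-readable place where an operator or a management-tool listing can tell this descriptor apart from the other aarch64 descriptors (50–53 in the spec); I would write `"description": "UEFI firmware for ARM64 virtual machines, qemu uefi-vars, SB enabled, MS certs enrolled"`. The same applies to 91-edk2-aarch64-qemuvars-sb.json. Both 90-* files list `host-uefi-vars`, so the Secure Boot variables live in host-side state created from `vars.secboot.json`; presumably that per-guest state needs the same file protection as an NVRAM image, which is worth stating in the package documentation.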
@@ -0,0 +1,28 @@
+{
+ "description": "UEFI firmware for ARM64 virtual machines, SB disabled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+ "uefi-vars": {
+ "template": "/usr/share/edk2/aarch64/vars.blank.json"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "aarch64",
+ "machines": [
+ "virt-*"
+ ]
+ }
+ ],
+ "features": [
+ "secure-boot",
+ "host-uefi-vars"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/91-edk2-ovmf-qemuvars-x64-sb.json b/91-edk2-ovmf-qemuvars-x64-sb.json
new file mode 100644
index 0000000..b3fb98c
--- /dev/null
+++ b/91-edk2-ovmf-qemuvars-x64-sb.json
@@ -0,0 +1,30 @@
+{
+ "description": "OVMF for qemu uefi-vars, SB disabled",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "memory",
+ "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+ "uefi-vars": {
+ "template": "/usr/share/edk2/ovmf/vars.blank.json"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-*"
+ ]
+ }
+ ],
+ "features": [
+ "acpi-s3",
+ "secure-boot",
+ "host-uefi-vars",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/edk2.spec b/edk2.spec index ecaed6b..855038c 100644 --- a/edk2.spec +++ b/edk2.spec @@ -25,7 +25,7 @@ ExclusiveArch: x86_64 aarch64 riscv64 Name: edk2 Version: %{GITDATE} -Release: 4%{?dist} +Release: 5%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org @@ -45,6 +45,11 @@ Source11: 51-edk2-aarch64-raw.json Source12: 52-edk2-aarch64-verbose-qcow2.json Source13: 53-edk2-aarch64-verbose-raw.json +Source20: 90-edk2-ovmf-qemuvars-x64-sb-enrolled.json +Source21: 91-edk2-ovmf-qemuvars-x64-sb.json +Source22: 90-edk2-aarch64-qemuvars-sb-enrolled.json +Source23: 91-edk2-aarch64-qemuvars-sb.json + Source40: 30-edk2-ovmf-x64-sb-enrolled.json Source41: 40-edk2-ovmf-x64-sb.json Source43: 50-edk2-ovmf-x64-nosb.json
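Review bot: In 91-edk2-aarch64-qemuvars-sb.json and 91-edk2-ovmf-qemuvars-x64-sb.json the description says "SB disabled" while `features` advertises `secure-boot` and the template is `vars.blank.json`. A consumer that selects firmware on `secure-boot` alone, without also requiring `enrolled-keys`, gets a guest whose variable store starts with no keys, so nothing is verified at boot until keys are enrolled. The feature list looks like the usual split between capability (`secure-boot`) and enrolled state (`enrolled-keys`), so I would keep it and make the description unambiguous, for example `"description": "OVMF for qemu uefi-vars, SB capable, no keys enrolled"`. Whether the existing 40-edk2-ovmf-x64-sb.json uses the same "SB disabled" wording is not visible here; if it does, changing both together keeps the listings consistent.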
@@ -113,6 +118,9 @@ BuildRequires: binutils gcc git gcc-c++ make BuildRequires: perl perl(JSON) BuildRequires: qemu-img +# secure boot enrollment +BuildRequires: python3dist(virt-firmware) >= 25.4 + %if %{build_ovmf} # Only OVMF includes 80x86 assembly files (*.nasm*). BuildRequires: nasm @@ -123,9 +131,6 @@ BuildRequires: dosfstools BuildRequires: mtools BuildRequires: xorriso -# secure boot enrollment -BuildRequires: python3dist(virt-firmware) >= 25.4 - # endif build_ovmf %endif @@ -220,6 +225,7 @@ git config am.keepcr true cp -a -- %{SOURCE1} . cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} . +cp -a -- %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} . cp -a -- %{SOURCE40} %{SOURCE41} %{SOURCE43} %{SOURCE44} %{SOURCE45} . cp -a -- %{SOURCE50} . cp -a -- %{SOURCE80} %{SOURCE82} . @@ -292,6 +298,10 @@ virt-fw-vars --input RHEL-10/ovmf/OVMF.inteltdx.fd \ --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \ --enroll-redhat --secure-boot \ --set-fallback-no-reboot +virt-fw-vars --output-json RHEL-10/ovmf/vars.blank.json +virt-fw-vars --output-json RHEL-10/ovmf/vars.secboot.json \ + --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \ + --enroll-redhat --secure-boot %endif %if %{build_aarch64} @@ -301,6 +311,10 @@ for raw in */aarch64/*.raw; do qcow2="${raw%.raw}.qcow2" qemu-img convert -f raw -O qcow2 -o cluster_size=4096 -S 4096 "$raw" "$qcow2" done +virt-fw-vars --output-json RHEL-10/aarch64/vars.blank.json +virt-fw-vars --output-json RHEL-10/aarch64/vars.secboot.json \ + --set-dbx DBXUpdate-%{DBXDATE}.aa64.bin \ + --enroll-redhat --secure-boot %endif %if %{build_riscv64} @@ -347,7 +361,9 @@ ln -s OVMF_CODE.fd %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd install -m 0644 \ 30-edk2-ovmf-x64-sb-enrolled.json \ + 90-edk2-ovmf-qemuvars-x64-sb-enrolled.json \ 40-edk2-ovmf-x64-sb.json \ + 91-edk2-ovmf-qemuvars-x64-sb.json \ 50-edk2-ovmf-x64-nosb.json \ 60-edk2-ovmf-x64-amdsev.json \ 60-edk2-ovmf-x64-inteltdx.json \ 
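Review bot: The two `vars.secboot.json` commands (the `%if %{build_ovmf}` hunk at -292 and the `%if %{build_aarch64}` hunk at -301) omit `--set-fallback-no-reboot`, which the inteltdx call directly above them passes, and nothing says whether that is deliberate. A comment over each pair would settle it and tie the output to its consumers, for example `# uefi-vars JSON templates used by 90-/91-*-qemuvars-*.json; no --set-fallback-no-reboot because <reason>`. The 90-* descriptors advertise `enrolled-keys` on the strength of this output alone, so a cheap guard after each call, such as `test -s RHEL-10/ovmf/vars.secboot.json`, would stop an empty template from being packaged. The dbx content is fixed to `DBXUpdate-%{DBXDATE}` at build time, so presumably guests created from the template keep that revocation list until their own variable state is updated; that is worth a line in the comment too. Both conditional blocks and the enclosing build section start outside these hunks.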
@@ -371,6 +387,8 @@ install -m 0644 \ 51-edk2-aarch64-raw.json \ 52-edk2-aarch64-verbose-qcow2.json \ 53-edk2-aarch64-verbose-raw.json \ + 90-edk2-aarch64-qemuvars-sb-enrolled.json \ + 91-edk2-aarch64-qemuvars-sb.json \ %{buildroot}%{_datadir}/qemu/firmware # endif build_aarch64 @@ -414,8 +432,11 @@ install -m 0644 \ %{_datadir}/OVMF/UefiShell.iso %{_datadir}/%{name}/ovmf/Shell.efi %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi +%{_datadir}/%{name}/ovmf/vars.*.json %{_datadir}/qemu/firmware/30-edk2-ovmf-x64-sb-enrolled.json +%{_datadir}/qemu/firmware/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json %{_datadir}/qemu/firmware/40-edk2-ovmf-x64-sb.json +%{_datadir}/qemu/firmware/91-edk2-ovmf-qemuvars-x64-sb.json %{_datadir}/qemu/firmware/50-edk2-ovmf-x64-nosb.json %{_datadir}/qemu/firmware/60-edk2-ovmf-x64-amdsev.json %{_datadir}/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json @@ -439,10 +460,13 @@ install -m 0644 \ %{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd %{_datadir}/%{name}/aarch64/QEMU_EFI.qemuvars.fd %{_datadir}/%{name}/aarch64/QEMU_VARS.fd +%{_datadir}/%{name}/aarch64/vars.*.json %{_datadir}/qemu/firmware/50-edk2-aarch64-qcow2.json %{_datadir}/qemu/firmware/51-edk2-aarch64-raw.json %{_datadir}/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json %{_datadir}/qemu/firmware/53-edk2-aarch64-verbose-raw.json +%{_datadir}/qemu/firmware/90-edk2-aarch64-qemuvars-sb-enrolled.json +%{_datadir}/qemu/firmware/91-edk2-aarch64-qemuvars-sb.json # endif build_aarch64 %endif @@ -479,6 +503,11 @@ install -m 0644 \ %changelog +* Mon Mar 09 2026 Miroslav Rezanina - 20251114-5 +- edk2-add-uefi-vars-firmware-json-files.patch [RHEL-150696] +- Resolves: RHEL-150696 + (edk2: Add JSON descriptors for uefi-vars builds) + * Thu Feb 12 2026 Miroslav Rezanina - 20251114-4 - edk2-OvmfPkg-X86QemuLoadImageLib-flip-default-for-EnableL.patch [RHEL-134956] - edk2-update-openssl-rhel-submodule.patch [RHEL-147785]
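Review bot: The `%files` entries `%{_datadir}/%{name}/ovmf/vars.*.json` (hunk at -414) and `%{_datadir}/%{name}/aarch64/vars.*.json` (hunk at -439) use a glob, although the descriptors reference exactly two absolute paths per architecture, `vars.blank.json` and `vars.secboot.json`. With the glob the package still builds when only one of the two is present, leaving a descriptor that points at a missing template, and any other file matching `vars.*.json` is shipped silently. Listing them explicitly makes rpmbuild fail on a missing file: `%{_datadir}/%{name}/ovmf/vars.blank.json` and `%{_datadir}/%{name}/ovmf/vars.secboot.json`, and the same two names under `aarch64/`. The step that copies the templates from `RHEL-10/` into the buildroot is outside the visible hunks, so I could not check it against these paths.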