From 8a126db2cbdcf65d35506538be749b84de29a220 Mon Sep 17 00:00:00 2001
From: Sumedh Alok Sharma
Date: Tue, 28 Apr 2026 15:28:20 +0000
Subject: [PATCH 1/2] edk2: Enables aarch64 OVMF build.
Signed-off-by: Sumedh Alok Sharma
---
SPECS/edk2/50-edk2-arm-verbose.json | 32 -------
.../ArmVirtPkg_Increase_firmware_size.patch | 38 ++++++++
SPECS/edk2/edk2-build.fedora | 15 ---
SPECS/edk2/edk2.signatures.json | 8 +-
SPECS/edk2/edk2.spec | 92 ++++++++-----------
5 files changed, 80 insertions(+), 105 deletions(-)
delete mode 100644 SPECS/edk2/50-edk2-arm-verbose.json
create mode 100644 SPECS/edk2/ArmVirtPkg_Increase_firmware_size.patch
diff --git a/SPECS/edk2/50-edk2-arm-verbose.json b/SPECS/edk2/50-edk2-arm-verbose.json
deleted file mode 100644
index 52f9c2ce00d..00000000000
--- a/SPECS/edk2/50-edk2-arm-verbose.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "description": "UEFI firmware for arm, verbose logs",
- "interface-types": [
- "uefi"
- ],
- "mapping": {
- "device": "flash",
- "mode" : "split",
- "executable": {
- "filename": "/usr/share/edk2/arm/QEMU_EFI-pflash.raw",
- "format": "raw"
- },
- "nvram-template": {
- "filename": "/usr/share/edk2/arm/vars-template-pflash.raw",
- "format": "raw"
- }
- },
- "targets": [
- {
- "architecture": "arm",
- "machines": [
- "virt-*"
- ]
- }
- ],
- "features": [
- "verbose-static"
- ],
- "tags": [
-
- ]
-}
diff --git a/SPECS/edk2/ArmVirtPkg_Increase_firmware_size.patch b/SPECS/edk2/ArmVirtPkg_Increase_firmware_size.patch
new file mode 100644
index 00000000000..3cc0659eb6a
--- /dev/null
+++ b/SPECS/edk2/ArmVirtPkg_Increase_firmware_size.patch
@@ -0,0 +1,38 @@
+From 84e7054790d128c7c9b2dd9d8059ccf54066c70c Mon Sep 17 00:00:00 2001
+From: Mike Beaton
+Date: Thu, 11 Dec 2025 19:36:43 +0000
+Subject: [PATCH] ArmVirtPkg: Increase firmware size
+
+Although almost all tool chain plus package combinations currently stay
+under the 2MB firmware size, except for NOOPT builds, ArmVirtQemu DEBUG
+built with CLANGDWARF now sneaks over.
+
+Noting that images will be padded to 64MB for before use anyway, we now
+choose 3MB as the default for all. But keep the 2MB vs. 3MB code which
+checks FD_SIZE_IN_MB, in this and other files, available for reference
+the next time a size change is needed.
+
+Signed-off-by: Mike Beaton
+---
+ ArmVirtPkg/ArmVirt.dsc.inc | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 7044790..30aa81c 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -11,11 +11,8 @@
+ [Defines]
+ DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
+
+-!if $(TARGET) != NOOPT
+- DEFINE FD_SIZE_IN_MB = 2
+-!else
+- DEFINE FD_SIZE_IN_MB = 3
+-!endif
++# Various builds now exceed 2MB so choose 3MB as the default.
++DEFINE FD_SIZE_IN_MB = 3
+
+ !if $(FD_SIZE_IN_MB) == 2
+ DEFINE FD_SIZE = 0x200000
+--
diff --git a/SPECS/edk2/edk2-build.fedora b/SPECS/edk2/edk2-build.fedora
index 0a91fd84616..ee86310f1b8 100644
--- a/SPECS/edk2/edk2-build.fedora
+++ b/SPECS/edk2/edk2-build.fedora
@@ -241,21 +241,6 @@ dest = Fedora/ovmf-ia32 cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd cpy2 = IA32/EnrollDefaultKeys.efi -[build.armvirt.arm] -desc = ArmVirt build for qemu, 32-bit (arm v7) -conf = ArmVirtPkg/ArmVirtQemu.dsc -arch = ARM -opts = ovmf.common -pcds = nx.broken.shim.grub -plat = ArmVirtQemu-ARM -dest = Fedora/arm -cpy1 = FV/QEMU_EFI.fd -cpy2 = FV/QEMU_VARS.fd -cpy3 = FV/QEMU_EFI.fd QEMU_EFI-pflash.raw -cpy4 = FV/QEMU_VARS.fd vars-template-pflash.raw -pad3 = QEMU_EFI-pflash.raw 64m -pad4 = vars-template-pflash.raw 64m - ##################################################################### # experimental builds diff --git a/SPECS/edk2/edk2.signatures.json b/SPECS/edk2/edk2.signatures.json index 3a5fe9358ec..5477de7e032 100644 --- a/SPECS/edk2/edk2.signatures.json +++ b/SPECS/edk2/edk2.signatures.json @@ -7,7 +7,6 @@ "40-edk2-ovmf-ia32-sb.json": "de562405d0f9a9400eb58239e10753455216196dface2631858bcf1a3c886ac7", "41-edk2-ovmf-2m-raw-x64-sb.json": "c9c505b6308af28f29c16b4108f7f295408f975a47c94fb7aef523cb2a999d8e", "50-edk2-aarch64-qcow2.json": "a62d1c8b3801a33d670863fd4824252f65b93b64af8e5fd8908e6e09d8d5db99", - "50-edk2-arm-verbose.json": "8805fce3e313705b7b43be6f2601776871c35bac0914fa05c34d09c929044253", "50-edk2-loongarch64.json": "733d208b45c1d15cb96273f9eb405adb91876d64306c6ad791351f6861b85053", "50-edk2-ovmf-4m-qcow2-x64-nosb.json": "a97c1339a837d106ccb25132a68cdeaf13f2b7cff3d4c7411ce4457e75b68278", "50-edk2-ovmf-ia32-nosb.json": "b360162bd55df3b1cb4bfa8d0b7c2b46a7c7b492aabf6d0d57c3dbf3d8c7fd10", 
@@ -23,7 +22,7 @@ "DBXUpdate-20230509.x64.bin": "3e56c3d9e5b12edbd9e4006413d87fba099de1eba33d2bea566e742166cb366a", "README.experimental": "71ce0b179d0e1325723cc444e45f7eeb67cce4cc1b336f3c5f586de16a6a78fd", "edk2-3e722403cd16.tar.xz": "7ec671f04a183fb0e7f70bba008e8f66e60b44e1709b7bacd293ddb9196f4456", - "edk2-build.fedora": "0c8ed554f434a4b392620cec4e47af5b2ec5288542337216be849b5f7ac93329", + "edk2-build.fedora": "03475abf4448b180e613038cbfe8fca5af6be60a661c7b16a44f9cac2626b6dc", "edk2-build.fedora.platforms": "a4c1c1b34917b451a7f2386bfc053a980e62316b2bbdece1e024d2633d2356c7", "edk2-build.py": "b4be60833465d372662ac4f1f89f40b9c65d59fb17f7716059f980503069ddb7", "edk2-build.rhel-9": "477723037cadf03fa15756de563995cc556ccf84d9a4ba059ea37c97c3a0e3e7", @@ -32,7 +31,6 @@ "hvloader-target.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8", "jansson-2.13.1.tar.bz2": "ee90a0f879d2b7b7159124ff22b937a2a9a8c36d3bb65d1da7dd3f04370a10bd", "openssl-rhel-db0287935122edceb91dcda8dfb53b4090734e22.tar.xz": "9fcc5b49513d6ae21c7ddc3d1bbb1f8973cfbe76f2392d10106a8cd435e3eb47", - "ovmf-whitepaper-c770f8c.txt": "842518adadaa837914dbb13a6628002fb7f7acca107c6d6f41815b399dc9f8b8", - "softfloat-20180726-gitb64af41.tar.xz": "c7f2172357ca3022621b9464fd92bf2b462256bda3e019bf9a669fa6b5aeea91" + "ovmf-whitepaper-c770f8c.txt": "842518adadaa837914dbb13a6628002fb7f7acca107c6d6f41815b399dc9f8b8" } -} +} \ No newline at end of file diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec index 98afadede3a..e53bfdbde20 100644 --- a/SPECS/edk2/edk2.spec +++ b/SPECS/edk2/edk2.spec @@ -1,5 +1,4 @@ %bcond_without experimental -%bcond_with arm Vendor: Microsoft Corporation Distribution: Azure Linux @@ -25,7 +24,6 @@ Distribution: Azure Linux # Can't build aarch64 due to a dependency on "nasm", which doesn't # officially support the ARM64 architecture. See here: # https://github.com/netwide-assembler/nasm/pull/3 -ExclusiveArch: x86_64 # edk2-stable202402 %define GITDATE 20240524 
@@ -42,20 +40,29 @@ ExclusiveArch: x86_64 %define HVLOADER_VER 1.0.1 %define HVLOADER_COMMIT 286f1c642ed624af2c7840fbca7923497891fe68 +%define edk2_arch X64 +%ifarch aarch64 +%define edk2_arch AARCH64 +%endif + %define build_ovmf 1 -%define build_aarch64 0 +%ifarch aarch64 +%define build_ovmf 0 +%endif +%define build_aarch64 1 %define build_riscv64 0 # Undefine this to get *HUGE* (50MB+) verbose build logs %define silent --silent - + %global softfloat_version 20180726-gitb64af41 + %define disable_werror 1 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 16%{?dist} +Release: 17%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain URL: https://www.tianocore.org @@ -67,12 +74,11 @@ URL: https://www.tianocore.org Source0: https://src.fedoraproject.org/repo/pkgs/edk2/edk2-%{GITCOMMIT}.tar.xz/sha512/58550636ea26810a0184423765db24e43319a0cc5e38dfd5fbd7f09b5f6e1c2d2b9e1e33112a3b721e05c7f088dbfd8a2ddd4a73d833c3019a16101ef1d0342a/edk2-%{GITCOMMIT}.tar.xz Source1: ovmf-whitepaper-c770f8c.txt Source2: openssl-rhel-%{OPENSSL_COMMIT}.tar.xz -Source3: softfloat-%{softfloat_version}.tar.xz -Source4: edk2-platforms-%{PLATFORMS_COMMIT}.tar.xz -Source5: jansson-2.13.1.tar.bz2 -Source6: README.experimental -Source7: hvloader-%{HVLOADER_COMMIT}.tar.gz -Source8: hvloader-target.txt +Source3: edk2-platforms-%{PLATFORMS_COMMIT}.tar.xz +Source4: jansson-2.13.1.tar.bz2 +Source5: README.experimental +Source6: hvloader-%{HVLOADER_COMMIT}.tar.gz +Source7: hvloader-target.txt # json description files Source10: 50-edk2-aarch64-qcow2.json 
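Review bot: `%define edk2_arch X64` is the fallback for every architecture other than aarch64, and the earlier `@@ -25,7 +24,6 @@` hunk removes `ExclusiveArch: x86_64` outright instead of widening it, so nothing in the spec now limits the build to the two architectures it actually handles. Declaring `ExclusiveArch: x86_64 aarch64` would stop any other builder from silently taking the X64 paths. The context comment left above the removed line (`# Can't build aarch64 due to a dependency on "nasm" ...`) now contradicts the change and should be rewritten to say that only the OVMF targets are skipped on aarch64. The `build_ovmf` override would also read more clearly as one definition per branch of an `%ifarch aarch64` / `%else` / `%endif`, rather than a default that is redefined three lines later.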
@@ -80,8 +86,6 @@ Source11: 51-edk2-aarch64-raw.json Source12: 52-edk2-aarch64-verbose-qcow2.json Source13: 53-edk2-aarch64-verbose-raw.json -Source20: 50-edk2-arm-verbose.json - Source30: 30-edk2-ovmf-ia32-sb-enrolled.json Source31: 40-edk2-ovmf-ia32-sb.json Source32: 50-edk2-ovmf-ia32-nosb.json @@ -131,6 +135,7 @@ Patch0018: 0018-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch Patch0019: 0019-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch Patch0020: CVE-2024-38796.patch Patch0021: CVE-2025-2296.patch +Patch0022: ArmVirtPkg_Increase_firmware_size.patch # Patches for the vendored OpenSSL are in the range from 1000 to 1999 (inclusive). Patch1000: CVE-2022-3996.patch @@ -149,8 +154,6 @@ Patch1012: CVE-2025-69420.patch Patch1013: CVE-2025-69421.patch Patch1014: CVE-2026-22796.patch Patch1015: CVE-2025-69419.patch -Patch1016: CVE-2026-28389.patch -Patch1017: CVE-2026-28390.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -190,6 +193,11 @@ BuildRequires: python3-pefile # endif build_ovmf %endif +%ifarch x86_64 +%if %{build_aarch64} +BuildRequires: gcc-aarch64-linux-gnu +%endif +%endif %package ovmf Summary: UEFI firmware for x86_64 virtual machines @@ -217,6 +225,7 @@ and KVM. %package aarch64 Summary: UEFI firmware for aarch64 virtual machines BuildArch: noarch +BuildRequires: python3-virt-firmware >= 24.2 Provides: AAVMF = %{version}-%{release} Obsoletes: AAVMF < 20180508-100.gitee3198e672e2.el7 
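Review bot: The `@@ -149,8 +154,6 @@` hunk deletes `Patch1016: CVE-2026-28389.patch` and `Patch1017: CVE-2026-28390.patch` from the vendored-OpenSSL patch range, and nothing in the release 17 changelog entry mentions dropping them, while the -16 entry directly below it records them as newly added. The diffstat lists no removal of the two patch files, so they would stay in SPECS/edk2 but no longer be applied, and the release 17 firmware would be built without those fixes unless they arrive some other way that is not visible here. This looks like a rebase onto an older copy of the spec; restore both lines after `Patch1015: CVE-2025-69419.patch`, or state in the changelog why the fixes are no longer needed.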
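Review bot: `BuildRequires: python3-virt-firmware >= 24.2` is added inside the `%package aarch64` preamble in the `@@ -217,6 +225,7 @@` hunk, where it reads as a property of the noarch subpackage although build dependencies belong to the source package as a whole. Moving it to the main preamble under its own `%if %{build_aarch64}`, next to the block added in the `@@ -190,6 +193,11 @@` hunk but outside its `%ifarch x86_64`, keeps every build dependency in one place. Whether the existing OVMF block already pulls in the same package only when `build_ovmf` is set is not visible in these hunks.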
@@ -289,16 +298,6 @@ EFI Development Kit II Open Virtual Machine Firmware (experimental builds) %endif -%if %{with arm} -%package arm -Summary: ARM Virtual Machine Firmware -BuildArch: noarch -License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND LicenseRef-Fedora-Public-Domain -%description arm -EFI Development Kit II -ARMv7 UEFI Firmware -%endif - %if %{build_riscv64} %package riscv64 Summary: RISC-V Virtual Machine Firmware @@ -371,10 +370,9 @@ git commit -m 'add vendored openssl' cp -a -- %{SOURCE1} . # extract softfloat into place -tar -xf %{SOURCE3} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/ -tar -xf %{SOURCE4} --strip-components=1 --wildcards "*/Drivers" "*/Features" "*/Platform" "*/Silicon" +tar -xf %{SOURCE3} --strip-components=1 --wildcards "*/Drivers" "*/Features" "*/Platform" "*/Silicon" mkdir -p RedfishPkg/Library/JsonLib/jansson -tar -xf %{SOURCE5} --strip-components=1 --directory RedfishPkg/Library/JsonLib/jansson +tar -xf %{SOURCE4} --strip-components=1 --directory RedfishPkg/Library/JsonLib/jansson # include paths pointing to unused submodules mkdir -p MdePkg/Library/MipiSysTLib/mipisyst/library/include @@ -387,9 +385,8 @@ mkdir -p SecurityPkg/DeviceSecurity/SpdmLib/libspdm/include chmod -Rf a+rX,u+w,g-w,o-w . cp -a -- \ - %{SOURCE6} \ + %{SOURCE5} \ %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} \ - %{SOURCE20} \ %{SOURCE30} %{SOURCE31} %{SOURCE32} \ %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE43} %{SOURCE44} \ %{SOURCE45} %{SOURCE46} %{SOURCE47} %{SOURCE48} \ @@ -400,7 +397,7 @@ cp -a -- \ . # extract hvloader source into place -tar -xf %{SOURCE7} --directory MdeModulePkg/Application +tar -xf %{SOURCE6} --directory MdeModulePkg/Application sed -i '/MdeModulePkg\/Application\/HelloWorld\/HelloWorld.inf/a \ \ MdeModulePkg\/Application\/HvLoader-%{HVLOADER_VER}/HvLoader.inf' MdeModulePkg/MdeModulePkg.dsc %build 
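Review bot: The context comment `# extract softfloat into place` in the `@@ -371,10 +370,9 @@` hunk now sits directly above the edk2-platforms extraction, because the softfloat `tar` line beneath it is removed. Replace it with a comment that matches the remaining command, for example `# extract the needed edk2-platforms directories into place`. `%global softfloat_version 20180726-gitb64af41` also survives as context in the `@@ -42,20 +40,29 @@` hunk although `Source3: softfloat-%{softfloat_version}.tar.xz` and its signatures.json entry are dropped, so the macro appears to have no remaining user and can be removed with them.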
@@ -504,6 +501,7 @@ done %endif %if %{build_aarch64} +# gcc does not provide 32 bit arm cross compiler, so only building 64 bit targets ./edk2-build.py --config edk2-build.fedora %{?silent} --release-date "$RELEASE_DATE" -m armvirt ./edk2-build.py --config edk2-build.fedora.platforms %{?silent} -m aa64 virt-fw-vars --input Fedora/aarch64/vars-template-pflash.raw \ @@ -527,8 +525,8 @@ done source ./edksetup.sh make -C BaseTools -cp %{SOURCE8} Conf/target.txt -build -p MdeModulePkg/MdeModulePkg.dsc -m MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader.inf +cp %{SOURCE7} Conf/target.txt +build -p MdeModulePkg/MdeModulePkg.dsc -m MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader.inf -a %{edk2_arch} %install @@ -554,7 +552,7 @@ install BaseTools/Scripts/GccBase.lds \ # install firmware images mkdir -p %{buildroot}%{_datadir}/%{name} cp -av Fedora/* %{buildroot}%{_datadir}/%{name} -%if !%{with experimental} +%if !%{with experimental} || "%{edk2_arch}" == "AARCH64" rm -rf %{buildroot}%{_datadir}/%{name}/experimental %endif @@ -598,8 +596,6 @@ ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \ %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.fd ln -s ../%{name}/aarch64/vars-template-pflash.raw \ %{buildroot}%{_datadir}/AAVMF/AAVMF_VARS.fd -ln -s ../%{name}/arm/QEMU_EFI-pflash.raw \ - %{buildroot}%{_datadir}/AAVMF/AAVMF32_CODE.fd # json description files install -m 0644 \ @@ -608,9 +604,6 @@ install -m 0644 \ 52-edk2-aarch64-verbose-qcow2.json \ 53-edk2-aarch64-verbose-raw.json \ %{buildroot}%{_datadir}/qemu/firmware -install -m 0644 \ - 50-edk2-arm-verbose.json \ - %{buildroot}%{_datadir}/qemu/firmware # endif build_aarch64 %endif 
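Review bot: The new test `"%{edk2_arch}" == "AARCH64"` in the `@@ -554,7 +552,7 @@` hunk decides whether the experimental directory is removed by comparing an architecture string, while the flag that actually turns the OVMF builds off is `build_ovmf`. Writing `%if !%{with experimental} || !%{build_ovmf}` states the intent directly and stays correct if another architecture is later built without OVMF. Whether the `%package experimental` and `%files experimental` sections are skipped under the same condition is outside the visible hunks; if they are guarded only by `%{with experimental}`, the aarch64 build would list files that this step has just deleted.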
@@ -629,7 +622,7 @@ done %endif mkdir -p %{buildroot}/boot/efi -cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader/OUTPUT/HvLoader.efi %{buildroot}/boot/efi +cp ./Build/MdeModule/RELEASE_GCC5/%{edk2_arch}/MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader/OUTPUT/HvLoader.efi %{buildroot}/boot/efi %check for file in %{buildroot}%{_datadir}/%{name}/*/*VARS.secboot.fd; do @@ -766,19 +759,6 @@ done %{_datadir}/%{name}/xen/*.fd %endif -%if %{with arm} -%files arm -%common_files -%dir %{_datadir}/AAVMF/ -%{_datadir}/AAVMF/AAVMF32_CODE.fd -%dir %{_datadir}/%{name}/arm -%{_datadir}/%{name}/arm/QEMU_EFI-pflash.raw -%{_datadir}/%{name}/arm/QEMU_EFI.fd -%{_datadir}/%{name}/arm/QEMU_VARS.fd -%{_datadir}/%{name}/arm/vars-template-pflash.raw -%{_datadir}/qemu/firmware/50-edk2-arm-verbose.json -%endif - %if %{build_riscv64} %files riscv64 %common_files @@ -812,6 +792,12 @@ done /boot/efi/HvLoader.efi %changelog +* Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 +- Enable build_aarch64 to build arm64 firmware bins +- Disable OVMF compilation on aarch64 hosts due to missing cross gcc-x86_64-linux-gnu +- Remove 32bit arm compilation due to missing gcc compiler/cross-compiler +- Add patch to increase default firmware size in ArmVirtPkg to 3Mb for debug package builds + * Wed Apr 22 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-16 - Patch for CVE-2026-28390, CVE-2026-28389 From 477f589bb404459e5cabc4621e27ca065b19fd57 Mon Sep 17 00:00:00 2001 From: Sumedh Alok Sharma Date: Wed, 6 May 2026 06:57:22 +0000 Subject: [PATCH 2/2] Bump edk2-hvloader-signed release version inline with edk2 Signed-off-by: Sumedh Alok Sharma --- SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec index 9cc400737f7..ec98ea66e73 100644 --- a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec +++ b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec @@ -11,7 +11,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: edk2-hvloader-signed-%{buildarch} Version: %{GITDATE}git%{GITCOMMIT} -Release: 16%{?dist} +Release: 17%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -74,6 +74,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 +- Bump release for consistency with edk2 spec. + * Wed Apr 22 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-16 - Bump release for consistency with edk2 spec.