new(tianocore.org/edk2): standalone OVMF firmware blobs#13239
Open
tannevaled wants to merge 3 commits into
Open
new(tianocore.org/edk2): standalone OVMF firmware blobs#13239tannevaled wants to merge 3 commits into
tannevaled wants to merge 3 commits into
Conversation
Defense-in-depth follow-up to pkgxdev/brewkit#353. Some recipes ship binaries with entitlements that require either adhoc signing or a Developer ID with a matching provisioning profile (notably `com.apple.security.virtualization` and `com.apple.security.hypervisor`). brewkit#353 already handles the binary side correctly -- it sees these entitlements in the Mach-O and forces adhoc signing in fix-machos.rb, regardless of what signing identity the workflow imported. This change adds a complementary workflow-level lever: when a caller knows a recipe needs adhoc only, it can pass `skip-codesign-import: true` and the Apple Developer ID is never brought into the keychain in the first place. Avoids importing a cert we won't end up using, and reduces the window during which the cert exists on the runner. The default stays false -- behavior of every existing call is unchanged. This patch only exposes the lever through the call chain: pkg.yml (workflow_call input) -> pkg-platform.yml (workflow_call input) -> .github/actions/setup (composite input, gates the import step) Picking which recipes opt in is intentionally left out of this patch. lima-vm.io is the obvious first candidate (see pkgxdev#7853). Refs: pkgxdev#7853, pkgxdev/brewkit#353 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Decouples cloud-boot's UEFI firmware from qemu's release cadence by
shipping reproducible TianoCore EDK II builds (OvmfPkg X64 + ArmVirtPkg
AARCH64) directly via pkgx. Output layout mirrors qemu's `share/qemu/`
bundle (edk2-x86_64-code.fd, edk2-i386-vars.fd, edk2-aarch64-code.fd,
edk2-arm-vars.fd) so existing runners can pick it up via env-var
overrides without code changes.
Cross-platform via two EDK II toolchains:
- GCC5 on Linux (uses pantry's gnu.org/gcc)
- CLANGPDB on Darwin (uses pantry's llvm.org for clang + lld-link,
sidestepping the macOS-only `mtoc` from XCODE5)
Includes a thin `bin/edk2-firmware-path` shim so pkgx has a discoverable
`bin/*` entry, plus runtime env vars (OVMF_CODE, OVMF_VARS, AAVMF_*).
Test step boots qemu-system-x86_64 with the built firmware over TCG and
greps for the TianoCore banner.
Versioned against `edk2-stableYYYYMM[.N]` tags via match+strip.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reproduced the all-platform `brewkit/build` failure locally and fixed
the three root causes:
1. BaseTools built serially. VfrCompile's sub-makefile lacks a dep
between the dlg-generated VfrLexer.cpp and its compile; under `make
-j` the compiler reads a half-written file ("VfrLexer.cpp: error:
expected expression"). Near-deterministic on multi-core runners, so
every platform was red. The EDK II `build` stays parallel via -n.
2. Added the acpica.org build dep for iasl. OVMF compiles .asl ACPI
tables to .aml (RamDiskDxe NFIT, ...); without iasl the X64 build
dies with exit 127 ("iasl: command not found").
3. Fixed the qemu smoke test: dropped `-nographic` (it fights
`-serial stdio` for stdio and qemu aborts), and pulled in
gnu.org/coreutils so `timeout` exists on macOS.
Validated on darwin/arm64 (pantry clang 22): OVMF X64 + AArch64 build
clean and the X64 blob boots to BdsDxe under qemu-system-x86_64.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
projects/tianocore.org/edk2/package.ymlships TianoCore EDK II OVMF firmware blobs (X64 + AARCH64) at${prefix}/share/qemu/edk2-*-code.fd/edk2-*-vars.fd, matching qemu's bundle layout so existing runners can pick it up via env-var overrides.llvm.orgfor clang + lld-link, avoiding the macOS-onlymtoc).edk2-stableYYYYMM[.N]tags withmatch: /^edk2-stable\d+(\.\d+)?$/+ matchingstrip.Motivation
Today the only convenient way to get OVMF on a pkgx machine is to fish it out of
qemu.org's bottle (or grep a distro'sovmfpackage). That couples firmware updates to qemu's release cadence and ships nothing on systems that only need the firmware (e.g. cloud-boot harnesses). This recipe makes EDK II a first-class package: bump the recipe version and you get a fresh stable EDK II without waiting on qemu.Recipe shape
distributable: git+https://github.com/tianocore/edk2withref: edk2-stable{{version.raw}}.git-scm.org,python.org ~3.11,nasm.us,freedesktop.org/pkg-config; platform-conditionalgnu.org/gcc(linux) andllvm.org(darwin).edksetup.sh BaseTools, twobuildinvocations (X64 OvmfPkg + AARCH64 ArmVirtQemu), install intoshare/qemu/.-Wno-error=cast-function-type-mismatchpatch (CryptoPkg/Pem) for newer clang.runtime.envexportsEDK2_FIRMWARE_DIR,OVMF_CODE,OVMF_VARS,AAVMF_CODE,AAVMF_VARS.provides: bin/edk2-firmware-pathis a thin shim that prints absolute blob paths for downstream tooling.Follow-ups (not in this PR)
acpica-tools(iasl) dep when pantry ships one; current build paths use precompiled ACPI tables, so it's not required for OVMF/ArmVirt.Test plan
bk build tianocore.org/edk2on linux/x86_64 — primary path, no toolchain quirks expected.bk build tianocore.org/edk2on linux/aarch64.bk build tianocore.org/edk2on darwin/arm64 — CLANGPDB path.bk test tianocore.org/edk2boots qemu-system-x86_64 with the built firmware and greps the TianoCore banner.