Merge pull request #2430 from flatcar/chewi/virt-firmware

app-crypt/efitools: Drop in favour of app-emulation/virt-firmware
flatcar · Nov 7, 2024 · 2fcff86 · 2fcff86
2 parents 97af4e5 + bcd203e
commit 2fcff86
Show file tree

Hide file tree

Showing 44 changed files with 3,743 additions and 303 deletions.
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -117,7 +117,6 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/ccid
-app-crypt/efitools
 app-crypt/gnupg
 app-crypt/gpgme
 app-crypt/libb2
@@ -138,6 +137,7 @@ app-editors/vim-core
 
 app-emulation/qemu
 app-emulation/qemu-guest-agent
+app-emulation/virt-firmware
 
 app-eselect/eselect-iptables
 app-eselect/eselect-lib-bin-symlink
@@ -284,10 +284,12 @@ dev-python/autocommand
 dev-python/backports-tarfile
 dev-python/cachecontrol
 dev-python/certifi
+dev-python/cffi
 dev-python/chardet
 dev-python/charset-normalizer
 dev-python/colorama
 dev-python/crcmod
+dev-python/cryptography
 dev-python/cython
 dev-python/distlib
 dev-python/distro
@@ -322,11 +324,14 @@ dev-python/olefile
 dev-python/ordered-set
 dev-python/packaging
 dev-python/pathspec
+dev-python/pefile
 dev-python/pillow
 dev-python/pip
 dev-python/platformdirs
 dev-python/pluggy
+dev-python/ply
 dev-python/poetry-core
+dev-python/pycparser
 dev-python/pydecomp
 dev-python/pygments
 dev-python/pyproject-hooks
@@ -355,6 +360,7 @@ dev-util/desktop-file-utils
 dev-util/gdbus-codegen
 dev-util/glib-utils
 dev-util/gperf
+dev-util/maturin
 dev-util/pahole
 dev-util/patchelf
 dev-util/patchutils
@@ -450,6 +456,7 @@ eclass/savedconfig.eclass
 eclass/secureboot.eclass
 eclass/selinux-policy-2.eclass
 eclass/sgml-catalog-r1.eclass
+eclass/shell-completion.eclass
 eclass/ssl-cert.eclass
 eclass/strip-linguas.eclass
 eclass/subversion.eclass

diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
@@ -816,13 +816,12 @@ _write_qemu_conf() {
 }
 
 _write_qemu_uefi_conf() {
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local flash_rw="$(_dst_name "_efi_vars.fd")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
 
     _write_qemu_conf
 
-    local flash_ro="$(_dst_name "_efi_code.fd")"
-    local flash_rw="$(_dst_name "_efi_vars.fd")"
-
     case $BOARD in
         amd64-usr)
             cp "/usr/share/edk2-ovmf/OVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
@@ -861,15 +860,18 @@ _write_qemu_uefi_secure_conf() {
     local flash_rw="$(_dst_name "_efi_vars.fd")"
     local flash_ro="$(_dst_name "_efi_code.fd")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
+    local owner="00000000-0000-0000-0000-000000000000"
 
     _write_qemu_uefi_conf
     cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
-    cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
-    cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
-    cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
-    flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
-    flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
-    flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+
+    virt-fw-vars \
+        --inplace "$(_dst_dir)/${flash_rw}" \
+        --set-pk  "${owner}" /usr/share/sb_keys/PK.crt \
+        --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
+        --add-db  "${owner}" /usr/share/sb_keys/DB.crt \
+        --secure-boot --no-microsoft
+
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 

diff --git a/...ontainer/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild b/...ontainer/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
@@ -17,9 +17,9 @@ DEPEND="
 	app-admin/sudo
 	app-admin/updateservicectl
 	app-arch/pbzip2
-	app-crypt/efitools
 	app-crypt/sbsigntools
 	app-emulation/open-vmdk
+	app-emulation/virt-firmware
 	app-eselect/eselect-python
 	app-misc/jq
 	app-shells/bash-completion

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -53,8 +53,10 @@
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =app-crypt/clevis-19-r1 **
 
+# Needed in SDK for Secure Boot.
+=app-emulation/virt-firmware-24.7 ~amd64 ~arm64
+
 # Needed by arm64-native SDK.
-=app-crypt/efitools-1.9.2-r1 ~arm64
 =app-emulation/open-vmdk-1.0 *
 
 # Keep versions on both arches in sync.

diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/Manifest
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/efitools-1.9.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/efitools-1.9.2-r1.ebuild
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-Makefile.patch b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-Makefile.patch