diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
index 8d850ff..3a50bed 100644
--- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
+++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
@@ -28,7 +28,7 @@ index cca699c4a8..e758bd8b4e 100755
 -DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h
 +DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)
 +DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)
- DEFINE GCC_VFRPP_FLAGS = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
+ DEFINE GCC_VFRPP_FLAGS = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
 DEFINE GCC_ASLPP_FLAGS = -x c -E -include AutoGen.h
 DEFINE GCC_ASLCC_FLAGS = -x c
@@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS = -mabi=lp64d -march=loongarch64 DEF(
diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
index 7fbf499..84ca1b3 100644
--- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
+++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
@@ -27,10 +27,31 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
 file://0005-Declare-ProcessLibraryConstructorList.patch \
 "
-PV = "edk2-stable202505"
-SRCREV = "6951dfe7d59d144a3a980bd7eda699db2d8554ac"
+# Pinned to edk2-stable202502 (Feb 2025) instead of the latest stable202505.
+# Between these two tags, six commits land in OvmfPkg / MdeModulePkg that
+# rewrite the boot-time RTMR[0] event chain:
+# fb56dc78ef QemuFwCfgLib: cache + measurement (adds fw_cfg BootMenu, bootorder)
+# 45a56d7505 OvmfPkg: add BootManagerMenuApp to dependencies
+# 9d9e3a2ba8 OvmfPkg: use BootManagerMenuApp as BootManagerMenu (Boot0000 hash changes)
+# d433b4c8e4 PlatformBootManagerLib: register UiApp as optional boot option (new Boot0001)
+# dd5cce3e53 PlatformBootManagerCommonLib: set UiApp as an optional boot option
+# cd76265f1a OvmfPkg: Enable Smbios measurement (adds EV_EFI_HANDOFF_TABLES whose
+# digest is sha384(filtered QEMU SMBIOS table) — varies with -m / -cpu /
+# -smbios type=1 and so cannot be precomputed from VmConfig alone)
+# stable202502 contains none of them and so produces the same 13-event RTMR[0]
+# layout as the legacy 3a3b12cb snapshot dstack used pre-upgrade, while still
+# carrying 5 months of post-Sep-2024 EDK2 fixes (incl. CVEs).
+PV = "edk2-stable202502"
+SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
 UPSTREAM_CHECK_GITTAGREGEX = "(?Pedk2-stable.*)"
+# Tag identifying the OVMF boot-time RTMR[0] event layout this build produces.
+# Consumed by mkimage.sh to stamp `ovmf_variant` into the image metadata.json so
+# verifiers can pick the matching dstack-mr code path without parsing PV.
+# Keep this in sync with the OvmfVariant enum in dstack/dstack-types when
+# bumping PV.
+OVMF_VARIANT = "pre202505"
+
 CVE_PRODUCT = "edk2"
 CVE_VERSION = "${@d.getVar('PV').split('-')[1]}"
diff --git a/mkimage.sh b/mkimage.sh
index 9f98640..bdf10d6 100755
--- a/mkimage.sh
+++ b/mkimage.sh
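Review bot: Pinning PV back to edk2-stable202502 also moves CVE_VERSION (derived from PV in the unchanged context two lines below) back to stable202502, so cve-check will report every edk2 fix that landed between stable202502 and stable202505 as unpatched in this build, while the new rationale comment only states what is retained relative to the old 3a3b12cb snapshot, not what is given up relative to stable202505. Suggest making that trade-off explicit in the same comment, e.g. `# NOTE: edk2 fixes between stable202502 and stable202505 are NOT in this build; review cve-check output on each bump and backport security fixes as SRC_URI patches rather than moving PV.` The OVMF_VARIANT / OvmfVariant pairing is a purely manual contract; if dstack-types lives in this repository, naming the enum's file in the comment (or a CI grep that fails when the value is absent there) would help whoever bumps PV next.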
@@ -65,7 +65,17 @@ $Q cp $OVMF_FIRMWARE ${OUTPUT_DIR}/
 $Q cp $ROOTFS_IMAGE ${OUTPUT_DIR}/rootfs.img.verity
 GIT_REVISION=$(git rev-parse HEAD 2>/dev/null || echo "")
-echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json"
+
+# Lift the OVMF variant tag straight out of the dstack-ovmf recipe so verifiers
+# know which RTMR[0] event layout to expect. Required: the recipe must declare
+# OVMF_VARIANT alongside PV.
+OVMF_VARIANT=$(bitbake-getvar --value OVMF_VARIANT -r dstack-ovmf)
+if [ -z "$OVMF_VARIANT" ]; then
+ echo "Error: dstack-ovmf recipe is missing OVMF_VARIANT" >&2
+ exit 1
+fi
+
+echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json (ovmf_variant=$OVMF_VARIANT)"
 KARG0="console=ttyS0 init=/init panic=1 net.ifnames=0 biosdevname=0"
 KARG1="mce=off oops=panic pci=noearly pci=nommconf random.trust_cpu=y random.trust_bootloader=n tsc=reliable no-kvmclock"
@@ -81,7 +91,8 @@ cat < ${OUTPUT_DIR}/metadata.json
 "version": "$DSTACK_VERSION",
 "git_revision": "$GIT_REVISION",
 "shared_ro": true,
- "is_dev": ${IS_DEV}
+ "is_dev": ${IS_DEV},
+ "ovmf_variant": "$OVMF_VARIANT"
 }
 EOF
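Review bot: The value captured from bitbake-getvar is only tested for emptiness before it is interpolated into the echo and, in the second hunk of this file, straight into the metadata.json heredoc as `"ovmf_variant": "$OVMF_VARIANT"`, so a typo in the recipe or any stray character in the tool's output (a quote, a second line) yields malformed or misleading metadata that verifiers will only reject much later. Tightening the check to a conservative token pattern keeps the failure at build time: `case "$OVMF_VARIANT" in ""|*[!A-Za-z0-9_-]*) echo "Error: dstack-ovmf OVMF_VARIANT is missing or malformed: '$OVMF_VARIANT'" >&2; exit 1;; esac`. Whether the script runs under `set -e` is outside the hunk; if it does, a failing bitbake-getvar already aborts before the check, and if not, the empty-value path is the only thing catching it.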