From 4693c29094f02e8b16afbc670db30c94446b3bef Mon Sep 17 00:00:00 2001 
From: Kevin Wang
Date: Tue, 26 May 2026 01:47:45 -0700
Subject: [PATCH 1/2] ovmf: pin to edk2-stable202502 and stamp ovmf_variant into metadata
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

f9f11f3 ("fix: upgrade OVMF to edk2-stable202505") moved OVMF from the 2024-09 snapshot 3a3b12cb to edk2-stable202505. The six commits below land between those two and rewrite the boot-time RTMR[0] event chain that dstack's verifier replays:
fb56dc78ef QemuFwCfgLib: cache + measurement (adds fw_cfg BootMenu, bootorder)
45a56d7505 OvmfPkg: add BootManagerMenuApp to dependencies
9d9e3a2ba8 OvmfPkg: use BootManagerMenuApp as BootManagerMenu (Boot0000 hash changes)
d433b4c8e4 PlatformBootManagerLib: register UiApp as optional boot option (new Boot0001)
dd5cce3e53 PlatformBootManagerCommonLib: set UiApp as optional
cd76265f1a OvmfPkg: Enable Smbios measurement (adds EV_EFI_HANDOFF_TABLES whose digest is sha384 over the filtered QEMU SMBIOS table — content varies with -m, -cpu, -smbios type=1 ... so cannot be precomputed from VmConfig alone)
dstack PR #678 modelled the new 17-event layout in dstack-mr and worked for 2 GB CVMs, but EV_EFI_HANDOFF_TABLES was hardcoded to the digest captured from a 2 GB CVM. Any other memory size produced a different SMBIOS Type 16/17/19 layout and a different digest, so e.g. 8 GB CVMs failed KMS verify with `RTMR0 mismatch` regardless of dstack-mr fixes. Pin to edk2-stable202502 (Feb 2025) — the most recent stable tag still before all six commits. It produces the same 13-event RTMR[0] layout as the legacy 3a3b12cb snapshot dstack used pre-upgrade, while still carrying ~5 months of post-Sep-2024 EDK2 fixes (incl. CVEs). Three changes here:
* dstack-ovmf_git.bb: bump PV to edk2-stable202502, refresh SRCREV, add OVMF_VARIANT = "pre202505" so mkimage.sh can stamp the layout tag into image metadata.
* 0003-Debug-prefix-map.patch: one context line (GCC_VFRPP_FLAGS) differs between stable202502 and stable202505.
Add the missing `-P` flag to the patch context so quilt applies on stable202502.
* mkimage.sh: read OVMF_VARIANT from the dstack-ovmf recipe via bitbake-getvar and stamp it into metadata.json. dstack-mr's verifier reads this field to pick the matching event-layout code path (Pre202505 vs Stable202505); without it, verifiers must fall back to parsing the image name, which gets the wrong answer for any image that ships pre-202505 OVMF under a 0.5.10+ name.
Validated end-to-end on tdxlab: built dstack-0.5.11 with this recipe, deployed an 8 GB CVM through dstack-vmm, KMS verified successfully, RTMR0 from the live quote matches dstack-mr's prediction byte-for-byte (5bba6288696c9369311fe673001f386b8494ad8d9fbb918b8571eaf73ededa420c2e5
1f4fe3118556f8afbc1412ff1b6, 13 events on RTMR0).
---
 .../dstack-ovmf/0003-Debug-prefix-map.patch | 2 +-
 .../dstack-ovmf/dstack-ovmf_git.bb | 25 +++++++++++++++++--
 mkimage.sh | 15 +++++++++--
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
index 8d850ff..3a50bed 100644
--- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
+++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch
@@ -28,7 +28,7 @@ index cca699c4a8..e758bd8b4e 100755
 -DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h
 +DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)
 +DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)
- DEFINE GCC_VFRPP_FLAGS = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
+ DEFINE GCC_VFRPP_FLAGS = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
  DEFINE GCC_ASLPP_FLAGS = -x c -E -include AutoGen.h
  DEFINE GCC_ASLCC_FLAGS = -x c
 @@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS = -mabi=lp64d -march=loongarch64 DEF(
diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
index 7fbf499..84ca1b3 100644
--- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
+++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb
@@ -27,10 +27,31 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
 file://0005-Declare-ProcessLibraryConstructorList.patch \
 "
-PV = "edk2-stable202505"
-SRCREV = "6951dfe7d59d144a3a980bd7eda699db2d8554ac"
+# Pinned to edk2-stable202502 (Feb 2025) instead of the latest stable202505.
+# Between these two tags, six commits land in OvmfPkg / MdeModulePkg that
+# rewrite the boot-time RTMR[0] event chain:
+# fb56dc78ef QemuFwCfgLib: cache + measurement (adds fw_cfg BootMenu, bootorder)
+# 45a56d7505 OvmfPkg: add BootManagerMenuApp to dependencies
+# 9d9e3a2ba8 OvmfPkg: use BootManagerMenuApp as BootManagerMenu (Boot0000 hash changes)
+# d433b4c8e4 PlatformBootManagerLib: register UiApp as optional boot option (new Boot0001)
+# dd5cce3e53 PlatformBootManagerCommonLib: set UiApp as an optional boot option
+# cd76265f1a OvmfPkg: Enable Smbios measurement (adds EV_EFI_HANDOFF_TABLES whose
+# digest is sha384(filtered QEMU SMBIOS table) — varies with -m / -cpu /
+# -smbios type=1 and so cannot be precomputed from VmConfig alone)
+# stable202502 contains none of them and so produces the same 13-event RTMR[0]
+# layout as the legacy 3a3b12cb snapshot dstack used pre-upgrade, while still
+# carrying 5 months of post-Sep-2024 EDK2 fixes (incl. CVEs).
+PV = "edk2-stable202502"
+SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
 UPSTREAM_CHECK_GITTAGREGEX = "(?Pedk2-stable.*)"
+# Tag identifying the OVMF boot-time RTMR[0] event layout this build produces.
+# Consumed by mkimage.sh to stamp `ovmf_variant` into the image metadata.json so
+# verifiers can pick the matching dstack-mr code path without parsing PV.
+# Keep this in sync with the OvmfVariant enum in dstack/dstack-types when
+# bumping PV.
+OVMF_VARIANT = "pre202505"
+
 CVE_PRODUCT = "edk2"
 CVE_VERSION = "${@d.getVar('PV').split('-')[1]}"
diff --git a/mkimage.sh b/mkimage.sh
index 9f98640..69579c7 100755
--- a/mkimage.sh
+++ b/mkimage.sh
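Review bot: `OVMF_VARIANT = "pre202505"` at the end of this hunk is a hand-maintained tag with nothing tying it to the `PV`/`SRCREV` pin a few lines above, so a later bump of PV past stable202505 that forgets this line would stamp metadata claiming the 13-event layout while the firmware produces the 17-event one, and the mismatch only surfaces as a verifier `RTMR0 mismatch` on deployed CVMs rather than at build time. Since the comment already promises to keep the value in sync with the OvmfVariant enum, consider enforcing that with a `python __anonymous ()` block that reads both values via `d.getVar` and calls `bb.fatal` when the tag in PV is stable202505 or newer while OVMF_VARIANT is still `pre202505` (and the reverse). It would also help to spell out the contract next to the assignment, e.g. `# Must be one of the OvmfVariant enum values in dstack/dstack-types (pre202505 = 13-event RTMR[0] layout).`, since this string is consumed by mkimage.sh and verifiers rather than by bitbake itself.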
@@ -65,7 +65,17 @@ $Q cp $OVMF_FIRMWARE ${OUTPUT_DIR}/
 $Q cp $ROOTFS_IMAGE ${OUTPUT_DIR}/rootfs.img.verity
 GIT_REVISION=$(git rev-parse HEAD 2>/dev/null || echo "")
-echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json"
+
+# Lift the OVMF variant tag straight out of the dstack-ovmf recipe so verifiers
+# know which RTMR[0] event layout to expect. Required: the recipe must declare
+# OVMF_VARIANT alongside PV.
+OVMF_VARIANT=$(bitbake-getvar --value OVMF_VARIANT -r dstack-ovmf | tail -n1)
+if [ -z "$OVMF_VARIANT" ]; then
+ echo "Error: dstack-ovmf recipe is missing OVMF_VARIANT" >&2
+ exit 1
+fi
+
+echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json (ovmf_variant=$OVMF_VARIANT)"
 KARG0="console=ttyS0 init=/init panic=1 net.ifnames=0 biosdevname=0"
 KARG1="mce=off oops=panic pci=noearly pci=nommconf random.trust_cpu=y random.trust_bootloader=n tsc=reliable no-kvmclock"
@@ -81,7 +91,8 @@ cat < ${OUTPUT_DIR}/metadata.json
 "version": "$DSTACK_VERSION",
 "git_revision": "$GIT_REVISION",
 "shared_ro": true,
- "is_dev": ${IS_DEV}
+ "is_dev": ${IS_DEV},
+ "ovmf_variant": "$OVMF_VARIANT"
 }
 EOF
From 716729c9821781da026cef8c15d0287f9bcd4ca7 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Tue, 26 May 2026 02:48:27 -0700
Subject: [PATCH 2/2] mkimage: drop tail -n1 from OVMF_VARIANT lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bitbake-getvar --value emits a single line for any defined variable, so the `| tail -n1` was defensive padding rather than load-bearing — and under `set -e` without `set -o pipefail` it would swallow a bitbake-getvar failure and let `tail` exit 0 with whatever spilled out of stderr. Match the existing DSTACK_VERSION line a few lines above that uses the same plain assignment, so `set -e` propagates correctly and the existing empty-string guard becomes the only thing we rely on. Addresses Copilot review on #63.
---
 mkimage.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
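Review bot: The new `OVMF_VARIANT` value is checked only for emptiness before it is interpolated verbatim into the JSON heredoc as `"ovmf_variant": "$OVMF_VARIANT"` in the second hunk (`@@ -81,7 +91,8 @@`), so a value containing `"` or `\`, or any extra line that bitbake-getvar might emit on stdout, would yield an unparseable metadata.json or an unknown variant that dstack-mr can only reject later at verification time. Since verifiers select a code path from this field, it is worth failing the build on anything that is not a plain token, e.g. replacing the `[ -z "$OVMF_VARIANT" ]` guard with `case "$OVMF_VARIANT" in ""|*[!A-Za-z0-9_.-]*) echo "Error: dstack-ovmf OVMF_VARIANT missing or malformed: '$OVMF_VARIANT'" >&2; exit 1 ;; esac`. The same applies to the `OVMF_VARIANT=$(bitbake-getvar ...)` line as rewritten in the follow-up patch (`@@ -69,7 +69,7 @@` in mkimage.sh), which keeps the emptiness-only guard. A short comment above the assignment, e.g. `# Value must be one of the OvmfVariant enum names dstack-mr accepts; it is written unescaped into metadata.json below`, would make that contract visible where the field is produced.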
diff --git a/mkimage.sh b/mkimage.sh
index 69579c7..bdf10d6 100755
--- a/mkimage.sh
+++ b/mkimage.sh
@@ -69,7 +69,7 @@ GIT_REVISION=$(git rev-parse HEAD 2>/dev/null || echo "")
 # Lift the OVMF variant tag straight out of the dstack-ovmf recipe so verifiers
 # know which RTMR[0] event layout to expect. Required: the recipe must declare
 # OVMF_VARIANT alongside PV.
-OVMF_VARIANT=$(bitbake-getvar --value OVMF_VARIANT -r dstack-ovmf | tail -n1)
+OVMF_VARIANT=$(bitbake-getvar --value OVMF_VARIANT -r dstack-ovmf)
 if [ -z "$OVMF_VARIANT" ]; then
 echo "Error: dstack-ovmf recipe is missing OVMF_VARIANT" >&2
 exit 1