ovmf: pin to edk2-stable202502 to fix RTMR0 mismatch on CVMs with memory > 2G

meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0003-Debug-prefix-map.patch

@@ -28,7 +28,7 @@ index cca699c4a8..e758bd8b4e 100755
 -DEFINE GCC_PP_FLAGS                = -E -x assembler-with-cpp -include AutoGen.h
 +DEFINE GCC_ASM_FLAGS               = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)
 +DEFINE GCC_PP_FLAGS                = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)
- DEFINE GCC_VFRPP_FLAGS             = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
+ DEFINE GCC_VFRPP_FLAGS             = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
  DEFINE GCC_ASLPP_FLAGS             = -x c -E -include AutoGen.h
  DEFINE GCC_ASLCC_FLAGS             = -x c
 @@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS           = -mabi=lp64d -march=loongarch64 DEF(

meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb

@@ -27,10 +27,31 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0005-Declare-ProcessLibraryConstructorList.patch \
            "
 
-PV = "edk2-stable202505"
-SRCREV = "6951dfe7d59d144a3a980bd7eda699db2d8554ac"
+# Pinned to edk2-stable202502 (Feb 2025) instead of the latest stable202505.
+# Between these two tags, six commits land in OvmfPkg / MdeModulePkg that
+# rewrite the boot-time RTMR[0] event chain:
+#   fb56dc78ef  QemuFwCfgLib: cache + measurement (adds fw_cfg BootMenu, bootorder)
+#   45a56d7505  OvmfPkg: add BootManagerMenuApp to dependencies
+#   9d9e3a2ba8  OvmfPkg: use BootManagerMenuApp as BootManagerMenu (Boot0000 hash changes)
+#   d433b4c8e4  PlatformBootManagerLib: register UiApp as optional boot option (new Boot0001)
+#   dd5cce3e53  PlatformBootManagerCommonLib: set UiApp as an optional boot option
+#   cd76265f1a  OvmfPkg: Enable Smbios measurement (adds EV_EFI_HANDOFF_TABLES whose
+#               digest is sha384(filtered QEMU SMBIOS table) — varies with -m / -cpu /
+#               -smbios type=1 and so cannot be precomputed from VmConfig alone)
+# stable202502 contains none of them and so produces the same 13-event RTMR[0]
+# layout as the legacy 3a3b12cb snapshot dstack used pre-upgrade, while still
+# carrying 5 months of post-Sep-2024 EDK2 fixes (incl. CVEs).
+PV = "edk2-stable202502"
+SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
 
+# Tag identifying the OVMF boot-time RTMR[0] event layout this build produces.
+# Consumed by mkimage.sh to stamp `ovmf_variant` into the image metadata.json so
+# verifiers can pick the matching dstack-mr code path without parsing PV.
+# Keep this in sync with the OvmfVariant enum in dstack/dstack-types when
+# bumping PV.
+OVMF_VARIANT = "pre202505"
+
 CVE_PRODUCT = "edk2"
 CVE_VERSION = "${@d.getVar('PV').split('-')[1]}"
 

mkimage.sh

@@ -65,7 +65,17 @@ $Q cp $OVMF_FIRMWARE ${OUTPUT_DIR}/
 $Q cp $ROOTFS_IMAGE ${OUTPUT_DIR}/rootfs.img.verity
 
 GIT_REVISION=$(git rev-parse HEAD 2>/dev/null || echo "<unknown>")
-echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json"
+
+# Lift the OVMF variant tag straight out of the dstack-ovmf recipe so verifiers
+# know which RTMR[0] event layout to expect. Required: the recipe must declare
+# OVMF_VARIANT alongside PV.
+OVMF_VARIANT=$(bitbake-getvar --value OVMF_VARIANT -r dstack-ovmf)
+if [ -z "$OVMF_VARIANT" ]; then
+    echo "Error: dstack-ovmf recipe is missing OVMF_VARIANT" >&2
+    exit 1
+fi
+
+echo "Generating metadata.json to ${OUTPUT_DIR}/metadata.json (ovmf_variant=$OVMF_VARIANT)"
 
 KARG0="console=ttyS0 init=/init panic=1 net.ifnames=0 biosdevname=0"
 KARG1="mce=off oops=panic pci=noearly pci=nommconf random.trust_cpu=y random.trust_bootloader=n tsc=reliable no-kvmclock"
@@ -81,7 +91,8 @@ cat <<EOF > ${OUTPUT_DIR}/metadata.json
     "version": "$DSTACK_VERSION",
     "git_revision": "$GIT_REVISION",
     "shared_ro": true,
-    "is_dev": ${IS_DEV}
+    "is_dev": ${IS_DEV},
+    "ovmf_variant": "$OVMF_VARIANT"
 }
 EOF