deckhouse · universal-itengineer · Mar 18, 2025 · Mar 18, 2025 · Mar 18, 2025 · Mar 18, 2025
@@ -2,10 +2,11 @@
 REGISTRY_PATH: "docker.io/"
 
 # Virtualization images
-BASE_DEBIAN_BOOKWORM_SLIM: "debian:bookworm-slim@sha256:a629e796d77a7b2ff82186ed15d01a493801c020eed5ce6adaa2704356f15a1c"
+BASE_DEBIAN_BOOKWORM_SLIM: "debian:bookworm-slim@sha256:e9ac68ffde903b241342267a51cd74c5417414af652cb2e380c6ddcf522589bc"
 BASE_CONTAINER_REGISTRY: "registry:2.8.3@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90"
 BASE_GOLANG_22_BOOKWORM: "golang:1.22.8-bookworm@sha256:3f0457a0a56a926d93c2baf4cf0057a645e8ff69ff31314080fcc62389643b8e"
 BASE_GOLANG_23_BOOKWORM: "golang:1.23.6-bookworm@sha256:441f59f8a2104b99320e1f5aaf59a81baabbc36c81f4e792d5715ef09dd29355"
+BASE_DEBIAN_BOOKWORM: "debian:bookworm@sha256:d12a7c2a24a396fc669fc4a571e482b75346dfc5af4a5c1140c8250eacdf3b3f"
 
 BASE_ALT_P10: "alt:p10@sha256:4fab03b8d23eb16147397b0bc41a5025ba59f4e834f7fb4b933ac5206431d740"
 # Digest for image created at 2024-09-20.

@@ -1,4 +1,4 @@
 firmware:
-  qemu: 9.2.0
+  qemu: 9.0.4
   libvirt: 10.9.0
   edk2: stable202411
@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+shopt -s failglob
+
+FILE_TEMPLATE_BINS=""
+TEMPLATE_BINS=""
+OUT_DIR=""
+
+tools=("ldd" "readlink" "awk" "dirname" "ls" "cat")
+for tool in "${tools[@]}"; do
+  if ! command -v "$tool" >/dev/null 2>&1; then
+    echo "$tool is not installed."
+    exit 1
+  fi
+done
+
+function Help() {
+   # Display Help
+   cat<<'EOF'
+   Copy binaries and their libraries to a folder
+   Only one input parameter allowed (-f or -i) !!!
+
+   Syntax: scriptTemplate [-h|f|i|o]
+   options:
+
+   -f     Files with paths to binaries; Support mask like /sbin/m*
+   -i     Paths to binaries separated by space; Support mask like /sbin/m*; Example: /bin/chmod /bin/mount /sbin/m*
+          List of binaries should be in double quotes, -i /bin/chmod /bin/mount
+   -o     Output directory (Default value: '/relocate')
+   -h     Print this help
+
+EOF
+}
+
+while getopts ":h:i:f:o:" option; do
+    case $option in
+      h) # display Help
+         Help
+         exit;;
+      f)
+        FILE_TEMPLATE_BINS=$OPTARG
+        ;;
+      i)
+        TEMPLATE_BINS=$OPTARG
+        ;;
+      o)
+        OUT_DIR=$OPTARG
+        ;;
+      \?)
+        echo "Error: Invalid option"
+        exit;;
+    esac
+done
+
+if [[ -z $OUT_DIR ]];then
+  OUT_DIR="/relocate"
+fi
+mkdir -p "${OUT_DIR}"
+
+function relocate_item() {
+  local file=$1
+
+  # bypass ld-linux
+  if [[ $file =~ ^/lib64/ld-linux-x86-64.so.2 ]];then
+    return
+  fi
+
+  if [[ $file =~ ^(/lib|/lib64|/bin|/sbin) ]];then
+    file="/usr${file}"
+  fi
+
+  local new_place="${OUT_DIR}$(dirname ${file})"
+
+  mkdir -p ${new_place}
+  cp -a ${file} ${new_place} || true
+
+  # if symlink, copy original file too
+  local orig_file="$(readlink -f ${file})"
+  if [[ "${file}" != "${orig_file}" ]]; then
+    cp -a ${orig_file} ${new_place} || true
+  fi
+}
+
+function relocate_lib() {
+  local item=$1
+  if ! [[ $item =~ /(BINS|VBINS) ]];then
+    relocate_item ${item}
+  fi
+
+  for lib in $(ldd ${item} 2>/dev/null | awk '{if ($2=="=>") print $3; else print $1}'); do
+    # don't try to relocate linux-vdso.so lib due to this lib is virtual
+    if [[ "${lib}" =~ "linux-vdso" || "${lib}" == "not" ]]; then
+      continue
+    fi
+    relocate_item ${lib}
+  done
+}
+
+function get_binary_path () {
+  local bin
+  BINARY_LIST=()
+
+  for bin in "$@"; do
+    if [[ ! -f $bin ]] || [ "${bin}" == "${OUT_DIR}" ]; then
+      echo "Not found $bin"
+      exit 1
+    fi
+    BINARY_LIST+=$(ls -la $bin 2>/dev/null | awk '{print $9}')" "
+  done
+
+  if [[ -z $BINARY_LIST ]]; then echo "No binaryes for replace"; exit 1; fi;
+}
+
+# if get file with binaryes (-f)
+if [[ -n $FILE_TEMPLATE_BINS ]] && [[ -f $FILE_TEMPLATE_BINS ]] && [[ -z $TEMPLATE_BINS ]]; then
+  BIN_TEMPLATE=$(cat $FILE_TEMPLATE_BINS)
+  get_binary_path ${BIN_TEMPLATE}
+# Or get paths to bin via raw input (-i)
+elif [[ -n $TEMPLATE_BINS ]] && [[ -z $FILE_TEMPLATE_BINS ]]; then
+  get_binary_path ${TEMPLATE_BINS}
+else
+  Help
+  exit
+fi
+
+
+for binary in ${BINARY_LIST[@]}; do
+  relocate_lib ${binary}
+done
@@ -0,0 +1,18 @@
+---
+image: {{ $.ImageName }}
+final: false
+from: {{ $.Images.BASE_DEBIAN_BOOKWORM }}
+git:
+  - add: /images/{{ $.ImageName }}
+    to: /
+    includePaths:
+    - relocate_binaries.sh
+shell:
+  install:
+  - |
+    apt-get update && apt-get install -y \
+    libc-bin \
+    libffi8 libssh-dev libssh2-1-dev \
+    mount xfsprogs util-linux e2fsprogs binutils
+  - |
+    apt-get clean
@@ -81,7 +81,7 @@ fi
 EDK2_DIR="/${gitRepoName}-${edk2Branch}"
 FIRMWARE="/FIRMWARE"
 
-mv -f Logo.bmp $EDK2_DIR/MdeModulePkg/Logo/
+mv -f /Logo.bmp $EDK2_DIR/MdeModulePkg/Logo/Logo.bmp
 echo "=== cd $EDK2_DIR ==="
 cd $EDK2_DIR
 
@@ -109,7 +109,6 @@ CC_FLAGS="${CC_FLAGS} -D TPM1_ENABLE=FALSE"
 CC_FLAGS="${CC_FLAGS} -D CAVIUM_ERRATUM_27456=TRUE"
 
 # ovmf features
-OVMF_2M_FLAGS="${CC_FLAGS} -D FD_SIZE_2MB=TRUE -D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ISCSI_ENABLE=FALSE"
 OVMF_4M_FLAGS="${CC_FLAGS} -D FD_SIZE_4MB=TRUE -D NETWORK_TLS_ENABLE=TRUE -D NETWORK_ISCSI_ENABLE=TRUE"
 
 # secure boot features
@@ -122,6 +121,8 @@ echo "run source edksetup.sh"
 source ./edksetup.sh BaseTools
 source ./edksetup.sh
 
+python3 CryptoPkg/Library/OpensslLib/configure.py
+
 build_iso() {
   dir="$1"
   UEFI_SHELL_BINARY=${dir}/Shell.efi
@@ -156,19 +157,45 @@ build_iso() {
     -o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE"
 }
 
+prep() {
+  build -a X64 -p MdeModulePkg/MdeModulePkg.dsc -t GCC5 -b RELEASE
+}
+
+build_ovmf_deb_style() {
+  build -a X64 \
+    -t GCC5 \
+    -p OvmfPkg/OvmfPkgX64.dsc \
+    -DCC_MEASUREMENT_ENABLE=TRUE -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_IP6_ENABLE=TRUE -DNETWORK_TLS_ENABLE --pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" --pcd PcdFirmwareVersionString=L"2025.02-1\\0" --pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0" -DTPM2_ENABLE=TRUE -DFD_SIZE_4MB -b RELEASE
+    cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.fd
+    cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.fd
+}
+
+build_ovmf_secboot_deb_style() {
+  build -a X64 \
+		-t GCC5 \
+		-p OvmfPkg/OvmfPkgX64.dsc \
+		-DCC_MEASUREMENT_ENABLE=TRUE -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_IP6_ENABLE=TRUE -DNETWORK_TLS_ENABLE --pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" --pcd PcdFirmwareVersionString=L"2025.02-1\\0" --pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0" -DTPM2_ENABLE=TRUE -DFD_SIZE_4MB -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE -DSMM_REQUIRE=TRUE -b RELEASE
+    cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd           $FIRMWARE/OVMF_CODE.secboot.fd
+    cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd           $FIRMWARE/OVMF_VARS.secboot.fd
+    cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
+    cp -p Build/OvmfX64/*/X64/Shell.efi             $FIRMWARE/
+}
+
 # Build with SB and SMM; exclude UEFI shell.
 build_ovmf() {
   echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
   build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc
   cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.fd
   cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.fd
+  rm -rf Build/*
 }
 
 # Build with SB and SMM with secure boot; exclude UEFI shell.
 build_ovmf_secboot() {
   echo_dbg "build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
   build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc
   cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.secboot.fd
+  rm -rf Build/*
 }
 
 # Build AmdSev and IntelTdx variants
@@ -182,6 +209,7 @@ build_ovmf_amdsev() {
   echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/IntelTdx/IntelTdxX64.dsc"
   build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/IntelTdx/IntelTdxX64.dsc
   cp -p Build/IntelTdx/*/FV/OVMF.fd $FIRMWARE/OVMF.inteltdx.fd
+  rm -rf Build/*
 }
 
 # Build ovmf (x64) shell iso with EnrollDefaultKeys
@@ -191,31 +219,37 @@ build_shell() {
   build ${OVMF_4M_FLAGS} -a IA32 -p ShellPkg/ShellPkg.dsc
 
   cp -p Build/Shell/*/X64/ShellPkg/Application/Shell/Shell/OUTPUT/Shell.efi $FIRMWARE/
-  cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
+  # cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
+  rm -rf Build/*
 }
 
 
 enroll() {
   virt-fw-vars --input  $FIRMWARE/OVMF_VARS.fd \
               --output  $FIRMWARE/OVMF_VARS.secboot.fd \
               --set-dbx $FIRMWARE/DBXUpdate-20230509.x64.bin \
-              --secure-boot 
+              --secure-boot --enroll-generate dvp.deckhouse.io
 
   virt-fw-vars --input  $FIRMWARE/OVMF.inteltdx.fd \
               --output  $FIRMWARE/OVMF.inteltdx.secboot.fd \
               --set-dbx $FIRMWARE/DBXUpdate-20230509.x64.bin \
-              --secure-boot 
+              --secure-boot --enroll-generate dvp.deckhouse.io
 }
 
 no_enroll() {
   cp -p $FIRMWARE/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.secboot.fd
   cp -p $FIRMWARE/OVMF.inteltdx.fd $FIRMWARE/OVMF.inteltdx.secboot.fd  
 }
 
-build_ovmf 2>&1 > /dev/null
-build_ovmf_secboot 2>&1 > /dev/null
+prep 2>&1 > /dev/null
+build_ovmf_deb_style 2>&1 > /dev/null
+build_ovmf_secboot_deb_style 2>&1 > /dev/null
 build_ovmf_amdsev 2>&1 > /dev/null
-build_shell 2>&1 > /dev/null
+
+# build_ovmf 2>&1 > /dev/null
+# build_ovmf_secboot 2>&1 > /dev/null
+# build_shell 2>&1 > /dev/null
 
 build_iso $FIRMWARE
-no_enroll
+enroll
+# no_enroll