Last night I merged a large set of changes into TianoCore’s edk2-platforms repo.
Among them were commits to add support for ASRock Rack’s ALTRAD8UD-1L2T and ALTRAD8UD2-1L2Q boards, and improvements to the new build script, buildfw.sh, which affect builds of firmware for Ampere’s Mt Jade and ADLINK’s COM-HPC-ALT (AADP, AADK, AADR) platforms too.
I added buildfw.sh because I didn’t find the scripts in the edk2-ampere-tools repo to be very user-friendly. buildfw.sh can be used whether you have access to the TF-A (ATF) binaries or not.
If you don’t have them, you’ll see the following message at the end of the build:
Warning: the TF-A (Trusted Firmware) binary wasn’t found. Only the UEFI firmware was built.
Done. Firmware is in Build/<PlatformName>/.
You can use this firmware by reading out the existing BIOS/UEFI SPI-NOR, dd’ing the new firmware into the correct location and then writing the file back to the EEPROM.
Another optional binary is the Renesas USB controller firmware, K2026090.mem.
It’s freely available, but if you choose not to use it you’ll see the following message at the end of the build:
Warning: the Renesas UPD720202 USB3 Controller firmware file $HOME/src/uefi/K2026090.mem was not found.
The firmware was built without the firmware. The USB3 controller will not work unless the firmware is loaded in the OS.
See edk2-platforms/Drivers/OptionRomPkg/RenesasFirmwarePD720202/README.md for details on how to obtain it.
To build the firmware, run buildfw.sh:
./edk2-platforms/Platform/Ampere/buildfw.sh --help
Usage:
./edk2-platforms/Platform/Ampere/buildfw.sh [options]
Options:
-b <bldtype>, --build <bldtype> Specify the build type: DEBUG or RELEASE
-t <tc>, --toolchain <tc> Specify the toolchain to use: GCC or CLANG
-m <mfg>, --manufacturer <mfg> Specify platform manufacturer (e.g. Ampere)
-p <plat>, --platform <plat> Specify platform to build (e.g. Jade)
-l <kern>, --linuxboot <kern> Build LinuxBoot firmware instead of full EDK2 with UEFI Shell, specifying path to flashkernel
-f, --flash Copy firmware to BMC and flash firmware (keeping EFI variables and NVPARAMs) after building
-F, --full-flash Copy firmware to BMC and flash full EEPROM (resetting EFI variables and NVPARAMs) after building
Note: flash options require bmc.sh file with env vars BMC_HOST, BMC_USER and BMC_PASS defined
Available manufacturers:
ADLINK
Ampere
ASRockRack
Available platforms:
ADLINK -> ComHpcAlt
Ampere -> Jade
ASRockRack -> Altra1L2Q
ASRockRack -> Altra1L2T
Environment Variables:
SECUREBOOT_DIR - directory to store SecureBoot keys, certs etc.
USE_EXISTING_SB_KEYS - use existing Secure Boot Platform and Update keys
DOWNLOAD_MS_SB_KEYS - force re-download of Microsoft Secure Boot KEK and DB certificates
CERT_PASSWORD - password to use when generating Platform and Update Keys and certificates
defaults to "password" if not specified.
EDK2_SECURE_BOOT_ENABLE (TRUE)
EDK2_NETWORK_ENABLE (TRUE)
EDK2_INCLUDE_TFTP_COMMAND (TRUE)
EDK2_NETWORK_IP6_ENABLE (TRUE)
EDK2_NETWORK_ALLOW_HTTP_CONNECTIONS (FALSE)
EDK2_NETWORK_TLS_ENABLE (TRUE)
EDK2_REDFISH_ENABLE (TRUE)
EDK2_PERFORMANCE_MEASUREMENT_ENABLE (FALSE)
EDK2_TPM2_ENABLE (TRUE)
EDK2_HEAP_GUARD_ENABLE (FALSE)
EDK2_X86_EMULATOR_ENABLE (TRUE)
EDK2_SHELL_ENABLE (TRUE)
Another improvement is the build-time generation of ./edk2-platforms/Platform/<Manufacturer>/<Platform>Pkg/Capsule/SystemFirmwareDescriptor/HostFwInfo.h, which contains the firmware version generated from the current date combined with the build number (which is stored in the file .fw_bld). This means the version is now monotonically increasing and the Linux fwupdmgr tool can be used to initiate the firmware upgrade by running fwupdmgr install <firmware-filename.cab>. Run fwupdmgr get-details <firmware-filename.cab> to see information about the currently installed firmware and the firmware in the file specified.
I’ve also changed the way Secure Boot and Capsule updates are done: instead of using test keys from e.g. edk2/BaseTools/Source/Python/Pkcs7Sign/, I added edk2-platforms/Platform/Ampere/Tools/GenerateSecureBootKeys.sh which generates fresh keys during the build and downloads the set of Microsoft certificates for Windows.
Set USE_EXISTING_SB_KEYS to prevent that automatic generation process and use existing keys in the secureboot_objects directory.
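
The settings from the help output (CERT_PASSWORD falling back to "password", the Secure Boot and HTTP switches, the bmc.sh credentials file and SECUREBOOT_DIR) can be checked before a build. This is an added example, not part of buildfw.sh or edk2-platforms; the function names preflight and private_only, the default ./bmc.sh path and the pass/fail policy are assumptions.

```shell
#!/bin/sh
# Added example (not part of buildfw.sh): pre-flight check for the settings
# listed in the --help output. The policy itself is an assumption.
# Usage: preflight ./bmc.sh && ./edk2-platforms/Platform/Ampere/buildfw.sh ...

# True when the file or directory grants nothing to group or other.
private_only() {
    case $(ls -ld "$1" 2>/dev/null) in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one "FAIL: ..." line per finding; returns 1 if there was any.
# $1 = path to bmc.sh (its location is an assumption, default ./bmc.sh)
preflight() {
    bmc_file=${1:-./bmc.sh}
    failed=0

    # The help text says CERT_PASSWORD defaults to "password" if not specified.
    if [ -z "${CERT_PASSWORD:-}" ] || [ "$CERT_PASSWORD" = "password" ]; then
        echo "FAIL: set CERT_PASSWORD to a non-default value"
        failed=1
    fi

    # Both options are listed with these defaults; flag a weakened override.
    if [ "${EDK2_SECURE_BOOT_ENABLE:-TRUE}" != "TRUE" ]; then
        echo "FAIL: EDK2_SECURE_BOOT_ENABLE is not TRUE"
        failed=1
    fi
    if [ "${EDK2_NETWORK_ALLOW_HTTP_CONNECTIONS:-FALSE}" != "FALSE" ]; then
        echo "FAIL: EDK2_NETWORK_ALLOW_HTTP_CONNECTIONS permits plain HTTP"
        failed=1
    fi

    # bmc.sh holds BMC_PASS, so only the owner should be able to read it.
    if [ -e "$bmc_file" ] && ! private_only "$bmc_file"; then
        echo "FAIL: $bmc_file is accessible to group/other (chmod 600)"
        failed=1
    fi

    # SECUREBOOT_DIR stores the generated keys; keep it owner-only as well.
    if [ -n "${SECUREBOOT_DIR:-}" ] && [ -d "$SECUREBOOT_DIR" ] \
        && ! private_only "$SECUREBOOT_DIR"; then
        echo "FAIL: $SECUREBOOT_DIR is accessible to group/other (chmod 700)"
        failed=1
    fi
    return $failed
}
```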