[PATCH 1/2] boot/efibootguard: new boot package


Christopher Obbard

Dec 19, 2025, 5:50:16 PM
to buil...@buildroot.org, James Hilliard, Thomas Petazzoni, Yegor Yefremov, efibootg...@googlegroups.com, Christopher Obbard
This patch adds a new boot package to Buildroot for building the
efibootguard bootloader from the https://github.com/siemens/efibootguard
repository.

efibootguard can be chainloaded as an EFI application or used as a
standalone bootloader and can be useful when building A/B systems.

Add a recipe to build the EFI bootloader application, user-space
tooling & host tooling (both of which are used to manage efibootguard
configuration).

efibootguard supports multiple architectures, but for now only build
the EFI bootloader for x86_64.

Signed-off-by: Christopher Obbard <obb...@gmail.com>
---
DEVELOPERS | 3 +
boot/Config.in | 2 +
...e-segfault-when-building-with-busybox-ash.patch | 38 ++++++++++
...-parsing-and-checks-to-also-support-gnu-e.patch | 88 ++++++++++++++++++++++
boot/efibootguard/Config.in | 37 +++++++++
boot/efibootguard/Config.in.host | 8 ++
boot/efibootguard/efibootguard.hash | 3 +
boot/efibootguard/efibootguard.mk | 60 +++++++++++++++
8 files changed, 239 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 1b27df9beb..9b789b3023 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -689,6 +689,9 @@ F: package/perl-sys-mmap/
F: package/perl-time-parsedate/
F: package/perl-x10/

+N: Christopher Obbard <obb...@gmail.com>
+F: boot/efibootguard/
+
N: Clayton Shotwell <clayton....@collins.com>
F: package/audit/
F: package/checkpolicy/
diff --git a/boot/Config.in b/boot/Config.in
index d3e1b9c055..1aa1a4bfff 100644
--- a/boot/Config.in
+++ b/boot/Config.in
@@ -15,6 +15,8 @@ source "boot/barebox/Config.in"
source "boot/binaries-marvell/Config.in"
source "boot/boot-wrapper-aarch64/Config.in"
source "boot/edk2/Config.in"
+source "boot/efibootguard/Config.in"
+source "boot/efibootguard/Config.in.host"
source "boot/grub2/Config.in"
source "boot/mv-ddr-marvell/Config.in"
source "boot/mxs-bootlets/Config.in"
diff --git a/boot/efibootguard/0001-fix-resolve-segfault-when-building-with-busybox-ash.patch b/boot/efibootguard/0001-fix-resolve-segfault-when-building-with-busybox-ash.patch
new file mode 100644
index 0000000000..db301c8e93
--- /dev/null
+++ b/boot/efibootguard/0001-fix-resolve-segfault-when-building-with-busybox-ash.patch
@@ -0,0 +1,38 @@
+From f094a141df61c960bf7db4a26ab6a461438a2502 Mon Sep 17 00:00:00 2001
+From: Philip Schildkamp <philip.s...@uni-koeln.de>
+Date: Sun, 28 Sep 2025 13:29:46 +0200
+Subject: [PATCH] fix: resolve segfault when building with busybox/ash
+
+This patch resolves a segmentation fault caused by the configure script,
+when building efibootguard using the BusyBox shell ash. The segmentation
+fault seems to be caused by the BusyBox shell consuming the opening $((
+as the beginning of an arithmetic statement.
+
+To mitigate this, this patch simply inserts one space character between
+the opening double parenthesis, whereby the BusyBox shell no longer
+tries to parse this as an arithmetic expression.
+
+Signed-off-by: Philip Schildkamp <philip.s...@uni-koeln.de>
+Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
+
+Upstream: f094a141df61c960bf7db4a26ab6a461438a2502
+Signed-off-by: Christopher Obbard <obb...@gmail.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 038930b..d1c932b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -234,7 +234,7 @@ fi
+ # Note: gnu-efi introduced pkg-config with version 3.0.16
+ # GNU_EFI_VERSION resolves to gnu-efi's version without dots, e.g., GNU_EFI_VERSION=3016
+ # gnu-efi versions < 3.0.16 resolve to GNU_EFI_VERSION=0
+-AC_SUBST([GNU_EFI_VERSION], [$(($PKG_CONFIG --modversion "gnu-efi" 2>/dev/null || echo 0) | $TR -d '.' )])
++AC_SUBST([GNU_EFI_VERSION], [$( ($PKG_CONFIG --modversion "gnu-efi" 2>/dev/null || echo 0) | $TR -d '.' )])
+ AC_DEFINE_UNQUOTED([GNU_EFI_VERSION], [${GNU_EFI_VERSION}], [gnu-efi version])
+
+ AC_SUBST([OBJCOPY_HAS_EFI_APP_TARGET], [$($OBJCOPY --info | $GREP -q pei- 2>/dev/null && echo "true")])
+--
+2.51.0
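
Review bot: The `Upstream:` trailer in this bundled patch carries only the bare hash f094a141df61c960bf7db4a26ab6a461438a2502. A full commit link (https://github.com/siemens/efibootguard/commit/f094a141df61c960bf7db4a26ab6a461438a2502) lets a reader check the backport against upstream without having to know which repository the hash belongs to.
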
diff --git a/boot/efibootguard/0002-Fix-version-parsing-and-checks-to-also-support-gnu-e.patch b/boot/efibootguard/0002-Fix-version-parsing-and-checks-to-also-support-gnu-e.patch
new file mode 100644
index 0000000000..3cc22db75e
--- /dev/null
+++ b/boot/efibootguard/0002-Fix-version-parsing-and-checks-to-also-support-gnu-e.patch
@@ -0,0 +1,88 @@
+From 933dd15d71205ead6bc017740ad4618ee6c470ae Mon Sep 17 00:00:00 2001
+From: Christian Storm <christi...@siemens.com>
+Date: Thu, 20 Nov 2025 19:01:37 +0000
+Subject: [PATCH] Fix version parsing and checks to also support gnu-efi >= 4.0
+
+The current mechanism to parse gnu-efi's version is restricted to
+gnu-efi 3.x series. Improve the calculation to also account for
+gnu-efi 4.x series (and beyond).
+
+Reported-by: Andreas Tobler <andreas...@onway.ch>
+Signed-off-by: Christian Storm <christi...@siemens.com>
+Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
+
+Upstream: 933dd15d71205ead6bc017740ad4618ee6c470ae
+Signed-off-by: Christopher Obbard <obb...@gmail.com>
+---
+ configure.ac | 6 +++---
+ drivers/watchdog/wdfuncs_end.c | 2 +-
+ drivers/watchdog/wdfuncs_start.c | 2 +-
+ main.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d1c932b..7f22339 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -40,7 +40,7 @@ AC_PROG_CC
+ AC_CHECK_TOOL(LD, ld)
+ AC_CHECK_TOOL(OBJCOPY, objcopy)
+ AC_CHECK_TOOL(GREP, grep)
+-AC_CHECK_TOOL(TR, tr)
++AC_CHECK_TOOL(AWK, awk)
+
+ dnl Dont try to use things like -std=c99 for efi compilation
+ GNUEFI_CC=$CC
+@@ -232,9 +232,9 @@ if test "x$PKG_CONFIG" = "xno"; then
+ fi
+
+ # Note: gnu-efi introduced pkg-config with version 3.0.16
+-# GNU_EFI_VERSION resolves to gnu-efi's version without dots, e.g., GNU_EFI_VERSION=3016
++# GNU_EFI_VERSION resolves to gnu-efi's version without dots, e.g., GNU_EFI_VERSION=3000016
+ # gnu-efi versions < 3.0.16 resolve to GNU_EFI_VERSION=0
+-AC_SUBST([GNU_EFI_VERSION], [$( ($PKG_CONFIG --modversion "gnu-efi" 2>/dev/null || echo 0) | $TR -d '.' )])
++AC_SUBST([GNU_EFI_VERSION], [$( ($PKG_CONFIG --modversion "gnu-efi" 2>/dev/null || echo 0) | $AWK -F. '{print $1*1000000 + $2*1000 + $3}' )])
+ AC_DEFINE_UNQUOTED([GNU_EFI_VERSION], [${GNU_EFI_VERSION}], [gnu-efi version])
+
+ AC_SUBST([OBJCOPY_HAS_EFI_APP_TARGET], [$($OBJCOPY --info | $GREP -q pei- 2>/dev/null && echo "true")])
+diff --git a/drivers/watchdog/wdfuncs_end.c b/drivers/watchdog/wdfuncs_end.c
+index d19a0ab..f90ffc7 100644
+--- a/drivers/watchdog/wdfuncs_end.c
++++ b/drivers/watchdog/wdfuncs_end.c
+@@ -12,7 +12,7 @@
+ * SPDX-License-Identifier: GPL-2.0-only
+ */
+
+-#if GNU_EFI_VERSION < 3016
++#if GNU_EFI_VERSION < 3000016
+
+ #include <efi.h>
+ #include "utils.h"
+diff --git a/drivers/watchdog/wdfuncs_start.c b/drivers/watchdog/wdfuncs_start.c
+index bdf47f5..c627050 100644
+--- a/drivers/watchdog/wdfuncs_start.c
++++ b/drivers/watchdog/wdfuncs_start.c
+@@ -12,7 +12,7 @@
+ * SPDX-License-Identifier: GPL-2.0-only
+ */
+
+-#if GNU_EFI_VERSION < 3016
++#if GNU_EFI_VERSION < 3000016
+
+ #include <efi.h>
+ #include "utils.h"
+diff --git a/main.c b/main.c
+index 5d61385..b1bbc56 100644
+--- a/main.c
++++ b/main.c
+@@ -45,7 +45,7 @@ VOID register_watchdog(WATCHDOG_DRIVER *driver)
+
+ static EFI_STATUS probe_watchdogs(UINTN timeout)
+ {
+-#if GNU_EFI_VERSION < 3016
++#if GNU_EFI_VERSION < 3000016
+ const unsigned long *entry = wdfuncs_start;
+ for (entry++; entry < wdfuncs_end; entry++) {
+ ((void (*)(void))*entry)();
+--
+2.51.0
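
Review bot: In the configure.ac hunk of this backport the updated comment still describes GNU_EFI_VERSION as the version "without dots", but the awk expression now computes `$1*1000000 + $2*1000 + $3`, so 3.0.16 becomes 3000016 as a weighted number, not a dot-stripped string. Since the patch is carried verbatim from upstream, the wording is better fixed there than locally. It is worth a line in the Buildroot commit message that the three `#if GNU_EFI_VERSION < 3000016` sites depend on this encoding. The `Upstream:` trailer here is also a bare hash and would be easier to follow as a full commit URL.
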
diff --git a/boot/efibootguard/Config.in b/boot/efibootguard/Config.in
new file mode 100644
index 0000000000..47fd478e8b
--- /dev/null
+++ b/boot/efibootguard/Config.in
@@ -0,0 +1,37 @@
+config BR2_TARGET_EFIBOOTGUARD_ARCH_SUPPORTS
+ bool
+ default y if BR2_x86_64
+ depends on BR2_USE_MMU
+
+config BR2_TARGET_EFIBOOTGUARD
+ bool "efibootguard"
+ depends on BR2_TARGET_EFIBOOTGUARD_ARCH_SUPPORTS
+ depends on BR2_USE_WCHAR
+ select BR2_PACKAGE_GNU_EFI
+ select BR2_PACKAGE_PCIUTILS if BR2_TARGET_EFIBOOTGUARD_INSTALL_TOOLS
+ help
+ EFI Boot Guard is a UEFI bootloader intended for robust
+ A/B style updates. It arms a hardware watchdog before
+ handing over control to the OS and supports a fail-safe
+ boot mechanism to roll back if a boot attempt fails.
+
+ https://github.com/siemens/efibootguard
+
+if BR2_TARGET_EFIBOOTGUARD
+
+config BR2_TARGET_EFIBOOTGUARD_X86_64
+ bool "x86-64"
+ depends on BR2_x86_64
+ help
+ Select this option if the platform you're targeting has a
+ 64 bits EFI BIOS.
+
+config BR2_TARGET_EFIBOOTGUARD_INSTALL_TOOLS
+ bool "install tools"
+ help
+ Install the efibootguard user-space tools (e.g.
+ bg_printenv and bg_setenv) on the target. These tools
+ allow reading and updating efibootguard's configuration
+ in user-space.
+
+endif # BR2_TARGET_EFIBOOTGUARD
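
Review bot: `BR2_TARGET_EFIBOOTGUARD_X86_64` has no effect. efibootguard.mk never references it and installs `efibootguardx64.efi` unconditionally, while `BR2_TARGET_EFIBOOTGUARD_ARCH_SUPPORTS` already restricts the package to `BR2_x86_64`. Either drop the option until a second architecture exists or gate the image install on it. Separately, `depends on BR2_USE_WCHAR` has no matching `comment` entry, so on a toolchain without wchar the package disappears from the menu with no hint why. The help text "64 bits EFI BIOS" would read better as "64-bit UEFI firmware".
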
diff --git a/boot/efibootguard/Config.in.host b/boot/efibootguard/Config.in.host
new file mode 100644
index 0000000000..845c14c079
--- /dev/null
+++ b/boot/efibootguard/Config.in.host
@@ -0,0 +1,8 @@
+config BR2_TARGET_HOST_EFIBOOTGUARD
+ bool "host efibootguard"
+ help
+ Build efibootguard companion tools for the host. These
+ can be used during image creation to inspect and
+ modify the efibootguard configuration data.
+
+ https://github.com/siemens/efibootguard
diff --git a/boot/efibootguard/efibootguard.hash b/boot/efibootguard/efibootguard.hash
new file mode 100644
index 0000000000..48e03496ff
--- /dev/null
+++ b/boot/efibootguard/efibootguard.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256 f252e87b6acc74df34a0d894f2b5188fe797c2a2b7a14a231b9f224ad9b9de20 efibootguard-0.21.tar.gz
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/boot/efibootguard/efibootguard.mk b/boot/efibootguard/efibootguard.mk
new file mode 100644
index 0000000000..9fe8ff63a7
--- /dev/null
+++ b/boot/efibootguard/efibootguard.mk
@@ -0,0 +1,60 @@
+################################################################################
+#
+# efibootguard
+#
+################################################################################
+
+EFIBOOTGUARD_VERSION = 0.21
+EFIBOOTGUARD_SITE = $(call github,siemens,efibootguard,refs/tags/v$(EFIBOOTGUARD_VERSION))
+EFIBOOTGUARD_LICENSE = GPL-2.0-only
+EFIBOOTGUARD_LICENSE_FILES = COPYING
+
+EFIBOOTGUARD_DEPENDENCIES = \
+ gnu-efi \
+ host-autoconf-archive
+
+ifeq ($(BR2_TARGET_EFIBOOTGUARD_INSTALL_TOOLS),y)
+EFIBOOTGUARD_DEPENDENCIES += pciutils
+EFIBOOTGUARD_INSTALL_TARGET = YES
+else
+EFIBOOTGUARD_INSTALL_TARGET = NO
+endif
+
+EFIBOOTGUARD_INSTALL_IMAGES = YES
+
+EFIBOOTGUARD_AUTORECONF = YES
+
+EFIBOOTGUARD_AUTORECONF_OPTS = \
+ -I $(HOST_DIR)/share/autoconf-archive
+
+EFIBOOTGUARD_CONF_OPTS = \
+ --with-gnuefi-sys-dir=$(STAGING_DIR) \
+ --with-gnuefi-include-dir=$(STAGING_DIR)/usr/include/efi \
+ --with-gnuefi-lib-dir=$(STAGING_DIR)/usr/lib \
+ --disable-completion \
+ --disable-tests
+
+# TODO: Perhaps take inspiration from Debian patch https://salsa.debian.org/debian/efibootguard/-/blob/master/debian/patches/always-override-stack-protector-variables-in-EFI-bui.patch?ref_type=heads
+EFIBOOTGUARD_CONF_ENV = \
+ LDFLAGS="$(LDFLAGS) -no-pie"
+
+define EFIBOOTGUARD_INSTALL_IMAGES_CMDS
+ $(INSTALL) -d $(BINARIES_DIR)/efibootguard
+ $(INSTALL) -m 0644 $(@D)/efibootguardx64.efi $(BINARIES_DIR)/efibootguard/
+endef
+
+HOST_EFIBOOTGUARD_DEPENDENCIES = \
+ host-autoconf-archive
+
+HOST_EFIBOOTGUARD_AUTORECONF = YES
+
+HOST_EFIBOOTGUARD_AUTORECONF_OPTS = \
+ -I $(HOST_DIR)/share/autoconf-archive
+
+HOST_EFIBOOTGUARD_CONF_OPTS = \
+ --disable-bootloader \
+ --disable-completion \
+ --disable-tests
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
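
Review bot: `EFIBOOTGUARD_CONF_ENV` sets `LDFLAGS="$(LDFLAGS) -no-pie"`, but `$(LDFLAGS)` is not one of the target flag variables used elsewhere in this file (`$(STAGING_DIR)`, `$(HOST_DIR)`). If the intent is to append to the target linker flags, this should be `$(TARGET_LDFLAGS) -no-pie`; as written, the target flags are likely dropped. The TODO above it points at stack-protector overrides for the EFI build, so please state in a comment which toolchain hardening options are known to break the EFI binary. Also, the bundled configure.ac patches call `$PKG_CONFIG --modversion "gnu-efi"`, yet neither `EFIBOOTGUARD_DEPENDENCIES` nor `HOST_EFIBOOTGUARD_DEPENDENCIES` lists host-pkgconf.
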

--
2.51.0

Christopher Obbard

Dec 19, 2025, 5:50:16 PM
to buil...@buildroot.org, James Hilliard, Thomas Petazzoni, Yegor Yefremov, efibootg...@googlegroups.com, Christopher Obbard
This patch series adds support for the efibootguard bootloader
(https://github.com/siemens/efibootguard) to buildroot. efibootguard
can be useful when designing systems using A/B slot-based upgrades.

The first patch introduces the efibootguard bootloader package which
builds the EFI application, user-space applications and host
applications.

The second patch adds an example recipe which demonstrates how to use
efibootguard in a typical EFI boot scenario. This may serve as a
reference for users looking to integrate efibootguard into their system.

efibootguard can be built for multiple architectures, but for now this
patch series only builds for x86_64 (since that was what the project I
added efibootguard to used). Support for additional architectures
(including arm, aarch64 and riscv) will come in future follow-up patches.
I expect to do that once this series has been merged.

The example recipe has been boot-tested on QEMU with OVMF firmware and
I have confirmed the image boots & runs as expected.

Feedback welcome!

Signed-off-by: Christopher Obbard <obb...@gmail.com>
---
Christopher Obbard (2):
boot/efibootguard: new boot package
board/pc-efibootguard: add example efibootguard recipe

DEVELOPERS | 5 ++
board/pc-efibootguard/genimage.cfg | 59 +++++++++++++++
board/pc-efibootguard/linux-efistub.fragment | 4 +
board/pc-efibootguard/post-build.sh | 35 +++++++++
board/pc-efibootguard/post-image.sh | 7 ++
board/pc-efibootguard/readme.txt | 30 ++++++++
board/pc-efibootguard/run-image-qemu.sh | 9 +++
boot/Config.in | 2 +
...e-segfault-when-building-with-busybox-ash.patch | 38 ++++++++++
...-parsing-and-checks-to-also-support-gnu-e.patch | 88 ++++++++++++++++++++++
boot/efibootguard/Config.in | 37 +++++++++
boot/efibootguard/Config.in.host | 8 ++
boot/efibootguard/efibootguard.hash | 3 +
boot/efibootguard/efibootguard.mk | 60 +++++++++++++++
configs/pc_x86_64_efibootguard_defconfig | 51 +++++++++++++
15 files changed, 436 insertions(+)
---
base-commit: 11d6d10debc81a64de901ec0217b8103c0f366b0
change-id: 20250207-wip-obbardc-boot-efibootguard-initial-pkg-9d16e4b283fd

Best regards,
--
Christopher Obbard <obb...@gmail.com>

Christopher Obbard

Dec 19, 2025, 5:50:17 PM
to buil...@buildroot.org, James Hilliard, Thomas Petazzoni, Yegor Yefremov, efibootg...@googlegroups.com, Christopher Obbard
Add an example recipe (based on configs/pc_x86_64_efi_defconfig) to
generate an x86-64 image which boots the system using the efibootguard
bootloader. The recipe is an example of how to create an image using
efibootguard, including how to create the disk image & how to configure
efibootguard.

The created example image contains two boot slots; one of which contains
the kernel and the other is a dummy slot (e.g. cannot be booted from).

Also add instructions (and a silly script) to boot the example image
with QEMU.

Signed-off-by: Christopher Obbard <obb...@gmail.com>
---
DEVELOPERS | 2 +
board/pc-efibootguard/genimage.cfg | 59 ++++++++++++++++++++++++++++
board/pc-efibootguard/linux-efistub.fragment | 4 ++
board/pc-efibootguard/post-build.sh | 35 +++++++++++++++++
board/pc-efibootguard/post-image.sh | 7 ++++
board/pc-efibootguard/readme.txt | 30 ++++++++++++++
board/pc-efibootguard/run-image-qemu.sh | 9 +++++
configs/pc_x86_64_efibootguard_defconfig | 51 ++++++++++++++++++++++++
8 files changed, 197 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 9b789b3023..fee1ba423d 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -691,6 +691,8 @@ F: package/perl-x10/

N: Christopher Obbard <obb...@gmail.com>
F: boot/efibootguard/
+F: board/pc-efibootguard/
+F: configs/pc_x86_64_efibootguard_defconfig

N: Clayton Shotwell <clayton....@collins.com>
F: package/audit/
diff --git a/board/pc-efibootguard/genimage.cfg b/board/pc-efibootguard/genimage.cfg
new file mode 100644
index 0000000000..2437a89b63
--- /dev/null
+++ b/board/pc-efibootguard/genimage.cfg
@@ -0,0 +1,59 @@
+image EFI.vfat {
+ vfat {
+ file EFI/BOOT/BOOTX64.EFI {
+ image = "efibootguard/efibootguardx64.efi"
+ }
+ }
+
+ size = 16352K # 16MB - 32KB
+}
+
+image boot-a.vfat {
+ vfat {}
+
+ size = 128M
+ srcpath = "output/images/boot-a-part"
+}
+
+# # boot-b is a placeholder
+image boot-b.vfat {
+ vfat {}
+
+ size = 128M
+ srcpath = "output/images/boot-b-part"
+}
+
+image disk.img {
+ hdimage {
+ partition-table-type = "gpt"
+ }
+
+ partition EFI {
+ image = "EFI.vfat"
+ partition-type-uuid = esp
+ offset = 32K
+ bootable = true
+ }
+
+ partition boot-a {
+ partition-type-uuid = fat32
+ image = "boot-a.vfat"
+ }
+
+ partition boot-b {
+ partition-type-uuid = fat32
+ image = "boot-b.vfat"
+ }
+
+ partition system-a {
+ partition-type-uuid = root-x86-64
+ image = "rootfs.ext4"
+ size = 2G
+ }
+
+ # system-b is a placeholder
+ partition system-b {
+ partition-type-uuid = root-x86-64
+ size = 2G
+ }
+}
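
Review bot: The `srcpath = "output/images/boot-a-part"` and `boot-b-part` entries hardcode the default output directory, while post-build.sh writes those directories under `${BINARIES_DIR}`. With an out-of-tree build (`O=...`) the two no longer match and the slot images are built from the wrong place. Please derive the path from the images directory and not from a literal `output/images`. Minor: the `# # boot-b is a placeholder` comment has a stray second `#`.
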
diff --git a/board/pc-efibootguard/linux-efistub.fragment b/board/pc-efibootguard/linux-efistub.fragment
new file mode 100644
index 0000000000..82f757b098
--- /dev/null
+++ b/board/pc-efibootguard/linux-efistub.fragment
@@ -0,0 +1,4 @@
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_EFIVAR_FS=y
+CONFIG_EFI_PARTITION=y
diff --git a/board/pc-efibootguard/post-build.sh b/board/pc-efibootguard/post-build.sh
new file mode 100755
index 0000000000..7f5973cd39
--- /dev/null
+++ b/board/pc-efibootguard/post-build.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+BOARD_DIR=$(dirname "$0")
+
+# Kernel cmdline to append
+KERNEL_CMDLINE=""
+
+# Create efibootguard boot-a slot configuration
+mkdir -p ${BINARIES_DIR}/boot-a-part
+echo -n "boot-a" | iconv -f ascii -t UTF-16LE > ${BINARIES_DIR}/boot-a-part/EFILABEL
+${HOST_DIR}/bin/bg_setenv \
+ --verbose \
+ --watchdog=0 \
+ --filepath=${BINARIES_DIR}/boot-a-part/BGENV.DAT \
+ --revision=2 \
+ --ustate=OK \
+ --kernel="C:boot-a:bzImage" \
+ --args="root=PARTLABEL=system-a $KERNEL_CMDLINE"
+
+# Create efibootguard boot-a slot configuration (unbootable)
+mkdir -p ${BINARIES_DIR}/boot-b-part
+echo -n "boot-b" | iconv -f ascii -t UTF-16LE > ${BINARIES_DIR}/boot-b-part/EFILABEL
+${HOST_DIR}/bin/bg_setenv \
+ --verbose \
+ --watchdog=0 \
+ --filepath=${BINARIES_DIR}/boot-b-part/BGENV.DAT \
+ --revision=1 \
+ --ustate=FAILED \
+ --kernel="C:boot-b:bzImage" \
+ --args="root=PARTLABEL=system-b $KERNEL_CMDLINE"
+
+# Copy kernel into boot-a.
+cp ${BINARIES_DIR}/bzImage ${BINARIES_DIR}/boot-a-part/
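
Review bot: The second block is commented "Create efibootguard boot-a slot configuration (unbootable)" but it writes `boot-b-part`; the comment should say boot-b. `BOARD_DIR` is assigned and never used. The `${BINARIES_DIR}` and `${HOST_DIR}` expansions are unquoted, so a path containing spaces breaks the script under `set -e`. `echo -n` is not portable under `#!/bin/sh`; `printf 'boot-a'` is. Both slots are written with `--watchdog=0`, so the example never arms the watchdog that the package help text describes; a comment saying this is deliberate for QEMU would help anyone who copies the recipe to real hardware.
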
diff --git a/board/pc-efibootguard/post-image.sh b/board/pc-efibootguard/post-image.sh
new file mode 100755
index 0000000000..eec88f707d
--- /dev/null
+++ b/board/pc-efibootguard/post-image.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+UUID=$(dumpe2fs "$BINARIES_DIR/rootfs.ext2" 2>/dev/null | sed -n 's/^Filesystem UUID: *\(.*\)/\1/p')
+sed "s/UUID_TMP/$UUID/g" board/pc-efibootguard/genimage.cfg > "$BINARIES_DIR/genimage.cfg"
+support/scripts/genimage.sh -c "$BINARIES_DIR/genimage.cfg"
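
Review bot: The `dumpe2fs` and `sed "s/UUID_TMP/$UUID/g"` steps have nothing to act on. The genimage.cfg added in this patch contains no `UUID_TMP` token, and the root partition is selected with `root=PARTLABEL=system-a` in post-build.sh, not by filesystem UUID. Dropping both lines and passing the board's genimage.cfg straight to `support/scripts/genimage.sh -c` would remove the dead code. The relative `board/pc-efibootguard/genimage.cfg` path also assumes the working directory is the Buildroot top level; `$(dirname "$0")` is more robust.
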
diff --git a/board/pc-efibootguard/readme.txt b/board/pc-efibootguard/readme.txt
new file mode 100644
index 0000000000..d3eeb9793a
--- /dev/null
+++ b/board/pc-efibootguard/readme.txt
@@ -0,0 +1,30 @@
+EFI Boot Guard Example Recipe
+=============================
+
+1. Build
+
+ Build the image:
+
+ $ make pc_x86_64_efibootguard_defconfig
+
+ Add any additional packages required and build:
+
+ $ make
+
+Emulation in qemu
+=================
+
+Run the emulation with:
+
+qemu-system-x86_64 \
+ -M pc \
+ -drive if=pflash,format=raw,readonly=on,file=</path/to/OVMF_CODE.fd> \
+ -drive file=output/images/disk.img,if=virtio,format=raw \
+ -boot menu=on \
+ -net nic,model=virtio \
+ -net user
+
+Note that </path/to/OVMF.fd> needs to point to a valid x86_64 UEFI
+firmware image for qemu. It may be provided by your distribution as a
+edk2 or OVMF package, in a path such as /usr/share/OVMF/OVMF_CODE_4M.fd
+(for Debian).
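
Review bot: The command line uses the placeholder `</path/to/OVMF_CODE.fd>` but the note below it refers to `</path/to/OVMF.fd>`; the two should match. The "1. Build" heading is numbered while "Emulation in qemu" is not, and the readme never mentions the run-image-qemu.sh script added in the same patch. It would also help to state that the second slot is intentionally unbootable, as the commit message does.
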
diff --git a/board/pc-efibootguard/run-image-qemu.sh b/board/pc-efibootguard/run-image-qemu.sh
new file mode 100755
index 0000000000..32be727c3e
--- /dev/null
+++ b/board/pc-efibootguard/run-image-qemu.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+qemu-system-x86_64 \
+ -M pc \
+ -drive if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE_4M.fd \
+ -drive file=output/images/disk.img,if=virtio,format=raw \
+ -boot menu=on \
+ -net nic,model=virtio \
+ -net user
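
Review bot: The firmware path `/usr/share/OVMF/OVMF_CODE_4M.fd` is hardcoded to the Debian location that readme.txt gives only as an example, and `output/images/disk.img` assumes both the default output directory and the current working directory. Taking the firmware path from an environment variable with this value as the default, and the image path from an argument, would make the script usable on other distributions and with `O=` builds. The script also duplicates the command in readme.txt, so one of the two should refer to the other.
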
diff --git a/configs/pc_x86_64_efibootguard_defconfig b/configs/pc_x86_64_efibootguard_defconfig
new file mode 100644
index 0000000000..276c628e18
--- /dev/null
+++ b/configs/pc_x86_64_efibootguard_defconfig
@@ -0,0 +1,51 @@
+BR2_x86_64=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
+BR2_GLOBAL_PATCH_DIR="board/pc/patches"
+BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
+BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
+BR2_TARGET_GENERIC_GETTY_PORT="tty1"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/pc-efibootguard/post-build.sh"
+BR2_ROOTFS_POST_IMAGE_SCRIPT="board/pc-efibootguard/post-image.sh"
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.12.47"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/pc-efibootguard/linux-efistub.fragment"
+BR2_LINUX_KERNEL_INSTALL_TARGET=y
+BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
+BR2_PACKAGE_LINUX_FIRMWARE=y
+BR2_PACKAGE_LINUX_FIRMWARE_ATHEROS_9170=y
+BR2_PACKAGE_LINUX_FIRMWARE_ATHEROS_9271=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_3160=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_3168=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_5000=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_6000G2A=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_6000G2B=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_7260=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_7265D=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_8000C=y
+BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_8265=y
+BR2_PACKAGE_LINUX_FIRMWARE_RALINK_RT73=y
+BR2_PACKAGE_LINUX_FIRMWARE_RALINK_RT2XX=y
+BR2_PACKAGE_LINUX_FIRMWARE_RTL_81XX=y
+BR2_PACKAGE_LINUX_FIRMWARE_RTL_87XX=y
+BR2_PACKAGE_LINUX_FIRMWARE_RTL_88XX=y
+BR2_PACKAGE_LINUX_FIRMWARE_RTL_8169=y
+BR2_PACKAGE_ACPID=y
+BR2_PACKAGE_CONNMAN=y
+BR2_PACKAGE_CONNMAN_WIFI=y
+BR2_PACKAGE_CONNMAN_CLIENT=y
+BR2_PACKAGE_WIRELESS_REGDB=y
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_4=y
+BR2_TARGET_ROOTFS_EXT2_SIZE="120M"
+# BR2_TARGET_ROOTFS_TAR is not set
+BR2_TARGET_EFIBOOTGUARD=y
+BR2_TARGET_EFIBOOTGUARD_X86_64=y
+BR2_TARGET_EFIBOOTGUARD_INSTALL_TOOLS=y
+BR2_TARGET_HOST_EFIBOOTGUARD=y
+BR2_PACKAGE_HOST_DOSFSTOOLS=y
+BR2_PACKAGE_HOST_GENIMAGE=y
+BR2_PACKAGE_HOST_MTOOLS=y
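
Review bot: The `BR2_PACKAGE_LINUX_FIRMWARE_*` block, `BR2_PACKAGE_CONNMAN*` and `BR2_PACKAGE_WIRELESS_REGDB` are unrelated to demonstrating efibootguard, and the image is described as tested on QEMU only. Trimming them keeps the example focused and the build shorter. `BR2_GLOBAL_PATCH_DIR="board/pc/patches"` and `BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"` tie this defconfig to another board's directory; a note in readme.txt about that dependency would help whoever changes board/pc later.
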

--
2.51.0
