Update to EDK2 stable tag 202411 #38
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) 2021-2024, Pete Batard <pete@akeo.ie> | |
# SPDX-License-Identifier: BSD-3-Clause | |
name: UEFI firmware - EDK2 build | |
on: | |
push: | |
tags: | |
- '*' | |
env: | |
PROJECT_URL: https://github.com/pftf/RPi4 | |
RPI_FIRMWARE_URL: https://github.com/raspberrypi/firmware/ | |
ARCH: AARCH64 | |
COMPILER: GCC5 | |
GCC5_AARCH64_PREFIX: aarch64-linux-gnu- | |
# The following should usually be set to 'master' but, in case | |
# of a regression, a specific SHA-1 can be specified. | |
START_ELF_VERSION: master | |
# Set to pre HDMI/Audio changes per https://github.com/pftf/RPi4/issues/252 | |
DTB_VERSION: b49983637106e5fb33e2ae60d8c15a53187541e4 | |
DTBO_VERSION: master | |
jobs: | |
UEFI-Build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set version | |
id: set_version | |
run: echo "version=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT | |
- name: Set up Linux environment | |
run: | | |
sudo apt-get update | |
sudo apt-get install acpica-tools gcc-aarch64-linux-gnu | |
- name: Check out EDK2 repositories | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Set up EDK2 | |
run: make -C edk2/BaseTools | |
- name: Set up Secure Boot default keys | |
run: | | |
mkdir keys | |
# We don't really need a usable PK, so just generate a public key for it and discard the private key | |
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256 | |
curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek1.cer | |
curl -L https://go.microsoft.com/fwlink/?linkid=2239775 -o keys/ms_kek2.cer | |
curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer | |
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer | |
curl -L https://go.microsoft.com/fwlink/?linkid=2239776 -o keys/ms_db3.cer | |
curl -L https://go.microsoft.com/fwlink/?linkid=2239872 -o keys/ms_db4.cer | |
curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin | |
- name: Build UEFI firmware | |
run: | | |
export WORKSPACE=$PWD | |
export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-platforms:$WORKSPACE/edk2-non-osi | |
export BUILD_FLAGS="-D SECURE_BOOT_ENABLE=TRUE -D INCLUDE_TFTP_COMMAND=TRUE -D NETWORK_ISCSI_ENABLE=TRUE -D SMC_PCI_SUPPORT=1" | |
export TLS_DISABLE_FLAGS="-D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ALLOW_HTTP_CONNECTIONS=TRUE" | |
export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek1.cer -D KEK_DEFAULT_FILE2=$WORKSPACE/keys/ms_kek2.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DB_DEFAULT_FILE3=$WORKSPACE/keys/ms_db3.cer -D DB_DEFAULT_FILE4=$WORKSPACE/keys/ms_db4.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin" | |
# EDK2's 'build' command doesn't play nice with spaces in environmnent variables, so we can't move the PCDs there... | |
source edk2/edksetup.sh | |
for BUILD_TYPE in DEBUG RELEASE; do | |
build -a ${{ env.ARCH }} -t ${{ env.COMPILER }} -b $BUILD_TYPE -p edk2-platforms/Platform/RaspberryPi/RPi4/RPi4.dsc --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVendor=L"${{ env.PROJECT_URL }}" --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=L"UEFI Firmware ${{steps.set_version.outputs.version}}" ${BUILD_FLAGS} ${DEFAULT_KEYS} ${TLS_DISABLE_FLAGS} | |
TLS_DISABLE_FLAGS="" | |
done | |
cp Build/RPi4/RELEASE_${{ env.COMPILER }}/FV/RPI_EFI.fd . | |
- name: Upload UEFI firmware artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: RPi4 UEFI Firmware ${{ steps.set_version.outputs.version }} Artifacts | |
path: | | |
Build/RPi4/**/FV/RPI_EFI.fd | |
- name: Download Raspberry Pi support files | |
run: | | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.START_ELF_VERSION }}/boot/fixup4.dat | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.START_ELF_VERSION }}/boot/start4.elf | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-4-b.dtb | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-cm4.dtb | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-400.dtb | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTBO_VERSION }}/boot/overlays/miniuart-bt.dtbo | |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTBO_VERSION }}/boot/overlays/upstream-pi4.dtbo | |
mkdir overlays | |
mv *.dtbo overlays | |
- name: Create UEFI firmware archive | |
run: zip -r RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip RPI_EFI.fd *.dtb config.txt fixup4.dat start4.elf overlays Readme.md firmware | |
- name: Display SHA-256 | |
run: sha256sum Build/RPi4/*/FV/RPI_EFI.fd RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip | |
- name: Create release | |
id: create_release | |
uses: softprops/action-gh-release@v1 | |
with: | |
draft: false | |
prerelease: false | |
token: ${{ secrets.GITHUB_TOKEN }} | |
body: Raspberry Pi 4 UEFI Firmware ${{ steps.set_version.outputs.version }} | |
tag_name: ${{ steps.set_version.outputs.version }} | |
files: RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip |