Skip to content

Update to EDK2 stable tag 202411 #38

Update to EDK2 stable tag 202411

Update to EDK2 stable tag 202411 #38

Workflow file for this run

# Copyright (c) 2021-2024, Pete Batard <pete@akeo.ie>
# SPDX-License-Identifier: BSD-3-Clause
name: UEFI firmware - EDK2 build
on:
push:
tags:
- '*'
env:
PROJECT_URL: https://github.com/pftf/RPi4
RPI_FIRMWARE_URL: https://github.com/raspberrypi/firmware/
ARCH: AARCH64
COMPILER: GCC5
GCC5_AARCH64_PREFIX: aarch64-linux-gnu-
# The following should usually be set to 'master' but, in case
# of a regression, a specific SHA-1 can be specified.
START_ELF_VERSION: master
# Set to pre HDMI/Audio changes per https://github.com/pftf/RPi4/issues/252
DTB_VERSION: b49983637106e5fb33e2ae60d8c15a53187541e4
DTBO_VERSION: master
jobs:
UEFI-Build:
runs-on: ubuntu-latest
steps:
- name: Set version
id: set_version
run: echo "version=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
- name: Set up Linux environment
run: |
sudo apt-get update
sudo apt-get install acpica-tools gcc-aarch64-linux-gnu
- name: Check out EDK2 repositories
uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up EDK2
run: make -C edk2/BaseTools
- name: Set up Secure Boot default keys
run: |
mkdir keys
# We don't really need a usable PK, so just generate a public key for it and discard the private key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256
curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek1.cer
curl -L https://go.microsoft.com/fwlink/?linkid=2239775 -o keys/ms_kek2.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer
curl -L https://go.microsoft.com/fwlink/?linkid=2239776 -o keys/ms_db3.cer
curl -L https://go.microsoft.com/fwlink/?linkid=2239872 -o keys/ms_db4.cer
curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin
- name: Build UEFI firmware
run: |
export WORKSPACE=$PWD
export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-platforms:$WORKSPACE/edk2-non-osi
export BUILD_FLAGS="-D SECURE_BOOT_ENABLE=TRUE -D INCLUDE_TFTP_COMMAND=TRUE -D NETWORK_ISCSI_ENABLE=TRUE -D SMC_PCI_SUPPORT=1"
export TLS_DISABLE_FLAGS="-D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ALLOW_HTTP_CONNECTIONS=TRUE"
export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek1.cer -D KEK_DEFAULT_FILE2=$WORKSPACE/keys/ms_kek2.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DB_DEFAULT_FILE3=$WORKSPACE/keys/ms_db3.cer -D DB_DEFAULT_FILE4=$WORKSPACE/keys/ms_db4.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin"
# EDK2's 'build' command doesn't play nice with spaces in environmnent variables, so we can't move the PCDs there...
source edk2/edksetup.sh
for BUILD_TYPE in DEBUG RELEASE; do
build -a ${{ env.ARCH }} -t ${{ env.COMPILER }} -b $BUILD_TYPE -p edk2-platforms/Platform/RaspberryPi/RPi4/RPi4.dsc --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVendor=L"${{ env.PROJECT_URL }}" --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=L"UEFI Firmware ${{steps.set_version.outputs.version}}" ${BUILD_FLAGS} ${DEFAULT_KEYS} ${TLS_DISABLE_FLAGS}
TLS_DISABLE_FLAGS=""
done
cp Build/RPi4/RELEASE_${{ env.COMPILER }}/FV/RPI_EFI.fd .
- name: Upload UEFI firmware artifacts
uses: actions/upload-artifact@v4
with:
name: RPi4 UEFI Firmware ${{ steps.set_version.outputs.version }} Artifacts
path: |
Build/RPi4/**/FV/RPI_EFI.fd
- name: Download Raspberry Pi support files
run: |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.START_ELF_VERSION }}/boot/fixup4.dat
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.START_ELF_VERSION }}/boot/start4.elf
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-4-b.dtb
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-cm4.dtb
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2711-rpi-400.dtb
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTBO_VERSION }}/boot/overlays/miniuart-bt.dtbo
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTBO_VERSION }}/boot/overlays/upstream-pi4.dtbo
mkdir overlays
mv *.dtbo overlays
- name: Create UEFI firmware archive
run: zip -r RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip RPI_EFI.fd *.dtb config.txt fixup4.dat start4.elf overlays Readme.md firmware
- name: Display SHA-256
run: sha256sum Build/RPi4/*/FV/RPI_EFI.fd RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip
- name: Create release
id: create_release
uses: softprops/action-gh-release@v1
with:
draft: false
prerelease: false
token: ${{ secrets.GITHUB_TOKEN }}
body: Raspberry Pi 4 UEFI Firmware ${{ steps.set_version.outputs.version }}
tag_name: ${{ steps.set_version.outputs.version }}
files: RPi4_UEFI_Firmware_${{ steps.set_version.outputs.version }}.zip