environment/bin/recipes/edk2/make


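#!/usr/bin/env bash
#
# Build the KeyTool EFI application from a pinned EDK2 checkout using
# Homebrew's LLVM toolchain, then convert the two Microsoft 2023 certificates
# to DER so they can be enrolled as KEK and db entries.
#
# Run this from the directory that holds the two .crt files: ./edk2 and
# ./output in the current directory are deleted and recreated.
#
# `set -e` / `set -u` are deliberately not enabled: edksetup.sh is sourced
# into this shell and is not known to be safe under them, so every critical
# step is checked explicitly instead.

readonly EDK2_REPO="https://github.com/tianocore/edk2.git"
# Full commit hash: pins the firmware sources so the build input cannot move.
readonly EDK2_COMMIT="fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae"

# Print a message on stderr and abort with a non-zero status.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Abort unless tool $1 resolves on PATH to a path under one of the prefix
# directories given as the remaining arguments. Prints the resolved path.
require_tool_under() {
  local tool=$1 resolved prefix
  shift
  resolved=$(command -v "$tool") || die "$tool not found on PATH"
  printf '%s\n' "$resolved"
  for prefix in "$@"; do
    if [[ "$resolved" == "$prefix"/* ]]; then
      return 0
    fi
  done
  die "$tool resolves to $resolved, expected it under: $*"
}

# Convert PEM certificate $1 to DER file $2 and print the subject and SHA-256
# fingerprint of the result. These files become Secure Boot trust anchors, so
# compare the printed fingerprint with the value published by the issuer
# before enrolling them.
convert_cert() {
  local pem=$1 der=$2
  [[ -f "$pem" ]] || die "certificate not found: $pem"
  openssl x509 -in "$pem" -outform DER -out "$der" \
    || die "cannot convert $pem to DER"
  openssl x509 -in "$der" -inform DER -noout -subject -fingerprint -sha256 \
    || die "cannot read back $der"
}

# Start from a clean tree so no stale sources or artifacts leak into the build.
rm -rf -- edk2 output || die "cannot remove previous edk2/output directories"

git clone "$EDK2_REPO" || die "git clone failed"
# Without this check a failed clone would let the following git and make
# commands run in whatever directory the script was started from.
cd edk2 || die "cannot enter edk2 checkout"
git checkout "$EDK2_COMMIT" || die "cannot check out $EDK2_COMMIT"
[[ "$(git rev-parse HEAD)" == "$EDK2_COMMIT" ]] \
  || die "HEAD is not the pinned commit $EDK2_COMMIT"

# 0) Make sure LLVM is installed. A brew failure is only a warning here; the
#    tool checks in step 3 are the hard gate.
brew install llvm acpica nasm || printf 'warning: brew install failed\n' >&2
brew install lld || printf 'warning: brew install lld failed\n' >&2

# 1) Point PATH and tool vars to Homebrew's LLVM (Apple Silicon path shown)
export LLVM_PREFIX="/opt/homebrew/opt/llvm" # Intel Macs: /usr/local/opt/llvm
export LLD_PREFIX="/opt/homebrew/opt/lld"
export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH"
hash -r

# 2) Explicitly select LLVM tools so EDK2 doesn't fall back to Apple's
export CC="$LLVM_PREFIX/bin/clang"
export CXX="$LLVM_PREFIX/bin/clang++"
export LD="$LLD_PREFIX/bin/ld.lld"
export AR="$LLVM_PREFIX/bin/llvm-ar"
export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib"
export NM="$LLVM_PREFIX/bin/llvm-nm"
export STRIP="$LLVM_PREFIX/bin/llvm-strip"
export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy"
export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump"

# 3) Sanity check - enforced rather than just printed: the firmware tool must
#    be built by the toolchain selected above, not by whatever is first on PATH.
require_tool_under clang "$LLVM_PREFIX/bin"
clang --version || die "clang does not run"
require_tool_under ld.lld "$LLD_PREFIX/bin" "$LLVM_PREFIX/bin"
require_tool_under llvm-ar "$LLVM_PREFIX/bin"

# 4) Rebuild tools & firmware
make -C BaseTools -j || die "BaseTools build failed"
# The status of the sourced script is not checked; if it did not set up the
# environment, the build command below fails and aborts the script.
# shellcheck source=/dev/null
source ./edksetup.sh
build -a AARCH64 -t CLANGDWARF \
  -p ShellPkg/ShellPkg.dsc \
  -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
  -b RELEASE || die "KeyTool build failed"
cd .. || die "cannot leave edk2 checkout"

# Stage the directory that is later exposed to the VM as a FAT drive.
# NOTE(review): KeyTool.efi is not copied into output/keys/EFI/Boot here;
# presumably that is done by hand - confirm.
mkdir -p output/keys/EFI/Boot || die "cannot create output/keys/EFI/Boot"
convert_cert "microsoft corporation kek 2k ca 2023.crt" output/keys/kek2023.cer
convert_cert "windows uefi ca 2023.crt" output/keys/db2023.cer

# Machine-specific convenience (opens a Finder window); not fatal elsewhere.
open /Users/artur/projs/edk2 \
  || printf 'warning: could not open /Users/artur/projs/edk2\n' >&2
exit 0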
# NOTE: nothing from here to the end of the file executes - the script has
# already left through `exit 0`. The commands and notes are kept as a
# reference for building a Secure Boot capable QEMU firmware and enrolling
# the converted certificates.
# NOTE(review): the paths below look relative to the edk2 checkout, while the
# script has already done `cd ..` by this point - if this part is re-enabled,
# run it from inside edk2/ after sourcing edksetup.sh.
#
# (Optional) clean the previous failed build to avoid stale flags/objects
rm -rf Build/ArmVirtQemu-AARCH64
build -a AARCH64 \
-t CLANGDWARF \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-D SECURE_BOOT_ENABLE=TRUE \
-b DEBUG
# Firmware images of the Windows 11 ARM64 VM (machine-specific paths):
# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd"
# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd"
# # Make blank 64 MiB raws
# qemu-img create -f raw QEMU_EFI-pflash.raw 64M
# qemu-img create -f raw QEMU_VARS-pflash.raw 64M
# # Copy firmware into the front of each file without truncating the 64 MiB size
# dd if="$CODE" of=QEMU_EFI-pflash.raw conv=notrunc
# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc
# # Confirm size is exactly 67108864 bytes
# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw
#
# Microsoft's Secure Boot key guidance, followed by two links that are
# presumably the downloads for the two 2023 certificates - confirm. Whatever
# the source, check each certificate's SHA-256 fingerprint against the
# published value before enrolling it: these files become trust anchors.
# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
# https://go.microsoft.com/fwlink/?linkid=2239775
# https://go.microsoft.com/fwlink/?linkid=2239776
#
# QEMU arguments that expose the keys directory to the guest as a USB FAT
# drive. `rw` lets the guest write into the host directory; drop it if
# KeyTool only needs to read the certificates.
# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys
# -device usb-storage,drive=mskeys
#
# 5. Enroll the certs in firmware
# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi.
# In KeyTool:
# Go to Edit Keys -> KEK -> Add New Key, pick kek2023.cer.
# Go to Edit Keys -> db -> Add New Key, pick db2023.cer.
# If no PK is present yet, you must enroll a Platform Key (PK) first (can be
# self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure
# Boot remains "greyed out."
# Whoever holds the PK private key can authorize KEK changes, so keep a
# self-generated PK key out of the shared keys directory and off the guest.
# After PK + KEK + DB are enrolled, reboot -> go into firmware setup -> the
# Secure Boot option will be toggleable -> set it to Enabled.
# Now Windows 11 installer/bootloader should run under Secure Boot.
# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3