Dasharo · pietrushnic · Nov 8, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023
diff --git a/.github/scripts/build-ipxe.sh b/.github/scripts/build-ipxe.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+export CROSS_COMPILE="x86_64-elf-"
+make -C src bin-x86_64-efi-sb/ipxe.efi EMBED=$PWD/dasharo.ipxe BUILD_ID_CMD="echo 0x1234567890" \
+  EXTRA_CFLAGS="-Wno-address-of-packed-member  -m64  -fuse-ld=bfd \
+  -Wl,--build-id=none -fno-delete-null-pointer-checks -Wlogical-op -march=nocona \
+  -malign-data=abi -mcmodel=large -mno-red-zone -fno-pic"
+
diff --git a/.github/scripts/build-qemu.sh b/.github/scripts/build-qemu.sh
@@ -5,6 +5,7 @@ source ./edksetup.sh
 
 export EDK2_PLATFORMS_PATH="$WORKSPACE/edk2-platforms"
 export PACKAGES_PATH="$WORKSPACE:\
+$WORKSPACE/ipxe/src/bin-x86_64-efi-sb:\
 $EDK2_PLATFORMS_PATH/Platform/Intel:\
 $EDK2_PLATFORMS_PATH/Silicon/Intel:\
 $EDK2_PLATFORMS_PATH/Features/Intel:\

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - dasharo
     tags:
-      - 'dasharo_qemu_v*'
+      - 'qemu_q35_v*'
   pull_request:
     branches:
       - dasharo
@@ -27,6 +27,24 @@ jobs:
         git checkout 3323ed481d35096fb6a7eae7b49f35eff00f86cf && \
         cd -
 
+    - name: Clone iPXE Repository
+      run: |
+        git clone https://git.ipxe.org/ipxe.git && \
+        cd ipxe && \
+        git checkout 4bffe0f0d9d0e1496ae5cfb7579e813277c29b0f && \
+        sed -i 's|//#define\s*IMAGE_SCRIPT.*|#define IMAGE_SCRIPT|' "src/config/general.h" && \
+        sed -i 's|.*DOWNLOAD_PROTO_HTTPS|#define DOWNLOAD_PROTO_HTTPS|g'  "src/config/general.h" && \
+        wget https://raw.githubusercontent.com/Dasharo/dasharo-blobs/main/dasharo/dasharo.ipxe && \
+        cd -
+
+    - name: Build iPXE
+      run: |
+        docker run --rm -i -v $PWD/ipxe:/home/coreboot/ipxe:rw \
+          -v $PWD/.github:/home/coreboot/ipxe/.github \
+          -u $(id -u):$(id -g) -w /home/coreboot/ipxe \
+          coreboot/coreboot-sdk:2021-09-23_b0d87f753c \
+         ./.github/scripts/build-ipxe.sh
+
     - name: Build OVMF Firmware Image
       run: |
         docker run --rm -i -v $PWD:/home/coreboot/coreboot:rw \

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -229,7 +229,8 @@ VOID
 PlatformRegisterFvBootOption (
   EFI_GUID                         *FileGuid,
   CHAR16                           *Description,
-  UINT32                           Attributes
+  UINT32                           Attributes,
+  BOOLEAN                          BootNow
   )
 {
   EFI_STATUS                        Status;
@@ -270,6 +271,9 @@ PlatformRegisterFvBootOption (
   ASSERT_EFI_ERROR (Status);
   FreePool (DevicePath);
 
+  if (BootNow)
+    EfiBootManagerBoot (&NewOption);
+
   BootOptions = EfiBootManagerGetLoadOptions (
                   &BootOptionCount, LoadOptionTypeBoot
                   );
@@ -286,6 +290,68 @@ PlatformRegisterFvBootOption (
   EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
 }
 
+VOID
+PlatformUnregisterFvBootOption (
+  EFI_GUID                         *FileGuid,
+  CHAR16                           *Description,
+  UINT32                           Attributes
+  )
+{
+  EFI_STATUS                        Status;
+  INTN                              OptionIndex;
+  EFI_BOOT_MANAGER_LOAD_OPTION      NewOption;
+  EFI_BOOT_MANAGER_LOAD_OPTION      *BootOptions;
+  UINTN                             BootOptionCount;
+  MEDIA_FW_VOL_FILEPATH_DEVICE_PATH FileNode;
+  EFI_LOADED_IMAGE_PROTOCOL         *LoadedImage;
+  EFI_DEVICE_PATH_PROTOCOL          *DevicePath;
+
+  Status = gBS->HandleProtocol (
+                  gImageHandle,
+                  &gEfiLoadedImageProtocolGuid,
+                  (VOID **) &LoadedImage
+                  );
+  ASSERT_EFI_ERROR (Status);
+
+  EfiInitializeFwVolDevicepathNode (&FileNode, FileGuid);
+  DevicePath = DevicePathFromHandle (LoadedImage->DeviceHandle);
+  ASSERT (DevicePath != NULL);
+  DevicePath = AppendDevicePathNode (
+                 DevicePath,
+                 (EFI_DEVICE_PATH_PROTOCOL *) &FileNode
+                 );
+  ASSERT (DevicePath != NULL);
+
+  Status = EfiBootManagerInitializeLoadOption (
+             &NewOption,
+             LoadOptionNumberUnassigned,
+             LoadOptionTypeBoot,
+             Attributes,
+             Description,
+             DevicePath,
+             NULL,
+             0
+             );
+  ASSERT_EFI_ERROR (Status);
+  FreePool (DevicePath);
+
+  BootOptions = EfiBootManagerGetLoadOptions (
+                  &BootOptionCount, LoadOptionTypeBoot
+                  );
+
+  OptionIndex = EfiBootManagerFindLoadOption (
+                  &NewOption, BootOptions, BootOptionCount
+                  );
+
+  if (OptionIndex >= 0 && OptionIndex < BootOptionCount) {
+    Status = EfiBootManagerDeleteLoadOptionVariable (BootOptions[OptionIndex].OptionNumber,
+                                                     BootOptions[OptionIndex].OptionType);
+    ASSERT_EFI_ERROR (Status);
+  }
+  EfiBootManagerFreeLoadOption (&NewOption);
+  EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
+}
+
 /**
   Remove all MemoryMapped(...)/FvFile(...) and Fv(...)/FvFile(...) boot options
   whose device paths do not resolve exactly to an FvFile in the system.
@@ -1633,6 +1699,9 @@ PlatformBootManagerAfterConsole (
   )
 {
   EFI_BOOT_MODE                      BootMode;
+  BOOLEAN                            NetBootEnabled;
+  UINTN                              VarSize;
+  EFI_STATUS                         Status;
 
   DEBUG ((EFI_D_INFO, "PlatformBootManagerAfterConsole\n"));
 
@@ -1692,11 +1761,48 @@ PlatformBootManagerAfterConsole (
 
   EfiBootManagerRefreshAllBootOption ();
 
+  VarSize = sizeof (NetBootEnabled);
+  Status = gRT->GetVariable (
+      L"NetworkBoot",
+      &gDasharoSystemFeaturesGuid,
+      NULL,
+      &VarSize,
+      &NetBootEnabled
+      );
+
+  //
+  // Register iPXE
+  //
+  if ((Status != EFI_NOT_FOUND) && (VarSize == sizeof(NetBootEnabled))) {
+    if (NetBootEnabled) {
+      DEBUG((DEBUG_INFO, "Registering iPXE boot option by variable\n"));
+      PlatformRegisterFvBootOption (PcdGetPtr (PcdiPXEFile),
+                                    (CHAR16 *) PcdGetPtr(PcdiPXEOptionName),
+                                    LOAD_OPTION_ACTIVE,
+                                    FALSE);
+    } else {
+        DEBUG((DEBUG_INFO, "Unregistering iPXE boot option by variable\n"));
+        PlatformUnregisterFvBootOption (PcdGetPtr (PcdiPXEFile),
+                                        (CHAR16 *) PcdGetPtr(PcdiPXEOptionName),
+                                        LOAD_OPTION_ACTIVE);
+    }
+  } else if ((Status == EFI_NOT_FOUND) && FixedPcdGetBool(PcdDefaultNetworkBootEnable)) {
+    DEBUG((DEBUG_INFO, "Registering iPXE boot option by policy\n"));
+    PlatformRegisterFvBootOption (PcdGetPtr (PcdiPXEFile),
+                                  (CHAR16 *) PcdGetPtr(PcdiPXEOptionName),
+                                  LOAD_OPTION_ACTIVE,
+                                  FALSE);
+  } else {
+    DEBUG((DEBUG_INFO, "Unregistering iPXE boot option\n"));
+    PlatformUnregisterFvBootOption (PcdGetPtr (PcdiPXEFile),
+                                    (CHAR16 *) PcdGetPtr(PcdiPXEOptionName),
+                                    LOAD_OPTION_ACTIVE);
+  }
   //
   // Register UEFI Shell
   //
   PlatformRegisterFvBootOption (
-    &gUefiShellFileGuid, L"UEFI Shell", LOAD_OPTION_ACTIVE
+    &gUefiShellFileGuid, L"UEFI Shell", LOAD_OPTION_ACTIVE, FALSE
     );
 
   RemoveStaleFvFileOptions ();

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -33,6 +33,8 @@
   OvmfPkg/OvmfPkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
+  UefiPayloadPkg/UefiPayloadPkg.dec
+  DasharoModulePkg/DasharoModulePkg.dec
 
 [LibraryClasses]
   BaseLib
@@ -61,6 +63,9 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+  gUefiPayloadPkgTokenSpaceGuid.PcdiPXEFile
+  gUefiPayloadPkgTokenSpaceGuid.PcdiPXEOptionName
+  gDasharoSystemFeaturesTokenSpaceGuid.PcdDefaultNetworkBootEnable
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate         ## CONSUMES
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits         ## CONSUMES
@@ -84,3 +89,4 @@
   gRootBridgesConnectedEventGroupGuid
   gUefiShellFileGuid
   gEfiTtyTermGuid
+  gDasharoSystemFeaturesGuid
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
@@ -45,12 +45,29 @@
   #
   # Network definition
   #
+  DEFINE NETWORK_PXE_BOOT               = FALSE
+  DEFINE NETWORK_ENABLE                 = FALSE
   DEFINE NETWORK_TLS_ENABLE             = FALSE
   DEFINE NETWORK_IP6_ENABLE             = FALSE
+  DEFINE NETWORK_IP4_ENABLE             = TRUE
+  DEFINE NETWORK_LAN_ROM                = FALSE
+
+!if $(NETWORK_PXE_BOOT) == TRUE
+  DEFINE NETWORK_SNP_ENABLE             = TRUE
   DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
+  DEFINE NETWORK_ISCSI_ENABLE           = FALSE
+!else
+  DEFINE NETWORK_SNP_ENABLE             = FALSE
+  DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
+!endif
 
 !include NetworkPkg/NetworkDefines.dsc.inc
+  #
+  # IPXE support
+  #
+  DEFINE NETWORK_IPXE                   = TRUE
 
   #
   # Device drivers

diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
@@ -319,6 +319,18 @@ INF MdeModulePkg/Logo/LogoDxe.inf
 !include NetworkPkg/Network.fdf.inc
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
+#
+# iPXE support
+#
+!if $(NETWORK_IPXE) == TRUE
+  #
+  # build system or user should put the ipxe.efi file here before EDK2 build
+  #
+  FILE FREEFORM = B68653C7-EEA1-4435-A199-A44F59E4476C {
+   SECTION PE32 = ipxe.efi
+  }
+!endif
+
 INF DasharoModulePkg/DasharoBootPolicies/DasharoBootPolicies.inf
 
 #