From 4d33b0541d3a4ffd7b0ef7fddfea3f848449fa1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 28 Jul 2022 21:29:33 +0200
Subject: [PATCH 1/4] packaging: Don't hardcode "edk2" as the cloned repo's dir.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As TDVF comes from a different repo, the edk2-staging one, we cannot simply hardcode the name. Instead, let's get the name of the directory from name of the git repo.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/ovmf/build-ovmf.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh
index 83537686c9..a257df3d43 100755
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (c) 2022 IBM
+# Copyright (c) 2022 Intel
 #
 # SPDX-License-Identifier: Apache-2.0
@@ -15,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh"
 set +u
 ovmf_build="${ovmf_build:-x86_64}"
 ovmf_repo="${ovmf_repo:-}"
-ovmf_dir="edk2"
 ovmf_version="${ovmf_version:-}"
 ovmf_package="${ovmf_package:-}"
 package_output_dir="${package_output_dir:-}"
@@ -30,6 +30,8 @@ build_target="${build_target:-RELEASE}"
 [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit"
 [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit"
+ovmf_dir="${ovmf_repo##*/}"
+
 info "Build ${ovmf_repo} version: ${ovmf_version}"
 build_root=$(mktemp -d)
@@ -65,4 +67,4 @@ popd
 info "Install fd to destdir"
 mkdir -p "$DESTDIR/$PREFIX/share/ovmf"
-cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf"
\ No newline at end of file
+cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf"
From 42eaf19b436ab643c0e47a9e92fbbdd12bee1c7e Mon Sep 17 00:00:00 2001
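Review bot: `ovmf_dir="${ovmf_repo##*/}"` only strips everything up to the last slash, but `git clone` also drops a trailing `.git` (and ignores a trailing `/`) when it names the checkout directory, so an `ovmf_repo` such as `…/edk2.git` or `…/edk2/` yields a name that does not exist when `cd "${ovmf_dir}"` runs later in the script, outside this hunk. Normalising the value the same way keeps the two in agreement: `ovmf_dir="${ovmf_repo%/}"`, `ovmf_dir="${ovmf_dir##*/}"`, `ovmf_dir="${ovmf_dir%.git}"`. Alternatively, pass an explicit target directory to `git clone` so the script chooses the name instead of inferring it.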
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 28 Jul 2022 21:41:55 +0200
Subject: [PATCH 2/4] packaging: Simplify OVMF repo clone
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of cloning the repo, and then switching to a specific branch, let's take advantage of `--branch` and directly clone the specific branch / tag.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/ovmf/build-ovmf.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh
index a257df3d43..fd4586cd4a 100755
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
@@ -36,9 +36,8 @@ info "Build ${ovmf_repo} version: ${ovmf_version}"
 build_root=$(mktemp -d)
 pushd $build_root
-git clone "${ovmf_repo}"
+git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}"
 cd "${ovmf_dir}"
-git checkout "${ovmf_version}"
 git submodule init
 git submodule update
From e6a5a5106d670f724f46b0afb851fb99092b2eda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 29 Jul 2022 14:44:21 +0200
Subject: [PATCH 3/4] packaging: Generate a tarball as OVMF build result
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of having as a result the directory where OVMF artefacts where installed, let's follow what we do with the other components and have a tarball as a result of the OVMF build.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/ovmf/build-ovmf.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh
index fd4586cd4a..906293ee5b 100755
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
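Review bot: `git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}"` accepts only a branch or tag name, whereas the removed `git checkout "${ovmf_version}"` also accepted a commit id, which the script's own `die "failed to get ovmf version or commit"` message (visible in patch 4/4 of this series) still implies is valid; a commit hash in `ovmf_version` now fails at the clone. If commit ids should remain supported, keep a fallback such as `git clone --depth 1 -b "${ovmf_version}" "${ovmf_repo}" || { git clone "${ovmf_repo}" && git -C "${ovmf_dir}" checkout "${ovmf_version}"; }`, otherwise state in the script's header comment that `ovmf_version` must be a branch or tag. The unquoted `pushd $build_root` on the context line above predates this change but is worth quoting while the clone line is being touched.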
@@ -67,3 +67,8 @@ popd
 info "Install fd to destdir"
 mkdir -p "$DESTDIR/$PREFIX/share/ovmf"
 cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf"
+
+pushd $DESTDIR
+tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX"
+rm -rf $(dirname ./$PREFIX)
+popd
From c9b5bde30b23ed7269666f296a378e634aa9a4a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 28 Jul 2022 21:15:35 +0200
Subject: [PATCH 4/4] versions: Track and build TDVF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TDVF is the firmware used by QEMU to start TDX capable VMs. Let's start tracking it as it'll become part of the Confidential Containers sooner or later. TDVF lives in the public https://github.com/tianocore/edk2-staging repo and we're using as its version tags that are consumed internally at Intel.
Fixes: #4624
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/ovmf/Dockerfile | 1 +
 .../packaging/static-build/ovmf/build-ovmf.sh | 32 ++++++++++++++++---
 tools/packaging/static-build/ovmf/build.sh | 10 +++++-
 versions.yaml | 6 ++++
 4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/tools/packaging/static-build/ovmf/Dockerfile b/tools/packaging/static-build/ovmf/Dockerfile
index cffeb2ffb2..a9a148a756 100644
--- a/tools/packaging/static-build/ovmf/Dockerfile
+++ b/tools/packaging/static-build/ovmf/Dockerfile
@@ -17,5 +17,6 @@ RUN apt-get update && \
 nasm \
 python \
 python3 \
+ python3-distutils \
 uuid-dev && \
 apt-get clean && rm -rf /var/lib/lists/
diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh
index 906293ee5b..fe3925b1ce 100755
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
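Review bot: `rm -rf $(dirname ./$PREFIX)` is an unguarded, unquoted recursive delete driven by `$PREFIX`: with `PREFIX` unset or empty (the script runs under `set +u`, so nothing catches that) or a single path component, `dirname` returns `.`, i.e. `$DESTDIR` itself, and any whitespace in the path is split into several `rm` arguments; `pushd $DESTDIR` on the line above is unquoted as well. Guarding and quoting preserves the intent (drop the installed tree once it is inside the tarball) while failing loudly on bad input: `pushd "${DESTDIR:?}"` and `rm -rf -- "$(dirname "./${PREFIX:?}")"`. It is also worth confirming that removing the whole first component of `PREFIX` (e.g. `./opt` when `PREFIX=/opt/kata`) is intended, rather than just `rm -rf -- "./${PREFIX:?}"`.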
@@ -54,19 +54,41 @@ if [ "${ovmf_build}" == "sev" ]; then
 fi
 info "Building ovmf"
-build -b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}"
+build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}"
+if [ "${ovmf_build}" == "tdx" ]; then
+ build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M"
+fi
+
+eval "${build_cmd}"
 info "Done Building"
-build_path="Build/${package_output_dir}/${build_target}_${toolchain}/FV/OVMF.fd"
-stat "${build_path}"
+build_path_target_toolchain="Build/${package_output_dir}/${build_target}_${toolchain}"
+build_path_fv="${build_path_target_toolchain}/FV"
+stat "${build_path_fv}/OVMF.fd"
+if [ "${ovmf_build}" == "tdx" ]; then
+ build_path_arch="${build_path_target_toolchain}/X64"
+ stat "${build_path_fv}/OVMF_CODE.fd"
+ stat "${build_path_fv}/OVMF_VARS.fd"
+ stat "${build_path_arch}/DumpTdxEventLog.efi"
+fi
 #need to leave tmp dir
 popd
 info "Install fd to destdir"
-mkdir -p "$DESTDIR/$PREFIX/share/ovmf"
-cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf"
+install_dir="${DESTDIR}/${PREFIX}/share/ovmf"
+if [ "${ovmf_build}" == "tdx" ]; then
+ install_dir="$DESTDIR/$PREFIX/share/tdvf"
+fi
+
+mkdir -p "${install_dir}"
+install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}"
+if [ "${ovmf_build}" == "tdx" ]; then
+ install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir}
+ install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir}
+ install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir}
+fi
 pushd $DESTDIR
 tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX"
diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh
index 0662d20b82..fcbbd93210 100755
--- a/tools/packaging/static-build/ovmf/build.sh
+++ b/tools/packaging/static-build/ovmf/build.sh
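Review bot: `eval "${build_cmd}"` re-parses a command string in which `${build_target}`, `${toolchain}`, `${architecture}` and `${ovmf_package}` are no longer quoted — the removed `build -b "${build_target}" …` line quoted each of them — so whitespace or a shell metacharacter in any of those values (they arrive from the environment and from versions.yaml) is word-split or interpreted by the shell instead of reaching `build` intact. A bash array carries the conditional `-D` flags without `eval`, as sketched below. Further down, the three `install` lines inside the tdx branch leave `${install_dir}` unquoted while the `install` just above them quotes it, and `$build_root/$ovmf_dir` is unquoted on all four. A one-line comment saying why the RELEASE TDVF build sets `DEBUG_ON_SERIAL_PORT=TRUE` would also help, since neither the hunk nor the commit message explains what the serial debug output is for.
```shell
build_args=(-b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}")
if [ "${ovmf_build}" == "tdx" ]; then
	build_args+=(-D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M)
fi

build "${build_args[@]}"
# … unchanged: "Done Building" info, stat checks and install steps …
```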
@@ -25,7 +25,11 @@ ovmf_package="${ovmf_package:-}"
 package_output_dir="${package_output_dir:-}"
 if [ -z "$ovmf_repo" ]; then
- ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}")
+ if [ "${ovmf_build}" == "tdx" ]; then
+ ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}")
+ else
+ ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}")
+ fi
 fi
 [ -n "$ovmf_repo" ] || die "failed to get ovmf repo"
@@ -38,6 +42,10 @@ elif [ "${ovmf_build}" == "sev" ]; then
 [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.sev.version" "${kata_version}")
 [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.sev.package" "${kata_version}")
 [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.sev.package_output_dir" "${kata_version}")
+elif [ "${ovmf_build}" == "tdx" ]; then
+ [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.tdx.version" "${kata_version}")
+ [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.tdx.package" "${kata_version}")
+ [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.tdx.package_output_dir" "${kata_version}")
 fi
 [ -n "$ovmf_version" ] || die "failed to get ovmf version or commit"
diff --git a/versions.yaml b/versions.yaml
index b903546d3f..075b7e0070 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -261,6 +261,12 @@ externals:
 version: "edk2-stable202202"
 package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
 package_output_dir: "AmdSev"
+ tdx:
+ url: "https://github.com/tianocore/edk2-staging"
+ description: "TDVF build needed for TDX measured direct boot."
+ version: "2022-tdvf-ww28.5"
+ package: "OvmfPkg/OvmfPkgX64.dsc"
+ package_output_dir: "OvmfX64"
 td-shim:
 description: "Confidential Containers Shim Firmware"
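Review bot: The new `elif [ "${ovmf_build}" == "tdx" ]` arm in the second build.sh hunk is a verbatim copy of the `sev` arm with only the key prefix changed, and the first hunk repeats the same `ovmf_build` test once more for the URL, so the two places must now be kept in sync by hand. Deriving the prefix once, e.g. `deps_key="externals.ovmf.${ovmf_build}"`, and reading `"${deps_key}.url"`, `"${deps_key}.version"` and so on would collapse both chains, provided the default `x86_64` arm — which lies outside this hunk, as does the start of the `if` chain — can be mapped onto the same naming scheme. Note that the `[ -n … ] ||` form also discards a non-zero exit from `get_from_kata_deps`, leaving the empty value to be caught only by the later `die`; that matches the existing arms, but is worth a comment if it is deliberate.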
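Review bot: The new `externals.ovmf.tdx` entry pins `version: "2022-tdvf-ww28.5"`, a tag on the edk2-staging repository, and after patch 2/4 of this series build-ovmf.sh consumes that value via `git clone -b`, so nothing in the chain names an immutable revision — a tag can be moved or re-pushed upstream without any change to this file. For an image that its own `description` says is used for measured boot, recording the resolved commit next to the tag (in the `description` text, or as an additional key such as a constructed `commit:` value that the build script compares against `git rev-parse HEAD` after cloning) would make the produced artefact reproducible and checkable. The same applies to the existing `sev` entry's `version: "edk2-stable202202"` on the context lines, though that predates this change.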