-
Notifications
You must be signed in to change notification settings - Fork 27
107 lines (96 loc) · 3.47 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: Build
on:
push:
paths-ignore:
- '**.md'
branches:
- master
pull_request:
paths-ignore:
- '**.md'
branches:
- master
workflow_call:
workflow_dispatch:
env:
RPI_FIRMWARE_URL: https://github.com/raspberrypi/firmware/
DTB_VERSION: 1e403e23baab5673f0494a200f57cd01287d5b1a
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
MODEL:
- 5
CONFIGURATION: [Debug, Release]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install dependencies
shell: bash
run: |
sudo apt-get update && \
sudo apt-get install -y \
acpica-tools \
binutils-aarch64-linux-gnu \
build-essential \
device-tree-compiler \
gettext \
git \
gcc-aarch64-linux-gnu \
libc6-dev-arm64-cross \
python3 \
python3-pyelftools
- name: Get version tag
id: get_version_tag
shell: bash
run: echo "version=$(git describe --tags --always)" >> $GITHUB_OUTPUT
- name: Set up Secure Boot default keys
if: ${{ false }} # Disable for now, too large for debug builds.
run: |
mkdir keys
# We don't really need a usable PK, so just generate a public key for it and discard the private key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Rockchip Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256
curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer
curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin
- name: Build platform
shell: bash
run: |
export EDK2_SECUREBOOT_FLAGS=""
if [ -d keys ]; then
export EDK2_SECUREBOOT_FLAGS=" \
-D DEFAULT_KEYS=TRUE \
-D PK_DEFAULT_FILE=keys/pk.cer \
-D KEK_DEFAULT_FILE1=keys/ms_kek.cer \
-D DB_DEFAULT_FILE1=keys/ms_db1.cer \
-D DB_DEFAULT_FILE2=keys/ms_db2.cer \
-D DBX_DEFAULT_FILE1=keys/arm64_dbx.bin \
-D SECURE_BOOT_ENABLE=TRUE"
fi
export EDK2_BUILD_FLAGS=" \
--pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVendor=L"${{ github.repository_owner }}" \
${EDK2_SECUREBOOT_FLAGS}"
./build.sh \
--model ${{ matrix.MODEL }} \
--debug ${{ matrix.CONFIGURATION == 'Debug' && 1 || 0 }} \
--edk2-flags "${EDK2_BUILD_FLAGS}"
- name: Download Raspberry Pi support files
run: |
curl -O -L ${{ env.RPI_FIRMWARE_URL }}/raw/${{ env.DTB_VERSION }}/boot/bcm2712-rpi-5-b.dtb
- name: Create firmware archive
run: |
zip -r \
RPi${{ matrix.MODEL }}_UEFI_${{ matrix.CONFIGURATION }}_${{ steps.get_version_tag.outputs.version }}.zip \
RPI_EFI.fd \
config.txt \
*.dtb
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: RPi${{ matrix.MODEL }}_UEFI_${{ matrix.CONFIGURATION }}_${{ steps.get_version_tag.outputs.version }}
path: ./*.zip
if-no-files-found: error