7 files changed, 445 insertions, 0 deletions

diff --git a/sys-firmware/edk2/Manifest b/sys-firmware/edk2/Manifest
new file mode 100644
index 000000000000..8bf04542d27b
--- /dev/null
+++ b/sys-firmware/edk2/Manifest
@@ -0,0 +1,9 @@
+DIST brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz 512229 BLAKE2B cd86cc2cc7eefad24f87cda8006409bf764922b5f23ccfb951e7a41214b12004ce532b11f94f5fb858b3bf71f9abf8ef17ba219fa96bd5be23b51873afad0fd5 SHA512 7f48e794e738b31c2005e7cef6d8c0cc0d543f1cd8c137ae8ba14602cac2873de6299a3f32ad52be869f513e7548341353ed049609daef1063975694d9a9b80b
+DIST edk2-ovmf-202202-qemu-firmware.tar.xz 664 BLAKE2B 1aa4e25804ce0f3c967c80999315de24eaef6682e42dddd81c274ce4603ec3d15186de752de49e2527c6bd5517080c002a357ed6bc389b5afd6f7a4d93edeb44 SHA512 f9a29212274a99796784673d873e0eee7d3e2a5cf9e63192453841ee3a4ef4b813c7b2357fc7000f39c71ed6c66636daab772abb51d3972a2a56ade8a4c68faf
+DIST edk2-ovmf-202202.tar.gz 14208170 BLAKE2B d8411e6808b335ccd551349a10c983b9448a357e73273fa6c30a07785e27feffed0224950ee98b668712c33f6739a9b006e5043b7dfd014f48dba9fd449b3354 SHA512 200690a4867331de06e0478869b85577bc510213ebe679f2103160efb84d94c82ac8481ef1f15c3e42c1e9f22b7c5ef0d6c8f2c655bce7702ce843551cf9bb83
+DIST edk2-ovmf-202405.tar.gz 17091190 BLAKE2B ee2f4c8674ecd7a17e4ee1b067cf1caffb46c3345f39ab15b715964b8e114d01538ae4d4152ab6a3eeebdae602128604d57c02fc0da83f46c291559fe39f49d2 SHA512 3bad4c8417b0c9b68fc6b6b85a4b15c5be8daf672177ce66d7b224b1da7a90f643021adbdd6bc96f95417fc8654c4c6b191cd39f6c1be955946360bfa8e2cb5f
+DIST libspdm-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 1962880 BLAKE2B 89606315fadcf00b2909f264a6edcb2b900dfe248357ea45c37c5a9c947a4d684866627d85132cc51d44d90853d63814eaf9d2b4acdd1a9621b1d6600ca4a0a4 SHA512 07b2b376a84e86647d7a831ee6686d1cf647033ac339afb7c4ea7846cf4e9f7f529a2866bc68ea172d44f1f1efadc8bf1646c3d7fe7e6b6175286ef9c743b206
+DIST mbedtls-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 4587796 BLAKE2B c28df5c52ac3ed5ef6a2b9eba29f3894d3f5f11083869e8b137cd66d4f72b2a0971c91636ce4626869bd06eeb5e661d90160021f92564b9449fb13001b8e379f SHA512 a421c03c740867210f9e30457bc951928cafec3622e1e304f8c18ce5c5e27c5c8e6c7715180ecb74c6a997e4b91ee160e52b357e1bb65ff76ce8414a87ec4889
+DIST mipi-sys-t-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 378522 BLAKE2B d3f1033e78ad814ebb991e66d8c1437aa3583e91481af9785b97b6021c7c45fb9dcb8d2d58d0a0fe84fbd9f108d24a27234df298eb8a2ba2340e5c9c85c89c40 SHA512 de6888577ceab7ab6915d792f3c48248cfa53357ccd310fc7f7eae4d25a932de8c7c23e5b898c9ebf61cf86cb538277273f2eb131a628b3bf0d46c9a3b9b6686
+DIST openssl-d82e959e621a3d597f1e0d50ff8c2d8b96915fd7.tar.gz 10034310 BLAKE2B 6996979dc12a523d565830e7b0943feb682a376f71ddb6f20cb8b9976bb7f12e39f088abaa45d514933ef79c0e4a2933dc6f1af4774fedaa16e74c0081c358e7 SHA512 a89bc652dc4318c5e8a9c594a43d890ca05dfc1acd6b15e2a8ab8b5628b5f33994143ff8024230e07b9e67556b28ea3a5e36763aa72dec20b52022ca8c6f2a7e
+DIST openssl-de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz 15337569 BLAKE2B bb0b2f4ee7838178e8e23317b6c63048611d805e20c81d6c875d9b515e6dbcf981cda38f031965c9ec45bcab3ac4725cfa793718b0212e92bf53b4c7fc3f4e32 SHA512 4bba15075dacc8c1772a95759cfe8620ff3a9d535e5d3d29bb15e4790cc543555ab45f0b239195361e534eca26249ae1b491b63cbf6b7ecda6f0840c7f6253ac
diff --git a/sys-firmware/edk2/edk2-202202.ebuild b/sys-firmware/edk2/edk2-202202.ebuild
new file mode 100644
index 000000000000..2baca0ed771a
--- /dev/null
+++ b/sys-firmware/edk2/edk2-202202.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_REQ_USE="sqlite"
+PYTHON_COMPAT=( python3_{10..11} )
+
+inherit python-any-r1 readme.gentoo-r1 secureboot
+
+DESCRIPTION="UEFI firmware for 64-bit x86 virtual machines"
+HOMEPAGE="https://github.com/tianocore/edk2"
+
+BUNDLED_OPENSSL_SUBMODULE_SHA="d82e959e621a3d597f1e0d50ff8c2d8b96915fd7"
+BUNDLED_BROTLI_SUBMODULE_SHA="f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
+
+# TODO: talk with tamiko about unbundling (mva)
+
+# TODO: the binary 202105 package currently lacks the preseeded
+#       OVMF_VARS.secboot.fd file (that we typically get from fedora)
+
+SRC_URI="https://github.com/tianocore/edk2/archive/edk2-stable${PV}.tar.gz -> edk2-ovmf-${PV}.tar.gz
+	https://github.com/openssl/openssl/archive/${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz -> openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz
+	https://github.com/google/brotli/archive/${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz -> brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz
+	https://dev.gentoo.org/~ajak/distfiles/edk2-ovmf-${PV}-qemu-firmware.tar.xz"
+
+LICENSE="BSD-2 MIT"
+SLOT="0"
+KEYWORDS="-* amd64"
+
+BDEPEND="app-emulation/qemu
+	>=dev-lang/nasm-2.0.7
+	>=sys-power/iasl-20160729
+	${PYTHON_DEPS}"
+RDEPEND="!sys-firmware/edk2-ovmf-bin"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-202105-werror.patch"
+	"${FILESDIR}/${PN}-202202-lld-textrels.patch"
+	"${FILESDIR}/${PN}-202202-binutils-2.41-textrels.patch"
+)
+
+S="${WORKDIR}/edk2-edk2-stable${PV}"
+
+DISABLE_AUTOFORMATTING=true
+DOC_CONTENTS="This package contains the tianocore edk2 UEFI firmware for 64-bit x86
+virtual machines. The firmware is located under
+	/usr/share/edk2-ovmf/OVMF_CODE.fd
+	/usr/share/edk2-ovmf/OVMF_VARS.fd
+	/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd
+
+If USE=binary is enabled, we also install an OVMF variables file (coming from
+fedora) that contains secureboot default keys
+
+	/usr/share/edk2-ovmf/OVMF_VARS.secboot.fd
+
+If you have compiled this package by hand, you need to either populate all
+necessary EFI variables by hand by booting
+	/usr/share/edk2-ovmf/UefiShell.(iso|img)
+or creating OVMF_VARS.secboot.fd by hand:
+	https://github.com/puiterwijk/qemu-ovmf-secureboot
+
+The firmware does not support csm (due to no free csm implementation
+available). If you need a firmware with csm support you have to download
+one for yourself. Firmware blobs are commonly labeled
+	OVMF{,_CODE,_VARS}-with-csm.fd
+
+In order to use the firmware you can run qemu the following way
+
+	$ qemu-system-x86_64 \
+		-drive file=/usr/share/edk2-ovmf/OVMF.fd,if=pflash,format=raw,unit=0,readonly=on \
+		..."
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	secureboot_pkg_setup
+}
+
+src_prepare() {
+	# Bundled submodules
+	cp -rl "${WORKDIR}/openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}"/* "CryptoPkg/Library/OpensslLib/openssl/"
+	cp -rl "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}"/* "BaseTools/Source/C/BrotliCompress/brotli/"
+	cp -rl "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}"/* "MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/"
+
+	sed -i -r \
+		-e "/function SetupPython3/,/\}/{s,\\\$\(whereis python3\),${EPYTHON},g}" \
+		"${S}"/edksetup.sh || die "Fixing for correct Python3 support failed"
+
+	default
+}
+
+src_compile() {
+	TARGET_ARCH=X64
+	TARGET_NAME=RELEASE
+	TARGET_TOOLS=GCC49
+
+	BUILD_FLAGS="-D TLS_ENABLE \
+		-D HTTP_BOOT_ENABLE \
+		-D NETWORK_IP6_ENABLE \
+		-D TPM_ENABLE \
+		-D TPM2_ENABLE -D TPM2_CONFIG_ENABLE \
+		-D FD_SIZE_2MB"
+
+	SECUREBOOT_BUILD_FLAGS="${BUILD_FLAGS} \
+		-D SECURE_BOOT_ENABLE \
+		-D SMM_REQUIRE \
+		-D EXCLUDE_SHELL_FROM_FD"
+
+	export LDFLAGS="-z notext"
+	export EXTRA_LDFLAGS="-z notext"
+	export DLINK_FLAGS="-z notext"
+
+	emake ARCH=${TARGET_ARCH} -C BaseTools
+
+	. ./edksetup.sh
+
+	# Build all EFI firmware blobs:
+
+	mkdir -p ovmf
+
+	./OvmfPkg/build.sh \
+		-a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \
+		${BUILD_FLAGS} || die "OvmfPkg/build.sh failed"
+
+	cp Build/OvmfX64/*/FV/OVMF_*.fd ovmf/
+	rm -rf Build/OvmfX64
+
+	./OvmfPkg/build.sh \
+		-a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \
+		${SECUREBOOT_BUILD_FLAGS} || die "OvmfPkg/build.sh failed"
+
+	cp Build/OvmfX64/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd || die "cp failed"
+	cp Build/OvmfX64/*/X64/Shell.efi ovmf/ || die "cp failed"
+	cp Build/OvmfX64/*/X64/EnrollDefaultKeys.efi ovmf || die "cp failed"
+
+	# Build a convenience UefiShell.img:
+
+	mkdir -p iso_image/efi/boot || die "mkdir failed"
+	cp ovmf/Shell.efi iso_image/efi/boot/bootx64.efi || die "cp failed"
+	cp ovmf/EnrollDefaultKeys.efi iso_image || die "cp failed"
+	qemu-img convert --image-opts \
+		driver=vvfat,floppy=on,fat-type=12,label=UEFI_SHELL,dir=iso_image \
+		ovmf/UefiShell.img || die "qemu-img failed"
+}
+
+src_install() {
+	insinto /usr/share/edk2-ovmf
+	doins ovmf/*
+
+	insinto /usr/share/qemu/firmware
+	doins qemu/*
+	rm "${ED}"/usr/share/qemu/firmware/40-edk2-ovmf-x64-sb-enrolled.json || die "rm failed"
+
+	secureboot_auto_sign --in-place
+
+	readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}
diff --git a/sys-firmware/edk2/edk2-202405.ebuild b/sys-firmware/edk2/edk2-202405.ebuild
new file mode 100644
index 000000000000..aca5700f3df5
--- /dev/null
+++ b/sys-firmware/edk2/edk2-202405.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_REQ_USE="sqlite"
+PYTHON_COMPAT=( python3_12 )
+
+inherit python-any-r1 readme.gentoo-r1 secureboot
+
+DESCRIPTION="UEFI firmware for 64-bit x86 virtual machines"
+HOMEPAGE="https://github.com/tianocore/edk2"
+
+BUNDLED_OPENSSL_SUBMODULE_SHA="de90e54bbe82e5be4fb9608b6f5c308bb837d355"
+BUNDLED_BROTLI_SUBMODULE_SHA="f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
+BUNDLED_MIPI_SYS_T_SUBMODULE_SHA="370b5944c046bab043dd8b133727b2135af7747a"
+BUNDLED_MBEDTLS_SUBMODULE_SHA="8c89224991adff88d53cd380f42a2baa36f91454"
+BUNDLED_LIBSPDM_SUBMODULE_SHA="828ef62524bcaeca4e90d0c021221e714872e2b5"
+
+SRC_URI="https://github.com/tianocore/edk2/archive/edk2-stable${PV}.tar.gz -> edk2-ovmf-${PV}.tar.gz
+	https://github.com/openssl/openssl/archive/${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz -> openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz
+	https://github.com/google/brotli/archive/${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz -> brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz
+	https://github.com/MIPI-Alliance/public-mipi-sys-t/archive/${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz -> mipi-sys-t-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz
+	https://github.com/Mbed-TLS/mbedtls/archive/${BUNDLED_MBEDTLS_SUBMODULE_SHA}.tar.gz -> mbedtls-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz
+	https://github.com/DMTF/libspdm/archive/${BUNDLED_LIBSPDM_SUBMODULE_SHA}.tar.gz -> libspdm-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz
+	https://dev.gentoo.org/~ajak/distfiles/edk2-ovmf-202202-qemu-firmware.tar.xz"
+
+S="${WORKDIR}/edk2-edk2-stable${PV}"
+
+LICENSE="BSD-2 MIT"
+SLOT="0"
+KEYWORDS="-* ~amd64"
+
+BDEPEND="app-emulation/qemu
+	>=dev-lang/nasm-2.0.7
+	>=sys-power/iasl-20160729
+	${PYTHON_DEPS}"
+RDEPEND="!sys-firmware/edk2-ovmf-bin"
+
+DISABLE_AUTOFORMATTING=true
+DOC_CONTENTS="This package contains the tianocore edk2 UEFI firmware for 64-bit x86
+virtual machines. The firmware is located under
+	/usr/share/edk2-ovmf/OVMF_CODE.fd
+	/usr/share/edk2-ovmf/OVMF_VARS.fd
+	/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd
+
+If USE=binary is enabled, we also install an OVMF variables file (coming from
+fedora) that contains secureboot default keys
+
+	/usr/share/edk2-ovmf/OVMF_VARS.secboot.fd
+
+If you have compiled this package by hand, you need to either populate all
+necessary EFI variables by hand by booting
+	/usr/share/edk2-ovmf/UefiShell.(iso|img)
+or creating OVMF_VARS.secboot.fd by hand:
+	https://github.com/puiterwijk/qemu-ovmf-secureboot
+
+The firmware does not support csm (due to no free csm implementation
+available). If you need a firmware with csm support you have to download
+one for yourself. Firmware blobs are commonly labeled
+	OVMF{,_CODE,_VARS}-with-csm.fd
+
+In order to use the firmware you can run qemu the following way
+
+	$ qemu-system-x86_64 \
+		-drive file=/usr/share/edk2-ovmf/OVMF.fd,if=pflash,format=raw,unit=0,readonly=on \
+		..."
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	secureboot_pkg_setup
+}
+
+src_prepare() {
+	# Bundled submodules
+	cp -rl "${WORKDIR}/openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}"/* "CryptoPkg/Library/OpensslLib/openssl/" \
+		|| die "copying openssl failed"
+	cp -rl "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}"/* "BaseTools/Source/C/BrotliCompress/brotli/" \
+		|| die "copying brotli failed"
+	cp -rl "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}"/* \
+		"MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/" || die "copying brotli failed"
+	cp -rl "${WORKDIR}/public-mipi-sys-t-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}"/* "MdePkg/Library/MipiSysTLib/mipisyst/" \
+		|| die "copying mipi-sys-t failed"
+	cp -rl "${WORKDIR}/mbedtls-${BUNDLED_MBEDTLS_SUBMODULE_SHA}"/* "CryptoPkg/Library/MbedTlsLib/mbedtls/" \
+		|| die "copying mbedtls failed"
+	cp -rl "${WORKDIR}/libspdm-${BUNDLED_LIBSPDM_SUBMODULE_SHA}"/* "SecurityPkg/DeviceSecurity/SpdmLib/libspdm" \
+		|| die "copying libspdm failed"
+
+	default
+}
+
+src_compile() {
+	TARGET_ARCH=X64
+	TARGET_NAME=RELEASE
+	TARGET_TOOLS=GCC5
+
+	BUILD_FLAGS="-D TLS_ENABLE \
+		-D HTTP_BOOT_ENABLE \
+		-D NETWORK_IP6_ENABLE \
+		-D TPM_ENABLE \
+		-D TPM2_ENABLE -D TPM2_CONFIG_ENABLE \
+		-D FD_SIZE_2MB"
+
+	SECUREBOOT_BUILD_FLAGS="${BUILD_FLAGS} \
+		-D SECURE_BOOT_ENABLE \
+		-D SMM_REQUIRE \
+		-D EXCLUDE_SHELL_FROM_FD"
+
+	export LDFLAGS="-z notext"
+	export EXTRA_LDFLAGS="-z notext"
+	export DLINK_FLAGS="-z notext"
+
+	emake ARCH=${TARGET_ARCH} -C BaseTools
+
+	. ./edksetup.sh
+
+	# Build all EFI firmware blobs:
+
+	mkdir -p ovmf || die
+
+	./OvmfPkg/build.sh \
+		-a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \
+		${BUILD_FLAGS} || die "OvmfPkg/build.sh failed"
+
+	cp Build/OvmfX64/*/FV/OVMF_*.fd ovmf/
+	rm -r Build/OvmfX64 || die
+
+	./OvmfPkg/build.sh \
+		-a "${TARGET_ARCH}" -b "${TARGET_NAME}" -t "${TARGET_TOOLS}" \
+		${SECUREBOOT_BUILD_FLAGS} || die "OvmfPkg/build.sh failed"
+
+	cp Build/OvmfX64/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd || die "cp failed"
+	cp Build/OvmfX64/*/X64/Shell.efi ovmf/ || die "cp failed"
+	cp Build/OvmfX64/*/X64/EnrollDefaultKeys.efi ovmf || die "cp failed"
+
+	# Build a convenience UefiShell.img:
+
+	mkdir -p iso_image/efi/boot || die "mkdir failed"
+	cp ovmf/Shell.efi iso_image/efi/boot/bootx64.efi || die "cp failed"
+	cp ovmf/EnrollDefaultKeys.efi iso_image || die "cp failed"
+	qemu-img convert --image-opts \
+		driver=vvfat,floppy=on,fat-type=12,label=UEFI_SHELL,dir=iso_image \
+		ovmf/UefiShell.img || die "qemu-img failed"
+}
+
+src_install() {
+	insinto /usr/share/edk2-ovmf
+	doins ovmf/*
+
+	insinto /usr/share/qemu/firmware
+	doins "${S}"/../edk2-edk2-stable202202/qemu/*
+	rm "${ED}"/usr/share/qemu/firmware/40-edk2-ovmf-x64-sb-enrolled.json || die "rm failed"
+
+	secureboot_auto_sign --in-place
+
+	readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}
diff --git a/sys-firmware/edk2/files/edk2-202105-werror.patch b/sys-firmware/edk2/files/edk2-202105-werror.patch
new file mode 100644
index 000000000000..db71faed7728
--- /dev/null
+++ b/sys-firmware/edk2/files/edk2-202105-werror.patch
@@ -0,0 +1,38 @@
+diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
+index 498696e..8a360f4 100755
+--- a/BaseTools/Conf/tools_def.template
++++ b/BaseTools/Conf/tools_def.template
+@@ -1863,7 +1863,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG     = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_N
+ *_*_*_DTCPP_PATH                   = DEF(DTCPP_BIN)

+ *_*_*_DTC_PATH                     = DEF(DTC_BIN)

+ 

+-DEFINE GCC_ALL_CC_FLAGS            = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common

++DEFINE GCC_ALL_CC_FLAGS            = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall  -Wno-array-bounds -include AutoGen.h -fno-common

+ DEFINE GCC_IA32_CC_FLAGS           = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe

+ DEFINE GCC_X64_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe

+ DEFINE GCC_ARM_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie

+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 0df728f..49f9706 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -82,17 +82,17 @@ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
+ 

+ ifeq ($(DARWIN),Darwin)

+ # assume clang or clang compatible flags on OS X

+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \

++BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall  \

+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g

+ else

+ ifeq ($(CXX), llvm)

+ BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \

+--fno-delete-null-pointer-checks -Wall -Werror \

++-fno-delete-null-pointer-checks -Wall  \

+ -Wno-deprecated-declarations -Wno-self-assign \

+ -Wno-unused-result -nostdlib -g

+ else

+ BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \

+--fno-delete-null-pointer-checks -Wall -Werror \

++-fno-delete-null-pointer-checks -Wall  \

+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \

+ -Wno-unused-result -nostdlib -g

+ endif

diff --git a/sys-firmware/edk2/files/edk2-202202-binutils-2.41-textrels.patch b/sys-firmware/edk2/files/edk2-202202-binutils-2.41-textrels.patch
new file mode 100644
index 000000000000..22d33c9097aa
--- /dev/null
+++ b/sys-firmware/edk2/files/edk2-202202-binutils-2.41-textrels.patch
@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/913110
+--- a/BaseTools/Conf/tools_def.template
++++ b/BaseTools/Conf/tools_def.template
+@@ -1906,7 +1906,7 @@ DEFINE GCC48_IA32_X64_DLINK_COMMON   = -nostdlib -Wl,-n,-q,--gc-sections -z comm
+ DEFINE GCC48_IA32_CC_FLAGS           = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address

+ DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address

+ DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable

+-DEFINE GCC48_IA32_X64_DLINK_FLAGS    = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive

++DEFINE GCC48_IA32_X64_DLINK_FLAGS    = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive -Wl,-z,notext

+ DEFINE GCC48_IA32_DLINK2_FLAGS       = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)

+ DEFINE GCC48_X64_DLINK_FLAGS         = DEF(GCC48_IA32_X64_DLINK_FLAGS) -Wl,-melf_x86_64,--oformat=elf64-x86-64,-pie

+ DEFINE GCC48_X64_DLINK2_FLAGS        = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF(GCC_DLINK2_FLAGS_COMMON)

+@@ -1929,7 +1929,7 @@ DEFINE GCC49_IA32_CC_FLAGS           = DEF(GCC48_IA32_CC_FLAGS) -fno-pic -fno-pi
+ DEFINE GCC49_X64_CC_FLAGS            = DEF(GCC48_X64_CC_FLAGS)

+ DEFINE GCC49_IA32_X64_DLINK_COMMON   = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40

+ DEFINE GCC49_IA32_X64_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--defsym=PECOFF_HEADER_SIZE=0 DEF(GCC_DLINK2_FLAGS_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable

+-DEFINE GCC49_IA32_X64_DLINK_FLAGS    = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive

++DEFINE GCC49_IA32_X64_DLINK_FLAGS    = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive -Wl,-z,notext

+ DEFINE GCC49_IA32_DLINK2_FLAGS       = DEF(GCC48_IA32_DLINK2_FLAGS)

+ DEFINE GCC49_X64_DLINK_FLAGS         = DEF(GCC49_IA32_X64_DLINK_FLAGS) -Wl,-melf_x86_64,--oformat=elf64-x86-64,-pie

+ DEFINE GCC49_X64_DLINK2_FLAGS        = DEF(GCC48_X64_DLINK2_FLAGS)

diff --git a/sys-firmware/edk2/files/edk2-202202-lld-textrels.patch b/sys-firmware/edk2/files/edk2-202202-lld-textrels.patch
new file mode 100644
index 000000000000..eb8b6296fcff
--- /dev/null
+++ b/sys-firmware/edk2/files/edk2-202202-lld-textrels.patch
@@ -0,0 +1,43 @@
+https://bugs.gentoo.org/913110
+https://github.com/tianocore/edk2/commit/a257988f590ba90dd8394dd6bc7014ae9d814a08
+
+From a257988f590ba90dd8394dd6bc7014ae9d814a08 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 3 Apr 2023 22:29:15 +0800
+Subject: [PATCH] BaseTools/tools_def CLANGDWARF: Permit text relocations
+
+We rely on PIE executables to get the codegen that is suitable for
+PE/COFF conversion where the resulting executables can be loaded
+anywhere in the address space.
+
+However, ELF linkers may default to disallowing text relocations in PIE
+executables, as this would require text segments to be updated at
+runtime, which is bad for security and increases the copy-on-write
+footprint of ELF executables and shared libraries.
+
+However, none of those concerns apply to PE/COFF executables in the
+context of EFI, which are copied into memory rather than mmap()'ed, and
+fixed up by the loader before launch.
+
+So pass -z notext to the LLD linker to permit runtime relocations in
+read-only sections.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Rebecca Cran <rebecca@bsdio.com>
+---
+ BaseTools/Conf/tools_def.template | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
+index 39c49b8001f4..9a5c11f6a385 100755
+--- a/BaseTools/Conf/tools_def.template
++++ b/BaseTools/Conf/tools_def.template
+@@ -2870,7 +2870,7 @@ DEFINE CLANGDWARF_X64_PREFIX        = ENV(CLANG_BIN)
+ DEFINE CLANGDWARF_IA32_X64_DLINK_COMMON   = -nostdlib -Wl,-q,--gc-sections -z max-page-size=0x40

+ DEFINE CLANGDWARF_DLINK2_FLAGS_COMMON     = -Wl,--script=$(EDK_TOOLS_PATH)/Scripts/ClangBase.lds

+ DEFINE CLANGDWARF_IA32_X64_ASLDLINK_FLAGS = DEF(CLANGDWARF_IA32_X64_DLINK_COMMON) -Wl,--defsym=PECOFF_HEADER_SIZE=0 DEF(CLANGDWARF_DLINK2_FLAGS_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable

+-DEFINE CLANGDWARF_IA32_X64_DLINK_FLAGS    = DEF(CLANGDWARF_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive

++DEFINE CLANGDWARF_IA32_X64_DLINK_FLAGS    = DEF(CLANGDWARF_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive -Wl,-z,notext

+ DEFINE CLANGDWARF_IA32_DLINK2_FLAGS       = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(CLANGDWARF_DLINK2_FLAGS_COMMON)

+ DEFINE CLANGDWARF_X64_DLINK2_FLAGS        = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF(CLANGDWARF_DLINK2_FLAGS_COMMON)

+ 

diff --git a/sys-firmware/edk2/metadata.xml b/sys-firmware/edk2/metadata.xml
new file mode 100644
index 000000000000..25727c4c2437
--- /dev/null
+++ b/sys-firmware/edk2/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="project">
+	<email>virtualization@gentoo.org</email>
+	<name>Gentoo Virtualization Project</name>
+</maintainer>
+<upstream>
+	<remote-id type="github">tianocore/edk2</remote-id>
+	<remote-id type="cpe">cpe:/a:tianocore:edk2</remote-id>
+</upstream>
+</pkgmetadata>