From cde80e5a03bd43c03ab9ad95e2af775f86d8b042 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Dec 21 2022 13:50:37 +0000
Subject: add stateless secure boot build
---
diff --git a/edk2-build.fedora b/edk2-build.fedora
index 6107e72..2e0960c 100644
--- a/edk2-build.fedora
+++ b/edk2-build.fedora
@@ -24,6 +24,11 @@ EXCLUDE_SHELL_FROM_FD = TRUE
 # new upstream
 BUILD_SHELL = FALSE
 
+# requires edk2 2022-11 or newer
+[opts.ovmf.sb.stateless]
+SECURE_BOOT_ENABLE = TRUE
+SMM_REQUIRE = FALSE
+
 [opts.armvirt.verbose]
 DEBUG_PRINT_ERROR_LEVEL = 0x8040004F
 
@@ -172,3 +177,16 @@ cpy3 = FV/QEMU_EFI.fd QEMU_EFI-pflash.raw
 cpy4 = FV/QEMU_VARS.fd vars-template-pflash.raw
 pad3 = QEMU_EFI-pflash.raw 64m
 pad4 = vars-template-pflash.raw 64m
+
+
+#####################################################################
+# experimental builds
+
+[build.ovmf.sb.stateless]
+desc = ovmf build (64-bit, stateless secure boot)
+conf = OvmfPkg/OvmfPkgX64.dsc
+arch = X64
+opts = ovmf.common ovmf.4m ovmf.sb.stateless
+plat = OvmfX64
+dest = Fedora/experimental
+cpy1 = FV/OVMF.fd OVMF.stateless.fd
diff --git a/edk2.spec b/edk2.spec
index 36829ff..e8723aa 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -194,6 +194,15 @@ BuildArch: noarch
 EFI Development Kit II
 Open Virtual Machine Firmware (ia32)
 
+%package ovmf-experimental
+Summary: Open Virtual Machine Firmware, experimental builds
+License: BSD-2-Clause-Patent and OpenSSL
+Provides: bundled(openssl)
+BuildArch: noarch
+%description ovmf-experimental
+EFI Development Kit II
+Open Virtual Machine Firmware (experimental builds)
+
 %package arm
 Summary: ARM Virtual Machine Firmware
 BuildArch: noarch
@@ -305,6 +314,11 @@ virt-fw-vars --input Fedora/ovmf-ia32/OVMF_VARS.fd \
 build_iso Fedora/ovmf
 build_iso Fedora/ovmf-ia32
 
+# experimental stateless builds
+virt-fw-vars --input Fedora/experimental/OVMF.stateless.fd \
+ --output Fedora/experimental/OVMF.stateless.secboot.fd \
+ --enroll-redhat --secure-boot
+
 %endif
 %endif
 
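Review bot: The new `[opts.ovmf.sb.stateless]` section in edk2-build.fedora sets `SMM_REQUIRE = FALSE` next to `SECURE_BOOT_ENABLE = TRUE` without saying why that combination is acceptable; the only comment is about the minimum edk2 version. In the regular OVMF secure boot builds SMM is what keeps the guest OS from writing the variable store directly, so a build without it presumably relies on the image being mapped read-only with no writable varstore attached. I would state that next to the option, for example `# no SMM: relies on the firmware image being mapped read-only, do not pair with a writable varstore`. The `[build.ovmf.sb.stateless]` section added in the second hunk of this file is the only visible user of these options and could carry the same remark in its `desc`.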
@@ -535,6 +549,11 @@ done
 %{_datadir}/qemu/firmware/30-edk2-ovmf-ia32-sb-enrolled.json
 %{_datadir}/qemu/firmware/40-edk2-ovmf-ia32-sb.json
 %{_datadir}/qemu/firmware/50-edk2-ovmf-ia32.json
+
+%files ovmf-experimental
+%common_files
+%dir %{_datadir}/%{name}/experimental
+%{_datadir}/%{name}/experimental/*.fd
 %endif
 
 %files arm
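Review bot: The glob `%{_datadir}/%{name}/experimental/*.fd` in `%files ovmf-experimental` packages every image in that directory, which going by the earlier hunks would be both `OVMF.stateless.fd` and the enrolled `OVMF.stateless.secboot.fd` (assuming the install step, not visible here, copies the build directory as is). The un-enrolled image carries no keys, and if the stateless build cannot persist keys enrolled at runtime it would presumably never enforce secure boot, so someone picking it by name gets a file that looks like a secure boot build but does not enforce anything. Listing the intended file explicitly, `%{_datadir}/%{name}/experimental/OVMF.stateless.secboot.fd`, or spelling out the difference in the `%description ovmf-experimental` text added in the first edk2.spec hunk, would remove that ambiguity. The surrounding `%files` sections start and end outside this hunk.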