summaryrefslogtreecommitdiff
path: root/pcr-testing
diff options
context:
space:
mode:
authorIsaac David <isacdaavid@isacdaavid.info>2017-07-17 16:39:37 -0500
committerIsaac David <isacdaavid@isacdaavid.info>2017-07-17 16:40:11 -0500
commitd9ce509a69137af170f076029ef1b6e0a6c9abd6 (patch)
tree96f71e58e0c402e08ece803c0ace4f5370908634 /pcr-testing
parent50702b51a47ee4021f985fef887d3fd0acf79cd9 (diff)
downloadabslibre-d9ce509a69137af170f076029ef1b6e0a6c9abd6.tar.gz
abslibre-d9ce509a69137af170f076029ef1b6e0a6c9abd6.tar.bz2
abslibre-d9ce509a69137af170f076029ef1b6e0a6c9abd6.zip
pcr/xen: move to pcr-testing
Diffstat (limited to 'pcr-testing')
-rw-r--r--pcr-testing/xen/09_xen231
-rwxr-xr-xpcr-testing/xen/21_linux_xen_multiboot_arch296
-rw-r--r--pcr-testing/xen/ChangeLog169
-rw-r--r--pcr-testing/xen/PKGBUILD513
-rw-r--r--pcr-testing/xen/ati-passthrough.patch415
-rw-r--r--pcr-testing/xen/efi-xen.cfg7
-rw-r--r--pcr-testing/xen/patch-gcc7-minios-udivmod.patch31
-rw-r--r--pcr-testing/xen/patch-gcc7-vtpm-implicit-fallthrough.patch46
-rw-r--r--pcr-testing/xen/patch-gcc7-vtpmmgr-make-inline-static.patch1161
-rw-r--r--pcr-testing/xen/patch-ipxe-patches-series.patch18
-rw-r--r--pcr-testing/xen/patch-ovmf-apply-inbuild-patches.patch26
-rw-r--r--pcr-testing/xen/patch-ovmf-patches-series.patch20
-rw-r--r--pcr-testing/xen/patch-ovmf-use-python2.patch22
-rw-r--r--pcr-testing/xen/tmpfiles.d-xen.conf2
-rw-r--r--pcr-testing/xen/xen.conf19
-rw-r--r--pcr-testing/xen/xen.install140
16 files changed, 3116 insertions, 0 deletions
diff --git a/pcr-testing/xen/09_xen b/pcr-testing/xen/09_xen
new file mode 100644
index 000000000..47d357d99
--- /dev/null
+++ b/pcr-testing/xen/09_xen
@@ -0,0 +1,231 @@
+#!/usr/bin/env bash
+
+##
+## grub-mkconfig helper script specific to Parabola GNU/Linux-libre
+## Contributed by "Keshav Amburay" <the ddoott ridikulus ddoott rat aatt geemmayil ddoott ccoomm>
+## Rebranded for Parabola by "André Silva" <emulatorman@parabola.nu>
+## Updated on 08 February 2014
+##
+## Script based on do_grub_config() function in Arch (the GNU/Linux distribution) Archboot ISO Installer/Setup script
+## Some parts taken from /etc/grub.d/10_linux script shipped by GRUB(2) upstream
+##
+## This script can be freely distributed and/or modified
+## under the terms of the GNU General Public License as published by
+## the Free Software Foundation, either version 3 of the License, or
+## (at your option) any later version.
+##
+## This script is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+## Adapted for use with the xen package, to ensure feature comparity
+## Modified by "David Sutton" <kantras - gmail com>
+
+_FUNC_GRUB_FILE_PRESENT() {
+
+ [[ -z "${GRUB_PLATFORM}" ]] && GRUB_PLATFORM="x86"
+
+ if [[ "${GRUB_PLATFORM}" == "x86" ]]; then
+ check="--is-x86-linux32"
+ elif [[ "${GRUB_PLATFORM}" == "i386-xen-pae" ]]; then
+ check="--is-i386-xen-pae-domu"
+ elif [[ "${GRUB_PLATFORM}" == "x86_64-xen" ]]; then
+ check="--is-x86_64-xen-domu"
+ else
+ check="--is-${GRUB_PLATFORM}-linux"
+ fi
+
+ case "${GRUB_PLATFORM}" in
+ x86)
+ list="$(for i in "${GRUB_ROOT}"/boot/vmlinuz-linux* ; do
+ if grub_file_is_not_garbage "${i}" && "${grub_file}" ${check} "${i}" ; then echo -n "${i} " ; fi
+ done)" ;;
+ *)
+ list="$(for i in "${GRUB_ROOT}"/boot/vmlinuz-linux* ; do
+ if grub_file_is_not_garbage "${i}" && "${grub_file}" ${check} "${i}" ; then echo -n "${i} " ; fi
+ done)" ;;
+ esac
+}
+
+set -e
+
+prefix="/usr"
+exec_prefix="${prefix}"
+datarootdir="/usr/share"
+datadir="${datarootdir}"
+sysconfdir="/etc"
+
+. "${datarootdir}/grub/grub-mkconfig_lib"
+
+. "${sysconfdir}/default/grub"
+
+export XEN_HYPERVISOR_CMDLINE="xsave=1"
+export XEN_LINUX_CMDLINE="console=tty0"
+
+[[ -r "${sysconfdir}/xen/grub.conf" ]] && . "${sysconfdir}/xen/grub.conf"
+
+[[ -z "${XEN_LINUX_CMDLINE_OVERRIDE}" ]] && XEN_LINUX_CMDLINE_OVERRIDE="0"
+
+export TEXTDOMAIN="grub"
+export TEXTDOMAINDIR="${datarootdir}/locale"
+
+CLASS="--class xen --class parabola --class gnu-linux --class gnu --class os"
+
+[[ "${grub_file}" != "" ]] && _FUNC_GRUB_FILE_PRESENT
+
+BOOT_PART_FS_UUID="$(${grub_probe} --target="fs_uuid" "/boot" 2>/dev/null)"
+BOOT_PART_HINTS_STRING="$(${grub_probe} --target="hints_string" "/boot" 2>/dev/null || true)"
+BOOT_PART_FS="$(${grub_probe} --target="fs" "/boot" 2>/dev/null)"
+
+ROOT_PART_GRUB_DEVICE="$(${grub_probe} --target=device / || true)"
+ROOT_PART_FS="$(${grub_probe} --device ${ROOT_PART_GRUB_DEVICE} --target=fs 2> /dev/null || echo "unknown")"
+
+if [[ "${GRUB_LINUX_ROOT_DEVICE}" == "" ]]; then
+
+ case "${ROOT_PART_FS}" in
+ btrfs)
+ rootsubvol="$(make_system_path_relative_to_its_root /)"
+ rootsubvol="${rootsubvol#/}"
+ if [[ "${rootsubvol}" != "" ]]; then
+ GRUB_LINUX_ROOT_DEVICE="subvol=${rootsubvol}"
+ fi
+ ;;
+ zfs)
+ rpool="$(${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true)"
+ bootfs="$(make_system_path_relative_to_its_root / | sed -e "s,@$,,")"
+ GRUB_LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs}"
+ ;;
+ esac
+
+ if [[ "${GRUB_DEVICE_UUID}" == "" ]] || \
+ [[ "${GRUB_DISABLE_LINUX_UUID}" == "true" ]] || \
+ [[ ! -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" ]] || \
+ uses_abstraction "${GRUB_DEVICE}" lvm ; then
+ GRUB_LINUX_ROOT_DEVICE="${GRUB_DEVICE}"
+ else
+ GRUB_LINUX_ROOT_DEVICE="UUID=${GRUB_DEVICE_UUID}"
+ fi
+fi
+
+[[ "${GRUB_LINUX_PARAMS}" == "" ]] && GRUB_LINUX_PARAMS="${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+if [[ "${XEN_LINUX_CMDLINE_OVERRIDE}" == "0" ]]; then
+ GRUB_LINUX_PARAMS="${GRUB_LINUX_PARAMS} ${XEN_LINUX_CMDLINE}"
+else
+ GRUB_LINUX_PARAMS="${XEN_LINUX_CMDLINE}"
+fi
+
+xen_list=`for i in /boot/xen-*.gz /xen-*.gz ; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i "; fi
+done`
+
+while [ "x$xen_list" != "x" ] ; do
+ xen=`version_find_latest $xen_list`
+ echo "Found Xen hypervisor image: $xen" >&2
+ XEN_BASENAME=`basename $xen`
+ XEN_VERSION=`echo $XEN_BASENAME | sed -e "s,^[^0-9]*-,,g" | sed -e "s,.gz,,g"`
+
+ for _KERNEL_ in ${list} ; do
+
+ echo "Found linux image: ${_KERNEL_}" >&2
+
+ basename="$(basename "${_KERNEL_}")"
+ dirname="$(dirname "${_KERNEL_}")"
+ REAL_DIR="$(make_system_path_relative_to_its_root "${dirname}")"
+
+ _KERNEL_FILE_="$(echo ${_KERNEL_} | sed 's,/boot/,,g')"
+ _KERNEL_PKG_="pkg-$(echo ${_KERNEL_FILE_} | sed 's,vmlinuz-,,g')"
+
+ _INITRAMFS_="${_KERNEL_FILE_/vmlinuz-/initramfs-}.img"
+
+ if [[ -e "/boot/${_INITRAMFS_}" ]]; then
+
+ echo "Found initramfs image: /boot/${_INITRAMFS_}" >&2
+
+ cat << EOF
+
+menuentry "Xen ${XEN_VERSION} / Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel" ${CLASS} {
+ $(save_default_entry)
+ if [ x\$feature_all_video_module = xy ]; then
+ insmod all_video
+ fi
+ set gfxpayload=keep
+ insmod ${BOOT_PART_FS}
+ if [ x\$feature_platform_search_hint = xy ]; then
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+ else
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_FS_UUID}
+ fi
+ echo '$(printf "Loading Xen %s ..." ${XEN_VERSION})'
+ multiboot ${REAL_DIR}/${XEN_BASENAME} ${REAL_DIR}/${XEN_BASENAME} ${XEN_HYPERVISOR_CMDLINE}
+ echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+ module ${REAL_DIR}/${_KERNEL_FILE_} ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+ echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel initramfs ...'
+ module ${REAL_DIR}/${_INITRAMFS_}
+}
+
+EOF
+ fi
+
+ _INITRAMFS_FALLBACK_="${_KERNEL_FILE_/vmlinuz-/initramfs-}-fallback.img"
+
+ if [[ -e "/boot/${_INITRAMFS_FALLBACK_}" ]]; then
+
+ echo "Found fallback initramfs image: /boot/${_INITRAMFS_FALLBACK_}" >&2
+
+ cat << EOF
+
+menuentry "Xen ${XEN_VERSION} / Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel (fallback initramfs)" ${CLASS} {
+ $(save_default_entry)
+ if [ x\$feature_all_video_module = xy ]; then
+ insmod all_video
+ fi
+ set gfxpayload=keep
+ insmod ${BOOT_PART_FS}
+ if [ x\$feature_platform_search_hint = xy ]; then
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+ else
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_FS_UUID}
+ fi
+ echo '$(printf "Loading Xen %s ..." ${XEN_VERSION})'
+ multiboot ${REAL_DIR}/${XEN_BASENAME} ${REAL_DIR}/${XEN_BASENAME} ${XEN_HYPERVISOR_CMDLINE}
+ echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+ module ${REAL_DIR}/${_KERNEL_FILE_} ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+ echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel fallback initramfs ...'
+ module ${REAL_DIR}/${_INITRAMFS_FALLBACK_}
+}
+
+EOF
+ fi
+
+ if [[ ! -e "/boot/${_INITRAMFS_}" ]] && [[ ! -e "/boot/${_INITRAMFS_FALLBACK_}" ]]; then
+ cat << EOF
+
+menuentry "Xen ${XEN_VERSION} / Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel (no initramfs)" ${CLASS} {
+ $(save_default_entry)
+ if [ x\$feature_all_video_module = xy ]; then
+ insmod all_video
+ fi
+ set gfxpayload=keep
+ insmod ${BOOT_PART_FS}
+ if [ x\$feature_platform_search_hint = xy ]; then
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+ else
+ search --no-floppy --fs-uuid --set=root ${BOOT_PART_FS_UUID}
+ fi
+ echo '$(printf "Loading Xen %s ..." ${XEN_VERSION})'
+ multiboot ${REAL_DIR}/${XEN_BASENAME} ${REAL_DIR}/${XEN_BASENAME} ${XEN_HYPERVISOR_CMDLINE}
+ echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+ module ${REAL_DIR}/${_KERNEL_FILE_} ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+}
+
+EOF
+ fi
+
+ done
+
+ xen_list=`echo $xen_list | tr ' ' '\n' | grep -vx $xen | tr '\n' ' '`
+done
+
+
diff --git a/pcr-testing/xen/21_linux_xen_multiboot_arch b/pcr-testing/xen/21_linux_xen_multiboot_arch
new file mode 100755
index 000000000..ef3a39b54
--- /dev/null
+++ b/pcr-testing/xen/21_linux_xen_multiboot_arch
@@ -0,0 +1,296 @@
+#! /bin/sh
+set -e
+
+# grub-mkconfig helper script.
+# Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc.
+#
+# GRUB is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# GRUB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+
+prefix="/usr"
+exec_prefix="/usr"
+datarootdir="/usr/share"
+
+. "$pkgdatadir/grub-mkconfig_lib"
+
+export TEXTDOMAIN=grub
+export TEXTDOMAINDIR="${datarootdir}/locale"
+
+CLASS="--class gnu-linux --class gnu --class os --class xen"
+
+if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+ OS=GNU/Linux-libre
+else
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
+ CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}"
+fi
+
+# loop-AES arranges things so that /dev/loop/X can be our root device, but
+# the initrds that Linux-libre uses don't like that.
+case ${GRUB_DEVICE} in
+ /dev/loop/*|/dev/loop[0-9])
+ GRUB_DEVICE=`losetup ${GRUB_DEVICE} | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/"`
+ ;;
+esac
+
+# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
+# and mounting btrfs requires user space scanning, so force UUID in this case.
+if [ "x${GRUB_DEVICE_UUID}" = "x" ] || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
+ || ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+ || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
+ LINUX_ROOT_DEVICE=${GRUB_DEVICE}
+else
+ LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
+fi
+
+# Allow overriding GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT.
+if [ "${GRUB_CMDLINE_LINUX_XEN_REPLACE}" ]; then
+ GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX_XEN_REPLACE}"
+fi
+if [ "${GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT}" ]; then
+ GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT}"
+fi
+
+case x"$GRUB_FS" in
+ xbtrfs)
+ rootsubvol="`make_system_path_relative_to_its_root /`"
+ rootsubvol="${rootsubvol#/}"
+ if [ "x${rootsubvol}" != x ]; then
+ GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}"
+ fi;;
+ xzfs)
+ rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true`
+ bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`"
+ LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs}"
+ ;;
+esac
+
+title_correction_code=
+
+linux_entry ()
+{
+ os="$1"
+ version="$2"
+ xen_version="$3"
+ type="$4"
+ args="$5"
+ xen_args="$6"
+ ver=""
+ if $($grub_file --is-x86-multiboot2 ${xen_dirname}/${xen_basename}); then
+ ver="2"
+ fi
+ if [ -z "$boot_device_id" ]; then
+ boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
+ fi
+ if [ x$type != xsimple ] ; then
+ if [ x$type = xrecovery ] ; then
+ title="$(gettext_printf "%s, with Xen %s and Linux-%s (recovery mode)" "${os}" "${xen_version}" "${version}")"
+ else
+ title="$(gettext_printf "%s, with Xen %s and Linux-%s" "${os}" "${xen_version}" "${version}")"
+ fi
+ replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
+ if [ x"Xen ${xen_version}>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
+ quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)"
+ title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
+ grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
+ fi
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ else
+ title="$(gettext_printf "%s, with Xen hypervisor" "${os}")"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ fi
+ if [ x$type != xrecovery ] ; then
+ save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
+ fi
+
+ if [ -z "${prepare_boot_cache}" ]; then
+ prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)"
+ fi
+ printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
+ xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})"
+ lmessage="$(gettext_printf "Loading Linux-libre %s ..." ${version})"
+ sed "s/^/$submenu_indentation/" << EOF
+ echo '$(echo "$xmessage" | grub_quote)'
+ if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then
+ xen_rm_opts=
+ else
+ xen_rm_opts="no-real-mode edd=off"
+ fi
+ multiboot${ver} ${rel_xen_dirname}/${xen_basename} placeholder ${xen_args} \${xen_rm_opts}
+ echo '$(echo "$lmessage" | grub_quote)'
+ module${ver} ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args}
+EOF
+ if test -n "${initrd}" ; then
+ # TRANSLATORS: ramdisk isn't identifier. Should be translated.
+ message="$(gettext_printf "Loading initial ramdisk ...")"
+ sed "s/^/$submenu_indentation/" << EOF
+ echo '$(echo "$message" | grub_quote)'
+ module${ver} --nounzip ${rel_dirname}/${initrd}
+EOF
+ fi
+ sed "s/^/$submenu_indentation/" << EOF
+}
+EOF
+}
+
+linux_list=
+for i in /boot/vmlinu[xz]-* /vmlinu[xz]-* /boot/kernel-*; do
+ if grub_file_is_not_garbage "$i"; then
+ basename=$(basename $i)
+ version=$(echo $basename | sed -e "s,^[^0-9]*-,,g")
+ dirname=$(dirname $i)
+ config=
+ for j in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
+ if test -e "${j}" ; then
+ config="${j}"
+ break
+ fi
+ done
+ if (grep -qx "CONFIG_XEN_DOM0=y" "${config}" 2> /dev/null || grep -qx "CONFIG_XEN_PRIVILEGED_GUEST=y" "${config}" 2> /dev/null || [ -z ${config} ]); then linux_list="$linux_list $i" ; fi
+ fi
+done
+if [ "x${linux_list}" = "x" ] ; then
+ exit 0
+fi
+
+file_is_not_sym () {
+ case "$1" in
+ */xen-syms-*)
+ return 1;;
+ *)
+ return 0;;
+ esac
+}
+
+file_is_not_xen_config () {
+ case "$1" in
+ */xen*\.*config)
+ return 1;;
+ */xen*\.*cfg)
+ return 1;;
+ */xen*\.*efi)
+ return 1;;
+ *)
+ return 0;;
+ esac
+}
+
+
+xen_list=
+for i in /boot/xen*; do
+ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" && file_is_not_xen_config "$i"; then xen_list="$xen_list $i" ; fi
+done
+prepare_boot_cache=
+boot_device_id=
+
+title_correction_code=
+
+machine=`uname -m`
+
+case "$machine" in
+ i?86) GENKERNEL_ARCH="x86" ;;
+ mips|mips64) GENKERNEL_ARCH="mips" ;;
+ mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;;
+ arm*) GENKERNEL_ARCH="arm" ;;
+ *) GENKERNEL_ARCH="$machine" ;;
+esac
+
+# Extra indentation to add to menu entries in a submenu. We're not in a submenu
+# yet, so it's empty. In a submenu it will be equal to '\t' (one tab).
+submenu_indentation=""
+
+is_top_level=true
+
+while [ "x${xen_list}" != "x" ] ; do
+ list="${linux_list}"
+ current_xen=`version_find_latest $xen_list`
+ xen_basename=`basename ${current_xen}`
+ xen_dirname=`dirname ${current_xen}`
+ rel_xen_dirname=`make_system_path_relative_to_its_root $xen_dirname`
+ xen_version=`echo $xen_basename | sed -e "s,.gz$,,g;s,^xen-,,g"`
+ if [ -z "$boot_device_id" ]; then
+ boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
+ fi
+ if [ "x$is_top_level" != xtrue ]; then
+ echo " submenu '$(gettext_printf "Xen hypervisor, version %s" "${xen_version}" | grub_quote)' \$menuentry_id_option 'xen-hypervisor-$xen_version-$boot_device_id' {"
+ fi
+ while [ "x$list" != "x" ] ; do
+ linux=`version_find_latest $list`
+ gettext_printf "Found linux-libre image: %s\n" "$linux" >&2
+ basename=`basename $linux`
+ dirname=`dirname $linux`
+ rel_dirname=`make_system_path_relative_to_its_root $dirname`
+ version=`echo $basename | sed -e "s,^[^0-9]*-,,g"`
+ alt_version=`echo $version | sed -e "s,\.old$,,g"`
+ linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
+
+ initrd=
+ for i in "initramfs-linux-${version}.img" \
+ "initrd.img-${version}" "initrd-${version}.img" \
+ "initrd-${version}.gz" \
+ "initrd-${version}" "initramfs-${version}.img" \
+ "initrd.img-${alt_version}" "initrd-${alt_version}.img" \
+ "initrd-${alt_version}" "initramfs-${alt_version}.img" \
+ "initramfs-genkernel-${version}" \
+ "initramfs-genkernel-${alt_version}" \
+ "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
+ "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}" ; do
+ if test -e "${dirname}/${i}" ; then
+ initrd="$i"
+ break
+ fi
+ done
+ if test -n "${initrd}" ; then
+ gettext_printf "Found initrd image: %s\n" "${dirname}/${initrd}" >&2
+ else
+ # "UUID=" magic is parsed by initrds. Since there's no initrd, it can't work here.
+ linux_root_device_thisversion=${GRUB_DEVICE}
+ fi
+
+ if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
+
+ submenu_indentation="$grub_tab$grub_tab"
+
+ if [ -z "$boot_device_id" ]; then
+ boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
+ fi
+ # TRANSLATORS: %s is replaced with an OS name
+ echo "submenu '$(gettext_printf "Advanced options for %s (with Xen hypervisor)" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ echo " submenu '$(gettext_printf "Xen hypervisor, version %s" "${xen_version}" | grub_quote)' \$menuentry_id_option 'xen-hypervisor-$xen_version-$boot_device_id' {"
+ is_top_level=false
+ fi
+
+ linux_entry "${OS}" "${version}" "${xen_version}" advanced \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
+ if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
+ linux_entry "${OS}" "${version}" "${xen_version}" recovery \
+ "single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}"
+ fi
+
+ list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '`
+ done
+ if [ x"$is_top_level" != xtrue ]; then
+ echo ' }'
+ fi
+ xen_list=`echo $xen_list | tr ' ' '\n' | fgrep -vx "$current_xen" | tr '\n' ' '`
+done
+
+# If at least one kernel was found, then we need to
+# add a closing '}' for the submenu command.
+if [ x"$is_top_level" != xtrue ]; then
+ echo '}'
+fi
+
+echo "$title_correction_code"
diff --git a/pcr-testing/xen/ChangeLog b/pcr-testing/xen/ChangeLog
new file mode 100644
index 000000000..b23e810df
--- /dev/null
+++ b/pcr-testing/xen/ChangeLog
@@ -0,0 +1,169 @@
+2015-06-24 John Thomson
+ * 4.7.0-1
+ Xen 4.7.0
+
+2015-06-11 John Thomson
+ * 4.6.1-7
+ Apply XSA patch: 175, 178, 181
+
+2015-05-23 John Thomson
+ * 4.6.1-6
+ Apply XSA patch: 180
+
+2015-05-19 John Thomson
+ * 4.6.1-5
+ Apply XSA patch: 176
+
+2016-05-12 John Thomson
+ * 4.6.1-4
+ Apply XSA patch: 179
+ Patches for GCC6
+
+2016-04-19 John Thomson
+ * 4.6.1-3
+ Apply XSA patch: 173
+
+2016-03-31 John Thomson
+ * 4.6.1-2
+ Apply XSA patch: 172
+
+2016-02-19 John Thomson
+ * 4.6.1-1
+ Xen source package updated to 4.6.1
+ Apply XSA patch: 170
+
+2016-02-19 John Thomson
+ * 4.5.2-1
+ Xen source package updated to 4.5.2
+ Build xen.efi with mingw-w64-binutils
+ Build ovmf
+ Apply XSA patches: 154, 156, 158 to 160, 162 to 168, and 170
+
+2015-07-04 David Sutton <kantras - gmail.com>
+ * 4.5.1-1
+ New major release from upstream
+ Added -fno-caller-saves CFLAG to PKGBUILD to work around GCC5 issues
+ Added in some compile fixes for GCC 5
+ Disabled OVMF for now until patched for GCC 5
+
+2015-05-13 David Sutton <kantras - gmail.com>
+ * 4.5.0-3
+ Added Security patches
+
+2015-04-08 David Sutton <kantras - gmail.com>
+ * 4.5.0-2
+ Updated PKGBUILD to use absolute instead of relative paths for install
+ Updated efi-xen.cfg with syntax fix
+ Added gnuttls-3.4.0 patch
+ Added security patches
+
+2015-03-01 David Sutton <kantras - gmail.com>
+ * 4.5.0-1
+ New major release from upstream
+ Cleaned up old XSA patches
+ Removed old systemd support patches and realigned with the new upstream methods
+
+2014-10-26 David Sutton <kantras - gmail.com>
+ * 4.4.1-3
+ Enabled OVMF support and added patches to fix compile
+ Enabled spice support and added patch to enable qemu support in qemu-xen
+ Added figlet as an make dependancy for the ascii art version number
+ Including an example xen.cfg package for people who will be using EFI
+ Additional cleanup (explictly disabling some unnecessary libraries)
+
+2014-10-12 David Sutton <kantras - gmail.com>
+ * 4.4.1-2:
+ Added XSA 104, 105, 106, 107 and 108 security patches
+ Added .config to resolve compile issues where /etc/sysconfig exists
+
+2014-09-04 David Sutton <kantras - gmail.com>
+ * 4.4.1-1:
+ New Upstream release
+ Cleared out unnecessary patches (security, gcc compile and pit)
+
+2014-06-22 David Sutton <kantras - gmail.com>
+ * 4.4.0-6:
+ Added additional patch to support XSA 100 on AMD platform
+
+2014-06-17 David Sutton <kantras - gmail.com>
+ * 4.4.0-5:
+ Added XSA 96 and 100 security patches
+ Added patch to explictly disable searching for bluez libs
+ Cleaned up PKGBUILD
+
+2014-05-17 David Sutton <kantras - gmail.com>
+ * 4.4.0-4:
+ Added patch to fix shutdown issues with pvh domains
+
+2014-05-01 David Sutton <kantras - gmail.com>
+ * 4.4.0-3:
+ Added XSA 92 Security patch
+ Added fix for compiling under GCC 4.9.0 (From Fedora Rawhide SRPM)
+ Added updates to 09_xen to closer match system 10_linux
+
+2014-03-11 David Sutton <kantras - gmail.com>
+ * 4.4.0-2:
+ Moved xen-syms file so 09_xen won't pick it up as a potential kernel.
+ Added XSA 89 Security patch
+ Minor PKGBUILD cleanup/changes
+
+2014-03-10 David Sutton <kantras - gmail.com>
+ * 4.4.0-1:
+ New upstream release
+ Cleaned up old unnecessary patches
+
+2014-02-19 David Sutton <kantras - gmail.com>
+ * 4.3.2-1:
+ New upstream release
+ Removed unnecessary security patches (since now integrated into source)
+ Attempts to pull down additional required source file to ensure not corrupted
+ Added missing dependancy libseccomp
+
+2013-11-25 David Sutton <kantras - gmail.com>
+ * 4.3.1-2:
+ Changed bluez dependancy from bluez4 to bluez
+ Added recent security patches
+
+2013-10-31 David Sutton <kantras - gmail.com>
+ * 4.3.1-1:
+ New upstream release
+ Removed unnecessary security patches (already merged)
+ Fixed BIOS Workaround patch to apply to the new source files
+ Fixed ATI Passthrough patch to apply to the new source files
+ Updated paths in all patches
+
+2013-09-29 David Sutton <kantras - gmail.com>
+ * 4.3.0-7:
+ Fixed optdepends in PKGBUILD
+ Added in a pre_remove function in xen.install to disable services
+ Minor text formating changes in xen.install
+ Added XSA 62,63,64 and 66 patches (Xen Security Advisories)
+
+2013-09-29 David Sutton <kantras - gmail.com>
+ * 4.3.0-6:
+ Fixed 09_xen so it can detect lts kernels
+
+2013-09-28 David Sutton <kantras - gmail.com>
+ * 4.3.0-5:
+ Fixed mount option in 09_xen from ro to rw
+ Added in dummy /etc/xen/grub.conf to control settings in 09_xen
+ Fix library sanitize so that it returns to the base directory
+ Move the syms file to /usr/share/xen so that it is out of the way of boot but still accessible
+ Added optional dependancy for openvswitch
+
+2013-08-13 David Sutton <kantras - gmail.com>
+ * 4.3.0-4 :
+ Added patch for qemu-xen to add a TOM register for PCI Hole mapping
+ Protected /etc/conf.d/xendomains from being overwritten
+ Included ATI Passthrough patch (not enabled by default, compile tested only)
+
+2013-07-23 David Sutton <kantras - gmail.com>
+
+ * 4.3.0-3 :
+ added ChangeLog.
+ Cleaned up PKGBUILD to match Arch Package Standards
+ Fixed some path references - /var/run to /run
+ Removed some unnecessary empty directories
+ Updated xenconsoled and xenstored so they use /run for pid file
+ Updated auto-created /run directories to include xenstored
+
diff --git a/pcr-testing/xen/PKGBUILD b/pcr-testing/xen/PKGBUILD
new file mode 100644
index 000000000..52eb1f402
--- /dev/null
+++ b/pcr-testing/xen/PKGBUILD
@@ -0,0 +1,513 @@
+# current version adapted from https://gitlab.com/johnth/aur-xen/blob/717dc1c8e32c3c615652f2b40838d1cb12441073/PKGBUILD
+
+# Maintainer (AUR): John Thomson <aur.xen at j0aur.mm.st>
+# Contributor (Arch): David Sutton <kantras - gmail.com>
+# Contributor (Arch): Shanmu Thiagaraja <sthiagaraja+AUR@prshanmu.com>
+# Contributor (Arch): Limao Luo
+# Contributor (Arch): Luceo
+# Contributor (Arch): Revellion
+# Contributor: André Silva <emulatorman@parabola.nu>
+# Contributor: Márcio Silva <coadde@parabola.nu>
+# Contributor: Isaac David <isacdaavid@at@isacdaavid@dot@info>
+
+#linux-4.7 EFI boot panic issue (patch linux)
+#http://lkml.iu.edu/hypermail/linux/kernel/1608.2/03448.html
+
+_build_stubdom="${build_stubdom:-false}"
+_system_seabios="${system_seabios:-false}"
+_build_debug="${build_debug:-false}"
+_build_livepatch="${build_livepatch:-false}"
+
+## use _build_stubdom=true to build xen with stubdom
+## use _system_seabios=true to use system seabios
+## this bios file is slightly different to the xen seabios
+## /usr/share/qemu/bios-256k.bin uses CONFIG_ROM_SIZE=256, and newer seabios
+## can force use this file through vm.cfg bios_path_override='/usr/share/qemu/bios-256k.bin'
+## use _build_debug=true to compile Xen with debug options
+## use _build_livepatch=true to compile Xen with livepatch support
+
+#_build_stubdom=true
+#_system_seabios=true
+#_build_debug=true
+#_build_livepatch=true
+
+pkgbase=xen
+pkgname=(xen{,-docs,-syms})
+_pkgname=xen
+pkgver=4.9.0
+_pkgver=${pkgver/rc/-rc}
+pkgrel=1.parabola1
+pkgdesc="Virtual Machine Hypervisor & Tools (Parabola rebranded)"
+arch=(x86_64 armv7h)
+depends=(
+ bridge-utils
+ curl
+ gnutls
+ iproute2
+ libaio
+ libcap-ng
+ libiscsi
+ libnl
+ libpng
+ lzo
+ pciutils
+ python2
+ sdl
+ spice
+ systemd
+ usbredir
+ yajl
+ # seabios ovmf qemu
+)
+[[ "$CARCH" == 'x86_64' ]] && depends+=(
+ lib32-glibc
+)
+[[ "$CARCH" == *'arm'* ]] && depends+=(
+ dtc-overlay
+)
+[[ "$_system_seabios" == true ]] && depends+=(
+ seabios
+)
+url='http://www.xenproject.org/'
+license=('GPL2')
+makedepends=(
+ cmake
+ figlet
+ git
+ markdown
+ nasm
+ ocaml-findlib
+ spice-protocol
+ wget
+)
+[[ "$CARCH" == 'x86_64' ]] && makedepends+=(
+ bin86
+ dev86
+ gcc-multilib
+ iasl
+)
+
+## For building Xen EFI boot file.
+## mingw-w64-binutils only needed if
+## binutils not built with --enable-targets=x86_64-pep
+_binutils_efi=false
+
+if [[ "$CARCH" == 'x86_64' ]]; then
+ _binutils_emulations="$(ld -V)"
+ if [[ "$_binutils_emulations" == *'i386pep'* ]]; then
+ _binutils_efi=true
+ echo '#ld has efi support'
+ else
+ makedepends+=(
+ mingw-w64-binutils
+ )
+ echo '#ld does not have efi support, using mingw'
+ fi
+fi
+
+
+options=(!buildflags !strip)
+changelog=ChangeLog
+
+##SeaBIOS & OVMF tags are in src/xen-*/tools/Config.mk
+##grep -rE '_(REVISION|VERSION|TAG)( \?| :){0,1}=' src/xen**/{Config.mk,stubdom/configure,tools/firmware/etherboot/Makefile}
+_git_tag_seabios='#tag=rel-1.10.0'
+_git_tag_ovmf='#tag=5920a9d16b1ab887c2858224316a98e961d71b05'
+_git_tag_ipxe='827dd1bfee67daa683935ce65316f7e0f057fe1c'
+
+if [[ "$_build_stubdom" == true ]]; then
+ if [[ "$CARCH" == *'arm'* ]]; then
+ echo '####Compile settings error:'
+ echo "#cannot build stubdom for $CARCH"
+ _build_stubdom=false
+ fi
+fi
+
+source=(
+ "https://downloads.xenproject.org/release/$_pkgname/$_pkgver/$_pkgname-$_pkgver.tar.gz"{,.sig}
+ "http://xenbits.xen.org/xen-extfiles/ipxe-git-$_git_tag_ipxe.tar.gz"
+
+ 'seabios'::"git://xenbits.xen.org/seabios.git$_git_tag_seabios"
+ 'ovmf'::"git://xenbits.xen.org/ovmf.git$_git_tag_ovmf"
+ ##HTTP access
+ #'seabios'::"git+http://xenbits.xen.org/git-http/seabios.git$_git_tag_seabios"
+
+ ## Compile patches
+ ati-passthrough.patch
+ patch-ovmf-use-python2.patch
+ patch-ovmf-apply-inbuild-patches.patch
+ patch-ovmf-patches-series.patch
+ #patch-build-efi-with-mingw.patch::https://github.com/jakogut/xen-igvtg-aur/raw/28c81072e419d72a100ada9c393e37fae35ad263/xen_efi_build.patch
+ patch-inbuild-ovmf-5-hiilib.c-pointer-zero.patch::'https://github.com/tianocore/edk2/commit/fe4a28ccbfd33cae9e1f56b174d46b4eb2329efd.patch'
+ patch-inbuild-ipxe-gcc7-implicit-fallthrough.patch::'https://github.com/ipxe/ipxe/commit/5f85cbb9ee1c00cec81a848a9e871ad5d1e7f53f.patch'
+ patch-inbuild-ipxe-gcc7-implicit-fallthrough-ath5k.patch::'https://github.com/ipxe/ipxe/commit/45f2265bfcbbf2afd7fac24372ae26e453f2b52d.patch'
+ patch-inbuild-ipxe-gcc7-implicit-fallthrough-curses.patch::'https://github.com/ipxe/ipxe/commit/28e26dd2503e6006fabb26f8c33050ba93a99623.patch'
+ patch-ipxe-patches-series.patch
+ patch-gcc7-vtpm-implicit-fallthrough.patch
+ patch-gcc7-vtpmmgr-make-inline-static.patch
+ patch-gcc7-minios-udivmod.patch
+
+ ## Files
+ xen.install
+ 21_linux_xen_multiboot_arch
+ efi-xen.cfg
+ "$_pkgname.conf"
+ "tmpfiles.d-$_pkgname.conf"
+
+ ## XSA patches
+)
+
+if [[ "$_build_stubdom" == true ]]; then
+ echo '#building with stubdom'
+ source+=(
+ http://xenbits.xen.org/xen-extfiles/lwip-1.3.0.tar.gz
+ http://xenbits.xen.org/xen-extfiles/zlib-1.2.3.tar.gz
+ http://xenbits.xen.org/xen-extfiles/newlib-1.16.0.tar.gz
+ http://xenbits.xen.org/xen-extfiles/pciutils-2.2.9.tar.bz2
+ http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz
+ http://xenbits.xen.org/xen-extfiles/grub-0.97.tar.gz
+ http://xenbits.xen.org/xen-extfiles/tpm_emulator-0.7.4.tar.gz
+ http://xenbits.xen.org/xen-extfiles/gmp-4.3.2.tar.bz2
+ http://caml.inria.fr/pub/distrib/ocaml-3.11/ocaml-3.11.0.tar.gz
+ )
+fi
+
+
+noextract=(
+ "ipxe-git-$_git_tag_ipxe.tar.gz"
+)
+
+if [[ "$_build_stubdom" == true ]]; then
+ noextract+=(
+ lwip-1.3.0.tar.gz
+ zlib-1.2.3.tar.gz
+ newlib-1.16.0.tar.gz
+ pciutils-2.2.9.tar.bz2
+ polarssl-1.1.4-gpl.tgz
+ grub-0.97.tar.gz
+ tpm_emulator-0.7.4.tar.gz
+ gmp-4.3.2.tar.bz2
+ ocaml-3.11.0.tar.gz
+ )
+fi
+
+validpgpkeys=('23E3222C145F4475FA8060A783FE14C957E82BD9')
+#gpg --keyserver pgp.mit.edu --recv-key 23E3222C145F4475FA8060A783FE14C957E82BD9
+sha256sums=(
+ 'cade643fe3310d4d6f97d0c215c6fa323bc1130d7e64d7e2043ffaa73a96f33b'
+ 'SKIP'
+ '36deacb946c59ad1d6600f6e5b89d6a7a8961e65eb000900e184075920120f49'
+
+ 'SKIP'
+ 'SKIP'
+
+ 'd93c2d5bcdf0c3e4c6e8efb357cb4b9d618209025361f5ccd9d03651a8acd7a3'
+ '5fb65130f96d1728368a09042e55f622c14117572030ce2141bff4ae150e4a01'
+ 'a853a38b8fd661d6b99979831cdae014cd23d831b57a90a467400660343f23f6'
+ '81b93e8c9e0ecb0d8c0555892b27b7e6c39d961af33cdea53ac72070e3e741b2'
+ #'a8ce42777e22af49080131e174b6b89c6e7597539838fb8b17a12280fd10b10b'
+ '79d8ce76bdeb72a1583254f1fb80309e56428d7406a6605a5ec860dc5a1beb3d'
+ 'e042b0161d76ee9af7b113c46703dde2663f762d696f4290585be36d907e97a5'
+ '2be4efb8be044c9b2459d09f5a6390fecb218ed4cb38964bce0674882817b91a'
+ 'db21442e38be53d342c7574c7c17fb8ce45e57c11dd1ad99e60641ea4061653b'
+ '9135c1ca7aed28a86afc7a0feb2930bd95b4fabf865dd368e8912cc77d38fb33'
+ '0ce9de822712e2b538dc144ba23b584970ac73b327277917b4afaa321c5b4b0c'
+ '5727d42575dfac1870d235fab23b8a230857cfdf44372bc1d98bb6384b752367'
+ 'b6fa5bff89242719b20747d7eb197d0aeb59f8a89e841137f0b0cab17de20686'
+
+ #pkgbuild files
+ '330bcc5ab22e982d37495b57176d306353c220fec7c2b6c4a78a9133382a623e'
+ '7fa619845874e1a596acc5fb43b921496fba3014e04f40b2af462c51b02656ee'
+ '95f09bccc104d98c14559000823cb50f0d076f6a65b9f3b4e7725762b84ab5c7'
+ '50a9b7fd19e8beb1dea09755f07318f36be0b7ec53d3c9e74f3266a63e682c0c'
+ '40e0760810a49f925f2ae9f986940b40eba477dc6d3e83a78baaae096513b3cf'
+
+ ## XSA patches
+)
+
+
+if [[ "$_build_stubdom" == true ]]; then
+ sha256sums+=(
+ #stubdom bits
+ '772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f'
+ '1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e'
+ 'db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07'
+ 'f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24'
+ '2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6'
+ '4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b'
+ '4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459'
+ '936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775'
+ 'ecdd4f8473ab0dee5d3acb5c0a31a4c1dd6aa12179895cf1903dd0f455c43a4f'
+
+ #stubdom patches
+ )
+fi
+
+_xen_kconfig_debug=$(cat <<EOF
+CONFIG_DEBUG=y
+CONFIG_CRASH_DEBUG=y
+EOF
+)
+_xen_kconfig_livepatch=$(cat <<EOF
+CONFIG_LIVEPATCH=y
+EOF
+)
+
+_makevars=(
+ LANG=C
+ PYTHON=python2
+)
+
+prepare() {
+ cd "$_pkgname-$_pkgver/"
+
+ ### Copy git sourced tools/firmware
+ # move seabios into place
+ mv --force "$srcdir/seabios" tools/firmware/seabios-dir-remote
+ # move ovmf into place
+ mv --force "$srcdir/ovmf" tools/firmware/ovmf-dir-remote
+
+ ### Patching
+
+ # XSA Patches
+ echo 'XSA patches'
+ # Security Patches - Base
+
+ # Security Patches - qemu-xen-traditional
+ cd 'tools/qemu-xen-traditional/'
+ cd '../../'
+
+ # Security Patches - qemu-xen (upstream)
+ cd 'tools/qemu-xen/'
+ cd '../../'
+
+
+ # Compile Patches
+ echo 'Compile patches'
+
+ # Build EFI binary with mingw
+ if [[ "$_binutils_efi" != true ]]; then
+ if $(stat /usr/x86_64-w64-mingw32/bin/ld >/dev/null 2>&1); then
+ #patch -Np1 -i "$srcdir/patch-build-efi-with-mingw.patch"
+ sed -i.bak '/ EFI_LD/s/LD/LD_EFI/' xen/arch/x86/Makefile
+ sed -i.bak 's/LD/LD_EFI/' xen/arch/x86/efi/Makefile
+ sed -i.bak '/EFI_MOUNTPOINT .*/aLD_EFI ?= $(LD)' xen/Makefile
+ else
+ echo '#Not capable of building xen.efi. Need either:'
+ echo '#(preferred) binutils compiled with --enable-targets=x86_64-pep'
+ echo '#or install mingw-w64-binutils'
+ fi
+ fi
+
+ # OVMF Compile support (Pulls from GIT repo, so patching to patch after pull request)
+ patch -Np1 -i "$srcdir/patch-ovmf-use-python2.patch"
+ patch -Np1 -i "$srcdir/patch-ovmf-apply-inbuild-patches.patch"
+ mkdir -p tools/firmware/ovmf-patches
+ patch -Np1 -i "$srcdir/patch-ovmf-patches-series.patch"
+ cp "$srcdir"/patch-inbuild-ovmf*.patch tools/firmware/ovmf-patches/
+
+ # Uncomment line below if you want to enable ATI Passthrough support (some reported successes, untested with 4.4)
+ #patch -Np1 -i "$srcdir/ati-passthrough.patch"
+
+ ## Fix fixed rundir paths
+ ## grep -Rl '\/var\/run\/xen' * 2> /dev/null
+ _var_run_fixed_paths=(
+ tools/hotplug/Linux/locking.sh
+ tools/xenmon/xenbaked.c
+ tools/xenmon/xenmon.py
+ tools/pygrub/src/pygrub
+ )
+ sed -i 's:/var/run:/run:' ${_var_run_fixed_paths[@]}
+
+ ## Fix python version in shebang
+ echo 'Fix python shebang to python2'
+ _python_files=( $(grep -Rlse '^#!/usr/bin/.*python$' || : ) )
+ sed -Ei 's|(^#!.*/usr/bin/(env ){0,1})python$|\1python2|' ${_python_files[@]}
+
+ if [[ "$_build_stubdom" == true ]]; then
+ # Copy supporting tarballs into place
+ ln -s "$srcdir/lwip-1.3.0.tar.gz" stubdom/
+ ln -s "$srcdir/zlib-1.2.3.tar.gz" stubdom/
+ ln -s "$srcdir/newlib-1.16.0.tar.gz" stubdom/
+ ln -s "$srcdir/pciutils-2.2.9.tar.bz2" stubdom/
+ ln -s "$srcdir/polarssl-1.1.4-gpl.tgz" stubdom/
+ ln -s "$srcdir/grub-0.97.tar.gz" stubdom/
+ ln -s "$srcdir/tpm_emulator-0.7.4.tar.gz" stubdom/
+ ln -s "$srcdir/gmp-4.3.2.tar.bz2" stubdom/
+ ln -s "$srcdir/ocaml-3.11.0.tar.gz" stubdom/
+
+ ## Stubdom patches
+ cd 'extras/mini-os'
+ patch -Np1 -i "$srcdir/patch-gcc7-minios-udivmod.patch"
+ cd '../../'
+
+ #vtpm
+ patch -Np1 -i "$srcdir/patch-gcc7-vtpmmgr-make-inline-static.patch"
+ patch -Np1 -i "$srcdir/patch-gcc7-vtpm-implicit-fallthrough.patch"
+ fi
+
+ #etherboot
+ ln -s "$srcdir/ipxe-git-$_git_tag_ipxe.tar.gz" tools/firmware/etherboot/ipxe.tar.gz
+ patch -Np1 -i "$srcdir/patch-ipxe-patches-series.patch"
+ cp "$srcdir"/patch-inbuild-ipxe*.patch tools/firmware/etherboot/patches/
+}
+
+build() {
+ cd "$_pkgname-$_pkgver/"
+ export LD_EFI='/usr/x86_64-w64-mingw32/bin/ld'
+ ./autogen.sh
+ if [[ "$_build_stubdom" == true ]]; then
+ _config_stubdom=(--enable-stubdom)
+ _config_stubdom+=(
+ #--enable-ioemu-stubdom=no
+ #--enable-c-stubdom=no
+ #--enable-caml-stubdom=no
+ #--enable-pv-grub=no
+ #--enable-xenstore-stubdom=no
+ #--enable-vtpm-stubdom=no
+ #--enable-vtpmmgr-stubdom=no
+ )
+ else
+ _config_stubdom=(--disable-stubdom)
+ fi
+ _config_seabios=()
+ if [[ "$_system_seabios" == true ]]; then
+ _config_seabios=(--with-system-seabios=/usr/share/qemu/bios-256k.bin)
+ fi
+ _config_xen_kconfig=''
+ _config_debug=()
+ if [[ "$_build_debug" == true ]]; then
+ _config_debug=(--enable-debug --enable-debug-tcg --enable-debug-info)
+ _config_xen_kconfig+="\n$_xen_kconfig_debug"
+ _makevars+=(debug=y CONFIG_DEBUG=y)
+ fi
+ if [[ "$_build_livepatch" == true ]]; then
+ _config_xen_kconfig+="\n$_xen_kconfig_livepatch"
+ fi
+ if [[ -n "$_config_xen_kconfig" ]]; then
+ cd xen
+ echo -e "$_config_xen_kconfig" > .config
+ make "${_makevars[@]}" olddefconfig V=1
+ cd ../
+ fi
+ ./configure PYTHON=/usr/bin/python2 --prefix=/usr --sbindir=/usr/bin --with-sysconfig-leaf-dir=conf.d --with-rundir=/run \
+ --enable-systemd --enable-ovmf \
+ "${_config_seabios[@]}" \
+ "${_config_stubdom[@]}" \
+ "${_config_debug[@]}" \
+ --with-extra-qemuu-configure-args='--disable-bluez --disable-gtk --enable-spice --enable-usb-redir'
+ #--with-system-qemu --with-system-seabios --with-system-ovmf
+ #defaults --enable-qemu-traditional --enable-rombios \
+ make "${_makevars[@]}" dist
+ if [[ "$_build_livepatch" == true ]]; then
+ make "${_makevars[@]}" build-tests
+ fi
+}
+
+package_xen() {
+ _makevars_package=("${_makevars[@]}" DESTDIR="$pkgdir")
+ optdepends=(
+ 'xen-docs: Official Xen documentation'
+ 'openvswitch: Optional advanced networking support'
+ 'urlgrabber: Required for xenpvnetboot'
+ )
+ conflicts=(xen-{git,rc,igvtg,4.{5,6,7}} xenstore)
+ provides=(xenstore)
+ replaces=(xen-{git,rc,4.{5,6,7}})
+ backup=(
+ etc/conf.d/xen{domains,commons}
+ "etc/$_pkgname/grub.conf"
+ "etc/$_pkgname/oxenstored.conf"
+ "etc/$_pkgname/xl.conf"
+ )
+ install="$_pkgname.install"
+
+ cd "$_pkgname-$_pkgver/"
+
+ make "${_makevars_package[@]}" install-xen
+ make "${_makevars_package[@]}" install-tools
+ if [[ "$_build_stubdom" == true ]]; then
+ make "${_makevars_package[@]}" install-stubdom
+ fi
+ if [[ "$_build_livepatch" == true ]]; then
+ make "${_makevars_package[@]}" install-tests
+ fi
+
+ cd "$pkgdir"
+
+ # Install files from Parabola package
+ install -Dm644 "$srcdir/tmpfiles.d-$_pkgname.conf" "usr/lib/tmpfiles.d/$_pkgname.conf"
+ install -Dm755 "$srcdir/21_linux_xen_multiboot_arch" etc/grub.d/21_linux_xen_multiboot_arch
+ install -Dm644 "$srcdir/efi-xen.cfg" etc/xen/efi-xen.cfg
+
+ mkdir -p var/log/xen/console
+
+ # Sanitize library path (if lib64 exists)
+ if [[ -d usr/lib64 ]]; then
+ cd usr/
+ mv lib64/* lib/
+ rmdir lib64
+ cd ../
+ fi
+
+ # If EFI binaries built, move to /boot
+ if [[ -f usr/lib/efi/xen.efi ]]; then
+ mv usr/lib/efi/*.efi boot/
+ rmdir usr/lib/efi
+ fi
+
+ # Remove syms
+ find usr/lib/debug -type f \( -name '*-syms*' -or -name '*\.map' \) -delete
+ rmdir --ignore-fail-on-non-empty usr/lib/debug
+
+ # Remove hypervisor boot symlinks
+ rm -f boot/xen{,-4{,.8,.9}}{,.{gz,efi}}
+
+ # Documentation cleanup ( see xen-docs package )
+ #rm -rf usr/share/doc
+ #rm -rf usr/share/man
+
+ # Remove tempdirs
+ rmdir run/xen{,stored}
+ rmdir run
+
+ # Remove unnecessary qemu ELF support files
+ # qemuu
+ rm -f usr/share/qemu-xen/qemu/{palcode,openbios,s390}-*
+ rm -f usr/share/qemu-xen/qemu/u-boot.e500
+ # qemut
+ if [[ "$CARCH" == *'x86'* ]]; then
+ rm -f usr/share/xen/qemu/openbios-*
+ fi
+
+ # adhere to Static Library Packaging Guidelines
+ rm -rf usr/lib/*.a
+
+ # Remove unneeded init.d files
+ rm -rf etc/init.d
+}
+
+package_xen-docs(){
+ _makevars_package=("${_makevars[@]}" DESTDIR="$pkgdir")
+ pkgdesc='Xen virtual machine hypervisor documentation'
+ arch=('any')
+ depends=()
+ cd "$_pkgname-$_pkgver/"
+ make "${_makevars_package[@]}" install-docs
+}
+
+package_xen-syms(){
+ _makevars_package=("${_makevars[@]}" DESTDIR="$pkgdir")
+ pkgdesc='Xen virtual machine hypervisor debugging symbols'
+ arch=('any')
+ depends=()
+ _installdir="${pkgdir}/usr/lib/debug"
+ cd "$_pkgname-$_pkgver/"
+ install -d -m0755 "$_installdir"
+ for _path in $(find xen -type f \( -name '*-syms' -or -name '*\.map' \)); do
+ _file=$(basename "$_path")
+ _installfile=$(echo "$_file" |
+ sed "s/\([^.]*\)\(\.*\)/\1-${_pkgver}\2/" )
+ install -D -m0644 -p "$_path" "$_installdir/$_installfile"
+ done
+}
diff --git a/pcr-testing/xen/ati-passthrough.patch b/pcr-testing/xen/ati-passthrough.patch
new file mode 100644
index 000000000..7c20b1ecd
--- /dev/null
+++ b/pcr-testing/xen/ati-passthrough.patch
@@ -0,0 +1,415 @@
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pass-through.c Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pass-through.c Sat Nov 24 08:27:07 2012
+@@ -1438,9 +1438,17 @@ static void pt_ioport_map(PCIDevice *d,
+ if (e_phys != -1)
+ {
+ /* Create new mapping */
+- ret = xc_domain_ioport_mapping(xc_handle, domid, e_phys,
+- assigned_device->bases[i].access.pio_base, e_size,
+- DPCI_ADD_MAPPING);
++ if ( vga_skip_ioport_map(d) )
++ {
++ assigned_device->bases[i].e_physbase = -1;
++ }
++ else
++ {
++ ret = xc_domain_ioport_mapping(xc_handle, domid, e_phys,
++ assigned_device->bases[i].access.pio_base, e_size,
++ DPCI_ADD_MAPPING);
++ }
++
+ if ( ret != 0 )
+ {
+ PT_LOG("Error: create new mapping failed!\n");
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pass-through.h Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pass-through.h Sat Nov 24 08:27:07 2012
+@@ -419,6 +419,11 @@ int pt_pci_host_write(struct pci_dev *pc
+ void intel_pch_init(PCIBus *bus);
+ int register_vga_regions(struct pt_dev *real_device);
+ int unregister_vga_regions(struct pt_dev *real_device);
++int vga_skip_ioport_map(PCIDevice *d);
++int igd_register_vga_regions(struct pt_dev *real_device);
++int igd_unregister_vga_regions(struct pt_dev *real_device);
++int ati_register_vga_regions(struct pt_dev *real_device);
++int ati_unregister_vga_regions(struct pt_dev *real_device);
+ int setup_vga_pt(struct pt_dev *real_device);
+ PCIBus *intel_pci_bridge_init(PCIBus *bus, int devfn, uint16_t vid,
+ uint16_t did, const char *name, uint16_t revision);
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pci.h Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pci.h Sat Nov 24 08:27:07 2012
+@@ -54,6 +54,8 @@ extern target_phys_addr_t pci_mem_base;
+
+ #define PCI_VENDOR_ID_CIRRUS 0x1013
+
++#define PCI_VENDOR_ID_ATI 0x1002
++
+ #define PCI_VENDOR_ID_IBM 0x1014
+ #define PCI_DEVICE_ID_IBM_OPENPIC2 0xffff
+
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pt-graphics.c Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pt-graphics.c Sat Nov 24 08:28:10 2012
+@@ -13,6 +13,207 @@
+
+ extern int gfx_passthru;
+ extern int igd_passthru;
++/*********************************/
++/* Code for ATI GFX Passthru */
++/*********************************/
++/* ATI VBIOS Working Mechanism
++ *
++ * Generally there are three memory resources (two MMIO and one PIO)
++ * associated with modern ATI gfx. VBIOS uses special tricks to figure out
++ * BARs, instead of using regular PCI config space read.
++ *
++ * (1) VBIOS relies on I/O port 0x3C3 to retrieve PIO BAR
++ * (2) VBIOS maintains a shadow copy of PCI configure space. It retries the
++ * MMIO BARs from this shadow copy via sending I/O requests to first two
++ * registers of PIO (MMINDEX and MMDATA). The workflow is like this:
++ * MMINDEX (register 0) is written with an index value, specifying the
++ * register VBIOS wanting to access. Then the shadowed data can be
++ * read/written from MMDATA (register 1). For two MMIO BARs, the index
++ * values are 0x4010 and 0x4014 respectively.
++ *
++ */
++
++#define ATI_BAR1_INDEX 0 //MMIO BAR1
++#define ATI_BAR2_INDEX 1 //MMIO BAR2
++#define ATI_BAR5_INDEX 4 //PIO BAR == BAR5
++
++#define ATI_BAR1_MMINDEX 0x4010 //data written to MMINDEX for MMIO BAR1
++#define ATI_BAR2_MMINDEX 0x4014 //data written to MMINDEX FOR MMIO BAR2
++
++struct ati_gfx_info {
++ int initialized; /* initialized already? */
++
++ /* PIO */
++ uint32_t host_pio_base; /* host base addr of PIO */
++ uint32_t guest_pio_base; /* guest base addr of PIO */
++ uint32_t pio_size; /* PIO size */
++
++ /* MMIO */
++ uint32_t guest_mmio_base1; /* guest base addr of MMIO 1 */
++ uint32_t guest_mmio_base2; /* guest base addr of MMIO 2 */
++
++ /* PIO MMINDEX access recording */
++ uint32_t pre_mmindex_data; /* previous data written to MMINDEX */
++};
++
++static struct ati_gfx_info gfx_info;
++
++/* Convert guest PIO port to host PIO port */
++static uint16_t gport_to_hport(uint16_t gport)
++{
++ return (gport - gfx_info.guest_pio_base) + gfx_info.host_pio_base;
++}
++
++/* Read host PIO port */
++static uint32_t ati_hw_in(uint16_t hport)
++{
++ unsigned val;
++
++ //iopl(3);
++ asm volatile ("in %1,%0":"=a"(val):"Nd"(hport));
++ //iopl(0);
++
++ return val;
++}
++
++/* Write data to host PIO */
++static void ati_hw_out(uint16_t hport, uint32_t data)
++{
++ //iopl(3);
++ asm volatile ("out %1, %0"::"Nd"(hport),"a"(data));
++ //iopl(0);
++}
++
++static uint32_t ati_io_regs_read(void *opaque, uint32_t addr)
++{
++ uint32_t val;
++
++ val = ati_hw_in(gport_to_hport(addr));
++
++ /* tweak the value if VBIOS is reading MMIO BAR1 and BAR2 */
++ if ( addr == (gfx_info.guest_pio_base + 4) )
++ {
++ switch ( gfx_info.pre_mmindex_data )
++ {
++ case ATI_BAR1_MMINDEX:
++ val = gfx_info.guest_mmio_base1 | (val & 0x0000000f);
++ break;
++ case ATI_BAR2_MMINDEX:
++ val = gfx_info.guest_mmio_base2 | (val & 0x0000000f);
++ break;
++ default:
++ break;
++ }
++ }
++
++ return val;
++}
++
++static void ati_io_regs_write(void *opaque, uint32_t addr, uint32_t val)
++{
++ ati_hw_out(gport_to_hport(addr), val);
++
++ /* book keeping */
++ if ( addr == gfx_info.guest_pio_base )
++ gfx_info.pre_mmindex_data = val;
++}
++
++static void ati_gfx_init(struct pt_dev *assigned)
++{
++ PCIDevice *dev = (PCIDevice *)&assigned->dev;
++
++ register_ioport_read(dev->io_regions[ATI_BAR5_INDEX].addr,
++ dev->io_regions[ATI_BAR5_INDEX].size, 4, ati_io_regs_read, assigned);
++
++ register_ioport_write(dev->io_regions[ATI_BAR5_INDEX].addr,
++ dev->io_regions[ATI_BAR5_INDEX].size, 4, ati_io_regs_write, assigned);
++
++ /* initialize IO registers */
++ gfx_info.guest_pio_base = dev->io_regions[ATI_BAR5_INDEX].addr;
++ gfx_info.pio_size = dev->io_regions[ATI_BAR5_INDEX].size;
++ gfx_info.host_pio_base = assigned->bases[ATI_BAR5_INDEX].access.pio_base;
++
++ gfx_info.guest_mmio_base1 = dev->io_regions[ATI_BAR1_INDEX].addr;
++ gfx_info.guest_mmio_base2 = dev->io_regions[ATI_BAR2_INDEX].addr;
++ gfx_info.initialized = 1;
++
++ PT_LOG("guest_pio_bar = 0x%x, host_pio_bar = 0x%x, pio_size=0x%x "
++ "guest_mmio_bar1=0x%x, guest_mmio_bar2=0x%x\n",
++ gfx_info.guest_pio_base, gfx_info.host_pio_base, gfx_info.pio_size,
++ gfx_info.guest_mmio_base1, gfx_info.guest_mmio_base2);
++}
++
++static uint32_t ati_legacy_io_read(void *opaque, uint32_t addr)
++{
++ struct pt_dev *assigned_device = opaque;
++ PCIDevice *dev = (PCIDevice *)&assigned_device->dev;
++ uint32_t val = 0xFF;
++
++ switch( addr )
++ {
++ case 0x3c3:
++ val = dev->io_regions[ATI_BAR5_INDEX].addr >> 8;
++ /* Intercept GFX IO registers. This supposes to happen in
++ * ati_register_vga_regions(). But we cannot get guest phys IO BAR
++ * over there. */
++ if ( !gfx_info.initialized )
++ ati_gfx_init(assigned_device);
++ break;
++ default:
++ PT_LOG("ERROR: port 0x%x I/O read not handled\n", addr);
++ break;
++ }
++
++ return val;
++}
++
++static void ati_legacy_io_write(void *opaque, uint32_t addr, uint32_t val)
++{
++ PT_LOG("ERROR: port 0x%x I/O write not handled\n", addr);
++}
++
++int ati_register_vga_regions(struct pt_dev *real_device)
++{
++ PCIDevice *dev = (PCIDevice *)&real_device->dev;
++ int ret = 0;
++
++ /* We need to intercept VBIOS accesses to port 0x3C3, which returns
++ * device port I/O BAR. For the rest of legacy I/O ports, we allow direct
++ * accesses.
++ */
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x3, DPCI_ADD_MAPPING);
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C4,
++ 0x3C4, 0x1C, DPCI_ADD_MAPPING);
++
++ register_ioport_read(0x3c3, 1, 1, ati_legacy_io_read, real_device);
++ register_ioport_write(0x3c3, 1, 1, ati_legacy_io_write, real_device);
++
++ /* initialized on the first port 0x3C3 access in ati_gfx_init */
++ gfx_info.initialized = 0;
++
++ return ret;
++}
++
++int ati_unregister_vga_regions(struct pt_dev *real_device)
++{
++ int ret = 0;
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x3, DPCI_REMOVE_MAPPING);
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C4,
++ 0x3C4, 0x1C, DPCI_REMOVE_MAPPING);
++
++ gfx_info.initialized = 0;
++
++ return ret;
++}
++
++/*********************************/
++/* Code for Intel IGD Passthru */
++/*********************************/
+
+ static uint32_t igd_guest_opregion = 0;
+
+@@ -176,6 +377,77 @@ read_default:
+ return pci_default_read_config(pci_dev, config_addr, len);
+ }
+
++int igd_register_vga_regions(struct pt_dev *real_device)
++{
++ u32 vendor_id, igd_opregion;
++ int ret = 0;
++
++ /* legacy I/O ports 0x3C0 -- 0x3E0 */
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x20, DPCI_ADD_MAPPING);
++
++ /* 1:1 map ASL Storage register value */
++ vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
++ igd_opregion = pt_pci_host_read(real_device->pci_dev, PCI_INTEL_OPREGION, 4);
++ if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_opregion )
++ {
++ ret |= xc_domain_memory_mapping(xc_handle, domid,
++ igd_opregion >> XC_PAGE_SHIFT,
++ igd_opregion >> XC_PAGE_SHIFT,
++ 2,
++ DPCI_ADD_MAPPING);
++ PT_LOG("register_vga: igd_opregion = %x\n", igd_opregion);
++ }
++
++ return ret;
++}
++
++int igd_unregister_vga_regions(struct pt_dev *real_device)
++{
++ u32 vendor_id, igd_opregion;
++ int ret = 0;
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x20, DPCI_REMOVE_MAPPING);
++
++ vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
++ igd_opregion = pt_pci_host_read(real_device->pci_dev, PCI_INTEL_OPREGION, 4);
++ if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_opregion )
++ {
++ ret |= xc_domain_memory_mapping(xc_handle, domid,
++ igd_opregion >> XC_PAGE_SHIFT,
++ igd_opregion >> XC_PAGE_SHIFT,
++ 2,
++ DPCI_REMOVE_MAPPING);
++ }
++
++ return ret;
++}
++/*********************************/
++/* Generic Code for GFX Passthru */
++/*********************************/
++/* This function decides whether I/O port map should be skipped */
++int vga_skip_ioport_map(PCIDevice *d)
++{
++ struct pt_dev *dev = (struct pt_dev *)d;
++ int skip = 0;
++
++ if ( !gfx_passthru || dev->pci_dev->device_class != 0x0300 )
++ return 0;
++
++ switch( dev->pci_dev->vendor_id )
++ {
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ skip = 1;
++ break;
++ default:
++ skip = 0;
++ break;
++ }
++
++ return skip;
++}
+ /*
+ * register VGA resources for the domain with assigned gfx
+ */
+@@ -187,18 +459,33 @@ int register_vga_regions(struct pt_dev *
+ if ( !gfx_passthru || real_device->pci_dev->device_class != 0x0300 )
+ return ret;
+
++ /* legacy I/O ports 0x3B0 - 0x3BC */
+ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3B0,
+ 0x3B0, 0xC, DPCI_ADD_MAPPING);
+
+- ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
+- 0x3C0, 0x20, DPCI_ADD_MAPPING);
+-
++ /* legacy video MMIO range 0xA0000 - 0xBFFFF */
+ ret |= xc_domain_memory_mapping(xc_handle, domid,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0x20,
+ DPCI_ADD_MAPPING);
+
++ /* Other VGA regions are vendor specific */
++ switch( real_device->pci_dev->vendor_id )
++ {
++ case PCI_VENDOR_ID_INTEL:
++ ret = igd_register_vga_regions(real_device);
++ break;
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ ret = ati_register_vga_regions(real_device);
++ break;
++ default:
++ PT_LOG("gfx card wasn't supported by Xen passthru!\n");
++ ret = 1;
++ break;
++ }
++
+ if ( ret != 0 )
+ PT_LOG("VGA region mapping failed\n");
+
+@@ -216,26 +503,31 @@ int unregister_vga_regions(struct pt_dev
+ if ( !gfx_passthru || real_device->pci_dev->device_class != 0x0300 )
+ return ret;
+
++ /* legacy I/O ports 0x3B0 - 0x3BC */
+ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3B0,
+ 0x3B0, 0xC, DPCI_REMOVE_MAPPING);
+
+- ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
+- 0x3C0, 0x20, DPCI_REMOVE_MAPPING);
+-
++ /* legacy video MMIO range 0xA0000 - 0xBFFFF */
+ ret |= xc_domain_memory_mapping(xc_handle, domid,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 20,
+ DPCI_REMOVE_MAPPING);
+
+- vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
+- if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_guest_opregion )
++ /* Other VGA regions are vendor specific */
++ switch( real_device->pci_dev->vendor_id )
+ {
+- ret |= xc_domain_memory_mapping(xc_handle, domid,
+- igd_guest_opregion >> XC_PAGE_SHIFT,
+- igd_guest_opregion >> XC_PAGE_SHIFT,
+- 2,
+- DPCI_REMOVE_MAPPING);
++ case PCI_VENDOR_ID_INTEL:
++ ret = igd_unregister_vga_regions(real_device);
++ break;
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ ret = ati_unregister_vga_regions(real_device);
++ break;
++ default:
++ PT_LOG("gfx card wasn't supported by Xen passthru!\n");
++ ret = 1;
++ break;
+ }
+
+ if ( ret != 0 )
diff --git a/pcr-testing/xen/efi-xen.cfg b/pcr-testing/xen/efi-xen.cfg
new file mode 100644
index 000000000..3c8e4d04c
--- /dev/null
+++ b/pcr-testing/xen/efi-xen.cfg
@@ -0,0 +1,7 @@
+[global]
+default=xen
+
+[xen]
+options=console=vga dom0_mem=1024M,max:1024M dom0_max_vcpus=4 loglvl=all noreboot
+kernel=vmlinuz-linux-libre root=<Root Device> rw
+ramdisk=initramfs-linux-libre.img
diff --git a/pcr-testing/xen/patch-gcc7-minios-udivmod.patch b/pcr-testing/xen/patch-gcc7-minios-udivmod.patch
new file mode 100644
index 000000000..868e63c20
--- /dev/null
+++ b/pcr-testing/xen/patch-gcc7-minios-udivmod.patch
@@ -0,0 +1,31 @@
+gcc7 generates a call to __udivmoddi4 ...
+
+stubdom/mini-os-x86_32-grub/mini-os.o: In function `_strtoll_r':
+stubdom/newlib-x86_32/i686-xen-elf/newlib/libc/stdlib/../../../../../newlib-1.16.0/newlib/libc/stdlib/strtoll_r.c:110: undefined reference to `__udivmoddi4'
+make[2]: *** [Makefile:167: stubdom/mini-os-x86_32-grub/mini-os] Error 1
+
+... which the linker only finds if libgcc.a is provided on the commandline.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index ef8559b..b9c1336 100644
+--- a/Makefile
++++ b/Makefile
+@@ -162,7 +162,7 @@ $(OBJ_DIR)/arch/x86/minios-x86%.lds: arch/x86/minios-x86.lds.S
+ $(CPP) $(ASFLAGS) -P $< -o $@
+
+ $(OBJ_DIR)/$(TARGET): $(OBJS) $(APP_O) arch_lib $(OBJ_DIR)/$(TARGET_ARCH_DIR)/minios-$(MINIOS_TARGET_ARCH).lds
+- $(LD) -r $(LDFLAGS) $(HEAD_OBJ) $(APP_O) $(OBJS) $(LDARCHLIB) $(LDLIBS) -o $@.o
++ $(LD) -r $(LDFLAGS) $(HEAD_OBJ) $(APP_O) $(OBJS) $(LDARCHLIB) $(LDLIBS) $$(gcc -print-libgcc-file-name $(CFLAGS)) -o $@.o
+ $(OBJCOPY) -w -G $(GLOBAL_PREFIX)* -G _start $@.o $@.o
+ $(LD) $(LDFLAGS) $(LDFLAGS_FINAL) $@.o $(EXTRA_OBJS) -o $@
+ gzip -f -9 -c $@ >$@.gz
+
+_______________________________________________
+Xen-devel mailing list
+Xen-devel@lists.xen.org
+https://lists.xen.org/xen-devel
diff --git a/pcr-testing/xen/patch-gcc7-vtpm-implicit-fallthrough.patch b/pcr-testing/xen/patch-gcc7-vtpm-implicit-fallthrough.patch
new file mode 100644
index 000000000..068752d2d
--- /dev/null
+++ b/pcr-testing/xen/patch-gcc7-vtpm-implicit-fallthrough.patch
@@ -0,0 +1,46 @@
+GCC-7 have -Wimplicit-fallthrough enabled with -Wextra. Add appropriate
+comment which both mute the warning and improve readibility.
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+ stubdom/Makefile | 1 +
+ stubdom/vtpm-implicit-fallthrough.patch | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+ create mode 100644 stubdom/vtpm-implicit-fallthrough.patch
+
+diff --git a/stubdom/Makefile b/stubdom/Makefile
+index db01827..5055e31 100644
+--- a/stubdom/Makefile
++++ b/stubdom/Makefile
+@@ -228,6 +228,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): tpm_emulator-$(TPMEMU_VERSION).tar.gz
+ patch -d $@ -p1 < vtpm-deepquote.patch
+ patch -d $@ -p1 < vtpm-deepquote-anyloc.patch
+ patch -d $@ -p1 < vtpm-cmake-Wextra.patch
++ patch -d $@ -p1 < vtpm-implicit-fallthrough.patch
+ mkdir $@/build
+ cd $@/build; CC=${CC} $(CMAKE) .. -DCMAKE_C_FLAGS:STRING="-std=c99 -DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -Wno-declaration-after-statement"
+ touch $@
+diff --git a/stubdom/vtpm-implicit-fallthrough.patch b/stubdom/vtpm-implicit-fallthrough.patch
+new file mode 100644
+index 0000000..db97be5
+--- /dev/null
++++ b/stubdom/vtpm-implicit-fallthrough.patch
+@@ -0,0 +1,10 @@
++--- tpm_emulator-x86_64/tpm/tpm_cmd_handler.c.orig 2017-04-27 13:37:14.408000000 +0200
+++++ tpm_emulator-x86_64/tpm/tpm_cmd_handler.c 2017-04-27 13:39:53.585000000 +0200
++@@ -3397,6 +3397,7 @@
++ sizeof(rsp->auth2->nonceOdd.nonce));
++ tpm_hmac_update(&hmac, (BYTE*)&rsp->auth2->continueAuthSession, 1);
++ tpm_hmac_final(&hmac, rsp->auth2->auth);
+++ /* fall-thru */
++ case TPM_TAG_RSP_AUTH1_COMMAND:
++ tpm_hmac_init(&hmac, rsp->auth1->secret, sizeof(rsp->auth1->secret));
++ tpm_hmac_update(&hmac, rsp->auth1->digest, sizeof(rsp->auth1->digest));
+--
+2.7.4
+
+
+_______________________________________________
+Xen-devel mailing list
+Xen-devel@lists.xen.org
+https://lists.xen.org/xen-devel
diff --git a/pcr-testing/xen/patch-gcc7-vtpmmgr-make-inline-static.patch b/pcr-testing/xen/patch-gcc7-vtpmmgr-make-inline-static.patch
new file mode 100644
index 000000000..a2c96691a
--- /dev/null
+++ b/pcr-testing/xen/patch-gcc7-vtpmmgr-make-inline-static.patch
@@ -0,0 +1,1161 @@
+gcc7 is more strict with functions marked as inline. They are not
+automatically inlined. Instead a function call is generated, but the
+actual code is not visible by the linker.
+
+Do a mechanical change and mark every 'inline' as 'static inline'. For
+simpler review the static goes into an extra line.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+---
+ stubdom/vtpmmgr/marshal.h | 76 ++++++++++++++++++++++++++++++++++++++++++
+ stubdom/vtpmmgr/tcg.h | 14 ++++++++
+ stubdom/vtpmmgr/tpm2_marshal.h | 58 ++++++++++++++++++++++++++++++++
+ stubdom/vtpmmgr/tpmrsa.h | 1 +
+ 4 files changed, 149 insertions(+)
+
+diff --git a/stubdom/vtpmmgr/marshal.h b/stubdom/vtpmmgr/marshal.h
+index d826f19d89..dce19c6439 100644
+--- a/stubdom/vtpmmgr/marshal.h
++++ b/stubdom/vtpmmgr/marshal.h
+@@ -47,16 +47,19 @@ typedef enum UnpackPtr {
+ UNPACK_ALLOC
+ } UnpackPtr;
+
++static
+ inline BYTE* pack_BYTE(BYTE* ptr, BYTE t) {
+ ptr[0] = t;
+ return ++ptr;
+ }
+
++static
+ inline BYTE* unpack_BYTE(BYTE* ptr, BYTE* t) {
+ t[0] = ptr[0];
+ return ++ptr;
+ }
+
++static
+ inline int unpack3_BYTE(BYTE* ptr, UINT32* pos, UINT32 max, BYTE *t)
+ {
+ if (*pos + 1 > max)
+@@ -72,18 +75,21 @@ inline int unpack3_BYTE(BYTE* ptr, UINT32* pos, UINT32 max, BYTE *t)
+ #define unpack3_BOOL(p, x, m, t) unpack3_BYTE(p, x, m, t)
+ #define sizeof_BOOL(t) 1
+
++static
+ inline BYTE* pack_UINT16(void* ptr, UINT16 t) {
+ UINT16* p = ptr;
+ *p = cpu_to_be16(t);
+ return ptr + sizeof(UINT16);
+ }
+
++static
+ inline BYTE* unpack_UINT16(void* ptr, UINT16* t) {
+ UINT16* p = ptr;
+ *t = be16_to_cpu(*p);
+ return ptr + sizeof(UINT16);
+ }
+
++static
+ inline int unpack3_UINT16(BYTE* ptr, UINT32* pos, UINT32 max, UINT16 *t)
+ {
+ if (*pos + 2 > max)
+@@ -93,18 +99,21 @@ inline int unpack3_UINT16(BYTE* ptr, UINT32* pos, UINT32 max, UINT16 *t)
+ return 0;
+ }
+
++static
+ inline BYTE* pack_UINT32(void* ptr, UINT32 t) {
+ UINT32* p = ptr;
+ *p = cpu_to_be32(t);
+ return ptr + sizeof(UINT32);
+ }
+
++static
+ inline BYTE* unpack_UINT32(void* ptr, UINT32* t) {
+ UINT32* p = ptr;
+ *t = be32_to_cpu(*p);
+ return ptr + sizeof(UINT32);
+ }
+
++static
+ inline int unpack3_UINT32(BYTE* ptr, UINT32* pos, UINT32 max, UINT32 *t)
+ {
+ if (*pos + 4 > max)
+@@ -236,16 +245,19 @@ inline int unpack3_UINT32(BYTE* ptr, UINT32* pos, UINT32 max, UINT32 *t)
+ #define sizeof_TCS_KEY_HANDLE(t) sizeof_UINT32(t)
+
+
++static
+ inline BYTE* pack_BUFFER(BYTE* ptr, const BYTE* buf, UINT32 size) {
+ memcpy(ptr, buf, size);
+ return ptr + size;
+ }
+
++static
+ inline BYTE* unpack_BUFFER(BYTE* ptr, BYTE* buf, UINT32 size) {
+ memcpy(buf, ptr, size);
+ return ptr + size;
+ }
+
++static
+ inline int unpack3_BUFFER(BYTE* ptr, UINT32* pos, UINT32 max, BYTE* buf, UINT32 size) {
+ if (*pos + size > max)
+ return TPM_SIZE;
+@@ -256,11 +268,13 @@ inline int unpack3_BUFFER(BYTE* ptr, UINT32* pos, UINT32 max, BYTE* buf, UINT32
+
+ #define sizeof_BUFFER(b, s) s
+
++static
+ inline BYTE* unpack_ALIAS(BYTE* ptr, BYTE** buf, UINT32 size) {
+ *buf = ptr;
+ return ptr + size;
+ }
+
++static
+ inline BYTE* unpack_ALLOC(BYTE* ptr, BYTE** buf, UINT32 size) {
+ if(size) {
+ *buf = malloc(size);
+@@ -271,6 +285,7 @@ inline BYTE* unpack_ALLOC(BYTE* ptr, BYTE** buf, UINT32 size) {
+ return ptr + size;
+ }
+
++static
+ inline BYTE* unpack_PTR(BYTE* ptr, BYTE** buf, UINT32 size, UnpackPtr alloc) {
+ if(alloc == UNPACK_ALLOC) {
+ return unpack_ALLOC(ptr, buf, size);
+@@ -279,6 +294,7 @@ inline BYTE* unpack_PTR(BYTE* ptr, BYTE** buf, UINT32 size, UnpackPtr alloc) {
+ }
+ }
+
++static
+ inline int unpack3_PTR(BYTE* ptr, UINT32* pos, UINT32 max, BYTE** buf, UINT32 size, UnpackPtr alloc) {
+ if (size > max || *pos + size > max)
+ return TPM_SIZE;
+@@ -292,14 +308,17 @@ inline int unpack3_PTR(BYTE* ptr, UINT32* pos, UINT32 max, BYTE** buf, UINT32 si
+ }
+ #define unpack3_VPTR(ptr, pos, max, buf, size, alloc) unpack3_PTR(ptr, pos, max, (void*)(buf), size, alloc)
+
++static
+ inline BYTE* pack_TPM_AUTHDATA(BYTE* ptr, const TPM_AUTHDATA* d) {
+ return pack_BUFFER(ptr, *d, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline BYTE* unpack_TPM_AUTHDATA(BYTE* ptr, TPM_AUTHDATA* d) {
+ return unpack_BUFFER(ptr, *d, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline int unpack3_TPM_AUTHDATA(BYTE* ptr, UINT32* pos, UINT32 len, TPM_AUTHDATA* d) {
+ return unpack3_BUFFER(ptr, pos, len, *d, TPM_DIGEST_SIZE);
+ }
+@@ -325,6 +344,7 @@ inline int unpack3_TPM_AUTHDATA(BYTE* ptr, UINT32* pos, UINT32 len, TPM_AUTHDATA
+ #define sizeof_TPM_TAG(t) sizeof_UINT16(t)
+ #define sizeof_TPM_STRUCTURE_TAG(t) sizeof_UINT16(t)
+
++static
+ inline BYTE* pack_TPM_VERSION(BYTE* ptr, const TPM_VERSION* t) {
+ ptr[0] = t->major;
+ ptr[1] = t->minor;
+@@ -333,6 +353,7 @@ inline BYTE* pack_TPM_VERSION(BYTE* ptr, const TPM_VERSION* t) {
+ return ptr + 4;
+ }
+
++static
+ inline BYTE* unpack_TPM_VERSION(BYTE* ptr, TPM_VERSION* t) {
+ t->major = ptr[0];
+ t->minor = ptr[1];
+@@ -341,6 +362,7 @@ inline BYTE* unpack_TPM_VERSION(BYTE* ptr, TPM_VERSION* t) {
+ return ptr + 4;
+ }
+
++static
+ inline int unpack3_TPM_VERSION(BYTE* ptr, UINT32 *pos, UINT32 max, TPM_VERSION* t) {
+ if (*pos + 4 > max)
+ return TPM_SIZE;
+@@ -355,6 +377,7 @@ inline int unpack3_TPM_VERSION(BYTE* ptr, UINT32 *pos, UINT32 max, TPM_VERSION*
+
+ #define sizeof_TPM_VERSION(x) 4
+
++static
+ inline BYTE* pack_TPM_CAP_VERSION_INFO(BYTE* ptr, const TPM_CAP_VERSION_INFO* v) {
+ ptr = pack_TPM_STRUCTURE_TAG(ptr, v->tag);
+ ptr = pack_TPM_VERSION(ptr, &v->version);
+@@ -366,6 +389,7 @@ inline BYTE* pack_TPM_CAP_VERSION_INFO(BYTE* ptr, const TPM_CAP_VERSION_INFO* v)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM_CAP_VERSION_INFO(BYTE* ptr, TPM_CAP_VERSION_INFO* v, UnpackPtr alloc) {
+ ptr = unpack_TPM_STRUCTURE_TAG(ptr, &v->tag);
+ ptr = unpack_TPM_VERSION(ptr, &v->version);
+@@ -377,14 +401,17 @@ inline BYTE* unpack_TPM_CAP_VERSION_INFO(BYTE* ptr, TPM_CAP_VERSION_INFO* v, Unp
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM_DIGEST(BYTE* ptr, const TPM_DIGEST* d) {
+ return pack_BUFFER(ptr, d->digest, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline BYTE* unpack_TPM_DIGEST(BYTE* ptr, TPM_DIGEST* d) {
+ return unpack_BUFFER(ptr, d->digest, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline int unpack3_TPM_DIGEST(BYTE* ptr, UINT32* pos, UINT32 max, TPM_DIGEST* d) {
+ return unpack3_BUFFER(ptr, pos, max, d->digest, TPM_DIGEST_SIZE);
+ }
+@@ -409,20 +436,24 @@ inline int unpack3_TPM_DIGEST(BYTE* ptr, UINT32* pos, UINT32 max, TPM_DIGEST* d)
+ #define pack_TPM_CHOSENID_HASH(ptr, d) pack_TPM_DIGEST(ptr, d)
+ #define unpack_TPM_CHOSENID_HASH(ptr, d) unpack_TPM_DIGEST(ptr, d)
+
++static
+ inline BYTE* pack_TPM_NONCE(BYTE* ptr, const TPM_NONCE* n) {
+ return pack_BUFFER(ptr, n->nonce, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline BYTE* unpack_TPM_NONCE(BYTE* ptr, TPM_NONCE* n) {
+ return unpack_BUFFER(ptr, n->nonce, TPM_DIGEST_SIZE);
+ }
+
+ #define sizeof_TPM_NONCE(x) TPM_DIGEST_SIZE
+
++static
+ inline int unpack3_TPM_NONCE(BYTE* ptr, UINT32* pos, UINT32 max, TPM_NONCE* n) {
+ return unpack3_BUFFER(ptr, pos, max, n->nonce, TPM_DIGEST_SIZE);
+ }
+
++static
+ inline BYTE* pack_TPM_SYMMETRIC_KEY_PARMS(BYTE* ptr, const TPM_SYMMETRIC_KEY_PARMS* k) {
+ ptr = pack_UINT32(ptr, k->keyLength);
+ ptr = pack_UINT32(ptr, k->blockSize);
+@@ -430,6 +461,7 @@ inline BYTE* pack_TPM_SYMMETRIC_KEY_PARMS(BYTE* ptr, const TPM_SYMMETRIC_KEY_PAR
+ return pack_BUFFER(ptr, k->IV, k->ivSize);
+ }
+
++static
+ inline BYTE* pack_TPM_SYMMETRIC_KEY(BYTE* ptr, const TPM_SYMMETRIC_KEY* k) {
+ ptr = pack_UINT32(ptr, k->algId);
+ ptr = pack_UINT16(ptr, k->encScheme);
+@@ -437,6 +469,7 @@ inline BYTE* pack_TPM_SYMMETRIC_KEY(BYTE* ptr, const TPM_SYMMETRIC_KEY* k) {
+ return pack_BUFFER(ptr, k->data, k->size);
+ }
+
++static
+ inline int unpack3_TPM_SYMMETRIC_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 max, TPM_SYMMETRIC_KEY_PARMS* k, UnpackPtr alloc) {
+ return unpack3_UINT32(ptr, pos, max, &k->keyLength) ||
+ unpack3_UINT32(ptr, pos, max, &k->blockSize) ||
+@@ -444,10 +477,12 @@ inline int unpack3_TPM_SYMMETRIC_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 max, T
+ unpack3_PTR(ptr, pos, max, &k->IV, k->ivSize, alloc);
+ }
+
++static
+ inline int sizeof_TPM_SYMMETRIC_KEY_PARMS(const TPM_SYMMETRIC_KEY_PARMS* k) {
+ return 12 + k->ivSize;
+ }
+
++static
+ inline int unpack3_TPM_SYMMETRIC_KEY(BYTE* ptr, UINT32* pos, UINT32 max, TPM_SYMMETRIC_KEY* k, UnpackPtr alloc) {
+ return unpack3_UINT32(ptr, pos, max, &k->algId) ||
+ unpack3_UINT16(ptr, pos, max, &k->encScheme) ||
+@@ -455,6 +490,7 @@ inline int unpack3_TPM_SYMMETRIC_KEY(BYTE* ptr, UINT32* pos, UINT32 max, TPM_SYM
+ unpack3_PTR(ptr, pos, max, &k->data, k->size, alloc);
+ }
+
++static
+ inline BYTE* pack_TPM_RSA_KEY_PARMS(BYTE* ptr, const TPM_RSA_KEY_PARMS* k) {
+ ptr = pack_UINT32(ptr, k->keyLength);
+ ptr = pack_UINT32(ptr, k->numPrimes);
+@@ -462,6 +498,7 @@ inline BYTE* pack_TPM_RSA_KEY_PARMS(BYTE* ptr, const TPM_RSA_KEY_PARMS* k) {
+ return pack_BUFFER(ptr, k->exponent, k->exponentSize);
+ }
+
++static
+ inline int unpack3_TPM_RSA_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 max, TPM_RSA_KEY_PARMS* k, UnpackPtr alloc) {
+ return unpack3_UINT32(ptr, pos, max, &k->keyLength) ||
+ unpack3_UINT32(ptr, pos, max, &k->numPrimes) ||
+@@ -469,11 +506,13 @@ inline int unpack3_TPM_RSA_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 max, TPM_RSA
+ unpack3_PTR(ptr, pos, max, &k->exponent, k->exponentSize, alloc);
+ }
+
++static
+ inline int sizeof_TPM_RSA_KEY_PARMS(const TPM_RSA_KEY_PARMS* k) {
+ return 12 + k->exponentSize;
+ }
+
+
++static
+ inline BYTE* pack_TPM_KEY_PARMS(BYTE* ptr, const TPM_KEY_PARMS* k) {
+ ptr = pack_TPM_ALGORITHM_ID(ptr, k->algorithmID);
+ ptr = pack_TPM_ENC_SCHEME(ptr, k->encScheme);
+@@ -493,6 +532,7 @@ inline BYTE* pack_TPM_KEY_PARMS(BYTE* ptr, const TPM_KEY_PARMS* k) {
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 len, TPM_KEY_PARMS* k, UnpackPtr alloc) {
+ int rc = unpack3_TPM_ALGORITHM_ID(ptr, pos, len, &k->algorithmID) ||
+ unpack3_TPM_ENC_SCHEME(ptr, pos, len, &k->encScheme) ||
+@@ -511,6 +551,7 @@ inline int unpack3_TPM_KEY_PARMS(BYTE* ptr, UINT32* pos, UINT32 len, TPM_KEY_PAR
+ return TPM_FAIL;
+ }
+
++static
+ inline int sizeof_TPM_KEY_PARMS(const TPM_KEY_PARMS* k) {
+ int rc = 0;
+ rc += sizeof_TPM_ALGORITHM_ID(&k->algorithmID);
+@@ -532,52 +573,62 @@ inline int sizeof_TPM_KEY_PARMS(const TPM_KEY_PARMS* k) {
+ return rc;
+ }
+
++static
+ inline BYTE* pack_TPM_STORE_PUBKEY(BYTE* ptr, const TPM_STORE_PUBKEY* k) {
+ ptr = pack_UINT32(ptr, k->keyLength);
+ ptr = pack_BUFFER(ptr, k->key, k->keyLength);
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_STORE_PUBKEY(BYTE* ptr, UINT32* pos, UINT32 max, TPM_STORE_PUBKEY* k, UnpackPtr alloc) {
+ return unpack3_UINT32(ptr, pos, max, &k->keyLength) ||
+ unpack3_PTR(ptr, pos, max, &k->key, k->keyLength, alloc);
+ }
+
++static
+ inline int sizeof_TPM_STORE_PUBKEY(const TPM_STORE_PUBKEY* k) {
+ return 4 + k->keyLength;
+ }
+
++static
+ inline BYTE* pack_TPM_PUBKEY(BYTE* ptr, const TPM_PUBKEY* k) {
+ ptr = pack_TPM_KEY_PARMS(ptr, &k->algorithmParms);
+ return pack_TPM_STORE_PUBKEY(ptr, &k->pubKey);
+ }
+
++static
+ inline int unpack3_TPM_PUBKEY(BYTE* ptr, UINT32* pos, UINT32 len, TPM_PUBKEY* k, UnpackPtr alloc) {
+ return unpack3_TPM_KEY_PARMS(ptr, pos, len, &k->algorithmParms, alloc) ||
+ unpack3_TPM_STORE_PUBKEY(ptr, pos, len, &k->pubKey, alloc);
+ }
+
++static
+ inline BYTE* pack_TPM_PCR_SELECTION(BYTE* ptr, const TPM_PCR_SELECTION* p) {
+ ptr = pack_UINT16(ptr, p->sizeOfSelect);
+ ptr = pack_BUFFER(ptr, p->pcrSelect, p->sizeOfSelect);
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM_PCR_SELECTION(BYTE* ptr, TPM_PCR_SELECTION* p, UnpackPtr alloc) {
+ ptr = unpack_UINT16(ptr, &p->sizeOfSelect);
+ ptr = unpack_PTR(ptr, &p->pcrSelect, p->sizeOfSelect, alloc);
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_PCR_SELECTION(BYTE* ptr, UINT32* pos, UINT32 max, TPM_PCR_SELECTION* p, UnpackPtr alloc) {
+ return unpack3_UINT16(ptr, pos, max, &p->sizeOfSelect) ||
+ unpack3_PTR(ptr, pos, max, &p->pcrSelect, p->sizeOfSelect, alloc);
+ }
+
++static
+ inline int sizeof_TPM_PCR_SELECTION(const TPM_PCR_SELECTION* p) {
+ return 2 + p->sizeOfSelect;
+ }
+
++static
+ inline BYTE* pack_TPM_PCR_INFO(BYTE* ptr, const TPM_PCR_INFO* p) {
+ ptr = pack_TPM_PCR_SELECTION(ptr, &p->pcrSelection);
+ ptr = pack_TPM_COMPOSITE_HASH(ptr, &p->digestAtRelease);
+@@ -585,12 +636,14 @@ inline BYTE* pack_TPM_PCR_INFO(BYTE* ptr, const TPM_PCR_INFO* p) {
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_PCR_INFO(BYTE* ptr, UINT32* pos, UINT32 max, TPM_PCR_INFO* p, UnpackPtr alloc) {
+ return unpack3_TPM_PCR_SELECTION(ptr, pos, max, &p->pcrSelection, alloc) ||
+ unpack3_TPM_COMPOSITE_HASH(ptr, pos, max, &p->digestAtRelease) ||
+ unpack3_TPM_COMPOSITE_HASH(ptr, pos, max, &p->digestAtCreation);
+ }
+
++static
+ inline int sizeof_TPM_PCR_INFO(const TPM_PCR_INFO* p) {
+ int rc = 0;
+ rc += sizeof_TPM_PCR_SELECTION(&p->pcrSelection);
+@@ -599,6 +652,7 @@ inline int sizeof_TPM_PCR_INFO(const TPM_PCR_INFO* p) {
+ return rc;
+ }
+
++static
+ inline BYTE* pack_TPM_PCR_INFO_LONG(BYTE* ptr, const TPM_PCR_INFO_LONG* p) {
+ ptr = pack_TPM_STRUCTURE_TAG(ptr, p->tag);
+ ptr = pack_TPM_LOCALITY_SELECTION(ptr, p->localityAtCreation);
+@@ -610,6 +664,7 @@ inline BYTE* pack_TPM_PCR_INFO_LONG(BYTE* ptr, const TPM_PCR_INFO_LONG* p) {
+ return ptr;
+ }
+
++static
+ inline int sizeof_TPM_PCR_INFO_LONG(const TPM_PCR_INFO_LONG* p) {
+ int rc = 0;
+ rc += sizeof_TPM_STRUCTURE_TAG(p->tag);
+@@ -622,6 +677,7 @@ inline int sizeof_TPM_PCR_INFO_LONG(const TPM_PCR_INFO_LONG* p) {
+ return rc;
+ }
+
++static
+ inline int unpack3_TPM_PCR_INFO_LONG(BYTE* ptr, UINT32* pos, UINT32 max, TPM_PCR_INFO_LONG* p, UnpackPtr alloc) {
+ return unpack3_TPM_STRUCTURE_TAG(ptr, pos, max, &p->tag) ||
+ unpack3_TPM_LOCALITY_SELECTION(ptr, pos, max,
+@@ -637,6 +693,7 @@ inline int unpack3_TPM_PCR_INFO_LONG(BYTE* ptr, UINT32* pos, UINT32 max, TPM_PCR
+ unpack3_TPM_COMPOSITE_HASH(ptr, pos, max, &p->digestAtRelease);
+ }
+
++static
+ inline BYTE* pack_TPM_PCR_COMPOSITE(BYTE* ptr, const TPM_PCR_COMPOSITE* p) {
+ ptr = pack_TPM_PCR_SELECTION(ptr, &p->select);
+ ptr = pack_UINT32(ptr, p->valueSize);
+@@ -644,12 +701,14 @@ inline BYTE* pack_TPM_PCR_COMPOSITE(BYTE* ptr, const TPM_PCR_COMPOSITE* p) {
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_PCR_COMPOSITE(BYTE* ptr, UINT32* pos, UINT32 max, TPM_PCR_COMPOSITE* p, UnpackPtr alloc) {
+ return unpack3_TPM_PCR_SELECTION(ptr, pos, max, &p->select, alloc) ||
+ unpack3_UINT32(ptr, pos, max, &p->valueSize) ||
+ unpack3_PTR(ptr, pos, max, (BYTE**)&p->pcrValue, p->valueSize, alloc);
+ }
+
++static
+ inline BYTE* pack_TPM_KEY(BYTE* ptr, const TPM_KEY* k) {
+ ptr = pack_TPM_VERSION(ptr, &k->ver);
+ ptr = pack_TPM_KEY_USAGE(ptr, k->keyUsage);
+@@ -665,6 +724,7 @@ inline BYTE* pack_TPM_KEY(BYTE* ptr, const TPM_KEY* k) {
+ return pack_BUFFER(ptr, k->encData, k->encDataSize);
+ }
+
++static
+ inline int unpack3_TPM_KEY(BYTE* ptr, UINT32* pos, UINT32 max, TPM_KEY* k, UnpackPtr alloc) {
+ int rc = unpack3_TPM_VERSION(ptr, pos, max, &k->ver) ||
+ unpack3_TPM_KEY_USAGE(ptr, pos, max, &k->keyUsage) ||
+@@ -682,6 +742,7 @@ inline int unpack3_TPM_KEY(BYTE* ptr, UINT32* pos, UINT32 max, TPM_KEY* k, Unpac
+ unpack3_PTR(ptr, pos, max, &k->encData, k->encDataSize, alloc);
+ }
+
++static
+ inline int sizeof_TPM_KEY(const TPM_KEY* k) {
+ int rc = 0;
+ rc += sizeof_TPM_VERSION(&k->ver);
+@@ -699,18 +760,21 @@ inline int sizeof_TPM_KEY(const TPM_KEY* k) {
+ return rc;
+ }
+
++static
+ inline BYTE* pack_TPM_BOUND_DATA(BYTE* ptr, const TPM_BOUND_DATA* b, UINT32 payloadSize) {
+ ptr = pack_TPM_VERSION(ptr, &b->ver);
+ ptr = pack_TPM_PAYLOAD_TYPE(ptr, b->payload);
+ return pack_BUFFER(ptr, b->payloadData, payloadSize);
+ }
+
++static
+ inline BYTE* unpack_TPM_BOUND_DATA(BYTE* ptr, TPM_BOUND_DATA* b, UINT32 payloadSize, UnpackPtr alloc) {
+ ptr = unpack_TPM_VERSION(ptr, &b->ver);
+ ptr = unpack_TPM_PAYLOAD_TYPE(ptr, &b->payload);
+ return unpack_PTR(ptr, &b->payloadData, payloadSize, alloc);
+ }
+
++static
+ inline BYTE* pack_TPM_STORED_DATA(BYTE* ptr, const TPM_STORED_DATA* d) {
+ ptr = pack_TPM_VERSION(ptr, &d->ver);
+ ptr = pack_UINT32(ptr, d->sealInfoSize);
+@@ -722,6 +786,7 @@ inline BYTE* pack_TPM_STORED_DATA(BYTE* ptr, const TPM_STORED_DATA* d) {
+ return ptr;
+ }
+
++static
+ inline int sizeof_TPM_STORED_DATA(const TPM_STORED_DATA* d) {
+ int rv = sizeof_TPM_VERSION(&d->ver) + sizeof_UINT32(d->sealInfoSize);
+ if (d->sealInfoSize) {
+@@ -732,6 +797,7 @@ inline int sizeof_TPM_STORED_DATA(const TPM_STORED_DATA* d) {
+ return rv;
+ }
+
++static
+ inline int unpack3_TPM_STORED_DATA(BYTE* ptr, UINT32* pos, UINT32 len, TPM_STORED_DATA* d, UnpackPtr alloc) {
+ int rc = unpack3_TPM_VERSION(ptr, pos, len, &d->ver) ||
+ unpack3_UINT32(ptr, pos, len, &d->sealInfoSize);
+@@ -746,6 +812,7 @@ inline int unpack3_TPM_STORED_DATA(BYTE* ptr, UINT32* pos, UINT32 len, TPM_STORE
+ return rc;
+ }
+
++static
+ inline BYTE* pack_TPM_STORED_DATA12(BYTE* ptr, const TPM_STORED_DATA12* d) {
+ ptr = pack_TPM_STRUCTURE_TAG(ptr, d->tag);
+ ptr = pack_TPM_ENTITY_TYPE(ptr, d->et);
+@@ -758,6 +825,7 @@ inline BYTE* pack_TPM_STORED_DATA12(BYTE* ptr, const TPM_STORED_DATA12* d) {
+ return ptr;
+ }
+
++static
+ inline int sizeof_TPM_STORED_DATA12(const TPM_STORED_DATA12* d) {
+ int rv = sizeof_TPM_STRUCTURE_TAG(&d->ver) +
+ sizeof_TPM_ENTITY_TYPE(&d->et) +
+@@ -770,6 +838,7 @@ inline int sizeof_TPM_STORED_DATA12(const TPM_STORED_DATA12* d) {
+ return rv;
+ }
+
++static
+ inline int unpack3_TPM_STORED_DATA12(BYTE* ptr, UINT32* pos, UINT32 len, TPM_STORED_DATA12* d, UnpackPtr alloc) {
+ int rc = unpack3_TPM_STRUCTURE_TAG(ptr, pos, len, &d->tag) ||
+ unpack3_TPM_ENTITY_TYPE(ptr, pos, len, &d->et) ||
+@@ -786,6 +855,7 @@ inline int unpack3_TPM_STORED_DATA12(BYTE* ptr, UINT32* pos, UINT32 len, TPM_STO
+ return rc;
+ }
+
++static
+ inline BYTE* pack_TPM_AUTH_SESSION(BYTE* ptr, const TPM_AUTH_SESSION* auth) {
+ ptr = pack_TPM_AUTH_HANDLE(ptr, auth->AuthHandle);
+ ptr = pack_TPM_NONCE(ptr, &auth->NonceOdd);
+@@ -794,6 +864,7 @@ inline BYTE* pack_TPM_AUTH_SESSION(BYTE* ptr, const TPM_AUTH_SESSION* auth) {
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM_AUTH_SESSION(BYTE* ptr, TPM_AUTH_SESSION* auth) {
+ ptr = unpack_TPM_NONCE(ptr, &auth->NonceEven);
+ ptr = unpack_BOOL(ptr, &auth->fContinueAuthSession);
+@@ -801,6 +872,7 @@ inline BYTE* unpack_TPM_AUTH_SESSION(BYTE* ptr, TPM_AUTH_SESSION* auth) {
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_AUTH_SESSION(BYTE* ptr, UINT32* pos, UINT32 len, TPM_AUTH_SESSION* auth) {
+ return unpack3_TPM_NONCE(ptr, pos, len, &auth->NonceEven) ||
+ unpack3_BOOL(ptr, pos, len, &auth->fContinueAuthSession) ||
+@@ -808,6 +880,7 @@ inline int unpack3_TPM_AUTH_SESSION(BYTE* ptr, UINT32* pos, UINT32 len, TPM_AUTH
+ }
+
+
++static
+ inline int sizeof_TPM_AUTH_SESSION(const TPM_AUTH_SESSION* auth) {
+ int rv = 0;
+ rv += sizeof_TPM_AUTH_HANDLE(auth->AuthHandle);
+@@ -817,6 +890,7 @@ inline int sizeof_TPM_AUTH_SESSION(const TPM_AUTH_SESSION* auth) {
+ return rv;
+ }
+
++static
+ inline BYTE* pack_TPM_RQU_HEADER(BYTE* ptr,
+ TPM_TAG tag,
+ UINT32 size,
+@@ -826,6 +900,7 @@ inline BYTE* pack_TPM_RQU_HEADER(BYTE* ptr,
+ return pack_UINT32(ptr, ord);
+ }
+
++static
+ inline BYTE* unpack_TPM_RQU_HEADER(BYTE* ptr,
+ TPM_TAG* tag,
+ UINT32* size,
+@@ -836,6 +911,7 @@ inline BYTE* unpack_TPM_RQU_HEADER(BYTE* ptr,
+ return ptr;
+ }
+
++static
+ inline int unpack3_TPM_RQU_HEADER(BYTE* ptr, UINT32* pos, UINT32 max,
+ TPM_TAG* tag, UINT32* size, TPM_COMMAND_CODE* ord) {
+ return
+diff --git a/stubdom/vtpmmgr/tcg.h b/stubdom/vtpmmgr/tcg.h
+index 813ce57a2d..423131dc25 100644
+--- a/stubdom/vtpmmgr/tcg.h
++++ b/stubdom/vtpmmgr/tcg.h
+@@ -461,6 +461,7 @@ typedef struct TPM_CAP_VERSION_INFO {
+ BYTE* vendorSpecific;
+ } TPM_CAP_VERSION_INFO;
+
++static
+ inline void free_TPM_CAP_VERSION_INFO(TPM_CAP_VERSION_INFO* v) {
+ free(v->vendorSpecific);
+ v->vendorSpecific = NULL;
+@@ -494,6 +495,7 @@ typedef struct TPM_SYMMETRIC_KEY {
+ BYTE* data;
+ } TPM_SYMMETRIC_KEY;
+
++static
+ inline void free_TPM_SYMMETRIC_KEY_PARMS(TPM_SYMMETRIC_KEY_PARMS* p) {
+ free(p->IV);
+ p->IV = NULL;
+@@ -510,6 +512,7 @@ typedef struct TPM_RSA_KEY_PARMS {
+
+ #define TPM_RSA_KEY_PARMS_INIT { 0, 0, 0, NULL }
+
++static
+ inline void free_TPM_RSA_KEY_PARMS(TPM_RSA_KEY_PARMS* p) {
+ free(p->exponent);
+ p->exponent = NULL;
+@@ -528,6 +531,7 @@ typedef struct TPM_KEY_PARMS {
+
+ #define TPM_KEY_PARMS_INIT { 0, 0, 0, 0 }
+
++static
+ inline void free_TPM_KEY_PARMS(TPM_KEY_PARMS* p) {
+ if(p->parmSize) {
+ switch(p->algorithmID) {
+@@ -550,6 +554,7 @@ typedef struct TPM_STORE_PUBKEY {
+
+ #define TPM_STORE_PUBKEY_INIT { 0, NULL }
+
++static
+ inline void free_TPM_STORE_PUBKEY(TPM_STORE_PUBKEY* p) {
+ free(p->key);
+ p->key = NULL;
+@@ -562,6 +567,7 @@ typedef struct TPM_PUBKEY {
+
+ #define TPM_PUBKEY_INIT { TPM_KEY_PARMS_INIT, TPM_STORE_PUBKEY_INIT }
+
++static
+ inline void free_TPM_PUBKEY(TPM_PUBKEY* k) {
+ free_TPM_KEY_PARMS(&k->algorithmParms);
+ free_TPM_STORE_PUBKEY(&k->pubKey);
+@@ -574,6 +580,7 @@ typedef struct TPM_PCR_SELECTION {
+
+ #define TPM_PCR_SELECTION_INIT { 0, NULL }
+
++static
+ inline void free_TPM_PCR_SELECTION(TPM_PCR_SELECTION* p) {
+ free(p->pcrSelect);
+ p->pcrSelect = NULL;
+@@ -594,6 +601,7 @@ typedef struct TPM_PCR_INFO_LONG {
+ #define TPM_PCR_INFO_LONG_INIT { 0, 0, 0, TPM_PCR_SELECTION_INIT, \
+ TPM_PCR_SELECTION_INIT }
+
++static
+ inline void free_TPM_PCR_INFO_LONG(TPM_PCR_INFO_LONG* p) {
+ free_TPM_PCR_SELECTION(&p->creationPCRSelection);
+ free_TPM_PCR_SELECTION(&p->releasePCRSelection);
+@@ -607,6 +615,7 @@ typedef struct TPM_PCR_INFO {
+
+ #define TPM_PCR_INFO_INIT { TPM_PCR_SELECTION_INIT }
+
++static
+ inline void free_TPM_PCR_INFO(TPM_PCR_INFO* p) {
+ free_TPM_PCR_SELECTION(&p->pcrSelection);
+ }
+@@ -619,6 +628,7 @@ typedef struct TPM_PCR_COMPOSITE {
+
+ #define TPM_PCR_COMPOSITE_INIT { TPM_PCR_SELECTION_INIT, 0, NULL }
+
++static
+ inline void free_TPM_PCR_COMPOSITE(TPM_PCR_COMPOSITE* p) {
+ free_TPM_PCR_SELECTION(&p->select);
+ free(p->pcrValue);
+@@ -643,6 +653,7 @@ typedef struct TPM_KEY {
+ .pubKey = TPM_STORE_PUBKEY_INIT, \
+ .encDataSize = 0, .encData = NULL }
+
++static
+ inline void free_TPM_KEY(TPM_KEY* k) {
+ if(k->PCRInfoSize) {
+ free_TPM_PCR_INFO(&k->PCRInfo);
+@@ -660,6 +671,7 @@ typedef struct TPM_BOUND_DATA {
+
+ #define TPM_BOUND_DATA_INIT { .payloadData = NULL }
+
++static
+ inline void free_TPM_BOUND_DATA(TPM_BOUND_DATA* d) {
+ free(d->payloadData);
+ d->payloadData = NULL;
+@@ -676,6 +688,7 @@ typedef struct TPM_STORED_DATA {
+ #define TPM_STORED_DATA_INIT { .sealInfoSize = 0, sealInfo = TPM_PCR_INFO_INIT,\
+ .encDataSize = 0, .encData = NULL }
+
++static
+ inline void free_TPM_STORED_DATA(TPM_STORED_DATA* d) {
+ if(d->sealInfoSize) {
+ free_TPM_PCR_INFO(&d->sealInfo);
+@@ -696,6 +709,7 @@ typedef struct TPM_STORED_DATA12 {
+ #define TPM_STORED_DATA12_INIT { .sealInfoLongSize = 0, \
+ sealInfoLong = TPM_PCR_INFO_INIT, .encDataSize = 0, .encData = NULL }
+
++static
+ inline void free_TPM_STORED_DATA12(TPM_STORED_DATA12* d) {
+ if(d->sealInfoLongSize) {
+ free_TPM_PCR_INFO_LONG(&d->sealInfoLong);
+diff --git a/stubdom/vtpmmgr/tpm2_marshal.h b/stubdom/vtpmmgr/tpm2_marshal.h
+index aaa44645a2..ba070ad38e 100644
+--- a/stubdom/vtpmmgr/tpm2_marshal.h
++++ b/stubdom/vtpmmgr/tpm2_marshal.h
+@@ -52,6 +52,7 @@
+ #define pack_TPM_BUFFER(ptr, buf, size) pack_BUFFER(ptr, buf, size)
+ #define unpack_TPM_BUFFER(ptr, buf, size) unpack_BUFFER(ptr, buf, size)
+
++static
+ inline BYTE* pack_BYTE_ARRAY(BYTE* ptr, const BYTE* array, UINT32 size)
+ {
+ int i;
+@@ -60,21 +61,25 @@ inline BYTE* pack_BYTE_ARRAY(BYTE* ptr, const BYTE* array, UINT32 size)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMA_SESSION(BYTE* ptr, const TPMA_SESSION *attr)
+ {
+ return pack_BYTE(ptr, (BYTE)(*attr));
+ }
+
++static
+ inline BYTE* unpack_TPMA_SESSION(BYTE* ptr, TPMA_SESSION *attr)
+ {
+ return unpack_BYTE(ptr, (BYTE *)attr);
+ }
+
++static
+ inline BYTE* pack_TPMI_ALG_HASH(BYTE* ptr, const TPMI_ALG_HASH *hash)
+ {
+ return pack_UINT16(ptr, *hash);
+ }
+
++static
+ inline BYTE* unpack_TPMI_ALG_HASH(BYTE *ptr, TPMI_ALG_HASH *hash)
+ {
+ return unpack_UINT16(ptr, hash);
+@@ -125,6 +130,7 @@ inline BYTE* unpack_TPMI_ALG_HASH(BYTE *ptr, TPMI_ALG_HASH *hash)
+ #define pack_TPMI_RH_LOCKOUT(ptr, l) pack_TPM2_HANDLE(ptr, l)
+ #define unpack_TPMI_RH_LOCKOUT(ptr, l) unpack_TPM2_HANDLE(ptr, l)
+
++static
+ inline BYTE* pack_TPM2B_DIGEST(BYTE* ptr, const TPM2B_DIGEST *digest)
+ {
+ ptr = pack_UINT16(ptr, digest->size);
+@@ -132,6 +138,7 @@ inline BYTE* pack_TPM2B_DIGEST(BYTE* ptr, const TPM2B_DIGEST *digest)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2B_DIGEST(BYTE* ptr, TPM2B_DIGEST *digest)
+ {
+ ptr = unpack_UINT16(ptr, &digest->size);
+@@ -139,6 +146,7 @@ inline BYTE* unpack_TPM2B_DIGEST(BYTE* ptr, TPM2B_DIGEST *digest)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMT_TK_CREATION(BYTE* ptr,const TPMT_TK_CREATION *ticket )
+ {
+ ptr = pack_TPM_ST(ptr , &ticket->tag);
+@@ -147,6 +155,7 @@ inline BYTE* pack_TPMT_TK_CREATION(BYTE* ptr,const TPMT_TK_CREATION *ticket )
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMT_TK_CREATION(BYTE* ptr, TPMT_TK_CREATION *ticket )
+ {
+ ptr = unpack_TPM_ST(ptr, &ticket->tag);
+@@ -155,6 +164,7 @@ inline BYTE* unpack_TPMT_TK_CREATION(BYTE* ptr, TPMT_TK_CREATION *ticket )
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2B_NAME(BYTE* ptr,const TPM2B_NAME *name )
+ {
+ ptr = pack_UINT16(ptr, name->size);
+@@ -162,6 +172,7 @@ inline BYTE* pack_TPM2B_NAME(BYTE* ptr,const TPM2B_NAME *name )
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2B_NAME(BYTE* ptr, TPM2B_NAME *name)
+ {
+ ptr = unpack_UINT16(ptr, &name->size);
+@@ -169,6 +180,7 @@ inline BYTE* unpack_TPM2B_NAME(BYTE* ptr, TPM2B_NAME *name)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2B_NONCE(BYTE* ptr, const TPM2B_NONCE *nonce)
+ {
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)nonce);
+@@ -176,6 +188,7 @@ inline BYTE* pack_TPM2B_NONCE(BYTE* ptr, const TPM2B_NONCE *nonce)
+
+ #define unpack_TPM2B_NONCE(ptr, nonce) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)nonce)
+
++static
+ inline BYTE* pack_TPM2B_AUTH(BYTE* ptr, const TPM2B_AUTH *auth)
+ {
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)auth);
+@@ -183,6 +196,7 @@ inline BYTE* pack_TPM2B_AUTH(BYTE* ptr, const TPM2B_AUTH *auth)
+
+ #define unpack_TPM2B_AUTH(ptr, auth) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)auth)
+
++static
+ inline BYTE* pack_TPM2B_DATA(BYTE* ptr, const TPM2B_DATA *data)
+ {
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)data);
+@@ -190,6 +204,7 @@ inline BYTE* pack_TPM2B_DATA(BYTE* ptr, const TPM2B_DATA *data)
+
+ #define unpack_TPM2B_DATA(ptr, data) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)data)
+
++static
+ inline BYTE* pack_TPM2B_SENSITIVE_DATA(BYTE* ptr, const TPM2B_SENSITIVE_DATA *data)
+ {
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)data);
+@@ -197,6 +212,7 @@ inline BYTE* pack_TPM2B_SENSITIVE_DATA(BYTE* ptr, const TPM2B_SENSITIVE_DATA *da
+
+ #define unpack_TPM2B_SENSITIVE_DATA(ptr, data) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)data)
+
++static
+ inline BYTE* pack_TPM2B_PUBLIC_KEY_RSA(BYTE* ptr, const TPM2B_PUBLIC_KEY_RSA *rsa)
+ {
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)rsa);
+@@ -204,6 +220,7 @@ inline BYTE* pack_TPM2B_PUBLIC_KEY_RSA(BYTE* ptr, const TPM2B_PUBLIC_KEY_RSA *rs
+
+ #define unpack_TPM2B_PUBLIC_KEY_RSA(ptr, rsa) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)rsa)
+
++static
+ inline BYTE* pack_TPM2B_PRIVATE(BYTE* ptr, const TPM2B_PRIVATE *Private)
+ {
+ ptr = pack_UINT16(ptr, Private->size);
+@@ -211,6 +228,7 @@ inline BYTE* pack_TPM2B_PRIVATE(BYTE* ptr, const TPM2B_PRIVATE *Private)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2B_PRIVATE(BYTE* ptr, TPM2B_PRIVATE *Private)
+ {
+ ptr = unpack_UINT16(ptr, &Private->size);
+@@ -218,6 +236,7 @@ inline BYTE* unpack_TPM2B_PRIVATE(BYTE* ptr, TPM2B_PRIVATE *Private)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, const TPMS_PCR_SELECTION *sel, UINT32 count)
+ {
+ int i;
+@@ -229,6 +248,7 @@ inline BYTE* pack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, const TPMS_PCR_SELECTION *
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, TPMS_PCR_SELECTION *sel, UINT32 count)
+ {
+ int i;
+@@ -240,6 +260,7 @@ inline BYTE* unpack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, TPMS_PCR_SELECTION *sel,
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPML_PCR_SELECTION(BYTE* ptr, const TPML_PCR_SELECTION *sel)
+ {
+ ptr = pack_UINT32(ptr, sel->count);
+@@ -247,6 +268,7 @@ inline BYTE* pack_TPML_PCR_SELECTION(BYTE* ptr, const TPML_PCR_SELECTION *sel)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPML_PCR_SELECTION(BYTE* ptr, TPML_PCR_SELECTION *sel)
+ {
+ ptr = unpack_UINT32(ptr, &sel->count);
+@@ -254,6 +276,7 @@ inline BYTE* unpack_TPML_PCR_SELECTION(BYTE* ptr, TPML_PCR_SELECTION *sel)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPML_DIGEST(BYTE* ptr,TPML_DIGEST *digest)
+ {
+ int i;
+@@ -265,6 +288,7 @@ inline BYTE* unpack_TPML_DIGEST(BYTE* ptr,TPML_DIGEST *digest)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_CREATION_DATA(BYTE* ptr,const TPMS_CREATION_DATA *data)
+ {
+ ptr = pack_TPML_PCR_SELECTION(ptr, &data->pcrSelect);
+@@ -276,6 +300,7 @@ inline BYTE* pack_TPMS_CREATION_DATA(BYTE* ptr,const TPMS_CREATION_DATA *data)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMS_CREATION_DATA(BYTE* ptr, TPMS_CREATION_DATA *data)
+ {
+ ptr = unpack_TPML_PCR_SELECTION(ptr, &data->pcrSelect);
+@@ -288,6 +313,7 @@ inline BYTE* unpack_TPMS_CREATION_DATA(BYTE* ptr, TPMS_CREATION_DATA *data)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2B_CREATION_DATA(BYTE* ptr, const TPM2B_CREATION_DATA *data )
+ {
+ ptr = pack_UINT16(ptr, data->size);
+@@ -295,6 +321,7 @@ inline BYTE* pack_TPM2B_CREATION_DATA(BYTE* ptr, const TPM2B_CREATION_DATA *data
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2B_CREATION_DATA(BYTE* ptr, TPM2B_CREATION_DATA * data)
+ {
+ ptr = unpack_UINT16(ptr, &data->size);
+@@ -302,6 +329,7 @@ inline BYTE* unpack_TPM2B_CREATION_DATA(BYTE* ptr, TPM2B_CREATION_DATA * data)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_SENSITIVE_CREATE(BYTE* ptr, const TPMS_SENSITIVE_CREATE *create)
+ {
+ ptr = pack_TPM2B_AUTH(ptr, &create->userAuth);
+@@ -309,6 +337,7 @@ inline BYTE* pack_TPMS_SENSITIVE_CREATE(BYTE* ptr, const TPMS_SENSITIVE_CREATE *
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2B_SENSITIVE_CREATE(BYTE* ptr, const TPM2B_SENSITIVE_CREATE *create)
+ {
+ BYTE* sizePtr = ptr;
+@@ -318,6 +347,7 @@ inline BYTE* pack_TPM2B_SENSITIVE_CREATE(BYTE* ptr, const TPM2B_SENSITIVE_CREATE
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMU_SYM_MODE(BYTE* ptr, const TPMU_SYM_MODE *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+ {
+@@ -336,6 +366,7 @@ inline BYTE* pack_TPMU_SYM_MODE(BYTE* ptr, const TPMU_SYM_MODE *p,
+ }
+ return ptr;
+ }
++static
+ inline BYTE* unpack_TPMU_SYM_MODE(BYTE* ptr, TPMU_SYM_MODE *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+ {
+@@ -355,6 +386,7 @@ inline BYTE* unpack_TPMU_SYM_MODE(BYTE* ptr, TPMU_SYM_MODE *p,
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMU_SYM_KEY_BITS(BYTE* ptr, const TPMU_SYM_KEY_BITS *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+ {
+@@ -376,6 +408,7 @@ inline BYTE* pack_TPMU_SYM_KEY_BITS(BYTE* ptr, const TPMU_SYM_KEY_BITS *p,
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMU_SYM_KEY_BITS(BYTE* ptr, TPMU_SYM_KEY_BITS *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+ {
+@@ -397,6 +430,7 @@ inline BYTE* unpack_TPMU_SYM_KEY_BITS(BYTE* ptr, TPMU_SYM_KEY_BITS *p,
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMT_SYM_DEF_OBJECT(BYTE* ptr, const TPMT_SYM_DEF_OBJECT *p)
+ {
+ ptr = pack_TPMI_ALG_SYM_OBJECT(ptr, &p->algorithm);
+@@ -405,6 +439,7 @@ inline BYTE* pack_TPMT_SYM_DEF_OBJECT(BYTE* ptr, const TPMT_SYM_DEF_OBJECT *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMT_SYM_DEF_OBJECT(BYTE *ptr, TPMT_SYM_DEF_OBJECT *p)
+ {
+ ptr = unpack_TPMI_ALG_SYM_OBJECT(ptr, &p->algorithm);
+@@ -416,6 +451,7 @@ inline BYTE* unpack_TPMT_SYM_DEF_OBJECT(BYTE *ptr, TPMT_SYM_DEF_OBJECT *p)
+ #define pack_TPMS_SCHEME_OAEP(p, t) pack_TPMI_ALG_HASH(p, &((t)->hashAlg))
+ #define unpack_TPMS_SCHEME_OAEP(p, t) unpack_TPMI_ALG_HASH(p, &((t)->hashAlg))
+
++static
+ inline BYTE* pack_TPMU_ASYM_SCHEME(BYTE *ptr, const TPMU_ASYM_SCHEME *p,
+ const TPMI_ALG_RSA_SCHEME *s)
+ {
+@@ -438,6 +474,7 @@ inline BYTE* pack_TPMU_ASYM_SCHEME(BYTE *ptr, const TPMU_ASYM_SCHEME *p,
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMU_ASYM_SCHEME(BYTE *ptr, TPMU_ASYM_SCHEME *p,
+ const TPMI_ALG_RSA_SCHEME *s)
+ {
+@@ -462,6 +499,7 @@ inline BYTE* unpack_TPMU_ASYM_SCHEME(BYTE *ptr, TPMU_ASYM_SCHEME *p,
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMT_RSA_SCHEME(BYTE* ptr, const TPMT_RSA_SCHEME *p)
+ {
+ ptr = pack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+@@ -469,6 +507,7 @@ inline BYTE* pack_TPMT_RSA_SCHEME(BYTE* ptr, const TPMT_RSA_SCHEME *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMT_RSA_SCHEME(BYTE* ptr, TPMT_RSA_SCHEME *p)
+ {
+ ptr = unpack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+@@ -476,6 +515,7 @@ inline BYTE* unpack_TPMT_RSA_SCHEME(BYTE* ptr, TPMT_RSA_SCHEME *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMT_RSA_DECRYPT(BYTE* ptr, const TPMT_RSA_DECRYPT *p)
+ {
+ ptr = pack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+@@ -483,6 +523,7 @@ inline BYTE* pack_TPMT_RSA_DECRYPT(BYTE* ptr, const TPMT_RSA_DECRYPT *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_RSA_PARMS(BYTE* ptr, const TPMS_RSA_PARMS *p)
+ {
+ ptr = pack_TPMT_SYM_DEF_OBJECT(ptr, &p->symmetric);
+@@ -492,6 +533,7 @@ inline BYTE* pack_TPMS_RSA_PARMS(BYTE* ptr, const TPMS_RSA_PARMS *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMS_RSA_PARMS(BYTE *ptr, TPMS_RSA_PARMS *p)
+ {
+ ptr = unpack_TPMT_SYM_DEF_OBJECT(ptr, &p->symmetric);
+@@ -501,6 +543,7 @@ inline BYTE* unpack_TPMS_RSA_PARMS(BYTE *ptr, TPMS_RSA_PARMS *p)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMU_PUBLIC_PARMS(BYTE* ptr, const TPMU_PUBLIC_PARMS *param,
+ const TPMI_ALG_PUBLIC *selector)
+ {
+@@ -518,6 +561,7 @@ inline BYTE* pack_TPMU_PUBLIC_PARMS(BYTE* ptr, const TPMU_PUBLIC_PARMS *param,
+ return NULL;
+ }
+
++static
+ inline BYTE* unpack_TPMU_PUBLIC_PARMS(BYTE* ptr, TPMU_PUBLIC_PARMS *param,
+ const TPMI_ALG_PUBLIC *selector)
+ {
+@@ -535,18 +579,21 @@ inline BYTE* unpack_TPMU_PUBLIC_PARMS(BYTE* ptr, TPMU_PUBLIC_PARMS *param,
+ return NULL;
+ }
+
++static
+ inline BYTE* pack_TPMS_ECC_POINT(BYTE* ptr, const TPMS_ECC_POINT *point)
+ {
+ assert(false);
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMS_ECC_POINT(BYTE* ptr, TPMS_ECC_POINT *point)
+ {
+ assert(false);
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMU_PUBLIC_ID(BYTE* ptr, const TPMU_PUBLIC_ID *id,
+ const TPMI_ALG_PUBLIC *selector)
+ {
+@@ -564,6 +611,7 @@ inline BYTE* pack_TPMU_PUBLIC_ID(BYTE* ptr, const TPMU_PUBLIC_ID *id,
+ return NULL;
+ }
+
++static
+ inline BYTE* unpack_TPMU_PUBLIC_ID(BYTE* ptr, TPMU_PUBLIC_ID *id, TPMI_ALG_PUBLIC *selector)
+ {
+ switch (*selector) {
+@@ -580,6 +628,7 @@ inline BYTE* unpack_TPMU_PUBLIC_ID(BYTE* ptr, TPMU_PUBLIC_ID *id, TPMI_ALG_PUBLI
+ return NULL;
+ }
+
++static
+ inline BYTE* pack_TPMT_PUBLIC(BYTE* ptr, const TPMT_PUBLIC *public)
+ {
+ ptr = pack_TPMI_ALG_PUBLIC(ptr, &public->type);
+@@ -591,6 +640,7 @@ inline BYTE* pack_TPMT_PUBLIC(BYTE* ptr, const TPMT_PUBLIC *public)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPMT_PUBLIC(BYTE* ptr, TPMT_PUBLIC *public)
+ {
+ ptr = unpack_TPMI_ALG_PUBLIC(ptr, &public->type);
+@@ -602,6 +652,7 @@ inline BYTE* unpack_TPMT_PUBLIC(BYTE* ptr, TPMT_PUBLIC *public)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2B_PUBLIC(BYTE* ptr, const TPM2B_PUBLIC *public)
+ {
+ BYTE *sizePtr = ptr;
+@@ -611,6 +662,7 @@ inline BYTE* pack_TPM2B_PUBLIC(BYTE* ptr, const TPM2B_PUBLIC *public)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2B_PUBLIC(BYTE* ptr, TPM2B_PUBLIC *public)
+ {
+ ptr = unpack_UINT16(ptr, &public->size);
+@@ -618,6 +670,7 @@ inline BYTE* unpack_TPM2B_PUBLIC(BYTE* ptr, TPM2B_PUBLIC *public)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_PCR_SELECTION(BYTE* ptr, const TPMS_PCR_SELECTION *selection)
+ {
+ ptr = pack_TPMI_ALG_HASH(ptr, &selection->hash);
+@@ -626,6 +679,7 @@ inline BYTE* pack_TPMS_PCR_SELECTION(BYTE* ptr, const TPMS_PCR_SELECTION *select
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPMS_PCR_SELECTION_Array(BYTE* ptr, const TPMS_PCR_SELECTION *selections,
+ const UINT32 cnt)
+ {
+@@ -635,6 +689,7 @@ inline BYTE* pack_TPMS_PCR_SELECTION_Array(BYTE* ptr, const TPMS_PCR_SELECTION *
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM_AuthArea(BYTE* ptr, const TPM_AuthArea *auth)
+ {
+ BYTE* sizePtr = ptr;
+@@ -647,6 +702,7 @@ inline BYTE* pack_TPM_AuthArea(BYTE* ptr, const TPM_AuthArea *auth)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM_AuthArea(BYTE* ptr, TPM_AuthArea *auth)
+ {
+ ptr = unpack_UINT32(ptr, &auth->size);
+@@ -657,6 +713,7 @@ inline BYTE* unpack_TPM_AuthArea(BYTE* ptr, TPM_AuthArea *auth)
+ return ptr;
+ }
+
++static
+ inline BYTE* pack_TPM2_RSA_KEY(BYTE* ptr, const TPM2_RSA_KEY *key)
+ {
+ ptr = pack_TPM2B_PRIVATE(ptr, &key->Private);
+@@ -664,6 +721,7 @@ inline BYTE* pack_TPM2_RSA_KEY(BYTE* ptr, const TPM2_RSA_KEY *key)
+ return ptr;
+ }
+
++static
+ inline BYTE* unpack_TPM2_RSA_KEY(BYTE* ptr, TPM2_RSA_KEY *key)
+ {
+ ptr = unpack_TPM2B_PRIVATE(ptr, &key->Private);
+diff --git a/stubdom/vtpmmgr/tpmrsa.h b/stubdom/vtpmmgr/tpmrsa.h
+index 08213bbb7a..65fd32a45c 100644
+--- a/stubdom/vtpmmgr/tpmrsa.h
++++ b/stubdom/vtpmmgr/tpmrsa.h
+@@ -62,6 +62,7 @@ TPM_RESULT tpmrsa_pub_encrypt_oaep( tpmrsa_context *ctx,
+ unsigned char *output );
+
+ /* free tpmrsa key */
++static
+ inline void tpmrsa_free( tpmrsa_context *ctx ) {
+ mpi_free( &ctx->RN ); mpi_free( &ctx->E ); mpi_free( &ctx->N );
+ }
+
+_______________________________________________
+Xen-devel mailing list
+Xen-devel@lists.xen.org
+https://lists.xen.org/xen-devel
diff --git a/pcr-testing/xen/patch-ipxe-patches-series.patch b/pcr-testing/xen/patch-ipxe-patches-series.patch
new file mode 100644
index 000000000..30e916417
--- /dev/null
+++ b/pcr-testing/xen/patch-ipxe-patches-series.patch
@@ -0,0 +1,18 @@
+Subject: [PATCH] Fix gcc7 warn
+
+---
+ tools/firmware/etherboot/patches/series | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/firmware/etherboot/patches/series b/tools/firmware/etherboot/patches/series
+index 86cb300..780c6c6 100644
+--- a/tools/firmware/etherboot/patches/series
++++ b/tools/firmware/etherboot/patches/series
+@@ -1 +1,4 @@
+ boot_prompt_option.patch
++patch-inbuild-ipxe-gcc7-implicit-fallthrough.patch
++patch-inbuild-ipxe-gcc7-implicit-fallthrough-ath5k.patch
++patch-inbuild-ipxe-gcc7-implicit-fallthrough-curses.patch
+--
+2.13.0
+
diff --git a/pcr-testing/xen/patch-ovmf-apply-inbuild-patches.patch b/pcr-testing/xen/patch-ovmf-apply-inbuild-patches.patch
new file mode 100644
index 000000000..2c2f3ed75
--- /dev/null
+++ b/pcr-testing/xen/patch-ovmf-apply-inbuild-patches.patch
@@ -0,0 +1,26 @@
+From 088d0d605131eeb43dc1c4ab21631ea7e51f8501 Mon Sep 17 00:00:00 2001
+From: John Thomson <git@johnthomson.fastmail.com.au>
+Date: Sat, 24 Jun 2017 09:38:13 +1000
+Subject: [PATCH] Fix OVMF apply patches series
+
+---
+ tools/firmware/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
+index a5a6802..875e7e5 100644
+--- a/tools/firmware/Makefile
++++ b/tools/firmware/Makefile
+@@ -20,6 +20,9 @@ ovmf-dir:
+ sed 's|python |python2 |g' -i "ovmf-dir/BaseTools/BinWrappers/PosixLike"/* || true
+ sed 's|python |python2 |g' -i "ovmf-dir/BaseTools/Tests/GNUmakefile"
+ cp ovmf-makefile ovmf-dir/Makefile;
++ for i in $$(cat ovmf-patches/series); do \
++ patch -d ovmf-dir -Np1 < ovmf-patches/$$i || exit 1; \
++ done
+
+ seabios-dir:
+ GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(SEABIOS_UPSTREAM_URL) $(SEABIOS_UPSTREAM_REVISION) seabios-dir
+--
+2.13.1
+
diff --git a/pcr-testing/xen/patch-ovmf-patches-series.patch b/pcr-testing/xen/patch-ovmf-patches-series.patch
new file mode 100644
index 000000000..0f230e504
--- /dev/null
+++ b/pcr-testing/xen/patch-ovmf-patches-series.patch
@@ -0,0 +1,20 @@
+From 30f9f61c42b9530332a856a5bc09db52c446289d Mon Sep 17 00:00:00 2001
+From: John Thomson <git@johnthomson.fastmail.com.au>
+Date: Sat, 24 Jun 2017 09:48:02 +1000
+Subject: [PATCH] Add ovmf patches series file
+
+---
+ tools/firmware/ovmf-patches/series | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/firmware/ovmf-patches/series
+
+diff --git a/tools/firmware/ovmf-patches/series b/tools/firmware/ovmf-patches/series
+new file mode 100644
+index 0000000..ac6bda5
+--- /dev/null
++++ b/tools/firmware/ovmf-patches/series
+@@ -0,0 +1 @@
++patch-inbuild-ovmf-5-hiilib.c-pointer-zero.patch
+--
+2.13.1
+
diff --git a/pcr-testing/xen/patch-ovmf-use-python2.patch b/pcr-testing/xen/patch-ovmf-use-python2.patch
new file mode 100644
index 000000000..b52b9230c
--- /dev/null
+++ b/pcr-testing/xen/patch-ovmf-use-python2.patch
@@ -0,0 +1,22 @@
+Subject: [PATCH] Fix ovmf, use python2
+
+---
+ tools/firmware/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
+index b840c6a..a5a6802 100644
+--- a/tools/firmware/Makefile
++++ b/tools/firmware/Makefile
+@@ -17,6 +17,8 @@ LD32BIT-$(CONFIG_FreeBSD) := LD32BIT_FLAG=-melf_i386_fbsd
+
+ ovmf-dir:
+ GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(OVMF_UPSTREAM_URL) $(OVMF_UPSTREAM_REVISION) ovmf-dir
++ sed 's|python |python2 |g' -i "ovmf-dir/BaseTools/BinWrappers/PosixLike"/* || true
++ sed 's|python |python2 |g' -i "ovmf-dir/BaseTools/Tests/GNUmakefile"
+ cp ovmf-makefile ovmf-dir/Makefile;
+
+ seabios-dir:
+--
+2.13.0
+
diff --git a/pcr-testing/xen/tmpfiles.d-xen.conf b/pcr-testing/xen/tmpfiles.d-xen.conf
new file mode 100644
index 000000000..a55258b0f
--- /dev/null
+++ b/pcr-testing/xen/tmpfiles.d-xen.conf
@@ -0,0 +1,2 @@
+d /run/xen 0755 root root -
+d /run/xenstored 0755 root root -
diff --git a/pcr-testing/xen/xen.conf b/pcr-testing/xen/xen.conf
new file mode 100644
index 000000000..37a5b59f7
--- /dev/null
+++ b/pcr-testing/xen/xen.conf
@@ -0,0 +1,19 @@
+xen-evtchn
+xen-gntdev
+xen-gntalloc
+xen-blkback
+xen-netback
+xen-pciback
+xen-acpi-processor
+## xen-acpi-processor: This module may not work on all machines; try removing this first if it causes issues.
+
+## The following were included in xencommons, but were not inserted by systemd:
+# evtchn
+# gntdev
+# netbk
+# blkbk
+# xen-scsibk
+# usbbk
+# pciback
+# blktap2
+# blktap
diff --git a/pcr-testing/xen/xen.install b/pcr-testing/xen/xen.install
new file mode 100644
index 000000000..f629e6643
--- /dev/null
+++ b/pcr-testing/xen/xen.install
@@ -0,0 +1,140 @@
+xen_boot() {
+ cat << __EOF__
+You are not running xen unless you boot xen.
+Possible Xen boot paths:
+EFI boot -> grubx64.efi -> multiboot2 -> [xen.gz, vmlinuz, ramdisk]
+BIOS boot -> grub -> multiboot(2) -> [xen.gz, vmlinuz, ramdisk]
+
+EFI boot -> xen.efi
+
+##########
+grub multiboot2 preparation:
+Install grub: https://wiki.parabola.nu/index.php/GRUB
+
+At this time, some modifications are needed to 20_linux_xen.
+These are included in this package as 21_linux_xen
+
+Set the values needed for your configuration in /etc/default/grub
+Detailed here: https://www.gnu.org/software/grub/manual/html_node/Simple-configuration.html
+Needed:
+GRUB_CMDLINE_XEN
+GRUB_CMDLINE_LINUX_XEN_REPLACE
+These values are not required but can be used; they are appended to the previous values, then this is used for the non-recovery (default) entry:
+GRUB_CMDLINE_XEN_DEFAULT
+GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT
+
+run grub-mkconfig
+
+To boot xen as default:
+suggested: inspect and use this config to boot with. Check if the xen entry works as expected
+find the id of the xen entry and set this as DEFAULT in /etc/default/grub.
+This may look something like:
+GRUB_DEFAULT="xen-gnulinux-simple-a-unique-id-from-your-grub-goes-here"
+
+run grub-mkconfig
+
+##########
+
+Direct EFI boot preperation:
+Create a xen.cfg file in the same directory as xen.efi.
+These need to be in ESP, or in a directory accessible from you EFI bootloader.
+Put settings relevant to your system into xen.cfg
+Detailed here: https://xenbits.xen.org/docs/4.9-testing/misc/efi.html
+Needed:
+kernel
+ramdisk
+Add the xen.efi file to your EFI bootloader (such as Refind).
+And / or add the xen.efi file to you EFI boot options (efibootmgr).
+__EOF__
+}
+
+install_msg() {
+ cat << __EOF__
+===> IMPORTANT NOTICES:
+
+In order to complete the installation, and enable Xen,
+at the very least you must:
+1. Configure your bootloader to boot Xen:
+__EOF__
+ xen_boot
+ cat << __EOF__
+2. Issue the following commands to allow you to create and start VMs:
+
+ systemctl enable xen-qemu-dom0-disk-backend.service
+ systemctl enable xen-init-dom0.service
+ systemctl enable xenconsoled.service
+
+ Other optional services are:
+ systemctl enable xen-watchdog.service
+
+3. If you want some domains to automatically start up/shutdown, run the following:
+ systemctl enable xendomains.service
+
+For more information refer to the Wiki:
+ https://wiki.parabola.nu/index.php/Xen
+
+__EOF__
+}
+
+upgrade_msg() {
+ cat << __EOF__
+Xen 4.9
+Release notes
+http://wiki.xen.org/wiki/Xen_Project_4.9_Release_Notes
+Feature list
+http://wiki.xen.org/wiki/Xen_Project_4.9_Feature_List
+__EOF__
+}
+
+upgrade_msg_grub_multiboot2() {
+ cat << __EOF__
+##########
+Xen 4.9 can now use grub>=2.02 multiboot2.
+If you previously booted using xen.efi, you have an alternative.
+If you previously relied on the packaged 09_xen for grub-mkconfig:
+It is now removed.
+You will need to do the following under grub multiboot2 preparation:
+##########
+__EOF__
+ xen_boot
+}
+
+post_install() {
+ install_msg
+ upgrade_msg
+ systemd-tmpfiles --create
+}
+
+post_upgrade() {
+ if [[ "$2" < 4.9.0 || "$2" == *'4.9.0rc'* ]]; then
+ upgrade_msg
+ fi
+ if [[ "$2" < 4.9.0 || "$2" == *'4.9.0rc'* ]]; then
+ upgrade_msg_grub_multiboot2
+ fi
+ systemd-tmpfiles --create
+}
+
+pre_remove() {
+ systemctl stop xendomains.service
+ systemctl stop xen-watchdog.service
+ systemctl stop xenconsoled.service
+ systemctl stop xen-init-dom0.service
+ systemctl stop xen-qemu-dom0-disk-backend.service
+
+ systemctl disable xendomains.service
+ systemctl disable xen-watchdog.service
+ systemctl disable xenconsoled.service
+ systemctl disable xen-init-dom0.service
+ systemctl disable xen-qemu-dom0-disk-backend.service
+}
+
+post_remove() {
+ cat << __EOF__
+===> IMPORTANT NOTICE:
+
+In order to finish removing Xen, you will need to modify
+your bootloader configuration files to load your Linux-libre
+kernel instead of Xen kernel.
+__EOF__
+}