8 files changed, 473 insertions, 0 deletions

diff --git a/sys-firmware/edk2/Manifest b/sys-firmware/edk2/Manifest
index 8bf04542d27b..387cceab5930 100644
--- a/sys-firmware/edk2/Manifest
+++ b/sys-firmware/edk2/Manifest
@@ -1,9 +1,13 @@
 DIST brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz 512229 BLAKE2B cd86cc2cc7eefad24f87cda8006409bf764922b5f23ccfb951e7a41214b12004ce532b11f94f5fb858b3bf71f9abf8ef17ba219fa96bd5be23b51873afad0fd5 SHA512 7f48e794e738b31c2005e7cef6d8c0cc0d543f1cd8c137ae8ba14602cac2873de6299a3f32ad52be869f513e7548341353ed049609daef1063975694d9a9b80b
+DIST edk2-202408.tar.gz 17548980 BLAKE2B 12723a593d2767577f74cfa69f4a02ec784347994af6eb77aea7eb9e9e9f7fedb6b47698af2f07ef98848bbb4bf16248179cf117cf9abdf17be73157a0a03fc2 SHA512 d679d905f8b0ddbf60b1c9a0282e403bf51d0fbe55d85a8ea3e4af1778874e947d224e3671f9e82cddd5cd906c1472ff3973498d969414bdd67d0b49f5b8a251
 DIST edk2-ovmf-202202-qemu-firmware.tar.xz 664 BLAKE2B 1aa4e25804ce0f3c967c80999315de24eaef6682e42dddd81c274ce4603ec3d15186de752de49e2527c6bd5517080c002a357ed6bc389b5afd6f7a4d93edeb44 SHA512 f9a29212274a99796784673d873e0eee7d3e2a5cf9e63192453841ee3a4ef4b813c7b2357fc7000f39c71ed6c66636daab772abb51d3972a2a56ade8a4c68faf
 DIST edk2-ovmf-202202.tar.gz 14208170 BLAKE2B d8411e6808b335ccd551349a10c983b9448a357e73273fa6c30a07785e27feffed0224950ee98b668712c33f6739a9b006e5043b7dfd014f48dba9fd449b3354 SHA512 200690a4867331de06e0478869b85577bc510213ebe679f2103160efb84d94c82ac8481ef1f15c3e42c1e9f22b7c5ef0d6c8f2c655bce7702ce843551cf9bb83
 DIST edk2-ovmf-202405.tar.gz 17091190 BLAKE2B ee2f4c8674ecd7a17e4ee1b067cf1caffb46c3345f39ab15b715964b8e114d01538ae4d4152ab6a3eeebdae602128604d57c02fc0da83f46c291559fe39f49d2 SHA512 3bad4c8417b0c9b68fc6b6b85a4b15c5be8daf672177ce66d7b224b1da7a90f643021adbdd6bc96f95417fc8654c4c6b191cd39f6c1be955946360bfa8e2cb5f
 DIST libspdm-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 1962880 BLAKE2B 89606315fadcf00b2909f264a6edcb2b900dfe248357ea45c37c5a9c947a4d684866627d85132cc51d44d90853d63814eaf9d2b4acdd1a9621b1d6600ca4a0a4 SHA512 07b2b376a84e86647d7a831ee6686d1cf647033ac339afb7c4ea7846cf4e9f7f529a2866bc68ea172d44f1f1efadc8bf1646c3d7fe7e6b6175286ef9c743b206
+DIST libspdm-50924a4c8145fc721e17208f55814d2b38766fe6.tar.gz 1967479 BLAKE2B fe15ac34fa65a86b13ed3a44959d860dc1bf39fd9a4bd2dcde2d2ec6ad9490f5d7d53320c481f9cf931a636527719c29eb315d178f2bd48cb905216849b633b4 SHA512 f11e748e40b66c37365175ff0ef9c0a695db2e7da50da2cf8a33267064b53e5938cfb1363d27e5ce0a174b2059533352bb8a44c48003db900c6b844167473198
 DIST mbedtls-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 4587796 BLAKE2B c28df5c52ac3ed5ef6a2b9eba29f3894d3f5f11083869e8b137cd66d4f72b2a0971c91636ce4626869bd06eeb5e661d90160021f92564b9449fb13001b8e379f SHA512 a421c03c740867210f9e30457bc951928cafec3622e1e304f8c18ce5c5e27c5c8e6c7715180ecb74c6a997e4b91ee160e52b357e1bb65ff76ce8414a87ec4889
+DIST mbedtls-8c89224991adff88d53cd380f42a2baa36f91454.tar.gz 4587796 BLAKE2B c28df5c52ac3ed5ef6a2b9eba29f3894d3f5f11083869e8b137cd66d4f72b2a0971c91636ce4626869bd06eeb5e661d90160021f92564b9449fb13001b8e379f SHA512 a421c03c740867210f9e30457bc951928cafec3622e1e304f8c18ce5c5e27c5c8e6c7715180ecb74c6a997e4b91ee160e52b357e1bb65ff76ce8414a87ec4889
 DIST mipi-sys-t-370b5944c046bab043dd8b133727b2135af7747a.tar.gz 378522 BLAKE2B d3f1033e78ad814ebb991e66d8c1437aa3583e91481af9785b97b6021c7c45fb9dcb8d2d58d0a0fe84fbd9f108d24a27234df298eb8a2ba2340e5c9c85c89c40 SHA512 de6888577ceab7ab6915d792f3c48248cfa53357ccd310fc7f7eae4d25a932de8c7c23e5b898c9ebf61cf86cb538277273f2eb131a628b3bf0d46c9a3b9b6686
 DIST openssl-d82e959e621a3d597f1e0d50ff8c2d8b96915fd7.tar.gz 10034310 BLAKE2B 6996979dc12a523d565830e7b0943feb682a376f71ddb6f20cb8b9976bb7f12e39f088abaa45d514933ef79c0e4a2933dc6f1af4774fedaa16e74c0081c358e7 SHA512 a89bc652dc4318c5e8a9c594a43d890ca05dfc1acd6b15e2a8ab8b5628b5f33994143ff8024230e07b9e67556b28ea3a5e36763aa72dec20b52022ca8c6f2a7e
 DIST openssl-de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz 15337569 BLAKE2B bb0b2f4ee7838178e8e23317b6c63048611d805e20c81d6c875d9b515e6dbcf981cda38f031965c9ec45bcab3ac4725cfa793718b0212e92bf53b4c7fc3f4e32 SHA512 4bba15075dacc8c1772a95759cfe8620ff3a9d535e5d3d29bb15e4790cc543555ab45f0b239195361e534eca26249ae1b491b63cbf6b7ecda6f0840c7f6253ac
+DIST x64_DBXUpdate_05092023.bin 21170 BLAKE2B 9b74945ef441e65c50116122bc24578c22c8f5f7af94e46322a96bd15035b79c0af4c1fd5366017b347b9aaf3f5791b9d6ea84ef141500700ccf69f708f91389 SHA512 71fb6e8cd6918126b3acd78b95651913336df372e13fdfdfdd20d5d23f0e509050c6c88c8a2c43f8ac44f987df86bd45174bb3065d5a7a8c7e3b8772fd06d624
diff --git a/sys-firmware/edk2/edk2-202408.ebuild b/sys-firmware/edk2/edk2-202408.ebuild
new file mode 100644
index 000000000000..383d695f5ac4
--- /dev/null
+++ b/sys-firmware/edk2/edk2-202408.ebuild
@@ -0,0 +1,255 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_REQ_USE="sqlite"
+PYTHON_COMPAT=( python3_{12..13} )
+
+inherit edo prefix python-any-r1 readme.gentoo-r1 secureboot toolchain-funcs
+
+DESCRIPTION="TianoCore EDK II UEFI firmware for virtual machines"
+HOMEPAGE="https://github.com/tianocore/edk2"
+
+DBXDATE="05092023" # MMDDYYYY
+BUNDLED_BROTLI_SUBMODULE_SHA="f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
+BUNDLED_LIBSPDM_SUBMODULE_SHA="50924a4c8145fc721e17208f55814d2b38766fe6"
+BUNDLED_MBEDTLS_SUBMODULE_SHA="8c89224991adff88d53cd380f42a2baa36f91454"
+BUNDLED_MIPI_SYS_T_SUBMODULE_SHA="370b5944c046bab043dd8b133727b2135af7747a"
+BUNDLED_OPENSSL_SUBMODULE_SHA="de90e54bbe82e5be4fb9608b6f5c308bb837d355"
+
+SRC_URI="
+	https://github.com/tianocore/${PN}/archive/${PN}-stable${PV}.tar.gz
+		-> ${P}.tar.gz
+	https://github.com/google/brotli/archive/${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz
+		-> brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}.tar.gz
+	https://github.com/DMTF/libspdm/archive/${BUNDLED_LIBSPDM_SUBMODULE_SHA}.tar.gz
+		-> libspdm-${BUNDLED_LIBSPDM_SUBMODULE_SHA}.tar.gz
+	https://github.com/Mbed-TLS/mbedtls/archive/${BUNDLED_MBEDTLS_SUBMODULE_SHA}.tar.gz
+		-> mbedtls-${BUNDLED_MBEDTLS_SUBMODULE_SHA}.tar.gz
+	https://github.com/MIPI-Alliance/public-mipi-sys-t/archive/${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz
+		-> mipi-sys-t-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}.tar.gz
+	https://github.com/openssl/openssl/archive/${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz
+		-> openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}.tar.gz
+
+	amd64? (
+		https://uefi.org/sites/default/files/resources/x64_DBXUpdate_${DBXDATE}.bin
+		https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin -> x64_DBXUpdate_${DBXDATE}.bin
+	)
+"
+
+S="${WORKDIR}/${PN}-${PN}-stable${PV}"
+LICENSE="BSD-2 MIT"
+SLOT="0"
+KEYWORDS="-* ~amd64"
+
+BDEPEND="
+	${PYTHON_DEPS}
+	app-emulation/qemu
+	app-emulation/virt-firmware
+	>=sys-power/iasl-20160729
+	amd64? ( >=dev-lang/nasm-2.0.7 )
+"
+
+RDEPEND="
+	!sys-firmware/edk2-ovmf-bin
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-202408-werror.patch"
+	"${FILESDIR}/${PN}-202408-binutils-2.41-textrels.patch"
+)
+
+DISABLE_AUTOFORMATTING="true"
+DIR="/usr/share/${PN}"
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	secureboot_pkg_setup
+
+	local QEMU_ARCH ARCH_DIRS UNIT0 UNIT1 FMT
+
+	case "${ARCH}" in
+	amd64)
+		TARGET_ARCH="X64"
+		QEMU_ARCH="x86_64"
+		ARCH_DIRS="${DIR}/OvmfX64"
+		UNIT0="OVMF_CODE.fd"
+		UNIT1="OVMF_VARS.fd"
+		FMT="raw"
+		;;
+	esac
+
+	DOC_CONTENTS="This package includes the TianoCore EDK II UEFI firmware for ${QEMU_ARCH}
+virtual machines. The firmware is located under ${ARCH_DIRS}.
+
+In order to use the firmware, you can run QEMU like so:
+
+	$ qemu-system-${QEMU_ARCH} \\
+		-drive file=${EPREFIX}${ARCH_DIRS%% *}/${UNIT0},if=pflash,format=${FMT},unit=0,readonly=on \\
+		-drive file=/path/to/the/copy/of/${UNIT1},if=pflash,format=${FMT},unit=1 \\
+		..."
+
+	case "${ARCH}" in
+	amd64) DOC_CONTENTS+="
+
+The firmware does not support CSM due to the lack of a free
+implementation. If you need a firmware with CSM support, you have to
+download one for yourself. Firmware blobs are commonly labelled:
+
+	OVMF_CODE-with-csm.fd
+	OVMF_VARS-with-csm.fd"
+		;;
+	esac
+}
+
+link_mod() {
+	rmdir "$2" && ln -sfT "$1" "$2" || die "linking ${2##*/} failed"
+}
+
+src_prepare() {
+	# Bundled submodules
+	link_mod "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}" \
+		BaseTools/Source/C/BrotliCompress/brotli
+	link_mod "${WORKDIR}/brotli-${BUNDLED_BROTLI_SUBMODULE_SHA}" \
+		MdeModulePkg/Library/BrotliCustomDecompressLib/brotli
+	link_mod "${WORKDIR}/libspdm-${BUNDLED_LIBSPDM_SUBMODULE_SHA}" \
+		SecurityPkg/DeviceSecurity/SpdmLib/libspdm
+	link_mod "${WORKDIR}/mbedtls-${BUNDLED_MBEDTLS_SUBMODULE_SHA}" \
+		CryptoPkg/Library/MbedTlsLib/mbedtls
+	link_mod "${WORKDIR}/public-mipi-sys-t-${BUNDLED_MIPI_SYS_T_SUBMODULE_SHA}" \
+		MdePkg/Library/MipiSysTLib/mipisyst
+	link_mod "${WORKDIR}/openssl-${BUNDLED_OPENSSL_SUBMODULE_SHA}" \
+		CryptoPkg/Library/OpensslLib/openssl
+
+	default
+
+	# Fix descriptor paths for prefix.
+	hprefixify "${FILESDIR}"/descriptors/*.json
+}
+
+mybuild() {
+	edo build \
+		-t "${TOOLCHAIN}" \
+		-b "${BUILD_TARGET}" \
+		-D NETWORK_HTTP_BOOT_ENABLE \
+		-D NETWORK_IP6_ENABLE \
+		-D NETWORK_TLS_ENABLE \
+		-D TPM1_ENABLE \
+		-D TPM2_ENABLE \
+		-D TPM2_CONFIG_ENABLE \
+		"${BUILD_ARGS[@]}" \
+		"${@}"
+}
+
+# Add the MS and Red Hat Secure Boot certificates and update the revocation list
+# for the given architecture in the given raw variables image.
+mk_fw_vars() {
+	edo virt-fw-vars \
+		--set-dbx "${DISTDIR}/$1_DBXUpdate_${DBXDATE}.bin" \
+		--secure-boot --enroll-redhat --inplace "$2"
+}
+
+# Convert the given images from raw to QCOW2 and resize them to the amount given
+# as the first argument. Specify 0 to not resize.
+raw_to_qcow2() {
+	local SIZE=$1 RAW
+	shift
+
+	for RAW in "${@}"; do
+		edo qemu-img convert -f raw -O qcow2 -o cluster_size=4096 -S 4096 "${RAW}" "${RAW%.fd}.qcow2"
+		[[ ${SIZE} != 0 ]] && edo qemu-img resize -f qcow2 "${RAW%.fd}.qcow2" "${SIZE}"
+		rm "${RAW}" || die
+	done
+}
+
+src_compile() {
+	TOOLCHAIN="GCC5"
+	BUILD_TARGET="RELEASE"
+	BUILD_DIR="${BUILD_TARGET}_${TOOLCHAIN}"
+	BUILD_ARGS=()
+
+	tc-export_build_env
+	emake -C BaseTools \
+		CC="$(tc-getBUILD_CC)" \
+		CXX="$(tc-getBUILD_CXX)" \
+		EXTRA_OPTFLAGS="${BUILD_CFLAGS}" \
+		EXTRA_LDFLAGS="${BUILD_LDFLAGS}"
+
+	export \
+		"${TOOLCHAIN}_${TARGET_ARCH}_PREFIX=${CHOST}-" \
+		"${TOOLCHAIN}_BIN=${CHOST}-"
+
+	. ./edksetup.sh
+
+	# DO NOT enable the shell with Secure Boot as it can be used as a bypass!
+
+	case "${ARCH}" in
+	amd64)
+		local SIZE
+		for SIZE in _2M _4M; do
+			mybuild -a X64 -p OvmfPkg/OvmfPkgX64.dsc \
+				-D FD_SIZE${SIZE}B \
+				-D BUILD_SHELL=FALSE \
+				-D SECURE_BOOT_ENABLE \
+				-D SMM_REQUIRE
+
+			mv -T Build/OvmfX64 Build/OvmfX64${SIZE}.secboot || die
+
+			mybuild -a X64 -p OvmfPkg/OvmfPkgX64.dsc \
+				-D FD_SIZE${SIZE}B
+
+			mv -T Build/OvmfX64 Build/OvmfX64${SIZE} || die
+
+			mk_fw_vars x64 Build/OvmfX64${SIZE}.secboot/"${BUILD_DIR}"/FV/OVMF_VARS.fd
+		done
+
+		# Fedora only converts newer images to QCOW2. 2MB images are raw.
+		raw_to_qcow2 0 Build/OvmfX64_4M*/"${BUILD_DIR}"/FV/OVMF_{CODE,VARS}.fd
+		;;
+	esac
+}
+
+src_install() {
+	local SIZE TYPE FMT
+
+	case "${ARCH}" in
+	amd64)
+		insinto ${DIR}/OvmfX64
+		doins Build/OvmfX64_2M/"${BUILD_DIR}"/X64/Shell.efi
+
+		for SIZE in _2M _4M; do
+			for TYPE in "" .secboot; do
+				[[ ${SIZE} = _4M ]] && FMT=qcow2 || FMT=fd
+				newins Build/OvmfX64${SIZE}${TYPE}/"${BUILD_DIR}"/FV/OVMF_CODE.${FMT} OVMF_CODE${SIZE#_2M}${TYPE}.${FMT}
+				newins Build/OvmfX64${SIZE}${TYPE}/"${BUILD_DIR}"/FV/OVMF_VARS.${FMT} OVMF_VARS${SIZE#_2M}${TYPE}.${FMT}
+			done
+		done
+
+		# Compatibility with older package versions.
+		dosym ${PN}/OvmfX64 /usr/share/edk2-ovmf
+		;;
+	esac
+
+	insinto /usr/share/qemu/firmware
+	doins "${FILESDIR}"/descriptors/*"${TARGET_ARCH,,}"*.json
+
+	secureboot_auto_sign --in-place
+	readme.gentoo_create_doc
+}
+
+pkg_preinst() {
+	local OLD=${EROOT}/usr/share/edk2-ovmf NEW=${EROOT}/${DIR}/OvmfX64
+	if [[ -d ${OLD} && ! -L ${OLD} ]]; then
+		{
+			rm -vf "${OLD}"/{OVMF_{CODE,CODE.secboot,VARS}.fd,EnrollDefaultKeys.efi,Shell.efi,UefiShell.img} &&
+			mkdir -p "${NEW}" &&
+			find "${OLD}" -mindepth 1 -maxdepth 1 -execdir mv --update=none-fail -vt "${NEW}"/ {} + &&
+			rmdir "${OLD}"
+		} || die "unable to replace old directory with compatibility symlink"
+	fi
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}
diff --git a/sys-firmware/edk2/files/descriptors/30-edk2-ovmf-4m-qcow2-x64-sb-enrolled.json b/sys-firmware/edk2/files/descriptors/30-edk2-ovmf-4m-qcow2-x64-sb-enrolled.json
new file mode 100644
index 000000000000..b11c77b5680d
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/30-edk2-ovmf-4m-qcow2-x64-sb-enrolled.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "enrolled-keys",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/sys-firmware/edk2/files/descriptors/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json b/sys-firmware/edk2/files/descriptors/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json
new file mode 100644
index 000000000000..ffa28c209905
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/31-edk2-ovmf-2m-raw-x64-sb-enrolled.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF for x86_64, with SB+SMM, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS.secboot.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "enrolled-keys",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/sys-firmware/edk2/files/descriptors/40-edk2-ovmf-4m-qcow2-x64-sb.json b/sys-firmware/edk2/files/descriptors/40-edk2-ovmf-4m-qcow2-x64-sb.json
new file mode 100644
index 000000000000..52daef98cf66
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/40-edk2-ovmf-4m-qcow2-x64-sb.json
@@ -0,0 +1,35 @@
+{
+    "description": "OVMF for x86_64, with SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/sys-firmware/edk2/files/descriptors/41-edk2-ovmf-2m-raw-x64-sb.json b/sys-firmware/edk2/files/descriptors/41-edk2-ovmf-2m-raw-x64-sb.json
new file mode 100644
index 000000000000..358f05927653
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/41-edk2-ovmf-2m-raw-x64-sb.json
@@ -0,0 +1,35 @@
+{
+    "description": "OVMF for x86_64, with SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/sys-firmware/edk2/files/descriptors/50-edk2-ovmf-4m-qcow2-x64-nosb.json b/sys-firmware/edk2/files/descriptors/50-edk2-ovmf-4m-qcow2-x64-nosb.json
new file mode 100644
index 000000000000..efd4ddbfb632
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/50-edk2-ovmf-4m-qcow2-x64-nosb.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF for x86_64, without SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-i440fx-*",
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "amd-sev-es",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/sys-firmware/edk2/files/descriptors/51-edk2-ovmf-2m-raw-x64-nosb.json b/sys-firmware/edk2/files/descriptors/51-edk2-ovmf-2m-raw-x64-nosb.json
new file mode 100644
index 000000000000..309ba626b940
--- /dev/null
+++ b/sys-firmware/edk2/files/descriptors/51-edk2-ovmf-2m-raw-x64-nosb.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF for x86_64, without SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode" : "split",
+        "executable": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_CODE.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/OvmfX64/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-i440fx-*",
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "amd-sev-es",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}