diff --git a/third_party/edk2/BUILD.bazel b/third_party/edk2/BUILD.bazel
index 8809591..8e5ef36 100644
--- a/third_party/edk2/BUILD.bazel
+++ b/third_party/edk2/BUILD.bazel
@@ -1,17 +1,50 @@
-alias(
+load("@bazel_skylib//rules:select_file.bzl", "select_file")
+load("//build/utils:target_info.bzl", "target_info")
+load("//third_party/edk2:def.bzl", "edk2")
+
+edk2(
     name = "firmware",
-    actual = "@edk2//:firmware",
+    src = "@edk2//:all",
     visibility = ["//visibility:public"],
 )
 
-alias(
-    name = "OVMF_CODE.fd",
-    actual = "@edk2//:OVMF_CODE.fd",
+select_file(
+    name = "CODE.fd",
+    srcs = ":firmware",
+    subpath = "CODE.fd",
     visibility = ["//visibility:public"],
 )
 
-alias(
-    name = "OVMF_VARS.fd",
-    actual = "@edk2//:OVMF_VARS.fd",
+select_file(
+    name = "VARS.fd",
+    srcs = ":firmware",
+    subpath = "VARS.fd",
     visibility = ["//visibility:public"],
 )
+
+target_info(
+    name = "target_arch",
+    value = select({
+        "@platforms//cpu:x86_64": "X64",
+        "@platforms//cpu:aarch64": "AARCH64",
+        "@platforms//cpu:riscv64": "RISCV64",
+    }),
+    visibility = ["//visibility:private"],
+)
+
+target_info(
+    name = "compilation_mode",
+    value = select({
+        ":is_compilation_mode_dbg": "DEBUG",
+        "//conditions:default": "RELEASE",
+    }),
+    visibility = ["//visibility:private"],
+)
+
+config_setting(
+    name = "is_compilation_mode_dbg",
+    values = {
+        "compilation_mode": "dbg",
+    },
+    visibility = ["//visibility:private"],
+)
diff --git a/third_party/edk2/def.bzl b/third_party/edk2/def.bzl
new file mode 100644
index 0000000..62a0fbe
--- /dev/null
+++ b/third_party/edk2/def.bzl
@@ -0,0 +1,141 @@
+# Copyright The Monogon Project Authors.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_cc//cc:find_cc_toolchain.bzl", "find_cpp_toolchain", "use_cc_toolchain")
+load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
+load("@rules_cc//cc/common:cc_info.bzl", "CcInfo")
+load("//build/utils:detect_root.bzl", "detect_root", "detect_roots")
+load("//build/utils:foreign_build.bzl", "generate_foreign_build_env", "merge_env")
+load("//build/utils:target_info.bzl", "TargetInfo")
+load("//osbase/build:def.bzl", "ignore_unused_configuration")
+
+TOOLCHAINS = [
+    "//build/toolchain/toolchain-bundle:make_toolchain",
+    "//build/toolchain/toolchain-bundle:nasm_toolchain",
+    "//build/toolchain/toolchain-bundle:iasl_toolchain",
+    "//build/toolchain/toolchain-bundle:strace_toolchain",
+]
+
+def _edk2_impl(ctx):
+    _, libuuid_gen = detect_roots(ctx.attr._libuuid[CcInfo].compilation_context.direct_public_headers)
+    extra_env = {
+        "HOSTLDFLAGS": " -L ".join(
+            [
+                "",  # First element empty, for force a the join prefix
+                detect_root(ctx.attr._libuuid.files.to_list()).rsplit("/", 1)[0],
+            ],
+        ),
+        "HOSTCFLAGS": " -I ".join(
+            [
+                "",  # First element empty, for force a the join prefix
+                libuuid_gen,
+            ],
+        ),
+        "CROSS_LIB_UUID_INC": libuuid_gen.rsplit("/", 1)[0],
+        "CROSS_LIB_UUID": detect_root(ctx.attr._libuuid.files.to_list()).rsplit("/", 1)[0],
+    }
+
+    inputs = depset(
+        ctx.files.src +
+        ctx.files._libuuid +
+        ctx.attr._libuuid[CcInfo].compilation_context.direct_public_headers,
+    )
+
+    # Setup the environment for the foreign build.
+    toolchain_env, toolchain_inputs, toolchain_cmd = generate_foreign_build_env(
+        ctx = ctx,
+        target_toolchain = find_cpp_toolchain(ctx),
+        exec_toolchain = ctx.attr._exec_toolchain[cc_common.CcToolchainInfo],
+        toolchain_bundle_tools = TOOLCHAINS,
+    )
+
+    target_arch = ctx.attr._target_arch[TargetInfo].value
+    target_path = None
+    export_script = None
+    if target_arch == "X64":
+        target_path = "OvmfPkg/OvmfPkgX64.dsc"
+        export_script = """
+            cp {src}/Build/OvmfX64/{release_type}_"$TOOLCHAIN"/FV/OVMF_CODE.fd {code}
+            cp {src}/Build/OvmfX64/{release_type}_"$TOOLCHAIN"/FV/OVMF_VARS.fd {vars}
+        """
+    elif target_arch == "AARCH64":
+        target_path = "ArmVirtPkg/ArmVirtQemu.dsc"
+        export_script = """
+            dd of="{code}" if=/dev/zero bs=1M count=64
+            dd of="{code}" if={src}/Build/ArmVirtQemu-AARCH64/{release_type}_"$TOOLCHAIN"/FV/QEMU_EFI.fd conv=notrunc
+            dd of="{vars}" if=/dev/zero bs=1M count=64
+            dd of="{vars}" if={src}/Build/ArmVirtQemu-AARCH64/{release_type}_"$TOOLCHAIN"/FV/QEMU_VARS.fd conv=notrunc
+        """
+    else:
+        fail("Unsupported target architecture: %s" % target_arch)
+
+    code = ctx.actions.declare_file("CODE.fd")
+    vars = ctx.actions.declare_file("VARS.fd")
+    ctx.actions.run_shell(
+        outputs = [code, vars],
+        inputs = depset(transitive = [inputs, toolchain_inputs]),
+        env = merge_env(toolchain_env, extra_env),
+        progress_message = "Building EDK2 firmware",
+        mnemonic = "BuildEDK2Firmware",
+        command = toolchain_cmd + ("""
+            TOOLCHAIN=CLANGDWARF
+            export CLANG_BIN="$CC_PATH/"
+
+            (
+                cd {src}
+                . edksetup.sh
+                make \
+                BUILD_OPTFLAGS="$HOSTCFLAGS" EXTRA_LDFLAGS="$HOSTLDFLAGS" \
+                -C BaseTools/Source/C
+
+                build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE \
+                -t $TOOLCHAIN -a {target_arch} -b {release_type} \
+                -p $PWD/{target_path}
+            ) > /dev/null
+            """ + export_script).format(
+            src = detect_root(ctx.attr.src.files.to_list()),
+            code = code.path,
+            vars = vars.path,
+            target_arch = target_arch,
+            target_path = target_path,
+            release_type = ctx.attr._compilation_mode[TargetInfo].value,
+        ),
+        use_default_shell_env = True,
+    )
+
+    return [
+        DefaultInfo(
+            files = depset([code, vars]),
+            runfiles = ctx.runfiles(files = [code, vars]),
+        ),
+    ]
+
+edk2 = rule(
+    doc = """
+        Build EDK2 hermetically.
+    """,
+    implementation = _edk2_impl,
+    cfg = ignore_unused_configuration,
+    attrs = {
+        "src": attr.label(
+            doc = """
+                Filegroup containing EDK2 sources.
+            """,
+        ),
+        "_libuuid": attr.label(
+            default = "@libuuid//:uuid",
+        ),
+        "_exec_toolchain": attr.label(
+            default = "@rules_cc//cc:current_cc_toolchain",
+            cfg = "exec",
+        ),
+        "_target_arch": attr.label(
+            default = "//third_party/edk2:target_arch",
+        ),
+        "_compilation_mode": attr.label(
+            default = "//third_party/edk2:compilation_mode",
+        ),
+    },
+    fragments = ["cpp"],
+    toolchains = TOOLCHAINS + use_cc_toolchain(),
+)
diff --git a/third_party/edk2/edk2.bzl b/third_party/edk2/edk2.bzl
index 43effe5..24ebf0f 100644
--- a/third_party/edk2/edk2.bzl
+++ b/third_party/edk2/edk2.bzl
@@ -7,28 +7,5 @@
             "CryptoPkg/Library/OpensslLib/openssl/fuzz/corpora/**",
         ],
     ),
-)
-
-genrule(
-    name = "firmware",
-    srcs = [":all"],
-    outs = [
-        "OVMF_CODE.fd",
-        "OVMF_VARS.fd",
-    ],
-    cmd = """
-    (
-        # The edk2 build does not like Bazel's default genrule environment.
-        set +u
-
-        cd {path}
-        . edksetup.sh
-        make -C BaseTools/Source/C
-        build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -t GCC5 -a X64 -b RELEASE -p $$PWD/OvmfPkg/OvmfPkgX64.dsc
-    ) > /dev/null
-
-    cp {path}/Build/OvmfX64/RELEASE_GCC5/FV/OVMF_CODE.fd $(RULEDIR)
-    cp {path}/Build/OvmfX64/RELEASE_GCC5/FV/OVMF_VARS.fd $(RULEDIR)
-    """.format(path = package_relative_label(":all").workspace_root),
     visibility = ["//visibility:public"],
 )
diff --git a/third_party/edk2/patches/fix-build.patch b/third_party/edk2/patches/fix-build.patch
new file mode 100644
index 0000000..3f9ebd9
--- /dev/null
+++ b/third_party/edk2/patches/fix-build.patch
@@ -0,0 +1,62 @@
+EDK2 doens't respect HOSTCFLAGS and HOSTLDFLAGS which we need to pass the sysroot
+and target flags to the compiler and linker.
+ 
+diff --git a/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile b/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
+--- a/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
++++ b/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
+@@ -131,16 +131,17 @@
+ COPT=-O
+ ANTLR=${BIN_DIR}/antlr
+ DLG=${BIN_DIR}/dlg
+ CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN -DZZLEXBUFSIZE=65536 -std=gnu11
++CFLAGS += $(HOSTCFLAGS)
+ CPPFLAGS=
+ OBJ_EXT=o
+ OUT_OBJ = -o
+ OBJ = dlg_p.o dlg_a.o main.o err.o set.o support.o output.o \
+         relabel.o automata.o
+ 
+ $(BIN_DIR)/dlg : $(OBJ) $(SRC)
+-		$(CC) $(CFLAGS) -o $(BIN_DIR)/dlg $(OBJ)
++		$(CC) $(HOSTLDFLAGS) -o $(BIN_DIR)/dlg $(OBJ)
+ 
+ SRC = dlg_p.c dlg_a.c main.c err.c $(SET)/set.c support.c output.c \
+         relabel.c automata.c
+ 
+diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile b/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
+--- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
++++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
+@@ -176,8 +176,9 @@
+ DLG=${BIN_DIR}/dlg
+ OBJ_EXT=o
+ OUT_OBJ = -o
+ CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN $(COTHER) -DZZLEXBUFSIZE=65536 -std=gnu11
++CFLAGS += $(HOSTCFLAGS)
+ CPPFLAGS=
+ #
+ # SGI Users, use this CFLAGS
+ #
+@@ -185,9 +186,9 @@
+ OBJ=antlr.o scan.o err.o bits.o build.o fset2.o fset.o gen.o  \
+         globals.o hash.o lex.o main.o misc.o set.o pred.o egman.o mrhoist.o fcache.o
+ 
+ $(BIN_DIR)/antlr : $(OBJ) $(SRC)
+-		$(CC) $(CFLAGS) -o $(BIN_DIR)/antlr $(OBJ)
++		$(CC) $(HOSTLDFLAGS) -o $(BIN_DIR)/antlr $(OBJ)
+ 
+ # what files does PCCTS generate (both ANTLR and DLG)
+ PCCTS_GEN=antlr.c scan.c err.c tokens.h mode.h parser.dlg stdpccts.h remap.h
+ 
+diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
+--- a/BaseTools/Source/C/GNUmakefile
++++ b/BaseTools/Source/C/GNUmakefile
+@@ -50,9 +50,8 @@
+ 
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+-  BrotliCompress \
+   VfrCompile \
+   EfiRom \
+   GenFfs \
+   GenFv \
diff --git a/third_party/edk2/patches/fix-uuid-flag.patch b/third_party/edk2/patches/fix-uuid-flag.patch
new file mode 100644
index 0000000..5051623
--- /dev/null
+++ b/third_party/edk2/patches/fix-uuid-flag.patch
@@ -0,0 +1,13 @@
+diff --git a/BaseTools/Source/C/GenFv/GNUmakefile b/BaseTools/Source/C/GenFv/GNUmakefile
+--- a/BaseTools/Source/C/GenFv/GNUmakefile
++++ b/BaseTools/Source/C/GenFv/GNUmakefile
+@@ -21,8 +21,8 @@
+ ifndef CROSS_LIB_UUID
+   LIBS += -luuid
+ else
+   LIBS += -L$(CROSS_LIB_UUID)
+-  BUILD_CFLAGS += -D__CROSS_LIB_UUID__ -I $(CROSS_LIB_UUID_INC)
++  CFLAGS += -D__CROSS_LIB_UUID__ -I $(CROSS_LIB_UUID_INC)
+ endif
+ endif
+