import edk2-20200602gitca407c7246bf-3.el8
This commit is contained in:
parent
6baa27570e
commit
0cc2846c54
@ -1,2 +1,2 @@
|
||||
c7ca6a13a5f9e7fe8071010c26a11ba41548308b SOURCES/edk2-37eef91017ad.tar.xz
|
||||
3a531b4e8864ee52b1e128ac9742b3e9dcec49bf SOURCES/edk2-ca407c7246bf.tar.xz
|
||||
cb385fc348395c187db3737e532de787ca2a17c9 SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/edk2-37eef91017ad.tar.xz
|
||||
SOURCES/edk2-ca407c7246bf.tar.xz
|
||||
SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
|
||||
|
@ -1,668 +0,0 @@
|
||||
From ac1a0b44df858e53be9e8af499e80a459f0cef16 Mon Sep 17 00:00:00 2001
|
||||
From: Shenglei Zhang <shenglei.zhang@intel.com>
|
||||
Date: Tue, 29 Oct 2019 15:43:11 +0000
|
||||
Subject: CryptoPkg/OpensslLib: Update process_files.pl to generate .h files
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
- New patch (cherry-picked from upstream, to be dropped at the next
|
||||
downstream rebase).
|
||||
|
||||
- Upstream moved to OpenSSL_1.1.1b (for TianoCore#1089) in release
|
||||
edk2-stable201905. As part of that OpenSSL update, "OpensslLib.inf" and
|
||||
"OpensslLibCrypto.inf" failed to list some new header files.
|
||||
|
||||
- As a part of edk2-stable201908, commit 8906f076de35
|
||||
("CryptoPkg/OpensslLib: Add missing header files in INF file",
|
||||
2019-08-16) fixed up "OpensslLib.inf" and "OpensslLibCrypto.inf" with
|
||||
the missing header files, but did so manually.
|
||||
|
||||
- The present patch (which is going to be released in edk2-stable201911)
|
||||
updates "process_files.pl" to list the subject header files
|
||||
automatically.
|
||||
|
||||
- This patch is being backported primarily in order to keep further
|
||||
backports for the modified files conflict-free. It might also come in
|
||||
handy once we adopt RHEL8's own OpenSSL version (in case we have to
|
||||
re-run "process_files.pl" ourselves).
|
||||
|
||||
There are missing headers added into INF files at 8906f076de35b222a..
|
||||
They are now manually added but not auto-generated. So we update the
|
||||
perl script to enable this feature.
|
||||
Meanwhile, update the order of the .h files in INF files, which are
|
||||
auto-generated now.
|
||||
https://bugzilla.tianocore.org/show_bug.cgi?id=2085
|
||||
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
(cherry picked from commit 9f4fbd56d43054cc73d722c1643659f9741c0fcf)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 103 +++++++++---------
|
||||
.../Library/OpensslLib/OpensslLibCrypto.inf | 96 ++++++++--------
|
||||
CryptoPkg/Library/OpensslLib/process_files.pl | 28 +++++
|
||||
3 files changed, 129 insertions(+), 98 deletions(-)
|
||||
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
index 7432321fd4..dd873a0dcd 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
@@ -34,9 +34,7 @@
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_wrap.c
|
||||
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
|
||||
$(OPENSSL_PATH)/crypto/aria/aria.c
|
||||
- $(OPENSSL_PATH)/crypto/arm_arch.h
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_digest.c
|
||||
@@ -101,21 +99,12 @@
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_sig.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_spki.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_val.c
|
||||
- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/charmap.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_null.c
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_posix.c
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_win.c
|
||||
$(OPENSSL_PATH)/crypto/async/async.c
|
||||
$(OPENSSL_PATH)/crypto/async/async_err.c
|
||||
$(OPENSSL_PATH)/crypto/async/async_wait.c
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_win.h
|
||||
- $(OPENSSL_PATH)/crypto/async/async_locl.h
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_null.h
|
||||
$(OPENSSL_PATH)/crypto/bio/b_addr.c
|
||||
$(OPENSSL_PATH)/crypto/bio/b_dump.c
|
||||
$(OPENSSL_PATH)/crypto/bio/b_sock.c
|
||||
@@ -138,7 +127,6 @@
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_mem.c
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_null.c
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_sock.c
|
||||
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_add.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_asm.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_blind.c
|
||||
@@ -170,9 +158,6 @@
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_srp.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_word.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_x931p.c
|
||||
- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
|
||||
- $(OPENSSL_PATH)/crypto/bn/bn_prime.h
|
||||
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/buffer/buf_err.c
|
||||
$(OPENSSL_PATH)/crypto/buffer/buffer.c
|
||||
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
|
||||
@@ -181,7 +166,6 @@
|
||||
$(OPENSSL_PATH)/crypto/comp/c_zlib.c
|
||||
$(OPENSSL_PATH)/crypto/comp/comp_err.c
|
||||
$(OPENSSL_PATH)/crypto/comp/comp_lib.c
|
||||
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_api.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_def.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_err.c
|
||||
@@ -190,8 +174,6 @@
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_mod.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_sap.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_ssl.c
|
||||
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
|
||||
- $(OPENSSL_PATH)/crypto/conf/conf_def.h
|
||||
$(OPENSSL_PATH)/crypto/cpt_err.c
|
||||
$(OPENSSL_PATH)/crypto/cryptlib.c
|
||||
$(OPENSSL_PATH)/crypto/ctype.c
|
||||
@@ -215,8 +197,6 @@
|
||||
$(OPENSSL_PATH)/crypto/des/set_key.c
|
||||
$(OPENSSL_PATH)/crypto/des/str2key.c
|
||||
$(OPENSSL_PATH)/crypto/des/xcbc_enc.c
|
||||
- $(OPENSSL_PATH)/crypto/des/spr.h
|
||||
- $(OPENSSL_PATH)/crypto/des/des_locl.h
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_check.c
|
||||
@@ -231,7 +211,6 @@
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_prn.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
|
||||
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_dl.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_err.c
|
||||
@@ -239,7 +218,6 @@
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_openssl.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
|
||||
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
|
||||
$(OPENSSL_PATH)/crypto/ebcdic.c
|
||||
$(OPENSSL_PATH)/crypto/err/err.c
|
||||
$(OPENSSL_PATH)/crypto/err/err_prn.c
|
||||
@@ -304,13 +282,11 @@
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
|
||||
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
|
||||
$(OPENSSL_PATH)/crypto/ex_data.c
|
||||
$(OPENSSL_PATH)/crypto/getenv.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hmac.c
|
||||
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/init.c
|
||||
$(OPENSSL_PATH)/crypto/kdf/hkdf.c
|
||||
$(OPENSSL_PATH)/crypto/kdf/kdf_err.c
|
||||
@@ -318,13 +294,10 @@
|
||||
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
|
||||
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
|
||||
$(OPENSSL_PATH)/crypto/lhash/lhash.c
|
||||
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/md4/md4_dgst.c
|
||||
$(OPENSSL_PATH)/crypto/md4/md4_one.c
|
||||
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
|
||||
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
|
||||
$(OPENSSL_PATH)/crypto/md5/md5_one.c
|
||||
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
|
||||
$(OPENSSL_PATH)/crypto/mem.c
|
||||
$(OPENSSL_PATH)/crypto/mem_clr.c
|
||||
$(OPENSSL_PATH)/crypto/mem_dbg.c
|
||||
@@ -339,7 +312,6 @@
|
||||
$(OPENSSL_PATH)/crypto/modes/ofb128.c
|
||||
$(OPENSSL_PATH)/crypto/modes/wrap128.c
|
||||
$(OPENSSL_PATH)/crypto/modes/xts128.c
|
||||
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/o_dir.c
|
||||
$(OPENSSL_PATH)/crypto/o_fips.c
|
||||
$(OPENSSL_PATH)/crypto/o_fopen.c
|
||||
@@ -351,9 +323,6 @@
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_err.c
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_lib.c
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_xref.c
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_dat.h
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_xref.h
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c
|
||||
@@ -364,7 +333,6 @@
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c
|
||||
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_all.c
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_err.c
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_info.c
|
||||
@@ -392,7 +360,6 @@
|
||||
$(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs12/pk12err.c
|
||||
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c
|
||||
@@ -401,7 +368,6 @@
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
|
||||
- $(OPENSSL_PATH)/crypto/ppc_arch.h
|
||||
$(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
|
||||
$(OPENSSL_PATH)/crypto/rand/drbg_lib.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_egd.c
|
||||
@@ -410,10 +376,8 @@
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_win.c
|
||||
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
|
||||
$(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
|
||||
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
|
||||
@@ -436,24 +400,18 @@
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
|
||||
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
|
||||
- $(OPENSSL_PATH)/crypto/s390x_arch.h
|
||||
$(OPENSSL_PATH)/crypto/sha/keccak1600.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha1_one.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha256.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha512.c
|
||||
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash.c
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
|
||||
- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
|
||||
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
|
||||
$(OPENSSL_PATH)/crypto/sm3/sm3.c
|
||||
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
|
||||
$(OPENSSL_PATH)/crypto/sm4/sm4.c
|
||||
$(OPENSSL_PATH)/crypto/stack/stack.c
|
||||
- $(OPENSSL_PATH)/crypto/sparc_arch.h
|
||||
$(OPENSSL_PATH)/crypto/threads_none.c
|
||||
$(OPENSSL_PATH)/crypto/threads_pthread.c
|
||||
$(OPENSSL_PATH)/crypto/threads_win.c
|
||||
@@ -463,8 +421,6 @@
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_null.c
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_openssl.c
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_util.c
|
||||
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
|
||||
- $(OPENSSL_PATH)/crypto/vms_rms.h
|
||||
$(OPENSSL_PATH)/crypto/uid.c
|
||||
$(OPENSSL_PATH)/crypto/x509/by_dir.c
|
||||
$(OPENSSL_PATH)/crypto/x509/by_file.c
|
||||
@@ -502,7 +458,6 @@
|
||||
$(OPENSSL_PATH)/crypto/x509/x_req.c
|
||||
$(OPENSSL_PATH)/crypto/x509/x_x509.c
|
||||
$(OPENSSL_PATH)/crypto/x509/x_x509a.c
|
||||
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_data.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c
|
||||
@@ -540,11 +495,57 @@
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3err.c
|
||||
+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/conf/conf_def.h
|
||||
+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/store/store_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/arm_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/mips_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/ppc_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/s390x_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/sparc_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/vms_rms.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
|
||||
+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/charmap.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
|
||||
+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h
|
||||
+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/des/des_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/des/spr.h
|
||||
+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
|
||||
+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/async_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
|
||||
- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
|
||||
- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
|
||||
- $(OPENSSL_PATH)/ms/uplink.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h
|
||||
$(OPENSSL_PATH)/ssl/bio_ssl.c
|
||||
$(OPENSSL_PATH)/ssl/d1_lib.c
|
||||
$(OPENSSL_PATH)/ssl/d1_msg.c
|
||||
@@ -589,13 +590,13 @@
|
||||
$(OPENSSL_PATH)/ssl/t1_trce.c
|
||||
$(OPENSSL_PATH)/ssl/tls13_enc.c
|
||||
$(OPENSSL_PATH)/ssl/tls_srp.c
|
||||
- $(OPENSSL_PATH)/ssl/record/record_locl.h
|
||||
$(OPENSSL_PATH)/ssl/statem/statem.h
|
||||
$(OPENSSL_PATH)/ssl/statem/statem_locl.h
|
||||
+ $(OPENSSL_PATH)/ssl/packet_locl.h
|
||||
+ $(OPENSSL_PATH)/ssl/ssl_cert_table.h
|
||||
$(OPENSSL_PATH)/ssl/ssl_locl.h
|
||||
$(OPENSSL_PATH)/ssl/record/record.h
|
||||
- $(OPENSSL_PATH)/ssl/ssl_cert_table.h
|
||||
- $(OPENSSL_PATH)/ssl/packet_locl.h
|
||||
+ $(OPENSSL_PATH)/ssl/record/record_locl.h
|
||||
# Autogenerated files list ends here
|
||||
|
||||
ossl_store.c
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
index 8134b45eda..a1bb560255 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
@@ -33,9 +33,7 @@
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
|
||||
$(OPENSSL_PATH)/crypto/aes/aes_wrap.c
|
||||
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
|
||||
$(OPENSSL_PATH)/crypto/aria/aria.c
|
||||
- $(OPENSSL_PATH)/crypto/arm_arch.h
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/a_digest.c
|
||||
@@ -100,21 +98,12 @@
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_sig.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_spki.c
|
||||
$(OPENSSL_PATH)/crypto/asn1/x_val.c
|
||||
- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/charmap.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
|
||||
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_null.c
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_posix.c
|
||||
$(OPENSSL_PATH)/crypto/async/arch/async_win.c
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_null.h
|
||||
- $(OPENSSL_PATH)/crypto/async/arch/async_win.h
|
||||
$(OPENSSL_PATH)/crypto/async/async.c
|
||||
$(OPENSSL_PATH)/crypto/async/async_err.c
|
||||
$(OPENSSL_PATH)/crypto/async/async_wait.c
|
||||
- $(OPENSSL_PATH)/crypto/async/async_locl.h
|
||||
$(OPENSSL_PATH)/crypto/bio/b_addr.c
|
||||
$(OPENSSL_PATH)/crypto/bio/b_dump.c
|
||||
$(OPENSSL_PATH)/crypto/bio/b_sock.c
|
||||
@@ -137,7 +126,6 @@
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_mem.c
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_null.c
|
||||
$(OPENSSL_PATH)/crypto/bio/bss_sock.c
|
||||
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_add.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_asm.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_blind.c
|
||||
@@ -169,9 +157,6 @@
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_srp.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_word.c
|
||||
$(OPENSSL_PATH)/crypto/bn/bn_x931p.c
|
||||
- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
|
||||
- $(OPENSSL_PATH)/crypto/bn/bn_prime.h
|
||||
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/buffer/buf_err.c
|
||||
$(OPENSSL_PATH)/crypto/buffer/buffer.c
|
||||
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
|
||||
@@ -180,7 +165,6 @@
|
||||
$(OPENSSL_PATH)/crypto/comp/c_zlib.c
|
||||
$(OPENSSL_PATH)/crypto/comp/comp_err.c
|
||||
$(OPENSSL_PATH)/crypto/comp/comp_lib.c
|
||||
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_api.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_def.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_err.c
|
||||
@@ -189,8 +173,6 @@
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_mod.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_sap.c
|
||||
$(OPENSSL_PATH)/crypto/conf/conf_ssl.c
|
||||
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
|
||||
- $(OPENSSL_PATH)/crypto/conf/conf_def.h
|
||||
$(OPENSSL_PATH)/crypto/cpt_err.c
|
||||
$(OPENSSL_PATH)/crypto/cryptlib.c
|
||||
$(OPENSSL_PATH)/crypto/ctype.c
|
||||
@@ -214,8 +196,6 @@
|
||||
$(OPENSSL_PATH)/crypto/des/set_key.c
|
||||
$(OPENSSL_PATH)/crypto/des/str2key.c
|
||||
$(OPENSSL_PATH)/crypto/des/xcbc_enc.c
|
||||
- $(OPENSSL_PATH)/crypto/des/spr.h
|
||||
- $(OPENSSL_PATH)/crypto/des/des_locl.h
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_check.c
|
||||
@@ -230,7 +210,6 @@
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_prn.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
|
||||
$(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
|
||||
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_dl.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_err.c
|
||||
@@ -238,7 +217,6 @@
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_openssl.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
|
||||
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
|
||||
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
|
||||
$(OPENSSL_PATH)/crypto/ebcdic.c
|
||||
$(OPENSSL_PATH)/crypto/err/err.c
|
||||
$(OPENSSL_PATH)/crypto/err/err_prn.c
|
||||
@@ -280,7 +258,6 @@
|
||||
$(OPENSSL_PATH)/crypto/evp/evp_pkey.c
|
||||
$(OPENSSL_PATH)/crypto/evp/m_md2.c
|
||||
$(OPENSSL_PATH)/crypto/evp/m_md4.c
|
||||
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
|
||||
$(OPENSSL_PATH)/crypto/evp/m_md5.c
|
||||
$(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c
|
||||
$(OPENSSL_PATH)/crypto/evp/m_mdc2.c
|
||||
@@ -304,13 +281,11 @@
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
|
||||
$(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
|
||||
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
|
||||
$(OPENSSL_PATH)/crypto/ex_data.c
|
||||
$(OPENSSL_PATH)/crypto/getenv.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c
|
||||
$(OPENSSL_PATH)/crypto/hmac/hmac.c
|
||||
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/init.c
|
||||
$(OPENSSL_PATH)/crypto/kdf/hkdf.c
|
||||
$(OPENSSL_PATH)/crypto/kdf/kdf_err.c
|
||||
@@ -318,12 +293,10 @@
|
||||
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
|
||||
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
|
||||
$(OPENSSL_PATH)/crypto/lhash/lhash.c
|
||||
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/md4/md4_dgst.c
|
||||
$(OPENSSL_PATH)/crypto/md4/md4_one.c
|
||||
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
|
||||
$(OPENSSL_PATH)/crypto/md5/md5_one.c
|
||||
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
|
||||
$(OPENSSL_PATH)/crypto/mem.c
|
||||
$(OPENSSL_PATH)/crypto/mem_clr.c
|
||||
$(OPENSSL_PATH)/crypto/mem_dbg.c
|
||||
@@ -338,7 +311,6 @@
|
||||
$(OPENSSL_PATH)/crypto/modes/ofb128.c
|
||||
$(OPENSSL_PATH)/crypto/modes/wrap128.c
|
||||
$(OPENSSL_PATH)/crypto/modes/xts128.c
|
||||
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/o_dir.c
|
||||
$(OPENSSL_PATH)/crypto/o_fips.c
|
||||
$(OPENSSL_PATH)/crypto/o_fopen.c
|
||||
@@ -350,9 +322,6 @@
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_err.c
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_lib.c
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_xref.c
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_dat.h
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_xref.h
|
||||
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c
|
||||
@@ -363,7 +332,6 @@
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
|
||||
$(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c
|
||||
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_all.c
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_err.c
|
||||
$(OPENSSL_PATH)/crypto/pem/pem_info.c
|
||||
@@ -399,8 +367,6 @@
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
|
||||
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
|
||||
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
|
||||
- $(OPENSSL_PATH)/crypto/ppc_arch.h
|
||||
$(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
|
||||
$(OPENSSL_PATH)/crypto/rand/drbg_lib.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_egd.c
|
||||
@@ -409,10 +375,8 @@
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
|
||||
$(OPENSSL_PATH)/crypto/rand/rand_win.c
|
||||
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
|
||||
$(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
|
||||
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
|
||||
@@ -435,24 +399,18 @@
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
|
||||
$(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
|
||||
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
|
||||
$(OPENSSL_PATH)/crypto/sha/keccak1600.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha1_one.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha256.c
|
||||
$(OPENSSL_PATH)/crypto/sha/sha512.c
|
||||
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash.c
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
|
||||
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
|
||||
- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
|
||||
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
|
||||
$(OPENSSL_PATH)/crypto/sm3/sm3.c
|
||||
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
|
||||
$(OPENSSL_PATH)/crypto/sm4/sm4.c
|
||||
$(OPENSSL_PATH)/crypto/stack/stack.c
|
||||
- $(OPENSSL_PATH)/crypto/s390x_arch.h
|
||||
- $(OPENSSL_PATH)/crypto/sparc_arch.h
|
||||
$(OPENSSL_PATH)/crypto/threads_none.c
|
||||
$(OPENSSL_PATH)/crypto/threads_pthread.c
|
||||
$(OPENSSL_PATH)/crypto/threads_win.c
|
||||
@@ -462,9 +420,7 @@
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_null.c
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_openssl.c
|
||||
$(OPENSSL_PATH)/crypto/ui/ui_util.c
|
||||
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
|
||||
$(OPENSSL_PATH)/crypto/uid.c
|
||||
- $(OPENSSL_PATH)/crypto/vms_rms.h
|
||||
$(OPENSSL_PATH)/crypto/x509/by_dir.c
|
||||
$(OPENSSL_PATH)/crypto/x509/by_file.c
|
||||
$(OPENSSL_PATH)/crypto/x509/t_crl.c
|
||||
@@ -501,7 +457,6 @@
|
||||
$(OPENSSL_PATH)/crypto/x509/x_req.c
|
||||
$(OPENSSL_PATH)/crypto/x509/x_x509.c
|
||||
$(OPENSSL_PATH)/crypto/x509/x_x509a.c
|
||||
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_data.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c
|
||||
@@ -539,10 +494,57 @@
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3err.c
|
||||
+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/conf/conf_def.h
|
||||
+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/store/store_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/arm_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/mips_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/ppc_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/s390x_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/sparc_arch.h
|
||||
+ $(OPENSSL_PATH)/crypto/vms_rms.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h
|
||||
+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
|
||||
+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/charmap.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
|
||||
+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
|
||||
+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h
|
||||
+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/des/des_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/des/spr.h
|
||||
+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
|
||||
+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/async/async_locl.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
|
||||
- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
|
||||
- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
|
||||
+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
|
||||
+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h
|
||||
# Autogenerated files list ends here
|
||||
buildinf.h
|
||||
rand_pool_noise.h
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
index e13c0acb4d..4fe54cd808 100755
|
||||
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
@@ -144,6 +144,34 @@ foreach my $product ((@{$unified_info{libraries}},
|
||||
}
|
||||
}
|
||||
|
||||
+
|
||||
+#
|
||||
+# Update the perl script to generate the missing header files
|
||||
+#
|
||||
+my @dir_list = ();
|
||||
+for (keys %{$unified_info{dirinfo}}){
|
||||
+ push @dir_list,$_;
|
||||
+}
|
||||
+
|
||||
+my $dir = getcwd();
|
||||
+my @files = ();
|
||||
+my @headers = ();
|
||||
+chdir ("openssl");
|
||||
+foreach(@dir_list){
|
||||
+ @files = glob($_."/*.h");
|
||||
+ push @headers, @files;
|
||||
+}
|
||||
+chdir ($dir);
|
||||
+
|
||||
+foreach (@headers){
|
||||
+ if(/ssl/){
|
||||
+ push @sslfilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n";
|
||||
+ next;
|
||||
+ }
|
||||
+ push @cryptofilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n";
|
||||
+}
|
||||
+
|
||||
+
|
||||
#
|
||||
# Update OpensslLib.inf with autogenerated file list
|
||||
#
|
||||
--
|
||||
2.18.1
|
||||
|
@ -1,159 +0,0 @@
|
||||
From bbda3f776bfcdbcb77b82f1f7fd5dafd798d9784 Mon Sep 17 00:00:00 2001
|
||||
From: Shenglei Zhang <shenglei.zhang@intel.com>
|
||||
Date: Mon, 21 Oct 2019 15:53:42 +0800
|
||||
Subject: CryptoPkg: Upgrade OpenSSL to 1.1.1d
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
- New patch (cherry-picked from upstream, to be dropped at the next
|
||||
downstream rebase).
|
||||
|
||||
- Upstream OpenSSL-1.1.1c contains commit 5fba3afad017 ("Rework DSO API
|
||||
conditions and configuration option", 2019-04-10). This upstream OpenSSL
|
||||
change requires edk2 to #define DSO_NONE explicitly.
|
||||
|
||||
- The present patch (which is going to be released in edk2-stable201911)
|
||||
updates "process_files.pl" to generate "dso_conf.h" with the above
|
||||
macro, and captures the result (i.e. the actual definition of the macro)
|
||||
in the git tree.
|
||||
|
||||
- This patch is being backported primarily for the DSO_NONE macro (OpenSSL
|
||||
in RHEL-8.2.0 is based on OpenSSL-1.1.1c). The patch could also come in
|
||||
handy in case we have to re-run "process_files.pl" ourselves.
|
||||
|
||||
Upgrade openssl from 1.1.1b to 1.1.1d.
|
||||
Something needs to be noticed is that, there is a bug existing in the
|
||||
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
|
||||
which causes build failure. So we switch the code base to a usable
|
||||
version, which is 2 commits later than the stable tag.
|
||||
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
|
||||
This log is to fix the build failure.
|
||||
https://bugzilla.tianocore.org/show_bug.cgi?id=2226
|
||||
|
||||
Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
|
||||
in OvmfPkg. So update process_files.pl to generate information from
|
||||
"crypto/include/internal/dso_conf.h.in".
|
||||
|
||||
shm.h and utsname.h are added to avoid GCC build failure.
|
||||
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Cc: Liming Gao <liming.gao@intel.com>
|
||||
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Tested-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 1bcc65b9a1408cf445b7b3f9499b27d9c235db71)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
|
||||
CryptoPkg/Library/Include/sys/shm.h | 9 +++++++++
|
||||
CryptoPkg/Library/Include/sys/utsname.h | 9 +++++++++
|
||||
CryptoPkg/Library/OpensslLib/openssl | 2 +-
|
||||
CryptoPkg/Library/OpensslLib/process_files.pl | 17 +++++++++++++++--
|
||||
5 files changed, 50 insertions(+), 3 deletions(-)
|
||||
create mode 100644 CryptoPkg/Library/Include/sys/shm.h
|
||||
create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
|
||||
|
||||
diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h
|
||||
index e69de29bb2..43c891588b 100644
|
||||
--- a/CryptoPkg/Library/Include/internal/dso_conf.h
|
||||
+++ b/CryptoPkg/Library/Include/internal/dso_conf.h
|
||||
@@ -0,0 +1,16 @@
|
||||
+/* WARNING: do not edit! */
|
||||
+/* Generated from crypto/include/internal/dso_conf.h.in */
|
||||
+/*
|
||||
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef HEADER_DSO_CONF_H
|
||||
+# define HEADER_DSO_CONF_H
|
||||
+# define DSO_NONE
|
||||
+# define DSO_EXTENSION ".so"
|
||||
+#endif
|
||||
diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h
|
||||
new file mode 100644
|
||||
index 0000000000..dc0b8e81c8
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/sys/shm.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building the third-party cryptographic library.
|
||||
+
|
||||
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h
|
||||
new file mode 100644
|
||||
index 0000000000..dc0b8e81c8
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/sys/utsname.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building the third-party cryptographic library.
|
||||
+
|
||||
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
index 4fe54cd808..bbcfa0d0e7 100755
|
||||
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
|
||||
@@ -2,7 +2,7 @@
|
||||
#
|
||||
# This script runs the OpenSSL Configure script, then processes the
|
||||
# resulting file list into our local OpensslLib[Crypto].inf and also
|
||||
-# takes a copy of opensslconf.h.
|
||||
+# takes copies of opensslconf.h and dso_conf.h.
|
||||
#
|
||||
# This only needs to be done once by a developer when updating to a
|
||||
# new version of OpenSSL (or changing options, etc.). Normal users
|
||||
@@ -106,6 +106,14 @@ BEGIN {
|
||||
) == 0 ||
|
||||
die "Failed to generate opensslconf.h!\n";
|
||||
|
||||
+ # Generate dso_conf.h per config data
|
||||
+ system(
|
||||
+ "perl -I. -Mconfigdata util/dofile.pl " .
|
||||
+ "crypto/include/internal/dso_conf.h.in " .
|
||||
+ "> include/internal/dso_conf.h"
|
||||
+ ) == 0 ||
|
||||
+ die "Failed to generate dso_conf.h!\n";
|
||||
+
|
||||
chdir($basedir) ||
|
||||
die "Cannot change to base directory \"" . $basedir . "\"";
|
||||
|
||||
@@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
|
||||
print "Done!";
|
||||
|
||||
#
|
||||
-# Copy opensslconf.h generated from OpenSSL Configuration
|
||||
+# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
|
||||
#
|
||||
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
|
||||
copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
|
||||
$OPENSSL_PATH . "/../../Include/openssl/") ||
|
||||
die "Cannot copy opensslconf.h!";
|
||||
+print "Done!";
|
||||
+print "\n--> Duplicating dso_conf.h into Include/internal ... ";
|
||||
+copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
|
||||
+ $OPENSSL_PATH . "/../../Include/internal/") ||
|
||||
+ die "Cannot copy dso_conf.h!";
|
||||
print "Done!\n";
|
||||
|
||||
print "\nProcessing Files Done!\n";
|
||||
--
|
||||
2.18.1
|
||||
|
@ -0,0 +1,37 @@
|
||||
From db8ccca337e2c5722c1d408d2541cf653d3371a2 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 13:34:12 +0200
|
||||
Subject: BaseTools: do not build BrotliCompress (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- New patch.
|
||||
|
||||
BrotliCompress is not used for building ArmVirtPkg or OvmfPkg platforms.
|
||||
It depends on one of the upstream Brotli git submodules that we removed
|
||||
earlier in this rebase series. (See patch "remove upstream edk2's Brotli
|
||||
submodules (RH only").
|
||||
|
||||
Do not attempt to build BrotliCompress.
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
BaseTools/Source/C/GNUmakefile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
|
||||
index df4eb64ea9..52777eaff1 100644
|
||||
--- a/BaseTools/Source/C/GNUmakefile
|
||||
+++ b/BaseTools/Source/C/GNUmakefile
|
||||
@@ -45,7 +45,6 @@ all: makerootdir subdirs
|
||||
LIBRARIES = Common
|
||||
VFRAUTOGEN = VfrCompile/VfrLexer.h
|
||||
APPLICATIONS = \
|
||||
- BrotliCompress \
|
||||
VfrCompile \
|
||||
EfiRom \
|
||||
GenFfs \
|
||||
--
|
||||
2.18.1
|
||||
|
@ -0,0 +1,43 @@
|
||||
From e05e0de713c4a2b8adb6ff9809611f222bfe50ed Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 13:39:08 +0200
|
||||
Subject: MdeModulePkg: remove package-private Brotli include path (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- New patch.
|
||||
|
||||
Originating from upstream commit 58802e02c41b
|
||||
("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule",
|
||||
2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal
|
||||
include path into a Brotli submodule.
|
||||
|
||||
The edk2 build system requires such include paths to resolve successfully,
|
||||
regardless of the firmware platform being built. Because
|
||||
BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg
|
||||
platforms, and we've removed the submodule earlier in this patch set,
|
||||
remove the include path too.
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
MdeModulePkg/MdeModulePkg.dec | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
|
||||
index 4f44af6948..031043ec28 100644
|
||||
--- a/MdeModulePkg/MdeModulePkg.dec
|
||||
+++ b/MdeModulePkg/MdeModulePkg.dec
|
||||
@@ -24,9 +24,6 @@
|
||||
[Includes]
|
||||
Include
|
||||
|
||||
-[Includes.Common.Private]
|
||||
- Library/BrotliCustomDecompressLib/brotli/c/include
|
||||
-
|
||||
[LibraryClasses]
|
||||
## @libraryclass Defines a set of methods to reset whole system.
|
||||
ResetSystemLib|Include/Library/ResetSystemLib.h
|
||||
--
|
||||
2.18.1
|
||||
|
@ -1,8 +1,23 @@
|
||||
From 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2 Mon Sep 17 00:00:00 2001
|
||||
From cee80878b19e51d9b3c63335c681f152dcc59764 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 11 Jun 2014 23:33:33 +0200
|
||||
Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- Replace the open-coded BSDL with "SPDX-License-Identifier:
|
||||
BSD-2-Clause-Patent" in the following files:
|
||||
|
||||
- MdeModulePkg/Logo/Logo-OpenSSL.idf
|
||||
- MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
- MdeModulePkg/Logo/LogoOpenSSLDxe.uni
|
||||
|
||||
(This should have been done in the previous rebase, because the same
|
||||
license block changes had been applied to MdeModulePkg/Logo/ in upstream
|
||||
commit 9d510e61fcee ("MdeModulePkg: Replace BSD License with BSD+Patent
|
||||
License", 2019-04-09), part of tag edk2-stable201905.)
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -135,31 +150,32 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 0b2d90347cb016cc71c2de62e941a2a4ab0f35a3)
|
||||
(cherry picked from commit 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d)
|
||||
(cherry picked from commit 727c11ecd9f34990312e14f239e6238693619849)
|
||||
(cherry picked from commit 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2)
|
||||
---
|
||||
ArmVirtPkg/ArmVirtQemu.dsc | 2 +-
|
||||
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 2 +-
|
||||
ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 +-
|
||||
MdeModulePkg/Logo/Logo-OpenSSL.bmp | Bin 0 -> 156342 bytes
|
||||
MdeModulePkg/Logo/Logo-OpenSSL.idf | 15 +++++++
|
||||
MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 61 +++++++++++++++++++++++++++
|
||||
MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 22 ++++++++++
|
||||
MdeModulePkg/Logo/Logo-OpenSSL.idf | 10 +++++
|
||||
MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 56 +++++++++++++++++++++++++++
|
||||
MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 17 ++++++++
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32.fdf | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +-
|
||||
OvmfPkg/OvmfPkgX64.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgX64.fdf | 2 +-
|
||||
13 files changed, 107 insertions(+), 9 deletions(-)
|
||||
13 files changed, 92 insertions(+), 9 deletions(-)
|
||||
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp
|
||||
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf
|
||||
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
|
||||
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
index 7ae6702ac1..a3cc3f26ec 100644
|
||||
index 3f649c91d8..360094ab6a 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
@@ -364,7 +364,7 @@
|
||||
@@ -424,7 +424,7 @@
|
||||
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
|
||||
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
|
||||
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
|
||||
@ -169,10 +185,10 @@ index 7ae6702ac1..a3cc3f26ec 100644
|
||||
<LibraryClasses>
|
||||
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
|
||||
index 31f615a9d0..57f2f625fe 100644
|
||||
index a2f4bd62c8..9b94043085 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
|
||||
@@ -176,7 +176,7 @@ READ_LOCK_STATUS = TRUE
|
||||
@@ -193,7 +193,7 @@ READ_LOCK_STATUS = TRUE
|
||||
#
|
||||
# TianoCore logo (splash screen)
|
||||
#
|
||||
@ -182,10 +198,10 @@ index 31f615a9d0..57f2f625fe 100644
|
||||
#
|
||||
# Ramdisk support
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
index 3b0f04967a..27e65b7638 100644
|
||||
index 2a6fd6bc06..d186263e18 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
@@ -348,7 +348,7 @@
|
||||
@@ -363,7 +363,7 @@
|
||||
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
|
||||
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
|
||||
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
|
||||
@ -416,42 +432,32 @@ HcmV?d00001
|
||||
|
||||
diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.idf b/MdeModulePkg/Logo/Logo-OpenSSL.idf
|
||||
new file mode 100644
|
||||
index 0000000000..a80de29a63
|
||||
index 0000000000..2a60ac61b7
|
||||
--- /dev/null
|
||||
+++ b/MdeModulePkg/Logo/Logo-OpenSSL.idf
|
||||
@@ -0,0 +1,15 @@
|
||||
@@ -0,0 +1,10 @@
|
||||
+// /** @file
|
||||
+// Platform Logo image definition file.
|
||||
+//
|
||||
+// Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
+//
|
||||
+// This program and the accompanying materials
|
||||
+// are licensed and made available under the terms and conditions of the BSD License
|
||||
+// which accompanies this distribution. The full text of the license may be found at
|
||||
+// http://opensource.org/licenses/bsd-license.php
|
||||
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+// SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+//
|
||||
+// **/
|
||||
+
|
||||
+#image IMG_LOGO Logo-OpenSSL.bmp
|
||||
diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.inf b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
new file mode 100644
|
||||
index 0000000000..2f79d873e2
|
||||
index 0000000000..d1207663b2
|
||||
--- /dev/null
|
||||
+++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
@@ -0,0 +1,61 @@
|
||||
@@ -0,0 +1,56 @@
|
||||
+## @file
|
||||
+# The default logo bitmap picture shown on setup screen.
|
||||
+#
|
||||
+# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||
+#
|
||||
+# This program and the accompanying materials
|
||||
+# are licensed and made available under the terms and conditions of the BSD License
|
||||
+# which accompanies this distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+#
|
||||
+#
|
||||
+##
|
||||
@ -504,10 +510,10 @@ index 0000000000..2f79d873e2
|
||||
+ LogoDxeExtra.uni
|
||||
diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.uni b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
|
||||
new file mode 100644
|
||||
index 0000000000..7227ac3910
|
||||
index 0000000000..6439502b6a
|
||||
--- /dev/null
|
||||
+++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
|
||||
@@ -0,0 +1,22 @@
|
||||
@@ -0,0 +1,17 @@
|
||||
+// /** @file
|
||||
+// The logo bitmap picture (with OpenSSL advertisment) shown on setup screen.
|
||||
+//
|
||||
@ -516,12 +522,7 @@ index 0000000000..7227ac3910
|
||||
+//
|
||||
+// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
|
||||
+//
|
||||
+// This program and the accompanying materials
|
||||
+// are licensed and made available under the terms and conditions of the BSD License
|
||||
+// which accompanies this distribution. The full text of the license may be found at
|
||||
+// http://opensource.org/licenses/bsd-license.php
|
||||
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+// SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+//
|
||||
+// **/
|
||||
+
|
||||
@ -531,10 +532,10 @@ index 0000000000..7227ac3910
|
||||
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
|
||||
+
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index 66e944436a..044379e1ed 100644
|
||||
index d0df9cbbfb..f8317a4f5d 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -688,7 +688,7 @@
|
||||
@@ -750,7 +750,7 @@
|
||||
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
|
||||
!endif
|
||||
}
|
||||
@ -544,10 +545,10 @@ index 66e944436a..044379e1ed 100644
|
||||
<LibraryClasses>
|
||||
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
index 785affeb90..326f82384e 100644
|
||||
index e2b759aa8d..ec64551bcb 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
@@ -283,7 +283,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
@@ -294,7 +294,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
|
||||
@ -557,10 +558,10 @@ index 785affeb90..326f82384e 100644
|
||||
#
|
||||
# Network modules
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index 51c2bfb44f..2ff68102d3 100644
|
||||
index b3ae62fee9..55423d356c 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -701,7 +701,7 @@
|
||||
@@ -764,7 +764,7 @@
|
||||
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
|
||||
!endif
|
||||
}
|
||||
@ -570,10 +571,10 @@ index 51c2bfb44f..2ff68102d3 100644
|
||||
<LibraryClasses>
|
||||
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
index 7440707256..aefb6614ad 100644
|
||||
index bfca1eff9e..2f02ac2d73 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
|
||||
@ -583,10 +584,10 @@ index 7440707256..aefb6614ad 100644
|
||||
#
|
||||
# Network modules
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index ba7a758844..3a66d4d424 100644
|
||||
index f7fe75ebf5..17aeeed96e 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -699,7 +699,7 @@
|
||||
@@ -760,7 +760,7 @@
|
||||
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
|
||||
!endif
|
||||
}
|
||||
@ -596,10 +597,10 @@ index ba7a758844..3a66d4d424 100644
|
||||
<LibraryClasses>
|
||||
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
|
||||
index 7440707256..aefb6614ad 100644
|
||||
index bfca1eff9e..2f02ac2d73 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgX64.fdf
|
||||
@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
|
@ -1,8 +1,13 @@
|
||||
From e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5 Mon Sep 17 00:00:00 2001
|
||||
From a95cff0b9573bf23699551beb4786383f697ff1e Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 20 Feb 2014 22:54:45 +0100
|
||||
Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -48,12 +53,13 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a)
|
||||
(cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a)
|
||||
(cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2)
|
||||
(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5)
|
||||
---
|
||||
OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
|
||||
index 3dfa3126c3..9451c50c70 100644
|
||||
index dffb20822d..0577c43c3d 100644
|
||||
--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
|
||||
+++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
|
||||
@@ -21,7 +21,7 @@
|
@ -1,8 +1,13 @@
|
||||
From 3aa0316ea1db5416cb528179a3ba5ce37c1279b7 Mon Sep 17 00:00:00 2001
|
||||
From 99da4393139d428baf09d751af3d072229839126 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 12 Jun 2014 00:17:59 +0200
|
||||
Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim (RHEL only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no changes
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -54,13 +59,14 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 7046d6040181bb0f76a5ebd680e0dc701c895dba)
|
||||
(cherry picked from commit 4dd1cc745bc9a8c8b32b5810b40743fed1e36d7e)
|
||||
(cherry picked from commit bd264265a99c60f45cadaa4109a9db59ae218471)
|
||||
(cherry picked from commit 3aa0316ea1db5416cb528179a3ba5ce37c1279b7)
|
||||
---
|
||||
OvmfPkg/QemuVideoDxe/VbeShim.asm | 2 +-
|
||||
OvmfPkg/QemuVideoDxe/VbeShim.h | 481 ++++++++++++++++++++-----------
|
||||
2 files changed, 308 insertions(+), 175 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
|
||||
index cb2a60d827..26fe1bcc32 100644
|
||||
index 1d284b2641..0d5cfaf1e4 100644
|
||||
--- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
|
||||
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
|
||||
@@ -12,7 +12,7 @@
|
@ -1,62 +0,0 @@
|
||||
From 0dd0ad0dcdfd1189ed8aa880765403d1f587cc59 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 12 Apr 2016 20:50:25 +0200
|
||||
Subject: ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules (RH only)
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
|
||||
RHEL-8.1/20190308-89910a39dcfd rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
|
||||
RHEL-8.0/20180508-ee3198e672e2 rebase:
|
||||
|
||||
- reorder the rebase changelog in the commit message so that it reads like
|
||||
a blog: place more recent entries near the top
|
||||
- no changes to the patch body
|
||||
|
||||
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
|
||||
|
||||
- no changes
|
||||
|
||||
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
|
||||
|
||||
- no changes
|
||||
|
||||
Contributed-under: TianoCore Contribution Agreement 1.0
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 8e2153358aa2bba2c91faa87a70beadcaae03fd8)
|
||||
(cherry picked from commit 5af259a93f4bbee5515ae18638068125e170f2cd)
|
||||
(cherry picked from commit 22b073005af491eef177ef5f80ffe71c1ebabb03)
|
||||
(cherry picked from commit f77f1e7dd6013f918c70e089c95b8f4166085fb9)
|
||||
(cherry picked from commit 762595334aa7ce88412cc77e136db9b41577a699)
|
||||
(cherry picked from commit f372886be5f1c41677f168be77c484bae5841361)
|
||||
---
|
||||
ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
|
||||
index 4d27d7d30b..feceed5f93 100644
|
||||
--- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
|
||||
+++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
|
||||
@@ -15,7 +15,7 @@
|
||||
FILE_GUID = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
|
||||
MODULE_TYPE = BASE
|
||||
VERSION_STRING = 1.0
|
||||
- LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER
|
||||
+ LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER UEFI_DRIVER
|
||||
|
||||
CONSTRUCTOR = QemuFwCfgInitialize
|
||||
|
||||
--
|
||||
2.18.1
|
||||
|
@ -1,8 +1,13 @@
|
||||
From 12cb13a1da913912bd9148ce8f2353a75be77f18 Mon Sep 17 00:00:00 2001
|
||||
From 82b9edc5fef3a07227a45059bbe821af7b9abd69 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 25 Feb 2014 18:40:35 +0100
|
||||
Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no changes
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -95,15 +100,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621)
|
||||
(cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37)
|
||||
(cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51)
|
||||
(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18)
|
||||
---
|
||||
.../Universal/Console/TerminalDxe/Terminal.c | 41 +++++++++++++++++--
|
||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
|
||||
index c76b2c5100..eff9d9787f 100644
|
||||
index a98b690c8b..ded5513c74 100644
|
||||
--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
|
||||
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
|
||||
@@ -107,9 +107,44 @@ TERMINAL_DEV mTerminalDevTemplate = {
|
||||
@@ -115,9 +115,44 @@ TERMINAL_DEV mTerminalDevTemplate = {
|
||||
};
|
||||
|
||||
TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = {
|
@ -1,9 +1,16 @@
|
||||
From a11602f5e2ef930be5b693ddfd0c789a1bd4c60c Mon Sep 17 00:00:00 2001
|
||||
From bc2266f20de5db1636e09a07e4a72c8dbf505f5a Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 25 Feb 2014 22:40:01 +0100
|
||||
Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
|
||||
only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising
|
||||
from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add
|
||||
PcdTcgPfpMeasurementRevision PCD", 2020-01-06).
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -59,6 +66,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90)
|
||||
(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb)
|
||||
(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc)
|
||||
(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c)
|
||||
---
|
||||
MdeModulePkg/MdeModulePkg.dec | 4 +++
|
||||
.../Console/TerminalDxe/TerminalConOut.c | 30 +++++++++++++++++++
|
||||
@ -66,12 +74,12 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
3 files changed, 36 insertions(+)
|
||||
|
||||
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
|
||||
index 19935c88fa..5690bbd8b3 100644
|
||||
index 031043ec28..3978a500e5 100644
|
||||
--- a/MdeModulePkg/MdeModulePkg.dec
|
||||
+++ b/MdeModulePkg/MdeModulePkg.dec
|
||||
@@ -2002,6 +2002,10 @@
|
||||
# @Prompt Capsule On Disk relocation device path.
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdCodRelocationDevPath|{0xFF}|VOID*|0x0000002f
|
||||
@@ -1998,6 +1998,10 @@
|
||||
# @Prompt TCG Platform Firmware Profile revision.
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x00010077
|
||||
|
||||
+ ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
|
||||
+ # mode change.
|
||||
@ -81,7 +89,7 @@ index 19935c88fa..5690bbd8b3 100644
|
||||
## Specify memory size with page number for PEI code when
|
||||
# Loading Module at Fixed Address feature is enabled.
|
||||
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
|
||||
index 7ef655cca5..1113252df2 100644
|
||||
index aae470e956..26156857aa 100644
|
||||
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
|
||||
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
|
||||
@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
@ -110,7 +118,7 @@ index 7ef655cca5..1113252df2 100644
|
||||
//
|
||||
// Body of the ConOut functions
|
||||
//
|
||||
@@ -502,6 +514,24 @@ TerminalConOutSetMode (
|
||||
@@ -506,6 +518,24 @@ TerminalConOutSetMode (
|
||||
return EFI_DEVICE_ERROR;
|
||||
}
|
||||
|
||||
@ -136,7 +144,7 @@ index 7ef655cca5..1113252df2 100644
|
||||
|
||||
Status = This->ClearScreen (This);
|
||||
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
|
||||
index 24e164ef4d..d1160ed1c7 100644
|
||||
index b2a8aeba85..eff6253465 100644
|
||||
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
|
||||
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
|
||||
@@ -55,6 +55,7 @@
|
||||
@ -147,7 +155,7 @@ index 24e164ef4d..d1160ed1c7 100644
|
||||
|
||||
[Guids]
|
||||
## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
|
||||
@@ -83,6 +84,7 @@
|
||||
@@ -87,6 +88,7 @@
|
||||
[Pcd]
|
||||
gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType ## SOMETIMES_CONSUMES
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable ## CONSUMES
|
@ -1,8 +1,15 @@
|
||||
From 2cc462ee963d0be119bc97bfc9c70d292a40516f Mon Sep 17 00:00:00 2001
|
||||
From 51e0de961029af84b5bdbfddcc9762b1819d500f Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 14 Oct 2015 15:59:06 +0200
|
||||
Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- Resolve contextual conflict in the DSC files, from upstream commit
|
||||
b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D
|
||||
SMM_REQUIRE", 2020-03-12).
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -43,6 +50,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3)
|
||||
(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853)
|
||||
(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2)
|
||||
(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f)
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 1 +
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
|
||||
@ -52,47 +60,47 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
5 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index 044379e1ed..accf5c0211 100644
|
||||
index f8317a4f5d..6ce8a46d4e 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -525,6 +525,7 @@
|
||||
@@ -574,6 +574,7 @@
|
||||
# ($(SMM_REQUIRE) == FALSE)
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
|
||||
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
|
||||
!if $(SMM_REQUIRE) == FALSE
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index 2ff68102d3..8812da9943 100644
|
||||
index 55423d356c..89d414cda7 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -531,6 +531,7 @@
|
||||
@@ -580,6 +580,7 @@
|
||||
# ($(SMM_REQUIRE) == FALSE)
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
|
||||
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
|
||||
!if $(SMM_REQUIRE) == FALSE
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index 3a66d4d424..73e1b7824f 100644
|
||||
index 17aeeed96e..e567eb76e0 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -530,6 +530,7 @@
|
||||
@@ -578,6 +578,7 @@
|
||||
# ($(SMM_REQUIRE) == FALSE)
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
|
||||
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
|
||||
!if $(SMM_REQUIRE) == FALSE
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
|
||||
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
|
||||
index 3ba2459872..bbbf1ac2a8 100644
|
||||
index 96468701e3..14efbabe39 100644
|
||||
--- a/OvmfPkg/PlatformPei/Platform.c
|
||||
+++ b/OvmfPkg/PlatformPei/Platform.c
|
||||
@@ -667,6 +667,7 @@ InitializePlatform (
|
||||
PeiFvInitialization ();
|
||||
@@ -748,6 +748,7 @@ InitializePlatform (
|
||||
MemTypeInfoInitialization ();
|
||||
MemMapInitialization ();
|
||||
NoexecDxeInitialization ();
|
||||
+ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
|
||||
@ -100,10 +108,10 @@ index 3ba2459872..bbbf1ac2a8 100644
|
||||
|
||||
InstallClearCacheCallback ();
|
||||
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
|
||||
index d9fd9c8f05..666803916c 100644
|
||||
index ff397b3ee9..3a012a7fa4 100644
|
||||
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
|
||||
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
|
||||
@@ -89,6 +89,7 @@
|
||||
@@ -93,6 +93,7 @@
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
|
@ -1,8 +1,42 @@
|
||||
From 8338545260fbb423f796d5196faaaf8ff6e1ed99 Mon Sep 17 00:00:00 2001
|
||||
From a5f7a57bf390f1f340ff1d1f1884a73716817ef1 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Sun, 26 Jul 2015 08:02:50 +0000
|
||||
Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc",
|
||||
arising from upstream commits:
|
||||
|
||||
- 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base
|
||||
address from the DT", 2020-03-04)
|
||||
|
||||
- ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI
|
||||
phase", 2020-03-04)
|
||||
|
||||
- cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the
|
||||
QEMU command line", 2020-04-28)
|
||||
|
||||
- Rework the downstream patch quite a bit, paralleling the upstream work
|
||||
done for <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> in commit
|
||||
range 64ab457d1f21..cdc3fa54184a:
|
||||
|
||||
- Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace
|
||||
open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent".
|
||||
|
||||
- Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only
|
||||
via NULL class resolution (basically: as a plugin), so use NULL for
|
||||
LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER".
|
||||
|
||||
- Sort the [Packages] section alphabetically in the INF file.
|
||||
|
||||
- Replace the open-coded GetNamedFwCfgBoolean() function with a call to
|
||||
QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib.
|
||||
|
||||
- Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the
|
||||
INF file.
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -45,28 +79,29 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65)
|
||||
(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806)
|
||||
(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04)
|
||||
(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99)
|
||||
---
|
||||
ArmVirtPkg/ArmVirtQemu.dsc | 7 +-
|
||||
.../TerminalPcdProducerLib.c | 87 +++++++++++++++++++
|
||||
.../TerminalPcdProducerLib.inf | 41 +++++++++
|
||||
3 files changed, 134 insertions(+), 1 deletion(-)
|
||||
ArmVirtPkg/ArmVirtQemu.dsc | 7 +++-
|
||||
.../TerminalPcdProducerLib.c | 34 +++++++++++++++++++
|
||||
.../TerminalPcdProducerLib.inf | 33 ++++++++++++++++++
|
||||
3 files changed, 73 insertions(+), 1 deletion(-)
|
||||
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
|
||||
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
|
||||
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
index a3cc3f26ec..696b0b5bcd 100644
|
||||
index 360094ab6a..3345987503 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
@@ -237,6 +237,8 @@
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
|
||||
gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
|
||||
@@ -272,6 +272,8 @@
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
|
||||
!endif
|
||||
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
|
||||
+
|
||||
[PcdsDynamicHii]
|
||||
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
|
||||
|
||||
@@ -314,7 +316,10 @@
|
||||
@@ -374,7 +376,10 @@
|
||||
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
|
||||
MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
|
||||
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
|
||||
@ -80,82 +115,29 @@ index a3cc3f26ec..696b0b5bcd 100644
|
||||
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
|
||||
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
|
||||
new file mode 100644
|
||||
index 0000000000..814ad48199
|
||||
index 0000000000..bfd3a6a535
|
||||
--- /dev/null
|
||||
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
|
||||
@@ -0,0 +1,87 @@
|
||||
@@ -0,0 +1,34 @@
|
||||
+/** @file
|
||||
+* Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
|
||||
+*
|
||||
+* Copyright (C) 2015-2016, Red Hat, Inc.
|
||||
+* Copyright (C) 2015-2020, Red Hat, Inc.
|
||||
+* Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
|
||||
+*
|
||||
+* This program and the accompanying materials are licensed and made available
|
||||
+* under the terms and conditions of the BSD License which accompanies this
|
||||
+* distribution. The full text of the license may be found at
|
||||
+* http://opensource.org/licenses/bsd-license.php
|
||||
+*
|
||||
+* THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+* WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
|
||||
+* IMPLIED.
|
||||
+*
|
||||
+* SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include <Library/PcdLib.h>
|
||||
+#include <Library/QemuFwCfgLib.h>
|
||||
+
|
||||
+STATIC
|
||||
+RETURN_STATUS
|
||||
+GetNamedFwCfgBoolean (
|
||||
+ IN CONST CHAR8 *FwCfgFileName,
|
||||
+ OUT BOOLEAN *Setting
|
||||
+ )
|
||||
+{
|
||||
+ RETURN_STATUS Status;
|
||||
+ FIRMWARE_CONFIG_ITEM FwCfgItem;
|
||||
+ UINTN FwCfgSize;
|
||||
+ UINT8 Value[3];
|
||||
+
|
||||
+ Status = QemuFwCfgFindFile (FwCfgFileName, &FwCfgItem, &FwCfgSize);
|
||||
+ if (RETURN_ERROR (Status)) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+ if (FwCfgSize > sizeof Value) {
|
||||
+ return RETURN_BAD_BUFFER_SIZE;
|
||||
+ }
|
||||
+ QemuFwCfgSelectItem (FwCfgItem);
|
||||
+ QemuFwCfgReadBytes (FwCfgSize, Value);
|
||||
+
|
||||
+ if ((FwCfgSize == 1) ||
|
||||
+ (FwCfgSize == 2 && Value[1] == '\n') ||
|
||||
+ (FwCfgSize == 3 && Value[1] == '\r' && Value[2] == '\n')) {
|
||||
+ switch (Value[0]) {
|
||||
+ case '0':
|
||||
+ case 'n':
|
||||
+ case 'N':
|
||||
+ *Setting = FALSE;
|
||||
+ return RETURN_SUCCESS;
|
||||
+
|
||||
+ case '1':
|
||||
+ case 'y':
|
||||
+ case 'Y':
|
||||
+ *Setting = TRUE;
|
||||
+ return RETURN_SUCCESS;
|
||||
+
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return RETURN_PROTOCOL_ERROR;
|
||||
+}
|
||||
+#include <Library/QemuFwCfgSimpleParserLib.h>
|
||||
+
|
||||
+#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName) \
|
||||
+ do { \
|
||||
+ BOOLEAN Setting; \
|
||||
+ RETURN_STATUS PcdStatus; \
|
||||
+ \
|
||||
+ if (!RETURN_ERROR (GetNamedFwCfgBoolean ( \
|
||||
+ if (!RETURN_ERROR (QemuFwCfgParseBool ( \
|
||||
+ "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
|
||||
+ PcdStatus = PcdSetBoolS (TokenName, Setting); \
|
||||
+ ASSERT_RETURN_ERROR (PcdStatus); \
|
||||
@ -173,25 +155,17 @@ index 0000000000..814ad48199
|
||||
+}
|
||||
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
|
||||
new file mode 100644
|
||||
index 0000000000..fecb37bcdf
|
||||
index 0000000000..a51dbd1670
|
||||
--- /dev/null
|
||||
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
|
||||
@@ -0,0 +1,41 @@
|
||||
@@ -0,0 +1,33 @@
|
||||
+## @file
|
||||
+# Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
|
||||
+#
|
||||
+# Copyright (C) 2015-2016, Red Hat, Inc.
|
||||
+# Copyright (C) 2015-2020, Red Hat, Inc.
|
||||
+# Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
|
||||
+#
|
||||
+# This program and the accompanying materials are licensed and made available
|
||||
+# under the terms and conditions of the BSD License which accompanies this
|
||||
+# distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+#
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
|
||||
+# IMPLIED.
|
||||
+#
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
@ -200,24 +174,24 @@ index 0000000000..fecb37bcdf
|
||||
+ FILE_GUID = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
|
||||
+ MODULE_TYPE = BASE
|
||||
+ VERSION_STRING = 1.0
|
||||
+ LIBRARY_CLASS = TerminalPcdProducerLib|DXE_DRIVER
|
||||
+ LIBRARY_CLASS = NULL
|
||||
+ CONSTRUCTOR = TerminalPcdProducerLibConstructor
|
||||
+
|
||||
+[Sources]
|
||||
+ TerminalPcdProducerLib.c
|
||||
+
|
||||
+[Packages]
|
||||
+ MdeModulePkg/MdeModulePkg.dec
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ OvmfPkg/OvmfPkg.dec
|
||||
+ MdeModulePkg/MdeModulePkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ DebugLib
|
||||
+ PcdLib
|
||||
+ QemuFwCfgLib
|
||||
+ QemuFwCfgSimpleParserLib
|
||||
+
|
||||
+[Pcd]
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES
|
||||
--
|
||||
2.18.1
|
||||
|
@ -1,9 +1,15 @@
|
||||
From 229c88dc3ded9baeaca8b87767dc5c41c05afd6e Mon Sep 17 00:00:00 2001
|
||||
From c2812d7189dee06c780f05a5880eb421c359a687 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 4 Nov 2014 23:02:53 +0100
|
||||
Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH
|
||||
only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the
|
||||
'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -85,6 +91,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245)
|
||||
(cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687)
|
||||
(cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4)
|
||||
(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e)
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.fdf | 2 ++
|
||||
OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
|
||||
@ -92,16 +99,17 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
3 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
index 326f82384e..dff2fcd9f6 100644
|
||||
index ec64551bcb..44178a0da7 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.fdf
|
||||
@@ -278,10 +278,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
@@ -288,11 +288,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
INF FatPkg/EnhancedFatDxe/Fat.inf
|
||||
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
|
||||
|
||||
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
|
||||
!if $(TOOL_CHAIN_TAG) != "XCODE5"
|
||||
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
+!endif
|
||||
@ -109,16 +117,17 @@ index 326f82384e..dff2fcd9f6 100644
|
||||
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
index aefb6614ad..6684a2e799 100644
|
||||
index 2f02ac2d73..06259c43d2 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
|
||||
@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
INF FatPkg/EnhancedFatDxe/Fat.inf
|
||||
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
|
||||
|
||||
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
|
||||
!if $(TOOL_CHAIN_TAG) != "XCODE5"
|
||||
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
+!endif
|
||||
@ -126,16 +135,17 @@ index aefb6614ad..6684a2e799 100644
|
||||
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
|
||||
index aefb6614ad..6684a2e799 100644
|
||||
index 2f02ac2d73..06259c43d2 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.fdf
|
||||
+++ b/OvmfPkg/OvmfPkgX64.fdf
|
||||
@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
|
||||
INF FatPkg/EnhancedFatDxe/Fat.inf
|
||||
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
|
||||
|
||||
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
|
||||
!if $(TOOL_CHAIN_TAG) != "XCODE5"
|
||||
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
|
||||
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
|
||||
!endif
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
+!endif
|
@ -1,8 +1,13 @@
|
||||
From 9f756c1ad83cc81f7d892cd036d59a2b567b02dc Mon Sep 17 00:00:00 2001
|
||||
From c75aea7a738ac7fb944c0695a4bfffc3985afaa9 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 14 Oct 2015 13:49:43 +0200
|
||||
Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -54,15 +59,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27)
|
||||
(cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1)
|
||||
(cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2)
|
||||
(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc)
|
||||
---
|
||||
ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
|
||||
index c8ea183313..bab4804a17 100644
|
||||
index 696d636aac..1553e1ae92 100644
|
||||
--- a/ArmPlatformPkg/ArmPlatformPkg.dec
|
||||
+++ b/ArmPlatformPkg/ArmPlatformPkg.dec
|
||||
@@ -108,6 +108,13 @@
|
||||
@@ -104,6 +104,13 @@
|
||||
## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
|
||||
gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045
|
||||
|
@ -1,9 +1,14 @@
|
||||
From 8d5a8827aabc67cb2a046697e1a750ca8d9cc453 Mon Sep 17 00:00:00 2001
|
||||
From 49fe5596cd79c94d903c4d506c563d642ccd69aa Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 14 Oct 2015 13:59:20 +0200
|
||||
Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
|
||||
port (RH)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -52,6 +57,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a)
|
||||
(cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de)
|
||||
(cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf)
|
||||
(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453)
|
||||
---
|
||||
ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++
|
||||
ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++
|
||||
@ -105,10 +111,10 @@ index 7140c7f5b5..1d69a2b468 100644
|
||||
#include <PiPei.h>
|
||||
#include <Ppi/TemporaryRamSupport.h>
|
||||
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
|
||||
index f2ac45d171..fc93fda965 100644
|
||||
index fb01dd1a11..a6681c1032 100644
|
||||
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
|
||||
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
|
||||
@@ -67,6 +67,8 @@
|
||||
@@ -69,6 +69,8 @@
|
||||
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
|
||||
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
|
||||
|
||||
@ -118,10 +124,10 @@ index f2ac45d171..fc93fda965 100644
|
||||
gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
|
||||
gArmTokenSpaceGuid.PcdGicSgiIntId
|
||||
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
|
||||
index 84c319c367..46d1b30978 100644
|
||||
index e9eb092d3a..c98dc82f0c 100644
|
||||
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
|
||||
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
|
||||
@@ -65,4 +65,6 @@
|
||||
@@ -67,4 +67,6 @@
|
||||
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
|
||||
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
|
||||
|
@ -1,8 +1,15 @@
|
||||
From ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b Mon Sep 17 00:00:00 2001
|
||||
From 72550e12ae469012a505bf5b98a6543a754028d3 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 14 Oct 2015 14:07:17 +0200
|
||||
Subject: ArmVirtPkg: set early hello message (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- context difference from upstream commit f5cb3767038e
|
||||
("ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2
|
||||
support", 2020-03-04) automatically resolved correctly
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -47,16 +54,17 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18)
|
||||
(cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18)
|
||||
(cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a)
|
||||
(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b)
|
||||
---
|
||||
ArmVirtPkg/ArmVirtQemu.dsc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
index 696b0b5bcd..08c7a36339 100644
|
||||
index 3345987503..57c5b3f898 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
@@ -101,6 +101,7 @@
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
|
||||
@@ -125,6 +125,7 @@
|
||||
gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
|
||||
|
||||
[PcdsFixedAtBuild.common]
|
||||
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n"
|
@ -1,8 +1,15 @@
|
||||
From 3cb92f9ba18ac79911bd5258ff4f949cc617ae89 Mon Sep 17 00:00:00 2001
|
||||
From 5ecc18badaabe774d9d0806b027ab63a30c6a2d7 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 21 Nov 2017 00:57:45 +0100
|
||||
Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make
|
||||
SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22)
|
||||
resolved automatically
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -44,6 +51,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76)
|
||||
(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027)
|
||||
(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50)
|
||||
(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89)
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
|
||||
@ -51,43 +59,43 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index accf5c0211..759075a815 100644
|
||||
index 6ce8a46d4e..765ffff312 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -479,7 +479,7 @@
|
||||
@@ -516,7 +516,7 @@
|
||||
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
|
||||
# // significantly impact boot performance
|
||||
# DEBUG_ERROR 0x80000000 // Error
|
||||
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
|
||||
|
||||
!ifdef $(SOURCE_DEBUG_ENABLE)
|
||||
!if $(SOURCE_DEBUG_ENABLE) == TRUE
|
||||
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index 8812da9943..634e20f09c 100644
|
||||
index 89d414cda7..277297a964 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -484,7 +484,7 @@
|
||||
@@ -520,7 +520,7 @@
|
||||
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
|
||||
# // significantly impact boot performance
|
||||
# DEBUG_ERROR 0x80000000 // Error
|
||||
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
|
||||
|
||||
!ifdef $(SOURCE_DEBUG_ENABLE)
|
||||
!if $(SOURCE_DEBUG_ENABLE) == TRUE
|
||||
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index 73e1b7824f..bc5a345a37 100644
|
||||
index e567eb76e0..5c1597fe3c 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -484,7 +484,7 @@
|
||||
@@ -520,7 +520,7 @@
|
||||
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
|
||||
# // significantly impact boot performance
|
||||
# DEBUG_ERROR 0x80000000 // Error
|
||||
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
|
||||
|
||||
!ifdef $(SOURCE_DEBUG_ENABLE)
|
||||
!if $(SOURCE_DEBUG_ENABLE) == TRUE
|
||||
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
|
||||
--
|
||||
2.18.1
|
@ -1,9 +1,14 @@
|
||||
From c8c3f893e7c3710afe45c46839e97954871536e4 Mon Sep 17 00:00:00 2001
|
||||
From 1355849ad97c1e4a5c430597a377165a5cc118f7 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 21 Nov 2017 00:57:46 +0100
|
||||
Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
|
||||
QemuVideoDxe/QemuRamfbDxe (RH)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -64,6 +69,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0)
|
||||
(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1)
|
||||
(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850)
|
||||
(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4)
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++--
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++--
|
||||
@ -71,10 +77,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
3 files changed, 24 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index 759075a815..6a07a6af81 100644
|
||||
index 765ffff312..f5c6cceb4f 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -742,9 +742,15 @@
|
||||
@@ -811,9 +811,15 @@
|
||||
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
|
||||
|
||||
!ifndef $(CSM_ENABLE)
|
||||
@ -93,10 +99,10 @@ index 759075a815..6a07a6af81 100644
|
||||
|
||||
#
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index 634e20f09c..c7f52992e9 100644
|
||||
index 277297a964..c1e52b0acd 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -755,9 +755,15 @@
|
||||
@@ -825,9 +825,15 @@
|
||||
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
|
||||
|
||||
!ifndef $(CSM_ENABLE)
|
||||
@ -115,10 +121,10 @@ index 634e20f09c..c7f52992e9 100644
|
||||
|
||||
#
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index bc5a345a37..594ecb5362 100644
|
||||
index 5c1597fe3c..e65165b9f0 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -753,9 +753,15 @@
|
||||
@@ -821,9 +821,15 @@
|
||||
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
|
||||
|
||||
!ifndef $(CSM_ENABLE)
|
@ -1,9 +1,14 @@
|
||||
From e5b8152bced2364a1ded0926dbba4d65e23e3f84 Mon Sep 17 00:00:00 2001
|
||||
From e7f57f154439c1c18ea5030b01f8d7bc492698b2 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 27 Jan 2016 03:05:18 +0100
|
||||
Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH
|
||||
only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -43,16 +48,17 @@ Suggested-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84)
|
||||
---
|
||||
ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++-
|
||||
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
index 08c7a36339..b3dcdd747b 100644
|
||||
index 57c5b3f898..dda887b2ae 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
|
||||
@@ -422,7 +422,10 @@
|
||||
@@ -494,7 +494,10 @@
|
||||
#
|
||||
# Video support
|
||||
#
|
||||
@ -65,10 +71,10 @@ index 08c7a36339..b3dcdd747b 100644
|
||||
OvmfPkg/PlatformDxe/Platform.inf
|
||||
|
||||
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
index 27e65b7638..008181055a 100644
|
||||
index d186263e18..711dd63e20 100644
|
||||
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
|
||||
@@ -400,7 +400,10 @@
|
||||
@@ -427,7 +427,10 @@
|
||||
#
|
||||
# Video support
|
||||
#
|
@ -1,9 +1,14 @@
|
||||
From aa2b66b18a62d652bdbefae7b5732297294306ca Mon Sep 17 00:00:00 2001
|
||||
From deb3451034326b75fd760aba47a5171493ff055e Mon Sep 17 00:00:00 2001
|
||||
From: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Date: Thu, 1 Aug 2019 20:43:48 +0200
|
||||
Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent
|
||||
builds (RH only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -29,6 +34,7 @@ Suggested-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca)
|
||||
---
|
||||
OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++
|
||||
OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 +
|
@ -1,9 +1,14 @@
|
||||
From b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6 Mon Sep 17 00:00:00 2001
|
||||
From ed89844b47f46cfe911f1bf2bda40e537a908502 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 21 Nov 2017 00:57:47 +0100
|
||||
Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH
|
||||
only)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- no change
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -45,6 +50,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8)
|
||||
(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6)
|
||||
(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958)
|
||||
(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6)
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 5 ++++-
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
|
||||
@ -52,10 +58,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
3 files changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index 6a07a6af81..1c56e0948a 100644
|
||||
index f5c6cceb4f..e8868136d8 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -735,7 +735,10 @@
|
||||
@@ -804,7 +804,10 @@
|
||||
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
|
||||
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
|
||||
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
|
||||
@ -68,10 +74,10 @@ index 6a07a6af81..1c56e0948a 100644
|
||||
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
|
||||
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index c7f52992e9..29e12c9dff 100644
|
||||
index c1e52b0acd..d05275a324 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -748,7 +748,10 @@
|
||||
@@ -818,7 +818,10 @@
|
||||
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
|
||||
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
|
||||
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
|
||||
@ -84,10 +90,10 @@ index c7f52992e9..29e12c9dff 100644
|
||||
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
|
||||
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index 594ecb5362..11fe9f6050 100644
|
||||
index e65165b9f0..cac4cecf18 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -746,7 +746,10 @@
|
||||
@@ -814,7 +814,10 @@
|
||||
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
|
||||
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
|
||||
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
|
@ -1,9 +1,28 @@
|
||||
From 57bd3f146590df8757865d8f2cdd1db3cf3f4d40 Mon Sep 17 00:00:00 2001
|
||||
From 56c4bb81b311dfcee6a34c81d3e4feeda7f88995 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Sat, 16 Nov 2019 17:11:27 +0100
|
||||
Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs
|
||||
(RH)
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- "OpensslLib.inf":
|
||||
|
||||
- Automatic leading context refresh against upstream commit c72ca4666886
|
||||
("CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing
|
||||
loop", 2020-03-10).
|
||||
|
||||
- Manual trailing context refresh against upstream commit b49a6c8f80d9
|
||||
("CryptoPkg/OpensslLib: improve INF file consistency", 2019-12-02).
|
||||
|
||||
- "OpensslLibCrypto.inf":
|
||||
|
||||
- Automatic leading context refresh against upstream commits
|
||||
8906f076de35 ("CryptoPkg/OpensslLib: Add missing header files in INF
|
||||
file", 2019-08-16) and 9f4fbd56d430 ("CryptoPkg/OpensslLib: Update
|
||||
process_files.pl to generate .h files", 2019-10-30).
|
||||
|
||||
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
|
||||
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
|
||||
|
||||
@ -25,18 +44,19 @@ Note: "process_files.pl" is not re-run at this time manually, because
|
||||
and will help with future changes too.
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40)
|
||||
---
|
||||
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 11 +++++++++++
|
||||
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
index dd873a0dcd..d1c7602b87 100644
|
||||
index c8ec9454bd..24e790b538 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
@@ -598,6 +598,17 @@
|
||||
$(OPENSSL_PATH)/ssl/record/record.h
|
||||
$(OPENSSL_PATH)/ssl/record/record_locl.h
|
||||
@@ -570,6 +570,17 @@
|
||||
$(OPENSSL_PATH)/ssl/statem/statem.h
|
||||
$(OPENSSL_PATH)/ssl/statem/statem_locl.h
|
||||
# Autogenerated files list ends here
|
||||
+# RHEL8-specific OpenSSL file list starts here
|
||||
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
|
||||
@ -49,16 +69,16 @@ index dd873a0dcd..d1c7602b87 100644
|
||||
+ $(OPENSSL_PATH)/crypto/kdf/sshkdf.c
|
||||
+ $(OPENSSL_PATH)/crypto/kdf/sskdf.c
|
||||
+# RHEL8-specific OpenSSL file list ends here
|
||||
|
||||
buildinf.h
|
||||
rand_pool_noise.h
|
||||
ossl_store.c
|
||||
rand_pool.c
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
index a1bb560255..0785a421dd 100644
|
||||
index 2f232e3e12..52e70a2d03 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
|
||||
@@ -546,6 +546,17 @@
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_lcl.h
|
||||
$(OPENSSL_PATH)/crypto/objects/obj_xref.h
|
||||
@@ -519,6 +519,17 @@
|
||||
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
|
||||
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
|
||||
# Autogenerated files list ends here
|
||||
+# RHEL8-specific OpenSSL file list starts here
|
||||
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
|
@ -0,0 +1,83 @@
|
||||
From bf88198555ce964377a56176de8e5e9b45e43e25 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Sat, 6 Jun 2020 01:16:09 +0200
|
||||
Subject: OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from
|
||||
LoadImage()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- new patch
|
||||
|
||||
- the patch is being upstreamed; it's not a backport because the rebase
|
||||
deadline is close
|
||||
|
||||
- upstream references:
|
||||
- https://bugzilla.tianocore.org/show_bug.cgi?id=2785
|
||||
- http://mid.mail-archive.com/20200605235242.32442-1-lersek@redhat.com
|
||||
- https://edk2.groups.io/g/devel/message/60825
|
||||
- https://www.redhat.com/archives/edk2-devel-archive/2020-June/msg00344.html
|
||||
|
||||
[downstream note ends, upstream commit message starts]
|
||||
|
||||
When an image fails Secure Boot validation, LoadImage() returns
|
||||
EFI_SECURITY_VIOLATION if the platform policy is
|
||||
DEFER_EXECUTE_ON_SECURITY_VIOLATION.
|
||||
|
||||
If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
|
||||
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
|
||||
loaded).
|
||||
|
||||
(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
|
||||
difference would be masked, as DxeImageVerificationLib would incorrectly
|
||||
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
|
||||
well.)
|
||||
|
||||
In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
|
||||
seeing EFI_ACCESS_DENIED too.
|
||||
|
||||
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
|
||||
Cc: Jordan Justen <jordan.l.justen@intel.com>
|
||||
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
.../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
|
||||
index ef753be7ea..931553c0c1 100644
|
||||
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
|
||||
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
|
||||
@@ -320,15 +320,21 @@ QemuLoadKernelImage (
|
||||
|
||||
case EFI_SECURITY_VIOLATION:
|
||||
//
|
||||
- // We are running with UEFI secure boot enabled, and the image failed to
|
||||
- // authenticate. For compatibility reasons, we fall back to the legacy
|
||||
- // loader in this case. Since the image has been loaded, we need to unload
|
||||
- // it before proceeding
|
||||
+ // Since the image has been loaded, we need to unload it before proceeding
|
||||
+ // to the EFI_ACCESS_DENIED case below.
|
||||
//
|
||||
gBS->UnloadImage (KernelImageHandle);
|
||||
//
|
||||
// Fall through
|
||||
//
|
||||
+ case EFI_ACCESS_DENIED:
|
||||
+ //
|
||||
+ // We are running with UEFI secure boot enabled, and the image failed to
|
||||
+ // authenticate. For compatibility reasons, we fall back to the legacy
|
||||
+ // loader in this case.
|
||||
+ //
|
||||
+ // Fall through
|
||||
+ //
|
||||
case EFI_UNSUPPORTED:
|
||||
//
|
||||
// The image is not natively supported or cross-type supported. Let's try
|
||||
--
|
||||
2.18.1
|
||||
|
@ -0,0 +1,184 @@
|
||||
From 74e5313dfa6719f7990c7e175e035d17c9b3f657 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 5 Jun 2020 23:44:43 +0200
|
||||
Subject: Revert "OvmfPkg: use generic QEMU image loader for secure boot
|
||||
enabled builds"
|
||||
|
||||
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
|
||||
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
|
||||
|
||||
- new patch (to be dropped later, hopefully)
|
||||
|
||||
This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
|
||||
|
||||
Upstream commit ced77332cab6 ("OvmfPkg: use generic QEMU image loader for
|
||||
secure boot enabled builds", 2020-03-05) changes the "Secure Boot threat
|
||||
model" in a way that is incompatible with at least two use cases.
|
||||
|
||||
Namely, OVMF has always considered kernel images direct-booted via fw_cfg
|
||||
as trusted, bypassing Secure Boot validation. While that approach is
|
||||
rooted in a technicality (namely, OVMF doesn't load such images with the
|
||||
LoadImage() UEFI boot service / through the UEFI stub, but with the
|
||||
Linux/x86 Boot Protocol), that doesn't mean it's wrong. The direct-booted
|
||||
kernel from fw_cfg comes from the host side, and Secure Boot in the guest
|
||||
is a barrier between the guest firmware and the guest operating system --
|
||||
it's not a barrier between host and guest.
|
||||
|
||||
Upstream commit ced77332cab6 points out that the above (historical) OVMF
|
||||
behavior differs from ArmVirtQemu's -- the latter direct-boots kernels
|
||||
from fw_cfg with the LoadImage() / StartImage() boot services. While that
|
||||
difference indeed exists between OVMF and ArmVirtQemu, it's not relevant
|
||||
for RHEL downstream. That's because we never build the ArmVirtQemu
|
||||
firmware with the Secure Boot feature, so LoadImage() can never reject the
|
||||
direct-booted kernel due to a signing issue.
|
||||
|
||||
Subjecting a kernel direct-booted via fw_cfg to Secure Boot verification
|
||||
breaks at least two use cases with OVMF:
|
||||
|
||||
- It breaks the %check stage in the SPEC file.
|
||||
|
||||
In that stage, we use the "ovmf-vars-generator" utility from the
|
||||
"qemu-ovmf-secureboot" project, for verifying whether the Secure Boot
|
||||
operational mode is enabled. The guest kernel is supposed to boot, and
|
||||
to print "Secure boot enabled".
|
||||
|
||||
As guest kernel, we pick whatever host kernel is available in the Brew
|
||||
build root. The kernel in question may be a publicly released RHEL
|
||||
kernel, signed with "Red Hat Secure Boot (signing key 1)", or a
|
||||
development build, signed for example with "Red Hat Secure Boot Signing
|
||||
3 (beta)". Either way, none of these keys are accepted by the
|
||||
certificates that were enrolled by "ovmf-vars-generator" /
|
||||
"EnrollDefaultKeys.efi" in the %build stage. Therefore, the %check stage
|
||||
fails.
|
||||
|
||||
- It breaks "virt-install --location NETWORK-URL" Linux guest
|
||||
installations, if the variable store template used for the new domain
|
||||
has the Secure Boot operational mode enabled. "virt-install --location"
|
||||
fetches the kernel from the remote OS tree, and passes it to the guest
|
||||
firmware via fw_cfg. Therefore the above symptom appears (even for
|
||||
publicly released OSes).
|
||||
|
||||
Importantly, if the user downloads the installer ISO of the publicly
|
||||
released Fedora / RHEL OS, and exposes the ISO to the guest for example
|
||||
as a virtio-scsi CD-ROM, then the installation with "virt-install"
|
||||
(without "--location") does succeed. That's because that way, "shim" is
|
||||
booted first, from the UEFI-bootable CD-ROM. "Shim" does pass Secure
|
||||
Boot verification against the Microsoft certificates, and then it is
|
||||
"shim" that accepts the "Red Hat Secure Boot (signing key 1)" signature
|
||||
on the guest kernel.
|
||||
|
||||
Some ways to approach this problem (without reverting upstream commit
|
||||
ced77332cab6):
|
||||
|
||||
- Equip "ovmf-vars-generator" / "EnrollDefaultKeys.efi" to enroll the
|
||||
public half of "Red Hat Secure Boot (signing key 1)" in the %build
|
||||
stage. Use a publicly released RHEL kernel in the %check stage.
|
||||
|
||||
Downsides:
|
||||
|
||||
- The Brew build root does not offer any particular released RHEL
|
||||
kernel, so either the %check stage would have to download it, or the
|
||||
SRPM would have to bundle it. However, Brew build environments do not
|
||||
have unfettered network access (rightly so), so the download wouldn't
|
||||
work. Furthermore, for bundling with the SRPM, such a kernel image
|
||||
could be considered too large.
|
||||
|
||||
- Does not solve the "virt-install --location" issue for other vendors'
|
||||
signed kernels.
|
||||
|
||||
- Invoke "ovmf-vars-generator" / "EnrollDefaultKeys.efi" multiple times
|
||||
during %build, to create multiple varstore templates. One that would
|
||||
accept publicly released RHEL kernels, and another to accept development
|
||||
kernels. Don't try to use a particular guest kernel for verification;
|
||||
instead, check what kernel Brew offers in the build environment, and use
|
||||
the varstore template matching *that* kernel.
|
||||
|
||||
Downsides:
|
||||
|
||||
- It may be considered useless to perform %check with a varstore
|
||||
template that is *not* the one that we ship.
|
||||
|
||||
- Does not solve the "virt-install --location" issue for other vendors'
|
||||
signed kernels.
|
||||
|
||||
- Sign the RHEL kernels such that the currently enrolled certificates
|
||||
accept them.
|
||||
|
||||
Downsides:
|
||||
|
||||
- Not feasible at all; it would require Microsoft to sign our kernels.
|
||||
"Shim" exists exactly to eliminate such signing requirements.
|
||||
|
||||
- Modify "virt-install --location NETWORK-URL" such that it download a
|
||||
complete (UEFI-bootable) installer ISO image, rather than broken-out
|
||||
vmlinuz / initrd files. In other words, replace direct (fw_cfg) kernel
|
||||
boot with a CD-ROM / "shim" boot, internally to "virt-install".
|
||||
|
||||
Downsides:
|
||||
|
||||
- Defeats the goal of "virt-install --location NETWORK-URL", and defeats
|
||||
the network installation method of (for example) Anaconda.
|
||||
|
||||
For now, revert upstream commit ced77332cab6, in order to return to the
|
||||
model we had used in RHEL-8.2 and before. The following ticket has been
|
||||
filed to investigate the problem separately:
|
||||
<https://bugzilla.redhat.com/show_bug.cgi?id=1844653>.
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
OvmfPkg/OvmfPkgIa32.dsc | 4 ----
|
||||
OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
|
||||
OvmfPkg/OvmfPkgX64.dsc | 4 ----
|
||||
3 files changed, 12 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
index e8868136d8..5b1e757cb9 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32.dsc
|
||||
@@ -379,11 +379,7 @@
|
||||
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
|
||||
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
|
||||
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
|
||||
-!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
|
||||
-!else
|
||||
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
|
||||
-!endif
|
||||
!if $(TPM_ENABLE) == TRUE
|
||||
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
|
||||
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
index d05275a324..5dffc32105 100644
|
||||
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
|
||||
@@ -383,11 +383,7 @@
|
||||
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
|
||||
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
|
||||
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
|
||||
-!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
|
||||
-!else
|
||||
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
|
||||
-!endif
|
||||
!if $(TPM_ENABLE) == TRUE
|
||||
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
|
||||
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index cac4cecf18..a2a76fdeea 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -383,11 +383,7 @@
|
||||
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
|
||||
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
|
||||
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
|
||||
-!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
|
||||
-!else
|
||||
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
|
||||
-!endif
|
||||
!if $(TPM_ENABLE) == TRUE
|
||||
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
|
||||
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
|
||||
--
|
||||
2.18.1
|
||||
|
@ -1,338 +0,0 @@
|
||||
From 3c9574af677c24b969c3baa6a527dabaf97f11a2 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:53 +0100
|
||||
Subject: [PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-6-lersek@redhat.com>
|
||||
Patchwork-id: 92461
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
|
||||
edk2-libc project, in commit 964f432b9b0a ("edk2: Remove AppPkg, StdLib,
|
||||
StdLibPrivateInternalFiles", 2019-04-29).
|
||||
|
||||
We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
|
||||
"inet_pton.c" file from just before the StdLib removal, as follows:
|
||||
|
||||
$ git show \
|
||||
964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
|
||||
> CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
|
||||
|
||||
The inet_pton() function is only intended for the DXE phase at this time,
|
||||
therefore only the "BaseCryptLib" instance INF file receives the new file.
|
||||
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
(cherry picked from commit 8d16ef8269b2ff373d8da674e59992adfdc032d3)
|
||||
---
|
||||
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
|
||||
CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 +++++++++++++++++++++
|
||||
CryptoPkg/Library/Include/CrtLibSupport.h | 1 +
|
||||
3 files changed, 259 insertions(+)
|
||||
create mode 100644 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
|
||||
|
||||
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
|
||||
index 8d4988e..b5cfd8b 100644
|
||||
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
|
||||
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
|
||||
@@ -58,6 +58,7 @@
|
||||
SysCall/CrtWrapper.c
|
||||
SysCall/TimerWrapper.c
|
||||
SysCall/BaseMemAllocation.c
|
||||
+ SysCall/inet_pton.c
|
||||
|
||||
[Sources.Ia32]
|
||||
Rand/CryptRandTsc.c
|
||||
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
|
||||
new file mode 100644
|
||||
index 0000000..32e1ab8
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
|
||||
@@ -0,0 +1,257 @@
|
||||
+/* Copyright (c) 1996 by Internet Software Consortium.
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
|
||||
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
|
||||
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
||||
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
||||
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
||||
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Portions copyright (c) 1999, 2000
|
||||
+ * Intel Corporation.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * 3. All advertising materials mentioning features or use of this software
|
||||
+ * must display the following acknowledgement:
|
||||
+ *
|
||||
+ * This product includes software developed by Intel Corporation and
|
||||
+ * its contributors.
|
||||
+ *
|
||||
+ * 4. Neither the name of Intel Corporation or its contributors may be
|
||||
+ * used to endorse or promote products derived from this software
|
||||
+ * without specific prior written permission.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS''
|
||||
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
+ * THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#if defined(LIBC_SCCS) && !defined(lint)
|
||||
+static char rcsid[] = "$Id: inet_pton.c,v 1.1.1.1 2003/11/19 01:51:30 kyu3 Exp $";
|
||||
+#endif /* LIBC_SCCS and not lint */
|
||||
+
|
||||
+#include <sys/param.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <arpa/inet.h>
|
||||
+#include <arpa/nameser.h>
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+/*
|
||||
+ * WARNING: Don't even consider trying to compile this on a system where
|
||||
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
|
||||
+ */
|
||||
+
|
||||
+static int inet_pton4 (const char *src, u_char *dst);
|
||||
+static int inet_pton6 (const char *src, u_char *dst);
|
||||
+
|
||||
+/* int
|
||||
+ * inet_pton(af, src, dst)
|
||||
+ * convert from presentation format (which usually means ASCII printable)
|
||||
+ * to network format (which is usually some kind of binary format).
|
||||
+ * return:
|
||||
+ * 1 if the address was valid for the specified address family
|
||||
+ * 0 if the address wasn't valid (`dst' is untouched in this case)
|
||||
+ * -1 if some other error occurred (`dst' is untouched in this case, too)
|
||||
+ * author:
|
||||
+ * Paul Vixie, 1996.
|
||||
+ */
|
||||
+int
|
||||
+inet_pton(
|
||||
+ int af,
|
||||
+ const char *src,
|
||||
+ void *dst
|
||||
+ )
|
||||
+{
|
||||
+ switch (af) {
|
||||
+ case AF_INET:
|
||||
+ return (inet_pton4(src, dst));
|
||||
+ case AF_INET6:
|
||||
+ return (inet_pton6(src, dst));
|
||||
+ default:
|
||||
+ errno = EAFNOSUPPORT;
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ /* NOTREACHED */
|
||||
+}
|
||||
+
|
||||
+/* int
|
||||
+ * inet_pton4(src, dst)
|
||||
+ * like inet_aton() but without all the hexadecimal and shorthand.
|
||||
+ * return:
|
||||
+ * 1 if `src' is a valid dotted quad, else 0.
|
||||
+ * notice:
|
||||
+ * does not touch `dst' unless it's returning 1.
|
||||
+ * author:
|
||||
+ * Paul Vixie, 1996.
|
||||
+ */
|
||||
+static int
|
||||
+inet_pton4(
|
||||
+ const char *src,
|
||||
+ u_char *dst
|
||||
+ )
|
||||
+{
|
||||
+ static const char digits[] = "0123456789";
|
||||
+ int saw_digit, octets, ch;
|
||||
+ u_char tmp[NS_INADDRSZ], *tp;
|
||||
+
|
||||
+ saw_digit = 0;
|
||||
+ octets = 0;
|
||||
+ *(tp = tmp) = 0;
|
||||
+ while ((ch = *src++) != '\0') {
|
||||
+ const char *pch;
|
||||
+
|
||||
+ if ((pch = strchr(digits, ch)) != NULL) {
|
||||
+ u_int new = *tp * 10 + (u_int)(pch - digits);
|
||||
+
|
||||
+ if (new > 255)
|
||||
+ return (0);
|
||||
+ *tp = (u_char)new;
|
||||
+ if (! saw_digit) {
|
||||
+ if (++octets > 4)
|
||||
+ return (0);
|
||||
+ saw_digit = 1;
|
||||
+ }
|
||||
+ } else if (ch == '.' && saw_digit) {
|
||||
+ if (octets == 4)
|
||||
+ return (0);
|
||||
+ *++tp = 0;
|
||||
+ saw_digit = 0;
|
||||
+ } else
|
||||
+ return (0);
|
||||
+ }
|
||||
+ if (octets < 4)
|
||||
+ return (0);
|
||||
+
|
||||
+ memcpy(dst, tmp, NS_INADDRSZ);
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+/* int
|
||||
+ * inet_pton6(src, dst)
|
||||
+ * convert presentation level address to network order binary form.
|
||||
+ * return:
|
||||
+ * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
|
||||
+ * notice:
|
||||
+ * (1) does not touch `dst' unless it's returning 1.
|
||||
+ * (2) :: in a full address is silently ignored.
|
||||
+ * credit:
|
||||
+ * inspired by Mark Andrews.
|
||||
+ * author:
|
||||
+ * Paul Vixie, 1996.
|
||||
+ */
|
||||
+static int
|
||||
+inet_pton6(
|
||||
+ const char *src,
|
||||
+ u_char *dst
|
||||
+ )
|
||||
+{
|
||||
+ static const char xdigits_l[] = "0123456789abcdef",
|
||||
+ xdigits_u[] = "0123456789ABCDEF";
|
||||
+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
|
||||
+ const char *xdigits, *curtok;
|
||||
+ int ch, saw_xdigit;
|
||||
+ u_int val;
|
||||
+
|
||||
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
|
||||
+ endp = tp + NS_IN6ADDRSZ;
|
||||
+ colonp = NULL;
|
||||
+ /* Leading :: requires some special handling. */
|
||||
+ if (*src == ':')
|
||||
+ if (*++src != ':')
|
||||
+ return (0);
|
||||
+ curtok = src;
|
||||
+ saw_xdigit = 0;
|
||||
+ val = 0;
|
||||
+ while ((ch = *src++) != '\0') {
|
||||
+ const char *pch;
|
||||
+
|
||||
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
|
||||
+ pch = strchr((xdigits = xdigits_u), ch);
|
||||
+ if (pch != NULL) {
|
||||
+ val <<= 4;
|
||||
+ val |= (pch - xdigits);
|
||||
+ if (val > 0xffff)
|
||||
+ return (0);
|
||||
+ saw_xdigit = 1;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (ch == ':') {
|
||||
+ curtok = src;
|
||||
+ if (!saw_xdigit) {
|
||||
+ if (colonp)
|
||||
+ return (0);
|
||||
+ colonp = tp;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (tp + NS_INT16SZ > endp)
|
||||
+ return (0);
|
||||
+ *tp++ = (u_char) (val >> 8) & 0xff;
|
||||
+ *tp++ = (u_char) val & 0xff;
|
||||
+ saw_xdigit = 0;
|
||||
+ val = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
|
||||
+ inet_pton4(curtok, tp) > 0) {
|
||||
+ tp += NS_INADDRSZ;
|
||||
+ saw_xdigit = 0;
|
||||
+ break; /* '\0' was seen by inet_pton4(). */
|
||||
+ }
|
||||
+ return (0);
|
||||
+ }
|
||||
+ if (saw_xdigit) {
|
||||
+ if (tp + NS_INT16SZ > endp)
|
||||
+ return (0);
|
||||
+ *tp++ = (u_char) (val >> 8) & 0xff;
|
||||
+ *tp++ = (u_char) val & 0xff;
|
||||
+ }
|
||||
+ if (colonp != NULL) {
|
||||
+ /*
|
||||
+ * Since some memmove()'s erroneously fail to handle
|
||||
+ * overlapping regions, we'll do the shift by hand.
|
||||
+ */
|
||||
+ const int n = (int)(tp - colonp);
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 1; i <= n; i++) {
|
||||
+ endp[- i] = colonp[n - i];
|
||||
+ colonp[n - i] = 0;
|
||||
+ }
|
||||
+ tp = endp;
|
||||
+ }
|
||||
+ if (tp != endp)
|
||||
+ return (0);
|
||||
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
|
||||
+ return (1);
|
||||
+}
|
||||
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
index e603fad..5a20ba6 100644
|
||||
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
@@ -192,6 +192,7 @@ void abort (void) __attribute__((__noreturn__));
|
||||
#else
|
||||
void abort (void);
|
||||
#endif
|
||||
+int inet_pton (int, const char *, void *);
|
||||
|
||||
//
|
||||
// Macros that directly map functions to BaseLib, BaseMemoryLib, and DebugLib functions
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,188 +0,0 @@
|
||||
From 1ab1024f94401300fe9a1d5cdce6c15a2b091e02 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:50 +0100
|
||||
Subject: [PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies
|
||||
(CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-5-lersek@redhat.com>
|
||||
Patchwork-id: 92453
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
In a later patch in this series, we're going to resurrect "inet_pton.c"
|
||||
(originally from the StdLib package). That source file has a number of
|
||||
standard C and BSD socket dependencies. Provide those dependencies here:
|
||||
|
||||
- The header files below will simply #include <CrtLibSupport.h>:
|
||||
|
||||
- arpa/inet.h
|
||||
- arpa/nameser.h
|
||||
- netinet/in.h
|
||||
- sys/param.h
|
||||
- sys/socket.h
|
||||
|
||||
- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
|
||||
e2d3a25f1a31; which is the commit immediately preceding the removal of
|
||||
StdLib from edk2 (964f432b9b0a).
|
||||
|
||||
Note that the other error macro, which we alread #define, namely EINVAL,
|
||||
has a value (22) that also matches "StdLib/Include/errno.h".
|
||||
|
||||
- The AF_INET and AF_INET6 address family macros come from
|
||||
"StdLib/Include/sys/socket.h".
|
||||
|
||||
- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
|
||||
"StdLib/Include/arpa/nameser.h".
|
||||
|
||||
- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".
|
||||
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
(cherry picked from commit 2ac41c12c0d4b3d3ee8f905ab80da019e784de00)
|
||||
---
|
||||
CryptoPkg/Library/Include/CrtLibSupport.h | 16 ++++++++++++++++
|
||||
CryptoPkg/Library/Include/arpa/inet.h | 9 +++++++++
|
||||
CryptoPkg/Library/Include/arpa/nameser.h | 9 +++++++++
|
||||
CryptoPkg/Library/Include/netinet/in.h | 9 +++++++++
|
||||
CryptoPkg/Library/Include/sys/param.h | 9 +++++++++
|
||||
CryptoPkg/Library/Include/sys/socket.h | 9 +++++++++
|
||||
6 files changed, 61 insertions(+)
|
||||
create mode 100644 CryptoPkg/Library/Include/arpa/inet.h
|
||||
create mode 100644 CryptoPkg/Library/Include/arpa/nameser.h
|
||||
create mode 100644 CryptoPkg/Library/Include/netinet/in.h
|
||||
create mode 100644 CryptoPkg/Library/Include/sys/param.h
|
||||
create mode 100644 CryptoPkg/Library/Include/sys/socket.h
|
||||
|
||||
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
index b90da20..e603fad 100644
|
||||
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
@@ -74,6 +74,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
// Definitions for global constants used by CRT library routines
|
||||
//
|
||||
#define EINVAL 22 /* Invalid argument */
|
||||
+#define EAFNOSUPPORT 47 /* Address family not supported by protocol family */
|
||||
#define INT_MAX 0x7FFFFFFF /* Maximum (signed) int value */
|
||||
#define LONG_MAX 0X7FFFFFFFL /* max value for a long */
|
||||
#define LONG_MIN (-LONG_MAX-1) /* min value for a long */
|
||||
@@ -81,13 +82,28 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#define CHAR_BIT 8 /* Number of bits in a char */
|
||||
|
||||
//
|
||||
+// Address families.
|
||||
+//
|
||||
+#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
|
||||
+#define AF_INET6 24 /* IP version 6 */
|
||||
+
|
||||
+//
|
||||
+// Define constants based on RFC0883, RFC1034, RFC 1035
|
||||
+//
|
||||
+#define NS_INT16SZ 2 /*%< #/bytes of data in a u_int16_t */
|
||||
+#define NS_INADDRSZ 4 /*%< IPv4 T_A */
|
||||
+#define NS_IN6ADDRSZ 16 /*%< IPv6 T_AAAA */
|
||||
+
|
||||
+//
|
||||
// Basic types mapping
|
||||
//
|
||||
typedef UINTN size_t;
|
||||
+typedef UINTN u_int;
|
||||
typedef INTN ssize_t;
|
||||
typedef INT32 time_t;
|
||||
typedef UINT8 __uint8_t;
|
||||
typedef UINT8 sa_family_t;
|
||||
+typedef UINT8 u_char;
|
||||
typedef UINT32 uid_t;
|
||||
typedef UINT32 gid_t;
|
||||
|
||||
diff --git a/CryptoPkg/Library/Include/arpa/inet.h b/CryptoPkg/Library/Include/arpa/inet.h
|
||||
new file mode 100644
|
||||
index 0000000..988e4e0
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/arpa/inet.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building third-party standard C / BSD sockets code.
|
||||
+
|
||||
+ Copyright (C) 2019, Red Hat, Inc.
|
||||
+
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/Include/arpa/nameser.h b/CryptoPkg/Library/Include/arpa/nameser.h
|
||||
new file mode 100644
|
||||
index 0000000..988e4e0
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/arpa/nameser.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building third-party standard C / BSD sockets code.
|
||||
+
|
||||
+ Copyright (C) 2019, Red Hat, Inc.
|
||||
+
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/Include/netinet/in.h b/CryptoPkg/Library/Include/netinet/in.h
|
||||
new file mode 100644
|
||||
index 0000000..988e4e0
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/netinet/in.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building third-party standard C / BSD sockets code.
|
||||
+
|
||||
+ Copyright (C) 2019, Red Hat, Inc.
|
||||
+
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/Include/sys/param.h b/CryptoPkg/Library/Include/sys/param.h
|
||||
new file mode 100644
|
||||
index 0000000..988e4e0
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/sys/param.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building third-party standard C / BSD sockets code.
|
||||
+
|
||||
+ Copyright (C) 2019, Red Hat, Inc.
|
||||
+
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
diff --git a/CryptoPkg/Library/Include/sys/socket.h b/CryptoPkg/Library/Include/sys/socket.h
|
||||
new file mode 100644
|
||||
index 0000000..988e4e0
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/Include/sys/socket.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+/** @file
|
||||
+ Include file to support building third-party standard C / BSD sockets code.
|
||||
+
|
||||
+ Copyright (C) 2019, Red Hat, Inc.
|
||||
+
|
||||
+ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+**/
|
||||
+
|
||||
+#include <CrtLibSupport.h>
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,86 +0,0 @@
|
||||
From 697cb1880b624f83bc9e926c3614d070eb365f06 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:47 +0100
|
||||
Subject: [PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function
|
||||
(CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-4-lersek@redhat.com>
|
||||
Patchwork-id: 92458
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
According to the ISO C standard, strchr() is a function. We #define it as
|
||||
a macro. Unfortunately, our macro evaluates the first argument ("str")
|
||||
twice. If the expression passed for "str" has side effects, the behavior
|
||||
may be undefined.
|
||||
|
||||
In a later patch in this series, we're going to resurrect "inet_pton.c"
|
||||
(originally from the StdLib package), which calls strchr() just like that:
|
||||
|
||||
strchr((xdigits = xdigits_l), ch)
|
||||
strchr((xdigits = xdigits_u), ch)
|
||||
|
||||
To enable this kind of function call, turn strchr() into a function.
|
||||
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
(cherry picked from commit eb520d94dba7369d1886cd5522d5a2c36fb02209)
|
||||
---
|
||||
CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++
|
||||
CryptoPkg/Library/Include/CrtLibSupport.h | 2 +-
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
|
||||
index 71a2ef3..42235ab 100644
|
||||
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
|
||||
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
|
||||
@@ -115,6 +115,11 @@ QuickSortWorker (
|
||||
// -- String Manipulation Routines --
|
||||
//
|
||||
|
||||
+char *strchr(const char *str, int ch)
|
||||
+{
|
||||
+ return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
|
||||
+}
|
||||
+
|
||||
/* Scan a string for the last occurrence of a character */
|
||||
char *strrchr (const char *str, int c)
|
||||
{
|
||||
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
index 5806f50..b90da20 100644
|
||||
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
|
||||
@@ -147,6 +147,7 @@ int isupper (int);
|
||||
int tolower (int);
|
||||
int strcmp (const char *, const char *);
|
||||
int strncasecmp (const char *, const char *, size_t);
|
||||
+char *strchr (const char *, int);
|
||||
char *strrchr (const char *, int);
|
||||
unsigned long strtoul (const char *, char **, int);
|
||||
long strtol (const char *, char **, int);
|
||||
@@ -188,7 +189,6 @@ void abort (void);
|
||||
#define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource)
|
||||
#define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count)
|
||||
#define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource)
|
||||
-#define strchr(str,ch) ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch)
|
||||
#define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count)))
|
||||
#define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2)
|
||||
#define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__)
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,134 +0,0 @@
|
||||
From 3885ce313d1d06359aa76b085668c1391d8a5f50 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:43 +0100
|
||||
Subject: [PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"
|
||||
(CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-3-lersek@redhat.com>
|
||||
Patchwork-id: 92460
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
|
||||
protocol to set the specified host name that need to be verified.
|
||||
|
||||
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
|
||||
Reviewed-by: Ye Ting <ting.ye@intel.com>
|
||||
Reviewed-by: Long Qin <qin.long@intel.com>
|
||||
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
|
||||
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
(cherry picked from commit 2ca74e1a175232cc201798e27437700adc7fb07e)
|
||||
---
|
||||
CryptoPkg/Include/Library/TlsLib.h | 20 +++++++++++++++++++
|
||||
CryptoPkg/Library/TlsLib/TlsConfig.c | 38 +++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 57 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
|
||||
index 9875cb6..3af7d4b 100644
|
||||
--- a/CryptoPkg/Include/Library/TlsLib.h
|
||||
+++ b/CryptoPkg/Include/Library/TlsLib.h
|
||||
@@ -397,6 +397,26 @@ TlsSetVerify (
|
||||
);
|
||||
|
||||
/**
|
||||
+ Set the specified host name to be verified.
|
||||
+
|
||||
+ @param[in] Tls Pointer to the TLS object.
|
||||
+ @param[in] Flags The setting flags during the validation.
|
||||
+ @param[in] HostName The specified host name to be verified.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The HostName setting was set successfully.
|
||||
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
|
||||
+ @retval EFI_ABORTED Invalid HostName setting.
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+TlsSetVerifyHost (
|
||||
+ IN VOID *Tls,
|
||||
+ IN UINT32 Flags,
|
||||
+ IN CHAR8 *HostName
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
|
||||
|
||||
This function sets a session ID to be used when the TLS/SSL connection is
|
||||
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
index 74b577d..2bf5aee 100644
|
||||
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/** @file
|
||||
SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
|
||||
|
||||
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
@@ -498,6 +498,42 @@ TlsSetVerify (
|
||||
}
|
||||
|
||||
/**
|
||||
+ Set the specified host name to be verified.
|
||||
+
|
||||
+ @param[in] Tls Pointer to the TLS object.
|
||||
+ @param[in] Flags The setting flags during the validation.
|
||||
+ @param[in] HostName The specified host name to be verified.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The HostName setting was set successfully.
|
||||
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
|
||||
+ @retval EFI_ABORTED Invalid HostName setting.
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+TlsSetVerifyHost (
|
||||
+ IN VOID *Tls,
|
||||
+ IN UINT32 Flags,
|
||||
+ IN CHAR8 *HostName
|
||||
+ )
|
||||
+{
|
||||
+ TLS_CONNECTION *TlsConn;
|
||||
+
|
||||
+ TlsConn = (TLS_CONNECTION *) Tls;
|
||||
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ SSL_set_hostflags(TlsConn->Ssl, Flags);
|
||||
+
|
||||
+ if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
|
||||
+ return EFI_ABORTED;
|
||||
+ }
|
||||
+
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
|
||||
|
||||
This function sets a session ID to be used when the TLS/SSL connection is
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,100 +0,0 @@
|
||||
From 970b5f67512e00fb26765a14b4a1cb8a8a04276d Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:57 +0100
|
||||
Subject: [PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address
|
||||
literals as such (CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-7-lersek@redhat.com>
|
||||
Patchwork-id: 92452
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
Using the inet_pton() function that we imported in the previous patches,
|
||||
recognize if "HostName" is an IP address literal, and then parse it into
|
||||
binary representation. Passing the latter to OpenSSL for server
|
||||
certificate validation is important, per RFC-2818
|
||||
<https://tools.ietf.org/html/rfc2818#section-3.1>:
|
||||
|
||||
> In some cases, the URI is specified as an IP address rather than a
|
||||
> hostname. In this case, the iPAddress subjectAltName must be present in
|
||||
> the certificate and must exactly match the IP in the URI.
|
||||
|
||||
Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
|
||||
version that is currently consumed by edk2, said function depends on
|
||||
sscanf() for parsing IPv4 literals. In
|
||||
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
|
||||
empty -- always failing -- stub for sscanf(), however.
|
||||
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
Suggested-by: David Woodhouse <dwmw2@infradead.org>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Acked-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
(cherry picked from commit 1e72b1fb2ec597caedb5170079bb213f6d67f32a)
|
||||
---
|
||||
CryptoPkg/Library/TlsLib/TlsConfig.c | 28 ++++++++++++++++++++++++----
|
||||
1 file changed, 24 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
index 2bf5aee..307eb57 100644
|
||||
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
|
||||
@@ -517,7 +517,11 @@ TlsSetVerifyHost (
|
||||
IN CHAR8 *HostName
|
||||
)
|
||||
{
|
||||
- TLS_CONNECTION *TlsConn;
|
||||
+ TLS_CONNECTION *TlsConn;
|
||||
+ X509_VERIFY_PARAM *VerifyParam;
|
||||
+ UINTN BinaryAddressSize;
|
||||
+ UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
|
||||
+ INTN ParamStatus;
|
||||
|
||||
TlsConn = (TLS_CONNECTION *) Tls;
|
||||
if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
|
||||
@@ -526,11 +530,27 @@ TlsSetVerifyHost (
|
||||
|
||||
SSL_set_hostflags(TlsConn->Ssl, Flags);
|
||||
|
||||
- if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
|
||||
- return EFI_ABORTED;
|
||||
+ VerifyParam = SSL_get0_param (TlsConn->Ssl);
|
||||
+ ASSERT (VerifyParam != NULL);
|
||||
+
|
||||
+ BinaryAddressSize = 0;
|
||||
+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
|
||||
+ BinaryAddressSize = NS_IN6ADDRSZ;
|
||||
+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
|
||||
+ BinaryAddressSize = NS_INADDRSZ;
|
||||
}
|
||||
|
||||
- return EFI_SUCCESS;
|
||||
+ if (BinaryAddressSize > 0) {
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
|
||||
+ "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
|
||||
+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')));
|
||||
+ ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
|
||||
+ BinaryAddressSize);
|
||||
+ } else {
|
||||
+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
|
||||
+ }
|
||||
+
|
||||
+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,148 +0,0 @@
|
||||
From 4ef57a1e6b9411e785e00e8874bd5c67235e9134 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 11 Feb 2020 17:01:59 +0100
|
||||
Subject: [PATCH 1/2] MdeModulePkg: Enable/Disable S3BootScript dynamically.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200211170200.12389-2-lersek@redhat.com>
|
||||
Patchwork-id: 93776
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/2] MdeModulePkg: Enable/Disable S3BootScript dynamically.
|
||||
Bugzilla: 1801274
|
||||
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
From: Chasel Chiu <chasel.chiu@intel.com>
|
||||
|
||||
--v-- RHEL8 note start --v--
|
||||
|
||||
This patch is cherry-picked from upstream as a contextual (not semantic /
|
||||
functional) pre-requisite for the next patch.
|
||||
|
||||
Functionally, this patch makes no difference in OVMF, for two reasons:
|
||||
|
||||
- Downstream, we don't enable S3 anyway (per QEMU default).
|
||||
|
||||
- The S3-related modules that are built into OVMF (S3SaveStateDxe,
|
||||
BootScriptExecutorDxe) already consider PcdAcpiS3Enable, and exit their
|
||||
entry point functions with EFI_UNSUPPORTED when the PCD is FALSE. As a
|
||||
consequence, the DESTRUCTOR function of the PiDxeS3BootScriptLib library
|
||||
instance (which is linked into those binaries) will undo whatever the
|
||||
CONSTRUCTOR function did; no resources will be leaked.
|
||||
|
||||
https://edk2.groups.io/g/devel/message/47996
|
||||
http://mid.mail-archive.com/e43e3f56-d2db-7989-b6f1-03e1c810d908@redhat.com
|
||||
|
||||
--^-- RHEL8 note end --^--
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2212
|
||||
|
||||
In binary model the same binary may have to support both
|
||||
S3 enabled and disabled scenarios, however not all DXE
|
||||
drivers linking PiDxeS3BootScriptLib can return error to
|
||||
invoke library DESTRUCTOR for releasing resource.
|
||||
|
||||
To support this usage model below PCD is used to skip
|
||||
S3BootScript functions when PCD set to FALSE:
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
|
||||
|
||||
Test: Verified on internal platform and S3BootScript
|
||||
functions can be skipped by PCD during boot time.
|
||||
|
||||
Cc: Hao A Wu <hao.a.wu@intel.com>
|
||||
Cc: Eric Dong <eric.dong@intel.com>
|
||||
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
|
||||
Cc: Liming Gao <liming.gao@intel.com>
|
||||
Cc: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Chasel Chiu <chasel.chiu@intel.com>
|
||||
Reviewed-by: Nate DeSimone <nathaniel.l.desimone@intel.com>
|
||||
Reviewed-by: Eric Dong <eric.dong@intel.com>
|
||||
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit ed9db1b91ceba7d3a24743d4d9314c6fbe11c4b3)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/PiDxeS3BootScriptLib/BootScriptSave.c | 17 ++++++++++++++++-
|
||||
.../Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf | 4 ++--
|
||||
2 files changed, 18 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
index c116727..9106e7d 100644
|
||||
--- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/** @file
|
||||
Save the S3 data to S3 boot script.
|
||||
|
||||
- Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||
+ Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
@@ -124,6 +124,7 @@ VOID *mRegistrationSmmReadyToLock = NULL;
|
||||
BOOLEAN mS3BootScriptTableAllocated = FALSE;
|
||||
BOOLEAN mS3BootScriptTableSmmAllocated = FALSE;
|
||||
EFI_SMM_SYSTEM_TABLE2 *mBootScriptSmst = NULL;
|
||||
+BOOLEAN mAcpiS3Enable = TRUE;
|
||||
|
||||
/**
|
||||
This is an internal function to add a terminate node the entry, recalculate the table
|
||||
@@ -436,6 +437,12 @@ S3BootScriptLibInitialize (
|
||||
BOOLEAN InSmm;
|
||||
EFI_PHYSICAL_ADDRESS Buffer;
|
||||
|
||||
+ if (!PcdGetBool (PcdAcpiS3Enable)) {
|
||||
+ mAcpiS3Enable = FALSE;
|
||||
+ DEBUG ((DEBUG_INFO, "%a: Skip S3BootScript because ACPI S3 disabled.\n", gEfiCallerBaseName));
|
||||
+ return RETURN_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
S3TablePtr = (SCRIPT_TABLE_PRIVATE_DATA*)(UINTN)PcdGet64(PcdS3BootScriptTablePrivateDataPtr);
|
||||
//
|
||||
// The Boot script private data is not be initialized. create it
|
||||
@@ -562,6 +569,10 @@ S3BootScriptLibDeinitialize (
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
|
||||
+ if (!mAcpiS3Enable) {
|
||||
+ return RETURN_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
DEBUG ((EFI_D_INFO, "%a() in %a module\n", __FUNCTION__, gEfiCallerBaseName));
|
||||
|
||||
if (mEventDxeSmmReadyToLock != NULL) {
|
||||
@@ -810,6 +821,10 @@ S3BootScriptGetEntryAddAddress (
|
||||
{
|
||||
UINT8* NewEntryPtr;
|
||||
|
||||
+ if (!mAcpiS3Enable) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
if (mS3BootScriptTablePtr->SmmLocked) {
|
||||
//
|
||||
// We need check InSmm, because after SmmReadyToLock, only SMM driver is allowed to write boot script.
|
||||
diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
|
||||
index 517ea69..2b894c9 100644
|
||||
--- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
|
||||
+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
|
||||
@@ -1,7 +1,7 @@
|
||||
## @file
|
||||
# DXE S3 boot script Library.
|
||||
#
|
||||
-# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
+# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#
|
||||
@@ -65,4 +65,4 @@
|
||||
## SOMETIMES_PRODUCES
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdS3BootScriptTablePrivateSmmDataPtr
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdS3BootScriptRuntimeTableReservePageNumber ## CONSUMES
|
||||
-
|
||||
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable ## CONSUMES
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,182 +0,0 @@
|
||||
From 51d2956d480fef83f765013c8aec7f7ddc14b84d Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 11 Feb 2020 17:02:00 +0100
|
||||
Subject: [PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric
|
||||
truncation (CVE-2019-14563)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200211170200.12389-3-lersek@redhat.com>
|
||||
Patchwork-id: 93777
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)
|
||||
Bugzilla: 1801274
|
||||
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
From: Hao A Wu <hao.a.wu@intel.com>
|
||||
|
||||
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001
|
||||
|
||||
For S3BootScriptLib APIs:
|
||||
|
||||
S3BootScriptSaveIoWrite
|
||||
S3BootScriptSaveMemWrite
|
||||
S3BootScriptSavePciCfgWrite
|
||||
S3BootScriptSavePciCfg2Write
|
||||
S3BootScriptSaveSmbusExecute
|
||||
S3BootScriptSaveInformation
|
||||
S3BootScriptSaveInformationAsciiString
|
||||
S3BootScriptLabel (happen in S3BootScriptLabelInternal())
|
||||
|
||||
possible numeric truncations will happen that may lead to S3 boot script
|
||||
entry with improper size being returned to store the boot script data.
|
||||
This commit will add checks to prevent this kind of issue.
|
||||
|
||||
Please note that the remaining S3BootScriptLib APIs:
|
||||
|
||||
S3BootScriptSaveIoReadWrite
|
||||
S3BootScriptSaveMemReadWrite
|
||||
S3BootScriptSavePciCfgReadWrite
|
||||
S3BootScriptSavePciCfg2ReadWrite
|
||||
S3BootScriptSaveStall
|
||||
S3BootScriptSaveDispatch2
|
||||
S3BootScriptSaveDispatch
|
||||
S3BootScriptSaveMemPoll
|
||||
S3BootScriptSaveIoPoll
|
||||
S3BootScriptSavePciPoll
|
||||
S3BootScriptSavePci2Poll
|
||||
S3BootScriptCloseTable
|
||||
S3BootScriptExecute
|
||||
S3BootScriptMoveLastOpcode
|
||||
S3BootScriptCompare
|
||||
|
||||
are not affected by such numeric truncation.
|
||||
|
||||
Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Eric Dong <eric.dong@intel.com>
|
||||
Acked-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
(cherry picked from commit 322ac05f8bbc1bce066af1dabd1b70ccdbe28891)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/PiDxeS3BootScriptLib/BootScriptSave.c | 52 +++++++++++++++++++++-
|
||||
1 file changed, 51 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
index 9106e7d..9315fc9 100644
|
||||
--- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/** @file
|
||||
Save the S3 data to S3 boot script.
|
||||
|
||||
- Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
|
||||
+ Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
@@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite (
|
||||
EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite;
|
||||
|
||||
WidthInByte = (UINT8) (0x01 << (Width & 0x03));
|
||||
+
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if ((Count > MAX_UINT8) ||
|
||||
+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count));
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
@@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite (
|
||||
EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite;
|
||||
|
||||
WidthInByte = (UINT8) (0x01 << (Width & 0x03));
|
||||
+
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if ((Count > MAX_UINT8) ||
|
||||
+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count));
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
@@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite (
|
||||
}
|
||||
|
||||
WidthInByte = (UINT8) (0x01 << (Width & 0x03));
|
||||
+
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if ((Count > MAX_UINT8) ||
|
||||
+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count));
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
@@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write (
|
||||
}
|
||||
|
||||
WidthInByte = (UINT8) (0x01 << (Width & 0x03));
|
||||
+
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if ((Count > MAX_UINT8) ||
|
||||
+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count));
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
@@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute (
|
||||
return Status;
|
||||
}
|
||||
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength);
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (DataSize);
|
||||
@@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation (
|
||||
UINT8 *Script;
|
||||
EFI_BOOT_SCRIPT_INFORMATION ScriptInformation;
|
||||
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
@@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal (
|
||||
UINT8 *Script;
|
||||
EFI_BOOT_SCRIPT_INFORMATION ScriptInformation;
|
||||
|
||||
+ //
|
||||
+ // Truncation check
|
||||
+ //
|
||||
+ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
|
||||
+ return RETURN_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
|
||||
|
||||
Script = S3BootScriptGetEntryAddAddress (Length);
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,101 +0,0 @@
|
||||
From e57f49101a66663a4f5425995e9ea97ae0858e1b Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 14 Jan 2020 12:39:05 +0100
|
||||
Subject: [PATCH 1/2] MdeModulePkg/UefiBootManagerLib: log reserved mem
|
||||
allocation failure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200114123906.8547-2-lersek@redhat.com>
|
||||
Patchwork-id: 93339
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/2] MdeModulePkg/UefiBootManagerLib: log reserved mem allocation failure
|
||||
Bugzilla: 1789797
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
The LoadFile protocol can report such a large buffer size that we cannot
|
||||
allocate enough reserved pages for. This particularly affects HTTP(S)
|
||||
Boot, if the remote file is very large (for example, an ISO image).
|
||||
|
||||
While the TianoCore wiki mentions this at
|
||||
<https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot#ram-disk-image-size>:
|
||||
|
||||
> The maximum RAM disk image size depends on how much continuous reserved
|
||||
> memory block the platform could provide.
|
||||
|
||||
it's hard to remember; so log a DEBUG_ERROR message when the allocation
|
||||
fails.
|
||||
|
||||
This patch produces error messages such as:
|
||||
|
||||
> UiApp:BmExpandLoadFile: failed to allocate reserved pages:
|
||||
> BufferSize=4501536768
|
||||
> LoadFile="PciRoot(0x0)/Pci(0x3,0x0)/MAC(5254001B103E,0x1)/
|
||||
> IPv4(0.0.0.0,TCP,DHCP,192.168.124.106,192.168.124.1,255.255.255.0)/
|
||||
> Dns(192.168.124.1)/
|
||||
> Uri(https://ipv4-server/RHEL-7.7-20190723.1-Server-x86_64-dvd1.iso)"
|
||||
> FilePath=""
|
||||
|
||||
(Manually rewrapped here for keeping PatchCheck.py happy.)
|
||||
|
||||
Cc: Hao A Wu <hao.a.wu@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Ray Ni <ray.ni@intel.com>
|
||||
Cc: Zhichao Gao <zhichao.gao@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
|
||||
Acked-by: Hao A Wu <hao.a.wu@intel.com>
|
||||
(cherry picked from commit a56af23f066e2816c67b7c6e64de7ddefcd70780)
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c | 31 ++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c b/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
|
||||
index 952033f..ded9ae9 100644
|
||||
--- a/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
|
||||
+++ b/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
|
||||
@@ -1386,6 +1386,37 @@ BmExpandLoadFile (
|
||||
//
|
||||
FileBuffer = AllocateReservedPages (EFI_SIZE_TO_PAGES (BufferSize));
|
||||
if (FileBuffer == NULL) {
|
||||
+ DEBUG_CODE (
|
||||
+ EFI_DEVICE_PATH *LoadFilePath;
|
||||
+ CHAR16 *LoadFileText;
|
||||
+ CHAR16 *FileText;
|
||||
+
|
||||
+ LoadFilePath = DevicePathFromHandle (LoadFileHandle);
|
||||
+ if (LoadFilePath == NULL) {
|
||||
+ LoadFileText = NULL;
|
||||
+ } else {
|
||||
+ LoadFileText = ConvertDevicePathToText (LoadFilePath, FALSE, FALSE);
|
||||
+ }
|
||||
+ FileText = ConvertDevicePathToText (FilePath, FALSE, FALSE);
|
||||
+
|
||||
+ DEBUG ((
|
||||
+ DEBUG_ERROR,
|
||||
+ "%a:%a: failed to allocate reserved pages: "
|
||||
+ "BufferSize=%Lu LoadFile=\"%s\" FilePath=\"%s\"\n",
|
||||
+ gEfiCallerBaseName,
|
||||
+ __FUNCTION__,
|
||||
+ (UINT64)BufferSize,
|
||||
+ LoadFileText,
|
||||
+ FileText
|
||||
+ ));
|
||||
+
|
||||
+ if (FileText != NULL) {
|
||||
+ FreePool (FileText);
|
||||
+ }
|
||||
+ if (LoadFileText != NULL) {
|
||||
+ FreePool (LoadFileText);
|
||||
+ }
|
||||
+ );
|
||||
return NULL;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,156 +0,0 @@
|
||||
From 22ebe3ff84003e9256759e230ac68da35c6d77a2 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:31:37 +0100
|
||||
Subject: [PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of
|
||||
EfiTlsVerifyHost (CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-2-lersek@redhat.com>
|
||||
Patchwork-id: 92457
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
In the patch, we add the new data type named "EfiTlsVerifyHost" and
|
||||
the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP)
|
||||
to enable the host name check so as to avoid the potential
|
||||
Man-In-The-Middle attack.
|
||||
|
||||
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
|
||||
Reviewed-by: Ye Ting <ting.ye@intel.com>
|
||||
Reviewed-by: Long Qin <qin.long@intel.com>
|
||||
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
|
||||
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20190927034441.3096-2-Jiaxin.wu@intel.com>
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
||||
(cherry picked from commit 31efec82796cb950e99d1622aa9c0eb8380613a0)
|
||||
---
|
||||
MdePkg/Include/Protocol/Tls.h | 68 ++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 57 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.h
|
||||
index bf1b672..af524ae 100644
|
||||
--- a/MdePkg/Include/Protocol/Tls.h
|
||||
+++ b/MdePkg/Include/Protocol/Tls.h
|
||||
@@ -42,10 +42,6 @@ typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;
|
||||
///
|
||||
typedef enum {
|
||||
///
|
||||
- /// Session Configuration
|
||||
- ///
|
||||
-
|
||||
- ///
|
||||
/// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.
|
||||
///
|
||||
EfiTlsVersion,
|
||||
@@ -86,11 +82,6 @@ typedef enum {
|
||||
/// The corresponding Data is of type EFI_TLS_SESSION_STATE.
|
||||
///
|
||||
EfiTlsSessionState,
|
||||
-
|
||||
- ///
|
||||
- /// Session information
|
||||
- ///
|
||||
-
|
||||
///
|
||||
/// TLS session data client random.
|
||||
/// The corresponding Data is of type EFI_TLS_RANDOM.
|
||||
@@ -106,9 +97,15 @@ typedef enum {
|
||||
/// The corresponding Data is of type EFI_TLS_MASTER_SECRET.
|
||||
///
|
||||
EfiTlsKeyMaterial,
|
||||
+ ///
|
||||
+ /// TLS session hostname for validation which is used to verify whether the name
|
||||
+ /// within the peer certificate matches a given host name.
|
||||
+ /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.
|
||||
+ /// The corresponding Data is of type EFI_TLS_VERIFY_HOST.
|
||||
+ ///
|
||||
+ EfiTlsVerifyHost,
|
||||
|
||||
EfiTlsSessionDataTypeMaximum
|
||||
-
|
||||
} EFI_TLS_SESSION_DATA_TYPE;
|
||||
|
||||
///
|
||||
@@ -178,7 +175,8 @@ typedef UINT32 EFI_TLS_VERIFY;
|
||||
///
|
||||
#define EFI_TLS_VERIFY_PEER 0x1
|
||||
///
|
||||
-/// TLS session will fail peer certificate is absent.
|
||||
+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.
|
||||
+/// TLS session will fail if client certificate is absent.
|
||||
///
|
||||
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2
|
||||
///
|
||||
@@ -188,6 +186,54 @@ typedef UINT32 EFI_TLS_VERIFY;
|
||||
#define EFI_TLS_VERIFY_CLIENT_ONCE 0x4
|
||||
|
||||
///
|
||||
+/// EFI_TLS_VERIFY_HOST_FLAG
|
||||
+///
|
||||
+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;
|
||||
+///
|
||||
+/// There is no additional flags set for hostname validation.
|
||||
+/// Wildcards are supported and they match only in the left-most label.
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_NONE 0x00
|
||||
+///
|
||||
+/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the
|
||||
+/// certificate contains Subject Alternative Name (SAN).
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01
|
||||
+///
|
||||
+/// Disable the match of all wildcards.
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02
|
||||
+///
|
||||
+/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04
|
||||
+///
|
||||
+/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08
|
||||
+///
|
||||
+/// Restrict to only match direct child sub-domains which start with ".".
|
||||
+/// For example, a name of ".example.com" would match "www.example.com" with this flag,
|
||||
+/// but would not match "www.sub.example.com".
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
|
||||
+///
|
||||
+/// Never check the Subject Distinguished Name (DN) even there is no
|
||||
+/// Subject Alternative Name (SAN) in the certificate.
|
||||
+///
|
||||
+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20
|
||||
+
|
||||
+///
|
||||
+/// EFI_TLS_VERIFY_HOST
|
||||
+///
|
||||
+#pragma pack (1)
|
||||
+typedef struct {
|
||||
+ EFI_TLS_VERIFY_HOST_FLAG Flags;
|
||||
+ CHAR8 *HostName;
|
||||
+} EFI_TLS_VERIFY_HOST;
|
||||
+#pragma pack ()
|
||||
+
|
||||
+///
|
||||
/// EFI_TLS_RANDOM
|
||||
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.
|
||||
/// Hello Messages".
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,99 +0,0 @@
|
||||
From d28c0053e94b8e721307ac1698d86e5dfb328e6d Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:32:04 +0100
|
||||
Subject: [PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification
|
||||
(CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-9-lersek@redhat.com>
|
||||
Patchwork-id: 92459
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
Set the HostName by consuming TLS protocol to enable the host name
|
||||
check so as to avoid the potential Man-In-The-Middle attack.
|
||||
|
||||
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
|
||||
Reviewed-by: Ye Ting <ting.ye@intel.com>
|
||||
Reviewed-by: Long Qin <qin.long@intel.com>
|
||||
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
|
||||
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit e2fc50812895b17e8b23f5a9c43cde29531b200f)
|
||||
---
|
||||
NetworkPkg/HttpDxe/HttpProto.h | 1 +
|
||||
NetworkPkg/HttpDxe/HttpsSupport.c | 21 +++++++++++++++++----
|
||||
2 files changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
|
||||
index 6e1f517..34308e0 100644
|
||||
--- a/NetworkPkg/HttpDxe/HttpProto.h
|
||||
+++ b/NetworkPkg/HttpDxe/HttpProto.h
|
||||
@@ -82,6 +82,7 @@ typedef struct {
|
||||
EFI_TLS_VERSION Version;
|
||||
EFI_TLS_CONNECTION_END ConnectionEnd;
|
||||
EFI_TLS_VERIFY VerifyMethod;
|
||||
+ EFI_TLS_VERIFY_HOST VerifyHost;
|
||||
EFI_TLS_SESSION_STATE SessionState;
|
||||
} TLS_CONFIG_DATA;
|
||||
|
||||
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
|
||||
index 988bbcb..5dfb13b 100644
|
||||
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
|
||||
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
|
||||
@@ -623,13 +623,16 @@ TlsConfigureSession (
|
||||
//
|
||||
// TlsConfigData initialization
|
||||
//
|
||||
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
|
||||
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
|
||||
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
|
||||
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
|
||||
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
|
||||
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
|
||||
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
|
||||
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
|
||||
|
||||
//
|
||||
// EfiTlsConnectionEnd,
|
||||
- // EfiTlsVerifyMethod
|
||||
+ // EfiTlsVerifyMethod,
|
||||
+ // EfiTlsVerifyHost,
|
||||
// EfiTlsSessionState
|
||||
//
|
||||
Status = HttpInstance->Tls->SetSessionData (
|
||||
@@ -654,6 +657,16 @@ TlsConfigureSession (
|
||||
|
||||
Status = HttpInstance->Tls->SetSessionData (
|
||||
HttpInstance->Tls,
|
||||
+ EfiTlsVerifyHost,
|
||||
+ &HttpInstance->TlsConfigData.VerifyHost,
|
||||
+ sizeof (EFI_TLS_VERIFY_HOST)
|
||||
+ );
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ Status = HttpInstance->Tls->SetSessionData (
|
||||
+ HttpInstance->Tls,
|
||||
EfiTlsSessionState,
|
||||
&(HttpInstance->TlsConfigData.SessionState),
|
||||
sizeof (EFI_TLS_SESSION_STATE)
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,120 +0,0 @@
|
||||
From 555d93f2daa551dc2311b15210a918aa79ed18ff Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 14 Jan 2020 12:39:06 +0100
|
||||
Subject: [PATCH 2/2] NetworkPkg/HttpDxe: fix 32-bit truncation in HTTPS
|
||||
download
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200114123906.8547-3-lersek@redhat.com>
|
||||
Patchwork-id: 93340
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 2/2] NetworkPkg/HttpDxe: fix 32-bit truncation in HTTPS download
|
||||
Bugzilla: 1789797
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
When downloading over TLS, each TLS message ("APP packet") is returned as
|
||||
a (decrypted) fragment table by EFI_TLS_PROTOCOL.ProcessPacket().
|
||||
|
||||
The TlsProcessMessage() function in "NetworkPkg/HttpDxe/HttpsSupport.c"
|
||||
linearizes the fragment table into a single contiguous data block. The
|
||||
resultant flat data block contains both TLS headers and data.
|
||||
|
||||
The HttpsReceive() function parses the actual application data -- in this
|
||||
case: decrypted HTTP data -- out of the flattened TLS data block, peeling
|
||||
off the TLS headers.
|
||||
|
||||
The HttpResponseWorker() function in "NetworkPkg/HttpDxe/HttpImpl.c"
|
||||
propagates this HTTP data outwards, implementing the
|
||||
EFI_HTTP_PROTOCOL.Response() function.
|
||||
|
||||
Now consider the following documentation for EFI_HTTP_PROTOCOL.Response(),
|
||||
quoted from "MdePkg/Include/Protocol/Http.h":
|
||||
|
||||
> It is the responsibility of the caller to allocate a buffer for Body and
|
||||
> specify the size in BodyLength. If the remote host provides a response
|
||||
> that contains a content body, up to BodyLength bytes will be copied from
|
||||
> the receive buffer into Body and BodyLength will be updated with the
|
||||
> amount of bytes received and copied to Body. This allows the client to
|
||||
> download a large file in chunks instead of into one contiguous block of
|
||||
> memory.
|
||||
|
||||
Note that, if the caller-allocated buffer is larger than the
|
||||
server-provided chunk, then the transfer length is limited by the latter.
|
||||
This is in fact the dominant case when downloading a huge file (for which
|
||||
UefiBootManagerLib allocated a huge contiguous RAM Disk buffer) in small
|
||||
TLS messages.
|
||||
|
||||
For adjusting BodyLength as described above -- i.e., to the application
|
||||
data chunk that has been extracted from the TLS message --, the
|
||||
HttpResponseWorker() function employs the following assignment:
|
||||
|
||||
HttpMsg->BodyLength = MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength);
|
||||
|
||||
The (UINT32) cast is motivated by the MIN() requirement -- in
|
||||
"MdePkg/Include/Base.h" -- that both arguments be of the same type.
|
||||
|
||||
"Fragment.Len" (NET_FRAGMENT.Len) has type UINT32, and
|
||||
"HttpMsg->BodyLength" (EFI_HTTP_MESSAGE.BodyLength) has type UINTN.
|
||||
Therefore a cast is indeed necessary.
|
||||
|
||||
Unfortunately, the cast is done in the wrong direction. Consider the
|
||||
following circumstances:
|
||||
|
||||
- "Fragment.Len" happens to be consistently 16KiB, dictated by the HTTPS
|
||||
Server's TLS stack,
|
||||
|
||||
- the size of the file to download is 4GiB + N*16KiB, where N is a
|
||||
positive integer.
|
||||
|
||||
As the download progresses, each received 16KiB application data chunk
|
||||
brings the *next* input value of BodyLength closer down to 4GiB. The cast
|
||||
in MIN() always masks off the high-order bits from the input value of
|
||||
BodyLength, but this is no problem because the low-order bits are nonzero,
|
||||
therefore the MIN() always permits progress.
|
||||
|
||||
However, once BodyLength reaches 4GiB exactly on input, the MIN()
|
||||
invocation produces a zero value. HttpResponseWorker() adjusts the output
|
||||
value of BodyLength to zero, and then passes it to HttpParseMessageBody().
|
||||
|
||||
HttpParseMessageBody() (in "NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c")
|
||||
rejects the zero BodyLength with EFI_INVALID_PARAMETER, which is fully
|
||||
propagated outwards, and aborts the HTTPS download. HttpBootDxe writes the
|
||||
message "Error: Unexpected network error" to the UEFI console.
|
||||
|
||||
For example, a file with size (4GiB + 197MiB) terminates after downloading
|
||||
just 197MiB.
|
||||
|
||||
Invert the direction of the cast: widen "Fragment.Len" to UINTN.
|
||||
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||
Cc: Siyuan Fu <siyuan.fu@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
|
||||
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
|
||||
(cherry picked from commit 4cca7923992a13f6b753782f469ee944da2db796)
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
NetworkPkg/HttpDxe/HttpImpl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
|
||||
index 6b87731..1acbb60 100644
|
||||
--- a/NetworkPkg/HttpDxe/HttpImpl.c
|
||||
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
|
||||
@@ -1348,7 +1348,7 @@ HttpResponseWorker (
|
||||
//
|
||||
// Process the received the body packet.
|
||||
//
|
||||
- HttpMsg->BodyLength = MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength);
|
||||
+ HttpMsg->BodyLength = MIN ((UINTN) Fragment.Len, HttpMsg->BodyLength);
|
||||
|
||||
CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength);
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,117 +0,0 @@
|
||||
From 24a4a1d62ae749c197f36d72f645c7142f368e6a Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 12:32:00 +0100
|
||||
Subject: [PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to
|
||||
TlsDxe driver (CVE-2019-14553)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20191117220052.15700-8-lersek@redhat.com>
|
||||
Patchwork-id: 92456
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553)
|
||||
Bugzilla: 1536624
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
|
||||
|
||||
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
|
||||
CVE: CVE-2019-14553
|
||||
The new data type named "EfiTlsVerifyHost" and the
|
||||
EFI_TLS_VERIFY_HOST_FLAG are supported in TLS protocol.
|
||||
|
||||
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
|
||||
Reviewed-by: Ye Ting <ting.ye@intel.com>
|
||||
Reviewed-by: Long Qin <qin.long@intel.com>
|
||||
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
|
||||
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20190927034441.3096-4-Jiaxin.wu@intel.com>
|
||||
Cc: David Woodhouse <dwmw2@infradead.org>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
|
||||
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 703e7ab21ff8fda9ababf7751d59bd28ad5da947)
|
||||
---
|
||||
NetworkPkg/TlsDxe/TlsProtocol.c | 44 ++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 41 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c
|
||||
index a7a993f..001e540 100644
|
||||
--- a/NetworkPkg/TlsDxe/TlsProtocol.c
|
||||
+++ b/NetworkPkg/TlsDxe/TlsProtocol.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/** @file
|
||||
Implementation of EFI TLS Protocol Interfaces.
|
||||
|
||||
- Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
@@ -56,12 +56,16 @@ TlsSetSessionData (
|
||||
UINT16 *CipherId;
|
||||
CONST EFI_TLS_CIPHER *TlsCipherList;
|
||||
UINTN CipherCount;
|
||||
+ CONST EFI_TLS_VERIFY_HOST *TlsVerifyHost;
|
||||
+ EFI_TLS_VERIFY VerifyMethod;
|
||||
+ UINTN VerifyMethodSize;
|
||||
UINTN Index;
|
||||
|
||||
EFI_TPL OldTpl;
|
||||
|
||||
- Status = EFI_SUCCESS;
|
||||
- CipherId = NULL;
|
||||
+ Status = EFI_SUCCESS;
|
||||
+ CipherId = NULL;
|
||||
+ VerifyMethodSize = sizeof (EFI_TLS_VERIFY);
|
||||
|
||||
if (This == NULL || Data == NULL || DataSize == 0) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
@@ -149,6 +153,40 @@ TlsSetSessionData (
|
||||
|
||||
TlsSetVerify (Instance->TlsConn, *((UINT32 *) Data));
|
||||
break;
|
||||
+ case EfiTlsVerifyHost:
|
||||
+ if (DataSize != sizeof (EFI_TLS_VERIFY_HOST)) {
|
||||
+ Status = EFI_INVALID_PARAMETER;
|
||||
+ goto ON_EXIT;
|
||||
+ }
|
||||
+
|
||||
+ TlsVerifyHost = (CONST EFI_TLS_VERIFY_HOST *) Data;
|
||||
+
|
||||
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT) != 0 &&
|
||||
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT) != 0) {
|
||||
+ Status = EFI_INVALID_PARAMETER;
|
||||
+ goto ON_EXIT;
|
||||
+ }
|
||||
+
|
||||
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS) != 0 &&
|
||||
+ ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS) != 0 ||
|
||||
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) != 0)) {
|
||||
+ Status = EFI_INVALID_PARAMETER;
|
||||
+ goto ON_EXIT;
|
||||
+ }
|
||||
+
|
||||
+ Status = This->GetSessionData (This, EfiTlsVerifyMethod, &VerifyMethod, &VerifyMethodSize);
|
||||
+ if (EFI_ERROR (Status)) {
|
||||
+ goto ON_EXIT;
|
||||
+ }
|
||||
+
|
||||
+ if ((VerifyMethod & EFI_TLS_VERIFY_PEER) == 0) {
|
||||
+ Status = EFI_INVALID_PARAMETER;
|
||||
+ goto ON_EXIT;
|
||||
+ }
|
||||
+
|
||||
+ Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName);
|
||||
+
|
||||
+ break;
|
||||
case EfiTlsSessionID:
|
||||
if (DataSize != sizeof (EFI_TLS_SESSION_ID)) {
|
||||
Status = EFI_INVALID_PARAMETER;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,50 @@
|
||||
From 135d3d4b4ff12927f7b0c44e067fd42ceae83bb7 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 24 Jun 2020 11:37:50 +0200
|
||||
Subject: [PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO
|
||||
level
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200615080105.11859-3-lersek@redhat.com>
|
||||
Patchwork-id: 97533
|
||||
O-Subject: [RHEL-8.3.0 edk2 PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO level
|
||||
Bugzilla: 1844682
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
gBS->LoadImage() returning EFI_NOT_FOUND is an expected condition; it
|
||||
means that QEMU wasn't started with "-kernel". Log this status code as
|
||||
INFO rather than ERROR.
|
||||
|
||||
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
|
||||
Cc: Jordan Justen <jordan.l.justen@intel.com>
|
||||
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200609105414.12474-1-lersek@redhat.com>
|
||||
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
|
||||
(cherry picked from commit 14c7ed8b51f60097ad771277da69f74b22a7a759)
|
||||
---
|
||||
.../Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
|
||||
index 14c8417d43..114db7e844 100644
|
||||
--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
|
||||
+++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
|
||||
@@ -106,7 +106,8 @@ QemuLoadKernelImage (
|
||||
goto UnloadImage;
|
||||
|
||||
default:
|
||||
- DEBUG ((DEBUG_ERROR, "%a: LoadImage(): %r\n", __FUNCTION__, Status));
|
||||
+ DEBUG ((Status == EFI_NOT_FOUND ? DEBUG_INFO : DEBUG_ERROR,
|
||||
+ "%a: LoadImage(): %r\n", __FUNCTION__, Status));
|
||||
return Status;
|
||||
}
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
@ -0,0 +1,85 @@
|
||||
From 9adcdf493ebbd11efb74e2905ab5f6c8996e096d Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 24 Jun 2020 11:31:36 +0200
|
||||
Subject: [PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no
|
||||
"-kernel" in silent aa64 build (RH)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200615080105.11859-2-lersek@redhat.com>
|
||||
Patchwork-id: 97532
|
||||
O-Subject: [RHEL-8.3.0 edk2 PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in silent aa64 build (RH)
|
||||
Bugzilla: 1844682
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe
|
||||
should return EFI_NOT_FOUND, so that the DXE Core can unload it. However,
|
||||
the associated error message, logged by the DXE Core to the serial
|
||||
console, is not desired in the silent edk2-aarch64 build, given that the
|
||||
absence of "-kernel" is nothing out of the ordinary. Therefore, return
|
||||
success and stay resident. The wasted guest RAM still gets freed after
|
||||
ExitBootServices().
|
||||
|
||||
(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++
|
||||
.../QemuKernelLoaderFsDxe.inf | 1 +
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
|
||||
index b09ff6a359..ec0244d61b 100644
|
||||
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
|
||||
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <Library/BaseLib.h>
|
||||
#include <Library/BaseMemoryLib.h>
|
||||
#include <Library/DebugLib.h>
|
||||
+#include <Library/DebugPrintErrorLevelLib.h>
|
||||
#include <Library/DevicePathLib.h>
|
||||
#include <Library/MemoryAllocationLib.h>
|
||||
#include <Library/QemuFwCfgLib.h>
|
||||
@@ -1039,6 +1040,22 @@ QemuKernelLoaderFsDxeEntrypoint (
|
||||
|
||||
if (KernelBlob->Data == NULL) {
|
||||
Status = EFI_NOT_FOUND;
|
||||
+#if defined (MDE_CPU_AARCH64)
|
||||
+ //
|
||||
+ // RHBZ#1844682
|
||||
+ //
|
||||
+ // If the "-kernel" QEMU option is not being used, this platform DXE driver
|
||||
+ // should return EFI_NOT_FOUND, so that the DXE Core can unload it.
|
||||
+ // However, the associated error message, logged by the DXE Core to the
|
||||
+ // serial console, is not desired in the silent edk2-aarch64 build, given
|
||||
+ // that the absence of "-kernel" is nothing out of the ordinary. Therefore,
|
||||
+ // return success and stay resident. The wasted guest RAM still gets freed
|
||||
+ // after ExitBootServices().
|
||||
+ //
|
||||
+ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
|
||||
+ Status = EFI_SUCCESS;
|
||||
+ }
|
||||
+#endif
|
||||
goto FreeBlobs;
|
||||
}
|
||||
|
||||
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
|
||||
index 7b35adb8e0..e0331c6e2c 100644
|
||||
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
|
||||
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
|
||||
@@ -28,6 +28,7 @@
|
||||
BaseLib
|
||||
BaseMemoryLib
|
||||
DebugLib
|
||||
+ DebugPrintErrorLevelLib
|
||||
DevicePathLib
|
||||
MemoryAllocationLib
|
||||
QemuFwCfgLib
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,64 +0,0 @@
|
||||
From 78cfb461bedb0e0491b267528b2ebd30adc1d87c Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 27 Mar 2020 07:01:18 +0100
|
||||
Subject: [PATCH] OvmfPkg/QemuVideoDxe: unbreak "secondary-vga" and
|
||||
"bochs-display" support
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Message-id: <20200226173820.16398-2-lersek@redhat.com>
|
||||
Patchwork-id: 94054
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/1] OvmfPkg/QemuVideoDxe: unbreak "secondary-vga" and "bochs-display" support
|
||||
Bugzilla: 1806359
|
||||
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
In edk2 commit 333f32ec23dd, QemuVideoDxe gained support for QEMU's
|
||||
"secondary-vga" device model (originally introduced in QEMU commit
|
||||
63e3e24db2e9).
|
||||
|
||||
In QEMU commit 765c94290863, the "bochs-display" device was introduced,
|
||||
which would work with QemuVideoDxe out of the box, reusing the
|
||||
"secondary-vga" logic.
|
||||
|
||||
Support for both models has been broken since edk2 commit 662bd0da7fd7.
|
||||
Said patch ended up requiring VGA IO Ports -- i.e., at least one of
|
||||
EFI_PCI_IO_ATTRIBUTE_VGA_IO and EFI_PCI_IO_ATTRIBUTE_VGA_IO_16 -- even if
|
||||
the device wasn't actually VGA compatible.
|
||||
|
||||
Restrict the IO Ports requirement to VGA compatible devices.
|
||||
|
||||
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
||||
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Cc: Jordan Justen <jordan.l.justen@intel.com>
|
||||
Cc: Marc W Chen <marc.w.chen@intel.com>
|
||||
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Fixes: 662bd0da7fd77e4d2cf9ef4a78015af5cad7d9db
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2555
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200224171741.7494-1-lersek@redhat.com>
|
||||
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
||||
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
(cherry picked from commit edfe16a6d9f8c6830d7ad93ee7616225fe4e9c13)
|
||||
---
|
||||
OvmfPkg/QemuVideoDxe/Driver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/OvmfPkg/QemuVideoDxe/Driver.c b/OvmfPkg/QemuVideoDxe/Driver.c
|
||||
index 522110e..902dd1b 100644
|
||||
--- a/OvmfPkg/QemuVideoDxe/Driver.c
|
||||
+++ b/OvmfPkg/QemuVideoDxe/Driver.c
|
||||
@@ -292,7 +292,7 @@ QemuVideoControllerDriverStart (
|
||||
}
|
||||
|
||||
SupportedVgaIo &= (UINT64)(EFI_PCI_IO_ATTRIBUTE_VGA_IO | EFI_PCI_IO_ATTRIBUTE_VGA_IO_16);
|
||||
- if (SupportedVgaIo == 0) {
|
||||
+ if (SupportedVgaIo == 0 && IS_PCI_VGA (&Pci)) {
|
||||
Status = EFI_UNSUPPORTED;
|
||||
goto ClosePciIo;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,82 +0,0 @@
|
||||
From b68d6a626977f48ac4d05396edcb70a73b12c66c Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:45 +0100
|
||||
Subject: [PATCH 09/12] SecurityPkg/DxeImageVerificationHandler: eliminate
|
||||
"Status" variable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-10-lersek@redhat.com>
|
||||
Patchwork-id: 93619
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 09/12] SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
The "Status" variable is set to EFI_ACCESS_DENIED at the top of the
|
||||
function. Then it is overwritten with EFI_SECURITY_VIOLATION under the
|
||||
"Failed" (earlier: "Done") label. We finally return "Status".
|
||||
|
||||
The above covers the complete usage of "Status" in
|
||||
DxeImageVerificationHandler(). Remove the variable, and simply return
|
||||
EFI_SECURITY_VIOLATION in the end.
|
||||
|
||||
This patch is a no-op, regarding behavior.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-9-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit fb02f5b2cd0b2a2d413a4f4fc41e085be2ede089)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 51968bd..b49fe87 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1560,7 +1560,6 @@ DxeImageVerificationHandler (
|
||||
IN BOOLEAN BootPolicy
|
||||
)
|
||||
{
|
||||
- EFI_STATUS Status;
|
||||
EFI_IMAGE_DOS_HEADER *DosHdr;
|
||||
BOOLEAN IsVerified;
|
||||
EFI_SIGNATURE_LIST *SignatureList;
|
||||
@@ -1588,7 +1587,6 @@ DxeImageVerificationHandler (
|
||||
SecDataDir = NULL;
|
||||
PkcsCertData = NULL;
|
||||
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
|
||||
- Status = EFI_ACCESS_DENIED;
|
||||
IsVerified = FALSE;
|
||||
|
||||
|
||||
@@ -1880,13 +1878,12 @@ Failed:
|
||||
DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr));
|
||||
FreePool(NameStr);
|
||||
}
|
||||
- Status = EFI_SECURITY_VIOLATION;
|
||||
|
||||
if (SignatureList != NULL) {
|
||||
FreePool (SignatureList);
|
||||
}
|
||||
|
||||
- return Status;
|
||||
+ return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,103 +0,0 @@
|
||||
From ff8b6134756fca6b0c55fedc76aeb5000f783875 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:48 +0100
|
||||
Subject: [PATCH 12/12] SecurityPkg/DxeImageVerificationHandler: fix "defer"
|
||||
vs. "deny" policies
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-13-lersek@redhat.com>
|
||||
Patchwork-id: 93620
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 12/12] SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
In DxeImageVerificationHandler(), we should return EFI_SECURITY_VIOLATION
|
||||
for a rejected image only if the platform sets
|
||||
DEFER_EXECUTE_ON_SECURITY_VIOLATION as the policy for the image's source.
|
||||
Otherwise, EFI_ACCESS_DENIED must be returned.
|
||||
|
||||
Right now, EFI_SECURITY_VIOLATION is returned for all rejected images,
|
||||
which is wrong -- it causes LoadImage() to hold on to rejected images (in
|
||||
untrusted state), for further platform actions. However, if a platform
|
||||
already set DENY_EXECUTE_ON_SECURITY_VIOLATION, the platform will not
|
||||
expect the rejected image to stick around in memory (regardless of its
|
||||
untrusted state).
|
||||
|
||||
Therefore, adhere to the platform policy in the return value of the
|
||||
DxeImageVerificationHandler() function.
|
||||
|
||||
Furthermore, according to "32.4.2 Image Execution Information Table" in
|
||||
the UEFI v2.8 spec, and considering that edk2 only supports (AuditMode==0)
|
||||
at the moment:
|
||||
|
||||
> When AuditMode==0, if the image's signature is not found in the
|
||||
> authorized database, or is found in the forbidden database, the image
|
||||
> will not be started and instead, information about it will be placed in
|
||||
> this table.
|
||||
|
||||
we have to store an EFI_IMAGE_EXECUTION_INFO record in both the "defer"
|
||||
case and the "deny" case. Thus, the AddImageExeInfo() call is not being
|
||||
made conditional on (Policy == DEFER_EXECUTE_ON_SECURITY_VIOLATION); the
|
||||
documentation is updated instead.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Fixes: 5db28a6753d307cdfb1cfdeb2f63739a9f959837
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-12-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 8b0932c19f31cbf9da26d3b8d4e8d954bdbb5269)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 015a5b6..dbfbfcb 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1548,7 +1548,8 @@ Done:
|
||||
execution table.
|
||||
@retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
|
||||
authenticate, and the platform policy dictates that the DXE
|
||||
- Foundation many not use File.
|
||||
+ Foundation may not use File. The image has
|
||||
+ been added to the file execution table.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
@@ -1872,7 +1873,8 @@ DxeImageVerificationHandler (
|
||||
|
||||
Failed:
|
||||
//
|
||||
- // Policy decides to defer or reject the image; add its information in image executable information table.
|
||||
+ // Policy decides to defer or reject the image; add its information in image
|
||||
+ // executable information table in either case.
|
||||
//
|
||||
NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
|
||||
AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
|
||||
@@ -1885,7 +1887,10 @@ Failed:
|
||||
FreePool (SignatureList);
|
||||
}
|
||||
|
||||
- return EFI_SECURITY_VIOLATION;
|
||||
+ if (Policy == DEFER_EXECUTE_ON_SECURITY_VIOLATION) {
|
||||
+ return EFI_SECURITY_VIOLATION;
|
||||
+ }
|
||||
+ return EFI_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,87 +0,0 @@
|
||||
From d9f12d175da2d203be078d03c9127293ea6fe86b Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:47 +0100
|
||||
Subject: [PATCH 11/12] SecurityPkg/DxeImageVerificationHandler: fix imgexec
|
||||
info on memalloc fail
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-12-lersek@redhat.com>
|
||||
Patchwork-id: 93618
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 11/12] SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
It makes no sense to call AddImageExeInfo() with (Signature == NULL) and
|
||||
(SignatureSize > 0). AddImageExeInfo() does not crash in such a case -- it
|
||||
avoids the CopyMem() call --, but it creates an invalid
|
||||
EFI_IMAGE_EXECUTION_INFO record. Namely, the
|
||||
"EFI_IMAGE_EXECUTION_INFO.InfoSize" field includes "SignatureSize", but
|
||||
the actual signature bytes are not filled in.
|
||||
|
||||
Document and ASSERT() this condition in AddImageExeInfo().
|
||||
|
||||
In DxeImageVerificationHandler(), zero out "SignatureListSize" if we set
|
||||
"SignatureList" to NULL due to AllocateZeroPool() failure.
|
||||
|
||||
(Another approach could be to avoid calling AddImageExeInfo() completely,
|
||||
in case AllocateZeroPool() fails. Unfortunately, the UEFI v2.8 spec does
|
||||
not seem to state clearly whether a signature is mandatory in
|
||||
EFI_IMAGE_EXECUTION_INFO, if the "Action" field is
|
||||
EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED or EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND.
|
||||
|
||||
For now, the EFI_IMAGE_EXECUTION_INFO addition logic is not changed; we
|
||||
only make sure that the record we add is not malformed.)
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-11-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 6aa31db5ebebe18b55aa5359142223a03592416f)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index c98b9e4..015a5b6 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -704,7 +704,7 @@ GetImageExeInfoTableSize (
|
||||
@param[in] Name Input a null-terminated, user-friendly name.
|
||||
@param[in] DevicePath Input device path pointer.
|
||||
@param[in] Signature Input signature info in EFI_SIGNATURE_LIST data structure.
|
||||
- @param[in] SignatureSize Size of signature.
|
||||
+ @param[in] SignatureSize Size of signature. Must be zero if Signature is NULL.
|
||||
|
||||
**/
|
||||
VOID
|
||||
@@ -761,6 +761,7 @@ AddImageExeInfo (
|
||||
//
|
||||
// Signature size can be odd. Pad after signature to ensure next EXECUTION_INFO entry align
|
||||
//
|
||||
+ ASSERT (Signature != NULL || SignatureSize == 0);
|
||||
NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;
|
||||
|
||||
NewImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize + NewImageExeInfoEntrySize);
|
||||
@@ -1858,6 +1859,7 @@ DxeImageVerificationHandler (
|
||||
SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
if (SignatureList == NULL) {
|
||||
+ SignatureListSize = 0;
|
||||
goto Failed;
|
||||
}
|
||||
SignatureList->SignatureHeaderSize = 0;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,64 +0,0 @@
|
||||
From e2efec69c63703c324099b987204a38fdb0d9d6f Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:46 +0100
|
||||
Subject: [PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for
|
||||
(FileBuffer==NULL)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-11-lersek@redhat.com>
|
||||
Patchwork-id: 93613
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL)
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
"FileBuffer" is a non-optional input (pointer) parameter to
|
||||
DxeImageVerificationHandler(). Normally, when an edk2 function receives a
|
||||
NULL argument for such a parameter, we return EFI_INVALID_PARAMETER or
|
||||
RETURN_INVALID_PARAMETER. However, those don't conform to the
|
||||
SECURITY2_FILE_AUTHENTICATION_HANDLER prototype.
|
||||
|
||||
Return EFI_ACCESS_DENIED when "FileBuffer" is NULL; it means that no image
|
||||
has been loaded.
|
||||
|
||||
This patch does not change the control flow in the function, it only
|
||||
changes the "Status" outcome from API-incompatible error codes to
|
||||
EFI_ACCESS_DENIED, under some circumstances.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-10-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 6d57592740cdd0b6868baeef7929d6e6fef7a8e3)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index b49fe87..c98b9e4 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1655,7 +1655,7 @@ DxeImageVerificationHandler (
|
||||
// Read the Dos header.
|
||||
//
|
||||
if (FileBuffer == NULL) {
|
||||
- return EFI_INVALID_PARAMETER;
|
||||
+ return EFI_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
mImageBase = (UINT8 *) FileBuffer;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,71 +0,0 @@
|
||||
From 58902877128851f628fe644a5c71600866317fac Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:42 +0100
|
||||
Subject: [PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on
|
||||
memalloc failure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-7-lersek@redhat.com>
|
||||
Patchwork-id: 93616
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
A SECURITY2_FILE_AUTHENTICATION_HANDLER function is not expected to return
|
||||
EFI_OUT_OF_RESOURCES. We should only return EFI_SUCCESS,
|
||||
EFI_SECURITY_VIOLATION, or EFI_ACCESS_DENIED.
|
||||
|
||||
In case we run out of memory while preparing "SignatureList" for
|
||||
AddImageExeInfo(), we should simply stick with the EFI_ACCESS_DENIED value
|
||||
that is already in "Status" -- from just before the "Action" condition --,
|
||||
and not suppress it with EFI_OUT_OF_RESOURCES.
|
||||
|
||||
This patch does not change the control flow in the function, it only
|
||||
changes the "Status" outcome from API-incompatible error codes to
|
||||
EFI_ACCESS_DENIED, under some circumstances.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-6-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit f891b052c5ec13c1032fb9d340d5262ac1a7e7e1)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 5cc82c1..5f09a66 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1541,7 +1541,6 @@ Done:
|
||||
and non-NULL FileBuffer did authenticate, and the platform
|
||||
policy dictates that the DXE Foundation may execute the image in
|
||||
FileBuffer.
|
||||
- @retval EFI_OUT_RESOURCE Fail to allocate memory.
|
||||
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
|
||||
the platform policy dictates that File should be placed
|
||||
in the untrusted state. The image has been added to the file
|
||||
@@ -1862,7 +1861,6 @@ DxeImageVerificationHandler (
|
||||
SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
if (SignatureList == NULL) {
|
||||
- Status = EFI_OUT_OF_RESOURCES;
|
||||
goto Done;
|
||||
}
|
||||
SignatureList->SignatureHeaderSize = 0;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,97 +0,0 @@
|
||||
From 37b5981bf7eb94314b62810da495d724873d904a Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:40 +0100
|
||||
Subject: [PATCH 04/12] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF
|
||||
info status internal
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-5-lersek@redhat.com>
|
||||
Patchwork-id: 93609
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 04/12] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
The PeCoffLoaderGetImageInfo() function may return various error codes,
|
||||
such as RETURN_INVALID_PARAMETER and RETURN_UNSUPPORTED.
|
||||
|
||||
Such error values should not be assigned to our "Status" variable in the
|
||||
DxeImageVerificationHandler() function, because "Status" generally stands
|
||||
for the main exit value of the function. And
|
||||
SECURITY2_FILE_AUTHENTICATION_HANDLER functions are expected to return one
|
||||
of EFI_SUCCESS, EFI_SECURITY_VIOLATION, and EFI_ACCESS_DENIED only.
|
||||
|
||||
Introduce the "PeCoffStatus" helper variable for keeping the return value
|
||||
of PeCoffLoaderGetImageInfo() internal to the function. If
|
||||
PeCoffLoaderGetImageInfo() fails, we'll jump to the "Done" label with
|
||||
"Status" being EFI_ACCESS_DENIED, inherited from the top of the function.
|
||||
|
||||
Note that this is consistent with the subsequent PE/COFF Signature check,
|
||||
where we jump to the "Done" label with "Status" having been re-set to
|
||||
EFI_ACCESS_DENIED.
|
||||
|
||||
As a consequence, we can at once remove the
|
||||
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
|
||||
assignment right after the "PeCoffStatus" check.
|
||||
|
||||
This patch does not change the control flow in the function, it only
|
||||
changes the "Status" outcome from API-incompatible error codes to
|
||||
EFI_ACCESS_DENIED, under some circumstances.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-4-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 61a9fa589a15e9005bec293f9766c78b60fbc9fc)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 8204c9c..e6c8a54 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1580,6 +1580,7 @@ DxeImageVerificationHandler (
|
||||
EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
|
||||
UINT32 OffSet;
|
||||
CHAR16 *NameStr;
|
||||
+ RETURN_STATUS PeCoffStatus;
|
||||
|
||||
SignatureList = NULL;
|
||||
SignatureListSize = 0;
|
||||
@@ -1669,8 +1670,8 @@ DxeImageVerificationHandler (
|
||||
//
|
||||
// Get information about the image being loaded
|
||||
//
|
||||
- Status = PeCoffLoaderGetImageInfo (&ImageContext);
|
||||
- if (EFI_ERROR (Status)) {
|
||||
+ PeCoffStatus = PeCoffLoaderGetImageInfo (&ImageContext);
|
||||
+ if (RETURN_ERROR (PeCoffStatus)) {
|
||||
//
|
||||
// The information can't be got from the invalid PeImage
|
||||
//
|
||||
@@ -1678,8 +1679,6 @@ DxeImageVerificationHandler (
|
||||
goto Done;
|
||||
}
|
||||
|
||||
- Status = EFI_ACCESS_DENIED;
|
||||
-
|
||||
DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;
|
||||
if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
|
||||
//
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,79 +0,0 @@
|
||||
From 73de814a5f30c2c6d82736082c1114a028d12115 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:41 +0100
|
||||
Subject: [PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down
|
||||
PE/COFF hash status
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-6-lersek@redhat.com>
|
||||
Patchwork-id: 93615
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
Inside the "for" loop that scans the signatures of the image, we call
|
||||
HashPeImageByType(), and assign its return value to "Status".
|
||||
|
||||
Beyond the immediate retval check, this assignment is useless (never
|
||||
consumed). That's because a subsequent access to "Status" may only be one
|
||||
of the following:
|
||||
|
||||
- the "Status" assignment when we call HashPeImageByType() in the next
|
||||
iteration of the loop,
|
||||
|
||||
- the "Status = EFI_ACCESS_DENIED" assignment right after the final
|
||||
"IsVerified" check.
|
||||
|
||||
To make it clear that the assignment is only useful for the immediate
|
||||
HashPeImageByType() retval check, introduce a specific helper variable,
|
||||
called "HashStatus".
|
||||
|
||||
This patch is a no-op, functionally.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-5-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 47650a5cab608e07c31d66bdb9b4cc6e58bdf22f)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index e6c8a54..5cc82c1 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1581,6 +1581,7 @@ DxeImageVerificationHandler (
|
||||
UINT32 OffSet;
|
||||
CHAR16 *NameStr;
|
||||
RETURN_STATUS PeCoffStatus;
|
||||
+ EFI_STATUS HashStatus;
|
||||
|
||||
SignatureList = NULL;
|
||||
SignatureListSize = 0;
|
||||
@@ -1802,8 +1803,8 @@ DxeImageVerificationHandler (
|
||||
continue;
|
||||
}
|
||||
|
||||
- Status = HashPeImageByType (AuthData, AuthDataSize);
|
||||
- if (EFI_ERROR (Status)) {
|
||||
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
|
||||
+ if (EFI_ERROR (HashStatus)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,142 +0,0 @@
|
||||
From 5aa2d52451b7890480d31a3437a0024bfd9e1a57 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:39 +0100
|
||||
Subject: [PATCH 03/12] SecurityPkg/DxeImageVerificationHandler: remove "else"
|
||||
after return/break
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-4-lersek@redhat.com>
|
||||
Patchwork-id: 93614
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 03/12] SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
In the code structure
|
||||
|
||||
if (condition) {
|
||||
//
|
||||
// block1
|
||||
//
|
||||
return;
|
||||
} else {
|
||||
//
|
||||
// block2
|
||||
//
|
||||
}
|
||||
|
||||
nesting "block2" in an "else" branch is superfluous, and harms
|
||||
readability. It can be transformed to:
|
||||
|
||||
if (condition) {
|
||||
//
|
||||
// block1
|
||||
//
|
||||
return;
|
||||
}
|
||||
//
|
||||
// block2
|
||||
//
|
||||
|
||||
with identical behavior, and improved readability (less nesting).
|
||||
|
||||
The same applies to "break" (instead of "return") in a loop body.
|
||||
|
||||
Perform these transformations on DxeImageVerificationHandler().
|
||||
|
||||
This patch is a no-op for behavior. Use
|
||||
|
||||
git show -b -W
|
||||
|
||||
for reviewing it more easily.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-3-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit eccb856f013aec700234211e7371f03454ef9d52)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../DxeImageVerificationLib.c | 41 +++++++++++-----------
|
||||
1 file changed, 21 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 5afd723..8204c9c 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1621,7 +1621,8 @@ DxeImageVerificationHandler (
|
||||
//
|
||||
if (Policy == ALWAYS_EXECUTE) {
|
||||
return EFI_SUCCESS;
|
||||
- } else if (Policy == NEVER_EXECUTE) {
|
||||
+ }
|
||||
+ if (Policy == NEVER_EXECUTE) {
|
||||
return EFI_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
@@ -1833,7 +1834,8 @@ DxeImageVerificationHandler (
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
|
||||
IsVerified = FALSE;
|
||||
break;
|
||||
- } else if (!IsVerified) {
|
||||
+ }
|
||||
+ if (!IsVerified) {
|
||||
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
|
||||
IsVerified = TRUE;
|
||||
} else {
|
||||
@@ -1851,25 +1853,24 @@ DxeImageVerificationHandler (
|
||||
|
||||
if (IsVerified) {
|
||||
return EFI_SUCCESS;
|
||||
- } else {
|
||||
- Status = EFI_ACCESS_DENIED;
|
||||
- if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
|
||||
- //
|
||||
- // Get image hash value as signature of executable.
|
||||
- //
|
||||
- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
- SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
- if (SignatureList == NULL) {
|
||||
- Status = EFI_OUT_OF_RESOURCES;
|
||||
- goto Done;
|
||||
- }
|
||||
- SignatureList->SignatureHeaderSize = 0;
|
||||
- SignatureList->SignatureListSize = (UINT32) SignatureListSize;
|
||||
- SignatureList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize);
|
||||
- CopyMem (&SignatureList->SignatureType, &mCertType, sizeof (EFI_GUID));
|
||||
- Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignatureList + sizeof (EFI_SIGNATURE_LIST));
|
||||
- CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
|
||||
+ }
|
||||
+ Status = EFI_ACCESS_DENIED;
|
||||
+ if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
|
||||
+ //
|
||||
+ // Get image hash value as signature of executable.
|
||||
+ //
|
||||
+ SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
+ SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
+ if (SignatureList == NULL) {
|
||||
+ Status = EFI_OUT_OF_RESOURCES;
|
||||
+ goto Done;
|
||||
}
|
||||
+ SignatureList->SignatureHeaderSize = 0;
|
||||
+ SignatureList->SignatureListSize = (UINT32) SignatureListSize;
|
||||
+ SignatureList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize);
|
||||
+ CopyMem (&SignatureList->SignatureType, &mCertType, sizeof (EFI_GUID));
|
||||
+ Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignatureList + sizeof (EFI_SIGNATURE_LIST));
|
||||
+ CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
|
||||
}
|
||||
|
||||
Done:
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,55 +0,0 @@
|
||||
From d25dc10aa262b33794f16b75a0ada3aad507abe7 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:43 +0100
|
||||
Subject: [PATCH 07/12] SecurityPkg/DxeImageVerificationHandler: remove
|
||||
superfluous Status setting
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-8-lersek@redhat.com>
|
||||
Patchwork-id: 93617
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 07/12] SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
After the final "IsVerified" check, we set "Status" to EFI_ACCESS_DENIED.
|
||||
This is superfluous, as "Status" already carries EFI_ACCESS_DENIED value
|
||||
there, from the top of the function. Remove the assignment.
|
||||
|
||||
Functionally, this change is a no-op.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-7-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 12a4ef58a8b1f8610f6f7cd3ffb973f924f175fb)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 5f09a66..6ccce1f 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1853,7 +1853,6 @@ DxeImageVerificationHandler (
|
||||
if (IsVerified) {
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
- Status = EFI_ACCESS_DENIED;
|
||||
if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
|
||||
//
|
||||
// Get image hash value as signature of executable.
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,119 +0,0 @@
|
||||
From cd4f4b384857f4295d336d66fc8693348ef08a33 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:38 +0100
|
||||
Subject: [PATCH 02/12] SecurityPkg/DxeImageVerificationHandler: simplify
|
||||
"VerifyStatus"
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-3-lersek@redhat.com>
|
||||
Patchwork-id: 93611
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 02/12] SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus"
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
In the DxeImageVerificationHandler() function, the "VerifyStatus" variable
|
||||
can only contain one of two values: EFI_SUCCESS and EFI_ACCESS_DENIED.
|
||||
Furthermore, the variable is only consumed with EFI_ERROR().
|
||||
|
||||
Therefore, using the EFI_STATUS type for the variable is unnecessary.
|
||||
Worse, given the complex meanings of the function's return values, using
|
||||
EFI_STATUS for "VerifyStatus" is actively confusing.
|
||||
|
||||
Rename the variable to "IsVerified", and make it a simple BOOLEAN.
|
||||
|
||||
This patch is a no-op, regarding behavior.
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-2-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit 1e0f973b65c34841288c25fd441a37eec8a30ac7)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../DxeImageVerificationLib.c | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index a0a12b5..5afd723 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1563,7 +1563,7 @@ DxeImageVerificationHandler (
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
EFI_IMAGE_DOS_HEADER *DosHdr;
|
||||
- EFI_STATUS VerifyStatus;
|
||||
+ BOOLEAN IsVerified;
|
||||
EFI_SIGNATURE_LIST *SignatureList;
|
||||
UINTN SignatureListSize;
|
||||
EFI_SIGNATURE_DATA *Signature;
|
||||
@@ -1588,7 +1588,7 @@ DxeImageVerificationHandler (
|
||||
PkcsCertData = NULL;
|
||||
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
- VerifyStatus = EFI_ACCESS_DENIED;
|
||||
+ IsVerified = FALSE;
|
||||
|
||||
|
||||
//
|
||||
@@ -1812,16 +1812,16 @@ DxeImageVerificationHandler (
|
||||
//
|
||||
if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
|
||||
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
|
||||
- VerifyStatus = EFI_ACCESS_DENIED;
|
||||
+ IsVerified = FALSE;
|
||||
break;
|
||||
}
|
||||
|
||||
//
|
||||
// Check the digital signature against the valid certificate in allowed database (db).
|
||||
//
|
||||
- if (EFI_ERROR (VerifyStatus)) {
|
||||
+ if (!IsVerified) {
|
||||
if (IsAllowedByDb (AuthData, AuthDataSize)) {
|
||||
- VerifyStatus = EFI_SUCCESS;
|
||||
+ IsVerified = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1831,11 +1831,11 @@ DxeImageVerificationHandler (
|
||||
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
|
||||
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
|
||||
- VerifyStatus = EFI_ACCESS_DENIED;
|
||||
+ IsVerified = FALSE;
|
||||
break;
|
||||
- } else if (EFI_ERROR (VerifyStatus)) {
|
||||
+ } else if (!IsVerified) {
|
||||
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
|
||||
- VerifyStatus = EFI_SUCCESS;
|
||||
+ IsVerified = TRUE;
|
||||
} else {
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
|
||||
}
|
||||
@@ -1846,10 +1846,10 @@ DxeImageVerificationHandler (
|
||||
//
|
||||
// The Size in Certificate Table or the attribute certificate table is corrupted.
|
||||
//
|
||||
- VerifyStatus = EFI_ACCESS_DENIED;
|
||||
+ IsVerified = FALSE;
|
||||
}
|
||||
|
||||
- if (!EFI_ERROR (VerifyStatus)) {
|
||||
+ if (IsVerified) {
|
||||
return EFI_SUCCESS;
|
||||
} else {
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,139 +0,0 @@
|
||||
From 3e06fe42d63856e48c6457dbb7e816b82416c9ca Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:44 +0100
|
||||
Subject: [PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest
|
||||
AddImageExeInfo() call
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-9-lersek@redhat.com>
|
||||
Patchwork-id: 93610
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
Before the "Done" label at the end of DxeImageVerificationHandler(), we
|
||||
now have a single access to "Status": we set "Status" to EFI_ACCESS_DENIED
|
||||
at the top of the function. Therefore, the (Status != EFI_SUCCESS)
|
||||
condition is always true under the "Done" label.
|
||||
|
||||
Accordingly, unnest the AddImageExeInfo() call dependent on that
|
||||
condition, remove the condition, and also rename the "Done" label to
|
||||
"Failed".
|
||||
|
||||
Functionally, this patch is a no-op. It's easier to review with:
|
||||
|
||||
git show -b -W
|
||||
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200116190705.18816-8-lersek@redhat.com>
|
||||
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
[lersek@redhat.com: replace EFI_D_INFO w/ DEBUG_INFO for PatchCheck.py]
|
||||
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
||||
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
||||
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
||||
(cherry picked from commit c602e97446a8e818bf09182f5dc9f3fa409ece95)
|
||||
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../DxeImageVerificationLib.c | 34 ++++++++++------------
|
||||
1 file changed, 16 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index 6ccce1f..51968bd 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -1676,7 +1676,7 @@ DxeImageVerificationHandler (
|
||||
// The information can't be got from the invalid PeImage
|
||||
//
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: PeImage invalid. Cannot retrieve image information.\n"));
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
|
||||
DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;
|
||||
@@ -1698,7 +1698,7 @@ DxeImageVerificationHandler (
|
||||
// It is not a valid Pe/Coff file.
|
||||
//
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Not a valid PE/COFF image.\n"));
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
|
||||
if (mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
|
||||
@@ -1729,7 +1729,7 @@ DxeImageVerificationHandler (
|
||||
//
|
||||
if (!HashPeImage (HASHALG_SHA256)) {
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
|
||||
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
|
||||
@@ -1737,7 +1737,7 @@ DxeImageVerificationHandler (
|
||||
// Image Hash is in forbidden database (DBX).
|
||||
//
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
|
||||
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
|
||||
@@ -1751,7 +1751,7 @@ DxeImageVerificationHandler (
|
||||
// Image Hash is not found in both forbidden and allowed database.
|
||||
//
|
||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
|
||||
//
|
||||
@@ -1860,7 +1860,7 @@ DxeImageVerificationHandler (
|
||||
SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
if (SignatureList == NULL) {
|
||||
- goto Done;
|
||||
+ goto Failed;
|
||||
}
|
||||
SignatureList->SignatureHeaderSize = 0;
|
||||
SignatureList->SignatureListSize = (UINT32) SignatureListSize;
|
||||
@@ -1870,19 +1870,17 @@ DxeImageVerificationHandler (
|
||||
CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
|
||||
}
|
||||
|
||||
-Done:
|
||||
- if (Status != EFI_SUCCESS) {
|
||||
- //
|
||||
- // Policy decides to defer or reject the image; add its information in image executable information table.
|
||||
- //
|
||||
- NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
|
||||
- AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
|
||||
- if (NameStr != NULL) {
|
||||
- DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr));
|
||||
- FreePool(NameStr);
|
||||
- }
|
||||
- Status = EFI_SECURITY_VIOLATION;
|
||||
+Failed:
|
||||
+ //
|
||||
+ // Policy decides to defer or reject the image; add its information in image executable information table.
|
||||
+ //
|
||||
+ NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
|
||||
+ AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
|
||||
+ if (NameStr != NULL) {
|
||||
+ DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr));
|
||||
+ FreePool(NameStr);
|
||||
}
|
||||
+ Status = EFI_SECURITY_VIOLATION;
|
||||
|
||||
if (SignatureList != NULL) {
|
||||
FreePool (SignatureList);
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,103 +0,0 @@
|
||||
From 7f364d9a95905efee0a8b46e4108042aaebe7849 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 12:42:37 +0100
|
||||
Subject: [PATCH 01/12] SecurityPkg: Fix spelling errors [PARTIAL PICK]
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200131124248.22369-2-lersek@redhat.com>
|
||||
Patchwork-id: 93612
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 01/12] SecurityPkg: Fix spelling errors [PARTIAL PICK]
|
||||
Bugzilla: 1751993
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
From: Sean Brogan <sean.brogan@microsoft.com>
|
||||
|
||||
--v-- RHEL-8 note start --v--
|
||||
|
||||
This is a partial cherry-pick, restricted to
|
||||
"SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c".
|
||||
|
||||
The upstream patch has a super-ugly diffstat (81 files changed, 205
|
||||
insertions(+), 205 deletions(-)), fixing spelling errors all over
|
||||
SecurityPkg in one go. It doesn't apply cleanly down-stream, and I don't
|
||||
want to pick more (unrelated) SecurityPkg dependencies for this backport
|
||||
series.
|
||||
|
||||
Thus, the only alternative to this partial cherry-pick would be resolving
|
||||
conflicts over the rest of this series. That's obviously worse than a
|
||||
partial typo fix backport. At the next rebase, we're going to drop this
|
||||
patch and the rest of the backport series alike, anyway.
|
||||
|
||||
--^-- RHEL-8 note end --^--
|
||||
|
||||
https://bugzilla.tianocore.org/show_bug.cgi?id=2265
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Cc: Jian J Wang <jian.j.wang@intel.com>
|
||||
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
||||
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
|
||||
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
|
||||
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
||||
(cherry picked from commit d6b926e76e3d639ac37610e97d33ff9e3a6281eb)
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
index fe4cdcc..a0a12b5 100644
|
||||
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||
@@ -745,7 +745,7 @@ AddImageExeInfo (
|
||||
if (ImageExeInfoTable != NULL) {
|
||||
//
|
||||
// The table has been found!
|
||||
- // We must enlarge the table to accomodate the new exe info entry.
|
||||
+ // We must enlarge the table to accommodate the new exe info entry.
|
||||
//
|
||||
ImageExeInfoTableSize = GetImageExeInfoTableSize (ImageExeInfoTable);
|
||||
} else {
|
||||
@@ -947,7 +947,7 @@ Done:
|
||||
|
||||
@param[in] VariableName Name of database variable that is searched in.
|
||||
@param[in] Signature Pointer to signature that is searched for.
|
||||
- @param[in] CertType Pointer to hash algrithom.
|
||||
+ @param[in] CertType Pointer to hash algorithm.
|
||||
@param[in] SignatureSize Size of Signature.
|
||||
|
||||
@return TRUE Found the signature in the variable database.
|
||||
@@ -992,7 +992,7 @@ IsSignatureFoundInDatabase (
|
||||
goto Done;
|
||||
}
|
||||
//
|
||||
- // Enumerate all signature data in SigDB to check if executable's signature exists.
|
||||
+ // Enumerate all signature data in SigDB to check if signature exists for executable.
|
||||
//
|
||||
CertList = (EFI_SIGNATURE_LIST *) Data;
|
||||
while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {
|
||||
@@ -1844,7 +1844,7 @@ DxeImageVerificationHandler (
|
||||
|
||||
if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
|
||||
//
|
||||
- // The Size in Certificate Table or the attribute certicate table is corrupted.
|
||||
+ // The Size in Certificate Table or the attribute certificate table is corrupted.
|
||||
//
|
||||
VerifyStatus = EFI_ACCESS_DENIED;
|
||||
}
|
||||
@@ -1855,7 +1855,7 @@ DxeImageVerificationHandler (
|
||||
Status = EFI_ACCESS_DENIED;
|
||||
if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
|
||||
//
|
||||
- // Get image hash value as executable's signature.
|
||||
+ // Get image hash value as signature of executable.
|
||||
//
|
||||
SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
|
||||
SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,84 @@
|
||||
From cbce29f7749477e271f9764fed82de94724af5df Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 24 Jun 2020 11:40:09 +0200
|
||||
Subject: [PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent
|
||||
aa64 build (RH)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200615080105.11859-4-lersek@redhat.com>
|
||||
Patchwork-id: 97534
|
||||
O-Subject: [RHEL-8.3.0 edk2 PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build (RH)
|
||||
Bugzilla: 1844682
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
|
||||
If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED,
|
||||
so that the DXE Core can unload it. However, the associated error message,
|
||||
logged by the DXE Core to the serial console, is not desired in the silent
|
||||
edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out
|
||||
of the ordinary. Therefore, return success and stay resident. The wasted
|
||||
guest RAM still gets freed after ExitBootServices().
|
||||
|
||||
(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++
|
||||
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 +
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
|
||||
index 9a5f987e68..da2153cb25 100644
|
||||
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
|
||||
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
|
||||
@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#include <Protocol/ResetNotification.h>
|
||||
|
||||
#include <Library/DebugLib.h>
|
||||
+#include <Library/DebugPrintErrorLevelLib.h>
|
||||
#include <Library/BaseMemoryLib.h>
|
||||
#include <Library/UefiRuntimeServicesTableLib.h>
|
||||
#include <Library/UefiDriverEntryPoint.h>
|
||||
@@ -2642,6 +2643,22 @@ DriverEntry (
|
||||
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
|
||||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
|
||||
DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
|
||||
+#if defined (MDE_CPU_AARCH64)
|
||||
+ //
|
||||
+ // RHBZ#1844682
|
||||
+ //
|
||||
+ // If swtpm / vTPM2 is not being used, this driver should return
|
||||
+ // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the
|
||||
+ // associated error message, logged by the DXE Core to the serial console,
|
||||
+ // is not desired in the silent edk2-aarch64 build, given that the absence
|
||||
+ // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return
|
||||
+ // success and stay resident. The wasted guest RAM still gets freed after
|
||||
+ // ExitBootServices().
|
||||
+ //
|
||||
+ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
|
||||
+ return EFI_SUCCESS;
|
||||
+ }
|
||||
+#endif
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
|
||||
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
|
||||
index 576cf80d06..851471afb7 100644
|
||||
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
|
||||
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
|
||||
@@ -55,6 +55,7 @@
|
||||
UefiRuntimeServicesTableLib
|
||||
BaseMemoryLib
|
||||
DebugLib
|
||||
+ DebugPrintErrorLevelLib
|
||||
Tpm2CommandLib
|
||||
PrintLib
|
||||
UefiLib
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,152 +0,0 @@
|
||||
From 2613601640be75f79e9dd8d2db21ad45d227d907 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 11:33:43 +0100
|
||||
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: fix 2M->4K page splitting
|
||||
regression for PDEs
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200117113343.30392-2-lersek@redhat.com>
|
||||
Patchwork-id: 93389
|
||||
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/1] UefiCpuPkg/PiSmmCpuDxeSmm: fix 2M->4K page splitting regression for PDEs
|
||||
Bugzilla: 1789335
|
||||
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
|
||||
In commit 4eee0cc7cc0d ("UefiCpuPkg/PiSmmCpu: Enable 5 level paging when
|
||||
CPU supports", 2019-07-12), the Page Directory Entry setting was regressed
|
||||
(corrupted) when splitting a 2MB page to 512 4KB pages, in the
|
||||
InitPaging() function.
|
||||
|
||||
Consider the following hunk, displayed with
|
||||
|
||||
$ git show --function-context --ignore-space-change 4eee0cc7cc0db
|
||||
|
||||
> //
|
||||
> // If it is 2M page, check IsAddressSplit()
|
||||
> //
|
||||
> if (((*Pd & IA32_PG_PS) != 0) && IsAddressSplit (Address)) {
|
||||
> //
|
||||
> // Based on current page table, create 4KB page table for split area.
|
||||
> //
|
||||
> ASSERT (Address == (*Pd & PHYSICAL_ADDRESS_MASK));
|
||||
>
|
||||
> Pt = AllocatePageTableMemory (1);
|
||||
> ASSERT (Pt != NULL);
|
||||
>
|
||||
> + *Pd = (UINTN) Pt | IA32_PG_RW | IA32_PG_P;
|
||||
> +
|
||||
> // Split it
|
||||
> - for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++) {
|
||||
> - Pt[PtIndex] = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS);
|
||||
> + for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++, Pt++) {
|
||||
> + *Pt = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS);
|
||||
> } // end for PT
|
||||
> *Pd = (UINT64)(UINTN)Pt | mAddressEncMask | PAGE_ATTRIBUTE_BITS;
|
||||
> } // end if IsAddressSplit
|
||||
> } // end for PD
|
||||
|
||||
First, the new assignment to the Page Directory Entry (*Pd) is
|
||||
superfluous. That's because (a) we set (*Pd) after the Page Table Entry
|
||||
loop anyway, and (b) here we do not attempt to access the memory starting
|
||||
at "Address" (which is mapped by the original value of the Page Directory
|
||||
Entry).
|
||||
|
||||
Second, appending "Pt++" to the incrementing expression of the PTE loop is
|
||||
a bug. It causes "Pt" to point *right past* the just-allocated Page Table,
|
||||
once we finish the loop. But the PDE assignment that immediately follows
|
||||
the loop assumes that "Pt" still points to the *start* of the new Page
|
||||
Table.
|
||||
|
||||
The result is that the originally mapped 2MB page disappears from the
|
||||
processor's view. The PDE now points to a "Page Table" that is filled with
|
||||
garbage. The random entries in that "Page Table" will cause some virtual
|
||||
addresses in the original 2MB area to fault. Other virtual addresses in
|
||||
the same range will no longer have a 1:1 physical mapping, but be
|
||||
scattered over random physical page frames.
|
||||
|
||||
The second phase of the InitPaging() function ("Go through page table and
|
||||
set several page table entries to absent or execute-disable") already
|
||||
manipulates entries in wrong Page Tables, for such PDEs that got split in
|
||||
the first phase.
|
||||
|
||||
This issue has been caught as follows:
|
||||
|
||||
- OVMF is started with 2001 MB of guest RAM.
|
||||
|
||||
- This places the main SMRAM window at 0x7C10_1000.
|
||||
|
||||
- The SMRAM management in the SMM Core links this SMRAM window into
|
||||
"mSmmMemoryMap", with a FREE_PAGE_LIST record placed at the start of the
|
||||
area.
|
||||
|
||||
- At "SMM Ready To Lock" time, PiSmmCpuDxeSmm calls InitPaging(). The
|
||||
first phase (quoted above) decides to split the 2MB page at 0x7C00_0000
|
||||
into 512 4KB pages, and corrupts the PDE. The new Page Table is
|
||||
allocated at 0x7CE0_D000, but the PDE is set to 0x7CE0_E000 (plus
|
||||
attributes 0x67).
|
||||
|
||||
- Due to the corrupted PDE, the second phase of InitPaging() already looks
|
||||
up the PTE for Address=0x7C10_1000 in the wrong place. The second phase
|
||||
goes on to mark bogus PTEs as "NX".
|
||||
|
||||
- PiSmmCpuDxeSmm calls SetMemMapAttributes(). Address 0x7C10_1000 is at
|
||||
the base of the SMRAM window, therefore it happens to be listed in the
|
||||
SMRAM map as an EfiConventionalMemory region. SetMemMapAttributes()
|
||||
calls SmmSetMemoryAttributes() to mark the region as XP. However,
|
||||
GetPageTableEntry() in ConvertMemoryPageAttributes() fails -- address
|
||||
0x7C10_1000 is no longer mapped by anything! -- and so the attribute
|
||||
setting fails with RETURN_UNSUPPORTED. This error goes unnoticed, as
|
||||
SetMemMapAttributes() ignores the return value of
|
||||
SmmSetMemoryAttributes().
|
||||
|
||||
- When SetMemMapAttributes() reaches another entry in the SMRAM map,
|
||||
ConvertMemoryPageAttributes() decides it needs to split a 2MB page, and
|
||||
calls SplitPage().
|
||||
|
||||
- SplitPage() calls AllocatePageTableMemory() for the new Page Table,
|
||||
which takes us to InternalAllocMaxAddress() in the SMM Core.
|
||||
|
||||
- The SMM core attempts to read the FREE_PAGE_LIST record at 0x7C10_1000.
|
||||
Because this virtual address is no longer mapped, the firmware crashes
|
||||
in InternalAllocMaxAddress(), when accessing (Pages->NumberOfPages).
|
||||
|
||||
Remove the useless assignment to (*Pd) from before the loop. Revert the
|
||||
loop incrementing and the PTE assignment to the known good version.
|
||||
|
||||
Cc: Eric Dong <eric.dong@intel.com>
|
||||
Cc: Ray Ni <ray.ni@intel.com>
|
||||
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1789335
|
||||
Fixes: 4eee0cc7cc0db74489b99c19eba056b53eda6358
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
|
||||
Reviewed-by: Ray Ni <ray.ni@intel.com>
|
||||
(cherry picked from commit a5235562444021e9c5aff08f45daa6b5b7952c7a)
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
|
||||
index c513152..c47b557 100644
|
||||
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
|
||||
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
|
||||
@@ -657,11 +657,9 @@ InitPaging (
|
||||
Pt = AllocatePageTableMemory (1);
|
||||
ASSERT (Pt != NULL);
|
||||
|
||||
- *Pd = (UINTN) Pt | IA32_PG_RW | IA32_PG_P;
|
||||
-
|
||||
// Split it
|
||||
- for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++, Pt++) {
|
||||
- *Pt = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS);
|
||||
+ for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++) {
|
||||
+ Pt[PtIndex] = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS);
|
||||
} // end for PT
|
||||
*Pd = (UINT64)(UINTN)Pt | mAddressEncMask | PAGE_ATTRIBUTE_BITS;
|
||||
} // end if IsAddressSplit
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,105 @@
|
||||
From 70c9d989107c6ac964bb437c5a4ea6ffe3214e45 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
Date: Mon, 10 Aug 2020 07:52:28 +0200
|
||||
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before
|
||||
re-fetch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-id: <20200731141037.1941-2-lersek@redhat.com>
|
||||
Patchwork-id: 98121
|
||||
O-Subject: [RHEL-8.3.0 edk2 PATCH 1/1] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before re-fetch
|
||||
Bugzilla: 1861718
|
||||
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
|
||||
|
||||
Most busy waits (spinlocks) in "UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c"
|
||||
already call CpuPause() in their loop bodies; see SmmWaitForApArrival(),
|
||||
APHandler(), and SmiRendezvous(). However, the "main wait" within
|
||||
APHandler():
|
||||
|
||||
> //
|
||||
> // Wait for something to happen
|
||||
> //
|
||||
> WaitForSemaphore (mSmmMpSyncData->CpuData[CpuIndex].Run);
|
||||
|
||||
doesn't do so, as WaitForSemaphore() keeps trying to acquire the semaphore
|
||||
without pausing.
|
||||
|
||||
The performance impact is especially notable in QEMU/KVM + OVMF
|
||||
virtualization with CPU overcommit (that is, when the guest has
|
||||
significantly more VCPUs than the host has physical CPUs). The guest BSP
|
||||
is working heavily in:
|
||||
|
||||
BSPHandler() [MpService.c]
|
||||
PerformRemainingTasks() [PiSmmCpuDxeSmm.c]
|
||||
SetUefiMemMapAttributes() [SmmCpuMemoryManagement.c]
|
||||
|
||||
while the many guest APs are spinning in the "Wait for something to
|
||||
happen" semaphore acquisition, in APHandler(). The guest APs are
|
||||
generating useless memory traffic and saturating host CPUs, hindering the
|
||||
guest BSP's progress in SetUefiMemMapAttributes().
|
||||
|
||||
Rework the loop in WaitForSemaphore(): call CpuPause() in every iteration
|
||||
after the first check fails. Due to Pause Loop Exiting (known as Pause
|
||||
Filter on AMD), the host scheduler can favor the guest BSP over the guest
|
||||
APs.
|
||||
|
||||
Running a 16 GB RAM + 512 VCPU guest on a 448 PCPU host, this patch
|
||||
reduces OVMF boot time (counted until reaching grub) from 20-30 minutes to
|
||||
less than 4 minutes.
|
||||
|
||||
The patch should benefit physical machines as well -- according to the
|
||||
Intel SDM, PAUSE "Improves the performance of spin-wait loops". Adding
|
||||
PAUSE to the generic WaitForSemaphore() function is considered a general
|
||||
improvement.
|
||||
|
||||
Cc: Eric Dong <eric.dong@intel.com>
|
||||
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Cc: Rahul Kumar <rahul1.kumar@intel.com>
|
||||
Cc: Ray Ni <ray.ni@intel.com>
|
||||
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1861718
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20200729185217.10084-1-lersek@redhat.com>
|
||||
Reviewed-by: Eric Dong <eric.dong@intel.com>
|
||||
(cherry picked from commit 9001b750df64b25b14ec45a2efa1361a7b96c00a)
|
||||
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
---
|
||||
UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 18 +++++++++++-------
|
||||
1 file changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
|
||||
index 57e788c..4bcd217 100644
|
||||
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
|
||||
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
|
||||
@@ -40,14 +40,18 @@ WaitForSemaphore (
|
||||
{
|
||||
UINT32 Value;
|
||||
|
||||
- do {
|
||||
+ for (;;) {
|
||||
Value = *Sem;
|
||||
- } while (Value == 0 ||
|
||||
- InterlockedCompareExchange32 (
|
||||
- (UINT32*)Sem,
|
||||
- Value,
|
||||
- Value - 1
|
||||
- ) != Value);
|
||||
+ if (Value != 0 &&
|
||||
+ InterlockedCompareExchange32 (
|
||||
+ (UINT32*)Sem,
|
||||
+ Value,
|
||||
+ Value - 1
|
||||
+ ) == Value) {
|
||||
+ break;
|
||||
+ }
|
||||
+ CpuPause ();
|
||||
+ }
|
||||
return Value - 1;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
134
SPECS/edk2.spec
134
SPECS/edk2.spec
@ -1,13 +1,13 @@
|
||||
ExclusiveArch: x86_64 aarch64
|
||||
|
||||
%define GITDATE 20190829
|
||||
%define GITCOMMIT 37eef91017ad
|
||||
%define GITDATE 20200602
|
||||
%define GITCOMMIT ca407c7246bf
|
||||
%define TOOLCHAIN GCC5
|
||||
%define OPENSSL_VER 1.1.1c
|
||||
|
||||
Name: edk2
|
||||
Version: %{GITDATE}git%{GITCOMMIT}
|
||||
Release: 9%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: UEFI firmware for 64-bit virtual machines
|
||||
Group: Applications/Emulators
|
||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||
@ -29,78 +29,35 @@ Source11: edk2-aarch64.json
|
||||
Source12: edk2-ovmf-sb.json
|
||||
Source13: edk2-ovmf.json
|
||||
|
||||
Patch0001: 0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch
|
||||
Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch
|
||||
Patch0006: 0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
|
||||
Patch0007: 0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
|
||||
Patch0008: 0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
|
||||
Patch0009: 0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
|
||||
Patch0010: 0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
|
||||
Patch0011: 0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
|
||||
Patch0012: 0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
|
||||
Patch0013: 0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
|
||||
Patch0014: 0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
|
||||
Patch0015: 0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
|
||||
Patch0016: 0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
|
||||
Patch0017: 0017-ArmVirtPkg-set-early-hello-message-RH-only.patch
|
||||
Patch0018: 0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
|
||||
Patch0019: 0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
|
||||
Patch0020: 0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
|
||||
Patch0021: 0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
|
||||
Patch0022: 0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
|
||||
Patch0033: 0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch34: edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch35: edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch36: edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch37: edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch38: edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch39: edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch40: edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch
|
||||
# For bz#1536624 - HTTPS enablement in OVMF
|
||||
Patch41: edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch
|
||||
# For bz#1789797 - Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files
|
||||
Patch42: edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch
|
||||
# For bz#1789797 - Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files
|
||||
Patch43: edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch
|
||||
# For bz#1789335 - VM with edk2 can't boot when setting memory with '-m 2001'
|
||||
Patch44: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch45: edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch46: edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch47: edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch48: edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch49: edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch50: edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch51: edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch52: edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch53: edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch54: edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch55: edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch
|
||||
# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]
|
||||
Patch56: edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch
|
||||
# For bz#1801274 - CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8]
|
||||
Patch57: edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch
|
||||
# For bz#1801274 - CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8]
|
||||
Patch58: edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
|
||||
# For bz#1806359 - bochs-display cannot show graphic wihout driver attach
|
||||
Patch59: edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch
|
||||
Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
|
||||
Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
|
||||
Patch0009: 0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
|
||||
Patch0010: 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
|
||||
Patch0011: 0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
|
||||
Patch0012: 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
|
||||
Patch0013: 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
|
||||
Patch0014: 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
|
||||
Patch0015: 0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
|
||||
Patch0016: 0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
|
||||
Patch0017: 0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
|
||||
Patch0018: 0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
|
||||
Patch0019: 0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
|
||||
Patch0020: 0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
|
||||
Patch0021: 0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
|
||||
Patch0022: 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
|
||||
Patch0023: 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
|
||||
Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
|
||||
Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
|
||||
Patch0026: 0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch
|
||||
Patch0027: 0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch
|
||||
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
|
||||
Patch28: edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
|
||||
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
|
||||
Patch29: edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch
|
||||
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
|
||||
Patch30: edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
|
||||
# For bz#1861718 - Very slow boot when overcommitting CPU
|
||||
Patch31: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch
|
||||
|
||||
|
||||
# python3-devel and libuuid-devel are required for building tools.
|
||||
@ -254,6 +211,7 @@ chmod -Rf a+rX,u+w,g-w,o-w .
|
||||
export PYTHON_COMMAND=%{__python3}
|
||||
source ./edksetup.sh
|
||||
make -C "$EDK_TOOLS_PATH" \
|
||||
%{?_smp_mflags} \
|
||||
EXTRA_OPTFLAGS="%{optflags}" \
|
||||
EXTRA_LDFLAGS="%{__global_ldflags}"
|
||||
|
||||
@ -270,13 +228,15 @@ CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE"
|
||||
|
||||
%ifarch x86_64
|
||||
# Build with neither SB nor SMM; include UEFI shell.
|
||||
build ${CC_FLAGS} -D TPM2_ENABLE -D FD_SIZE_4MB -a X64 \
|
||||
build ${CC_FLAGS} -D TPM_ENABLE -D FD_SIZE_4MB -a X64 \
|
||||
-D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \
|
||||
-p OvmfPkg/OvmfPkgX64.dsc
|
||||
|
||||
# Build with SB and SMM; exclude UEFI shell.
|
||||
build -D SECURE_BOOT_ENABLE -D EXCLUDE_SHELL_FROM_FD ${CC_FLAGS} \
|
||||
-a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc -D SMM_REQUIRE \
|
||||
-D TPM2_ENABLE -D FD_SIZE_4MB
|
||||
-D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \
|
||||
-D TPM_ENABLE -D FD_SIZE_4MB
|
||||
|
||||
# Sanity check: the varstore templates must be identical.
|
||||
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
|
||||
@ -330,6 +290,7 @@ cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
|
||||
# Build with a verbose debug mask first, and stash the binary.
|
||||
build ${CC_FLAGS} -a AARCH64 \
|
||||
-p ArmVirtPkg/ArmVirtQemu.dsc \
|
||||
-D TPM2_ENABLE \
|
||||
-D DEBUG_PRINT_ERROR_LEVEL=0x8040004F
|
||||
cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
|
||||
QEMU_EFI.verbose.fd
|
||||
@ -337,6 +298,7 @@ cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
|
||||
# Rebuild with a silent (errors only) debug mask.
|
||||
build ${CC_FLAGS} -a AARCH64 \
|
||||
-p ArmVirtPkg/ArmVirtQemu.dsc \
|
||||
-D TPM2_ENABLE \
|
||||
-D DEBUG_PRINT_ERROR_LEVEL=0x80000000
|
||||
%endif
|
||||
|
||||
@ -500,7 +462,6 @@ install BaseTools/Scripts/GccBase.lds \
|
||||
%files tools
|
||||
%license License.txt
|
||||
%license License-History.txt
|
||||
%{_bindir}/Brotli
|
||||
%{_bindir}/DevicePath
|
||||
%{_bindir}/EfiRom
|
||||
%{_bindir}/GenCrc32
|
||||
@ -546,6 +507,23 @@ true
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 10 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-3.el8
|
||||
- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718]
|
||||
- Resolves: bz#1861718
|
||||
(Very slow boot when overcommitting CPU)
|
||||
|
||||
* Wed Jun 24 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-2.el8
|
||||
- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682]
|
||||
- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682]
|
||||
- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682]
|
||||
- Resolves: bz#1844682
|
||||
(silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors)
|
||||
|
||||
* Sat Jun 13 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el8
|
||||
- Rebase to edk2-stable202005 [bz#1817035]
|
||||
- Resolves: bz#1817035
|
||||
((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3)
|
||||
|
||||
* Fri Mar 27 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-9.el8
|
||||
- edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359]
|
||||
- Resolves: bz#1806359
|
||||
|
Loading…
Reference in New Issue
Block a user