From 0cc2846c541dc54fc39b18a4b6fba47961bfbbc6 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 3 Nov 2020 07:01:14 -0500 Subject: [PATCH] import edk2-20200602gitca407c7246bf-3.el8 --- .edk2.metadata | 2 +- .gitignore | 2 +- ...lLib-Update-process_files.pl-to-gene.patch | 668 ------------------ ...-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch | 159 ----- ...-do-not-build-BrotliCompress-RH-only.patch | 37 + ...ove-package-private-Brotli-include-p.patch | 43 ++ ...-on-TianoCore-splash-screen-boot-lo.patch} | 95 +-- ...max-debug-message-length-to-512-RHE.patch} | 10 +- ...Dxe-enable-debug-messages-in-VbeShi.patch} | 10 +- ...wCfgLib-allow-UEFI_DRIVER-client-mod.patch | 62 -- ...inalDxe-add-other-text-resolutions-.patch} | 12 +- ...inalDxe-set-xterm-resolution-on-mod.patch} | 26 +- ...esizeXterm-from-the-QEMU-command-li.patch} | 38 +- ...cdResizeXterm-from-the-QEMU-command.patch} | 144 ++-- ...lusion-of-the-shell-from-the-firmwa.patch} | 24 +- ...troduce-fixed-PCD-for-early-hello-m.patch} | 12 +- ...ePeiCore-write-early-hello-message-.patch} | 16 +- ...Pkg-set-early-hello-message-RH-only.patch} | 16 +- ...fPkg-enable-DEBUG_VERBOSE-RHEL-only.patch} | 28 +- ...EBUG_VERBOSE-0x00400000-in-QemuVide.patch} | 20 +- ...e-DEBUG_VERBOSE-0x00400000-in-QemuR.patch} | 16 +- ...Dxe-Do-not-report-DXE-failure-on-Aa.patch} | 8 +- ...FI_D_VERBOSE-0x00400000-in-NvmExpre.patch} | 20 +- ...Lib-list-RHEL8-specific-OpenSSL-fil.patch} | 42 +- ...oadImageLib-handle-EFI_ACCESS_DENIED.patch | 83 +++ ...se-generic-QEMU-image-loader-for-sec.patch | 184 +++++ ...rt-import-inet_pton.c-CVE-2019-14553.patch | 338 --------- ...tisfy-inet_pton.c-dependencies-CVE-2.patch | 188 ----- ...rn-strchr-into-a-function-CVE-2019-1.patch | 86 --- ...-Add-the-new-API-TlsSetVerifyHost-CV.patch | 134 ---- ...-TlsSetVerifyHost-parse-IP-address-l.patch | 100 --- ...ble-Disable-S3BootScript-dynamically.patch | 148 ---- ...xeS3BootScriptLib-Fix-potential-nume.patch | 182 ----- ...iBootManagerLib-log-reserved-mem-all.patch | 101 --- ...rotocol-Tls.h-Add-the-data-type-of-E.patch | 156 
---- ...xe-Set-the-HostName-for-the-verifica.patch | 99 --- ...xe-fix-32-bit-truncation-in-HTTPS-do.patch | 120 ---- ...e-Add-the-support-of-host-validation.patch | 117 --- ...emuLoadImageLib-log-Not-Found-at-INF.patch | 50 ++ ...elLoaderFsDxe-suppress-error-on-no-k.patch | 85 +++ ...oDxe-unbreak-secondary-vga-and-bochs.patch | 64 -- ...mageVerificationHandler-eliminate-St.patch | 82 --- ...mageVerificationHandler-fix-defer-vs.patch | 103 --- ...mageVerificationHandler-fix-imgexec-.patch | 87 --- ...mageVerificationHandler-fix-retval-f.patch | 64 -- ...mageVerificationHandler-fix-retval-o.patch | 71 -- ...mageVerificationHandler-keep-PE-COFF.patch | 97 --- ...mageVerificationHandler-narrow-down-.patch | 79 --- ...mageVerificationHandler-remove-else-.patch | 142 ---- ...mageVerificationHandler-remove-super.patch | 55 -- ...mageVerificationHandler-simplify-Ver.patch | 119 ---- ...mageVerificationHandler-unnest-AddIm.patch | 139 ---- ...Pkg-Fix-spelling-errors-PARTIAL-PICK.patch | 103 --- ...Dxe-suppress-error-on-no-swtpm-in-si.patch | 84 +++ ...CpuDxeSmm-fix-2M-4K-page-splitting-r.patch | 152 ---- ...CpuDxeSmm-pause-in-WaitForSemaphore-.patch | 105 +++ SPECS/edk2.spec | 134 ++-- 57 files changed, 1043 insertions(+), 4318 deletions(-) delete mode 100644 SOURCES/0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch delete mode 100644 SOURCES/0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch create mode 100644 SOURCES/0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch create mode 100644 SOURCES/0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch rename SOURCES/{0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch => 0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch} (91%) rename SOURCES/{0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch => 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch} (88%) rename SOURCES/{0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch => 
0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch} (97%) delete mode 100644 SOURCES/0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch rename SOURCES/{0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch => 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch} (94%) rename SOURCES/{0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch => 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch} (86%) rename SOURCES/{0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch => 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch} (81%) rename SOURCES/{0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch => 0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch} (64%) rename SOURCES/{0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch => 0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch} (83%) rename SOURCES/{0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch => 0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch} (89%) rename SOURCES/{0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch => 0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch} (92%) rename SOURCES/{0017-ArmVirtPkg-set-early-hello-message-RH-only.patch => 0019-ArmVirtPkg-set-early-hello-message-RH-only.patch} (78%) rename SOURCES/{0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch => 0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch} (81%) rename SOURCES/{0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch => 0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch} (90%) rename SOURCES/{0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch => 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch} (88%) rename SOURCES/{0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch => 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch} (90%) rename 
SOURCES/{0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch => 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch} (88%) rename SOURCES/{0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch => 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch} (68%) create mode 100644 SOURCES/0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch create mode 100644 SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch delete mode 100644 SOURCES/edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch delete mode 100644 SOURCES/edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch delete mode 100644 SOURCES/edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch delete mode 100644 SOURCES/edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch delete mode 100644 SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch delete mode 100644 SOURCES/edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch delete mode 100644 SOURCES/edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch delete mode 100644 SOURCES/edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch delete mode 100644 SOURCES/edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch delete mode 100644 SOURCES/edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch delete mode 100644 SOURCES/edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch delete mode 100644 SOURCES/edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch create mode 100644 SOURCES/edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch create mode 100644 SOURCES/edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch delete mode 100644 SOURCES/edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch delete mode 100644 
SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch delete mode 100644 SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch delete mode 100644 SOURCES/edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch create mode 100644 SOURCES/edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch delete mode 100644 SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch create mode 100644 SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch
diff --git a/.edk2.metadata b/.edk2.metadata
index aba6cf1..c4a8dfc 100644
--- a/.edk2.metadata
+++ b/.edk2.metadata
@@ -1,2 +1,2 @@
-c7ca6a13a5f9e7fe8071010c26a11ba41548308b SOURCES/edk2-37eef91017ad.tar.xz
+3a531b4e8864ee52b1e128ac9742b3e9dcec49bf SOURCES/edk2-ca407c7246bf.tar.xz
 cb385fc348395c187db3737e532de787ca2a17c9 SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
diff --git a/.gitignore b/.gitignore
index ee17a8c..75c78a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/edk2-37eef91017ad.tar.xz
+SOURCES/edk2-ca407c7246bf.tar.xz
 SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
diff --git a/SOURCES/0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch b/SOURCES/0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch
deleted file mode 100644
index f7ece09..0000000
--- a/SOURCES/0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch
+++ /dev/null
@@ -1,668 +0,0 @@ -From ac1a0b44df858e53be9e8af499e80a459f0cef16 Mon Sep 17 00:00:00 2001 -From: Shenglei Zhang -Date: Tue, 29 Oct 2019 15:43:11 +0000 -Subject: CryptoPkg/OpensslLib: Update process_files.pl to generate .h files - -Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> -RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: - -- New patch (cherry-picked from upstream, to be dropped at the next - downstream rebase). - -- Upstream moved to OpenSSL_1.1.1b (for TianoCore#1089) in release - edk2-stable201905. As part of that OpenSSL update, "OpensslLib.inf" and - "OpensslLibCrypto.inf" failed to list some new header files. - -- As a part of edk2-stable201908, commit 8906f076de35 - ("CryptoPkg/OpensslLib: Add missing header files in INF file", - 2019-08-16) fixed up "OpensslLib.inf" and "OpensslLibCrypto.inf" with - the missing header files, but did so manually. - -- The present patch (which is going to be released in edk2-stable201911) - updates "process_files.pl" to list the subject header files - automatically. - -- This patch is being backported primarily in order to keep further - backports for the modified files conflict-free. It might also come in - handy once we adopt RHEL8's own OpenSSL version (in case we have to - re-run "process_files.pl" ourselves). - -There are missing headers added into INF files at 8906f076de35b222a.. -They are now manually added but not auto-generated. So we update the -perl script to enable this feature. -Meanwhile, update the order of the .h files in INF files, which are -auto-generated now. 
-https://bugzilla.tianocore.org/show_bug.cgi?id=2085 - -Cc: Jian J Wang -Cc: Xiaoyu Lu -Signed-off-by: Shenglei Zhang -Reviewed-by: Jian J Wang -Reviewed-by: Xiaoyu Lu -(cherry picked from commit 9f4fbd56d43054cc73d722c1643659f9741c0fcf) -Signed-off-by: Laszlo Ersek ---- - CryptoPkg/Library/OpensslLib/OpensslLib.inf | 103 +++++++++--------- - .../Library/OpensslLib/OpensslLibCrypto.inf | 96 ++++++++-------- - CryptoPkg/Library/OpensslLib/process_files.pl | 28 +++++ - 3 files changed, 129 insertions(+), 98 deletions(-) - -diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -index 7432321fd4..dd873a0dcd 100644 ---- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf -+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -@@ -34,9 +34,7 @@ - $(OPENSSL_PATH)/crypto/aes/aes_misc.c - $(OPENSSL_PATH)/crypto/aes/aes_ofb.c - $(OPENSSL_PATH)/crypto/aes/aes_wrap.c -- $(OPENSSL_PATH)/crypto/aes/aes_locl.h - $(OPENSSL_PATH)/crypto/aria/aria.c -- $(OPENSSL_PATH)/crypto/arm_arch.h - $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c - $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c - $(OPENSSL_PATH)/crypto/asn1/a_digest.c -@@ -101,21 +99,12 @@ - $(OPENSSL_PATH)/crypto/asn1/x_sig.c - $(OPENSSL_PATH)/crypto/asn1/x_spki.c - $(OPENSSL_PATH)/crypto/asn1/x_val.c -- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h -- $(OPENSSL_PATH)/crypto/asn1/charmap.h -- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h -- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h -- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h - $(OPENSSL_PATH)/crypto/async/arch/async_null.c - $(OPENSSL_PATH)/crypto/async/arch/async_posix.c - $(OPENSSL_PATH)/crypto/async/arch/async_win.c - $(OPENSSL_PATH)/crypto/async/async.c - $(OPENSSL_PATH)/crypto/async/async_err.c - $(OPENSSL_PATH)/crypto/async/async_wait.c -- $(OPENSSL_PATH)/crypto/async/arch/async_win.h -- $(OPENSSL_PATH)/crypto/async/async_locl.h -- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h -- $(OPENSSL_PATH)/crypto/async/arch/async_null.h - 
$(OPENSSL_PATH)/crypto/bio/b_addr.c - $(OPENSSL_PATH)/crypto/bio/b_dump.c - $(OPENSSL_PATH)/crypto/bio/b_sock.c -@@ -138,7 +127,6 @@ - $(OPENSSL_PATH)/crypto/bio/bss_mem.c - $(OPENSSL_PATH)/crypto/bio/bss_null.c - $(OPENSSL_PATH)/crypto/bio/bss_sock.c -- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h - $(OPENSSL_PATH)/crypto/bn/bn_add.c - $(OPENSSL_PATH)/crypto/bn/bn_asm.c - $(OPENSSL_PATH)/crypto/bn/bn_blind.c -@@ -170,9 +158,6 @@ - $(OPENSSL_PATH)/crypto/bn/bn_srp.c - $(OPENSSL_PATH)/crypto/bn/bn_word.c - $(OPENSSL_PATH)/crypto/bn/bn_x931p.c -- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h -- $(OPENSSL_PATH)/crypto/bn/bn_prime.h -- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h - $(OPENSSL_PATH)/crypto/buffer/buf_err.c - $(OPENSSL_PATH)/crypto/buffer/buffer.c - $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c -@@ -181,7 +166,6 @@ - $(OPENSSL_PATH)/crypto/comp/c_zlib.c - $(OPENSSL_PATH)/crypto/comp/comp_err.c - $(OPENSSL_PATH)/crypto/comp/comp_lib.c -- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h - $(OPENSSL_PATH)/crypto/conf/conf_api.c - $(OPENSSL_PATH)/crypto/conf/conf_def.c - $(OPENSSL_PATH)/crypto/conf/conf_err.c -@@ -190,8 +174,6 @@ - $(OPENSSL_PATH)/crypto/conf/conf_mod.c - $(OPENSSL_PATH)/crypto/conf/conf_sap.c - $(OPENSSL_PATH)/crypto/conf/conf_ssl.c -- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h -- $(OPENSSL_PATH)/crypto/conf/conf_def.h - $(OPENSSL_PATH)/crypto/cpt_err.c - $(OPENSSL_PATH)/crypto/cryptlib.c - $(OPENSSL_PATH)/crypto/ctype.c -@@ -215,8 +197,6 @@ - $(OPENSSL_PATH)/crypto/des/set_key.c - $(OPENSSL_PATH)/crypto/des/str2key.c - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c -- $(OPENSSL_PATH)/crypto/des/spr.h -- $(OPENSSL_PATH)/crypto/des/des_locl.h - $(OPENSSL_PATH)/crypto/dh/dh_ameth.c - $(OPENSSL_PATH)/crypto/dh/dh_asn1.c - $(OPENSSL_PATH)/crypto/dh/dh_check.c -@@ -231,7 +211,6 @@ - $(OPENSSL_PATH)/crypto/dh/dh_prn.c - $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c - $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c -- $(OPENSSL_PATH)/crypto/dh/dh_locl.h - $(OPENSSL_PATH)/crypto/dso/dso_dl.c - 
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c - $(OPENSSL_PATH)/crypto/dso/dso_err.c -@@ -239,7 +218,6 @@ - $(OPENSSL_PATH)/crypto/dso/dso_openssl.c - $(OPENSSL_PATH)/crypto/dso/dso_vms.c - $(OPENSSL_PATH)/crypto/dso/dso_win32.c -- $(OPENSSL_PATH)/crypto/dso/dso_locl.h - $(OPENSSL_PATH)/crypto/ebcdic.c - $(OPENSSL_PATH)/crypto/err/err.c - $(OPENSSL_PATH)/crypto/err/err_prn.c -@@ -304,13 +282,11 @@ - $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c - $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c - $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c -- $(OPENSSL_PATH)/crypto/evp/evp_locl.h - $(OPENSSL_PATH)/crypto/ex_data.c - $(OPENSSL_PATH)/crypto/getenv.c - $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c - $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c - $(OPENSSL_PATH)/crypto/hmac/hmac.c -- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h - $(OPENSSL_PATH)/crypto/init.c - $(OPENSSL_PATH)/crypto/kdf/hkdf.c - $(OPENSSL_PATH)/crypto/kdf/kdf_err.c -@@ -318,13 +294,10 @@ - $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c - $(OPENSSL_PATH)/crypto/lhash/lh_stats.c - $(OPENSSL_PATH)/crypto/lhash/lhash.c -- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h - $(OPENSSL_PATH)/crypto/md4/md4_dgst.c - $(OPENSSL_PATH)/crypto/md4/md4_one.c -- $(OPENSSL_PATH)/crypto/md4/md4_locl.h - $(OPENSSL_PATH)/crypto/md5/md5_dgst.c - $(OPENSSL_PATH)/crypto/md5/md5_one.c -- $(OPENSSL_PATH)/crypto/md5/md5_locl.h - $(OPENSSL_PATH)/crypto/mem.c - $(OPENSSL_PATH)/crypto/mem_clr.c - $(OPENSSL_PATH)/crypto/mem_dbg.c -@@ -339,7 +312,6 @@ - $(OPENSSL_PATH)/crypto/modes/ofb128.c - $(OPENSSL_PATH)/crypto/modes/wrap128.c - $(OPENSSL_PATH)/crypto/modes/xts128.c -- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h - $(OPENSSL_PATH)/crypto/o_dir.c - $(OPENSSL_PATH)/crypto/o_fips.c - $(OPENSSL_PATH)/crypto/o_fopen.c -@@ -351,9 +323,6 @@ - $(OPENSSL_PATH)/crypto/objects/obj_err.c - $(OPENSSL_PATH)/crypto/objects/obj_lib.c - $(OPENSSL_PATH)/crypto/objects/obj_xref.c -- $(OPENSSL_PATH)/crypto/objects/obj_dat.h -- $(OPENSSL_PATH)/crypto/objects/obj_xref.h -- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h - 
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c -@@ -364,7 +333,6 @@ - $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c - $(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c -- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h - $(OPENSSL_PATH)/crypto/pem/pem_all.c - $(OPENSSL_PATH)/crypto/pem/pem_err.c - $(OPENSSL_PATH)/crypto/pem/pem_info.c -@@ -392,7 +360,6 @@ - $(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c - $(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c - $(OPENSSL_PATH)/crypto/pkcs12/pk12err.c -- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h - $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c - $(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c - $(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c -@@ -401,7 +368,6 @@ - $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c - $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c - $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c -- $(OPENSSL_PATH)/crypto/ppc_arch.h - $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c - $(OPENSSL_PATH)/crypto/rand/drbg_lib.c - $(OPENSSL_PATH)/crypto/rand/rand_egd.c -@@ -410,10 +376,8 @@ - $(OPENSSL_PATH)/crypto/rand/rand_unix.c - $(OPENSSL_PATH)/crypto/rand/rand_vms.c - $(OPENSSL_PATH)/crypto/rand/rand_win.c -- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h - $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c - $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c -- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h - $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c - $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c - $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c -@@ -436,24 +400,18 @@ - $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c - $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c - $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c -- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h -- $(OPENSSL_PATH)/crypto/s390x_arch.h - $(OPENSSL_PATH)/crypto/sha/keccak1600.c - $(OPENSSL_PATH)/crypto/sha/sha1_one.c - $(OPENSSL_PATH)/crypto/sha/sha1dgst.c - $(OPENSSL_PATH)/crypto/sha/sha256.c - $(OPENSSL_PATH)/crypto/sha/sha512.c -- $(OPENSSL_PATH)/crypto/sha/sha_locl.h - $(OPENSSL_PATH)/crypto/siphash/siphash.c - 
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c - $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c -- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h - $(OPENSSL_PATH)/crypto/sm3/m_sm3.c - $(OPENSSL_PATH)/crypto/sm3/sm3.c -- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h - $(OPENSSL_PATH)/crypto/sm4/sm4.c - $(OPENSSL_PATH)/crypto/stack/stack.c -- $(OPENSSL_PATH)/crypto/sparc_arch.h - $(OPENSSL_PATH)/crypto/threads_none.c - $(OPENSSL_PATH)/crypto/threads_pthread.c - $(OPENSSL_PATH)/crypto/threads_win.c -@@ -463,8 +421,6 @@ - $(OPENSSL_PATH)/crypto/ui/ui_null.c - $(OPENSSL_PATH)/crypto/ui/ui_openssl.c - $(OPENSSL_PATH)/crypto/ui/ui_util.c -- $(OPENSSL_PATH)/crypto/ui/ui_locl.h -- $(OPENSSL_PATH)/crypto/vms_rms.h - $(OPENSSL_PATH)/crypto/uid.c - $(OPENSSL_PATH)/crypto/x509/by_dir.c - $(OPENSSL_PATH)/crypto/x509/by_file.c -@@ -502,7 +458,6 @@ - $(OPENSSL_PATH)/crypto/x509/x_req.c - $(OPENSSL_PATH)/crypto/x509/x_x509.c - $(OPENSSL_PATH)/crypto/x509/x_x509a.c -- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h - $(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c - $(OPENSSL_PATH)/crypto/x509v3/pcy_data.c - $(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c -@@ -540,11 +495,57 @@ - $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c - $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c - $(OPENSSL_PATH)/crypto/x509v3/v3err.c -+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h -+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h -+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h -+ $(OPENSSL_PATH)/crypto/conf/conf_def.h -+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h -+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h -+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h -+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h -+ $(OPENSSL_PATH)/crypto/store/store_locl.h -+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h -+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h -+ $(OPENSSL_PATH)/crypto/arm_arch.h -+ $(OPENSSL_PATH)/crypto/mips_arch.h -+ $(OPENSSL_PATH)/crypto/ppc_arch.h -+ $(OPENSSL_PATH)/crypto/s390x_arch.h -+ $(OPENSSL_PATH)/crypto/sparc_arch.h -+ $(OPENSSL_PATH)/crypto/vms_rms.h -+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h -+ 
$(OPENSSL_PATH)/crypto/bn/bn_prime.h -+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h -+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h -+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h -+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h -+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h -+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h -+ $(OPENSSL_PATH)/crypto/asn1/charmap.h -+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h -+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h -+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h -+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h -+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h -+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h -+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h -+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h -+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h -+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h -+ $(OPENSSL_PATH)/crypto/des/des_locl.h -+ $(OPENSSL_PATH)/crypto/des/spr.h -+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h -+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h -+ $(OPENSSL_PATH)/crypto/async/async_locl.h -+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h - $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h -- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h - $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h -- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h -- $(OPENSSL_PATH)/ms/uplink.h -+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h -+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h -+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h -+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h - $(OPENSSL_PATH)/ssl/bio_ssl.c - $(OPENSSL_PATH)/ssl/d1_lib.c - $(OPENSSL_PATH)/ssl/d1_msg.c -@@ -589,13 +590,13 @@ - $(OPENSSL_PATH)/ssl/t1_trce.c - $(OPENSSL_PATH)/ssl/tls13_enc.c - $(OPENSSL_PATH)/ssl/tls_srp.c -- $(OPENSSL_PATH)/ssl/record/record_locl.h - $(OPENSSL_PATH)/ssl/statem/statem.h - $(OPENSSL_PATH)/ssl/statem/statem_locl.h -+ $(OPENSSL_PATH)/ssl/packet_locl.h -+ $(OPENSSL_PATH)/ssl/ssl_cert_table.h - 
$(OPENSSL_PATH)/ssl/ssl_locl.h - $(OPENSSL_PATH)/ssl/record/record.h -- $(OPENSSL_PATH)/ssl/ssl_cert_table.h -- $(OPENSSL_PATH)/ssl/packet_locl.h -+ $(OPENSSL_PATH)/ssl/record/record_locl.h - # Autogenerated files list ends here - - ossl_store.c -diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -index 8134b45eda..a1bb560255 100644 ---- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -@@ -33,9 +33,7 @@ - $(OPENSSL_PATH)/crypto/aes/aes_misc.c - $(OPENSSL_PATH)/crypto/aes/aes_ofb.c - $(OPENSSL_PATH)/crypto/aes/aes_wrap.c -- $(OPENSSL_PATH)/crypto/aes/aes_locl.h - $(OPENSSL_PATH)/crypto/aria/aria.c -- $(OPENSSL_PATH)/crypto/arm_arch.h - $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c - $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c - $(OPENSSL_PATH)/crypto/asn1/a_digest.c -@@ -100,21 +98,12 @@ - $(OPENSSL_PATH)/crypto/asn1/x_sig.c - $(OPENSSL_PATH)/crypto/asn1/x_spki.c - $(OPENSSL_PATH)/crypto/asn1/x_val.c -- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h -- $(OPENSSL_PATH)/crypto/asn1/charmap.h -- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h -- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h -- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h - $(OPENSSL_PATH)/crypto/async/arch/async_null.c - $(OPENSSL_PATH)/crypto/async/arch/async_posix.c - $(OPENSSL_PATH)/crypto/async/arch/async_win.c -- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h -- $(OPENSSL_PATH)/crypto/async/arch/async_null.h -- $(OPENSSL_PATH)/crypto/async/arch/async_win.h - $(OPENSSL_PATH)/crypto/async/async.c - $(OPENSSL_PATH)/crypto/async/async_err.c - $(OPENSSL_PATH)/crypto/async/async_wait.c -- $(OPENSSL_PATH)/crypto/async/async_locl.h - $(OPENSSL_PATH)/crypto/bio/b_addr.c - $(OPENSSL_PATH)/crypto/bio/b_dump.c - $(OPENSSL_PATH)/crypto/bio/b_sock.c -@@ -137,7 +126,6 @@ - $(OPENSSL_PATH)/crypto/bio/bss_mem.c - $(OPENSSL_PATH)/crypto/bio/bss_null.c - $(OPENSSL_PATH)/crypto/bio/bss_sock.c -- 
$(OPENSSL_PATH)/crypto/bio/bio_lcl.h - $(OPENSSL_PATH)/crypto/bn/bn_add.c - $(OPENSSL_PATH)/crypto/bn/bn_asm.c - $(OPENSSL_PATH)/crypto/bn/bn_blind.c -@@ -169,9 +157,6 @@ - $(OPENSSL_PATH)/crypto/bn/bn_srp.c - $(OPENSSL_PATH)/crypto/bn/bn_word.c - $(OPENSSL_PATH)/crypto/bn/bn_x931p.c -- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h -- $(OPENSSL_PATH)/crypto/bn/bn_prime.h -- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h - $(OPENSSL_PATH)/crypto/buffer/buf_err.c - $(OPENSSL_PATH)/crypto/buffer/buffer.c - $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c -@@ -180,7 +165,6 @@ - $(OPENSSL_PATH)/crypto/comp/c_zlib.c - $(OPENSSL_PATH)/crypto/comp/comp_err.c - $(OPENSSL_PATH)/crypto/comp/comp_lib.c -- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h - $(OPENSSL_PATH)/crypto/conf/conf_api.c - $(OPENSSL_PATH)/crypto/conf/conf_def.c - $(OPENSSL_PATH)/crypto/conf/conf_err.c -@@ -189,8 +173,6 @@ - $(OPENSSL_PATH)/crypto/conf/conf_mod.c - $(OPENSSL_PATH)/crypto/conf/conf_sap.c - $(OPENSSL_PATH)/crypto/conf/conf_ssl.c -- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h -- $(OPENSSL_PATH)/crypto/conf/conf_def.h - $(OPENSSL_PATH)/crypto/cpt_err.c - $(OPENSSL_PATH)/crypto/cryptlib.c - $(OPENSSL_PATH)/crypto/ctype.c -@@ -214,8 +196,6 @@ - $(OPENSSL_PATH)/crypto/des/set_key.c - $(OPENSSL_PATH)/crypto/des/str2key.c - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c -- $(OPENSSL_PATH)/crypto/des/spr.h -- $(OPENSSL_PATH)/crypto/des/des_locl.h - $(OPENSSL_PATH)/crypto/dh/dh_ameth.c - $(OPENSSL_PATH)/crypto/dh/dh_asn1.c - $(OPENSSL_PATH)/crypto/dh/dh_check.c -@@ -230,7 +210,6 @@ - $(OPENSSL_PATH)/crypto/dh/dh_prn.c - $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c - $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c -- $(OPENSSL_PATH)/crypto/dh/dh_locl.h - $(OPENSSL_PATH)/crypto/dso/dso_dl.c - $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c - $(OPENSSL_PATH)/crypto/dso/dso_err.c -@@ -238,7 +217,6 @@ - $(OPENSSL_PATH)/crypto/dso/dso_openssl.c - $(OPENSSL_PATH)/crypto/dso/dso_vms.c - $(OPENSSL_PATH)/crypto/dso/dso_win32.c -- $(OPENSSL_PATH)/crypto/dso/dso_locl.h - 
$(OPENSSL_PATH)/crypto/ebcdic.c - $(OPENSSL_PATH)/crypto/err/err.c - $(OPENSSL_PATH)/crypto/err/err_prn.c -@@ -280,7 +258,6 @@ - $(OPENSSL_PATH)/crypto/evp/evp_pkey.c - $(OPENSSL_PATH)/crypto/evp/m_md2.c - $(OPENSSL_PATH)/crypto/evp/m_md4.c -- $(OPENSSL_PATH)/crypto/md4/md4_locl.h - $(OPENSSL_PATH)/crypto/evp/m_md5.c - $(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c - $(OPENSSL_PATH)/crypto/evp/m_mdc2.c -@@ -304,13 +281,11 @@ - $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c - $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c - $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c -- $(OPENSSL_PATH)/crypto/evp/evp_locl.h - $(OPENSSL_PATH)/crypto/ex_data.c - $(OPENSSL_PATH)/crypto/getenv.c - $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c - $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c - $(OPENSSL_PATH)/crypto/hmac/hmac.c -- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h - $(OPENSSL_PATH)/crypto/init.c - $(OPENSSL_PATH)/crypto/kdf/hkdf.c - $(OPENSSL_PATH)/crypto/kdf/kdf_err.c -@@ -318,12 +293,10 @@ - $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c - $(OPENSSL_PATH)/crypto/lhash/lh_stats.c - $(OPENSSL_PATH)/crypto/lhash/lhash.c -- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h - $(OPENSSL_PATH)/crypto/md4/md4_dgst.c - $(OPENSSL_PATH)/crypto/md4/md4_one.c - $(OPENSSL_PATH)/crypto/md5/md5_dgst.c - $(OPENSSL_PATH)/crypto/md5/md5_one.c -- $(OPENSSL_PATH)/crypto/md5/md5_locl.h - $(OPENSSL_PATH)/crypto/mem.c - $(OPENSSL_PATH)/crypto/mem_clr.c - $(OPENSSL_PATH)/crypto/mem_dbg.c -@@ -338,7 +311,6 @@ - $(OPENSSL_PATH)/crypto/modes/ofb128.c - $(OPENSSL_PATH)/crypto/modes/wrap128.c - $(OPENSSL_PATH)/crypto/modes/xts128.c -- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h - $(OPENSSL_PATH)/crypto/o_dir.c - $(OPENSSL_PATH)/crypto/o_fips.c - $(OPENSSL_PATH)/crypto/o_fopen.c -@@ -350,9 +322,6 @@ - $(OPENSSL_PATH)/crypto/objects/obj_err.c - $(OPENSSL_PATH)/crypto/objects/obj_lib.c - $(OPENSSL_PATH)/crypto/objects/obj_xref.c -- $(OPENSSL_PATH)/crypto/objects/obj_dat.h -- $(OPENSSL_PATH)/crypto/objects/obj_xref.h -- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h - 
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c -@@ -363,7 +332,6 @@ - $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c - $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c - $(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c -- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h - $(OPENSSL_PATH)/crypto/pem/pem_all.c - $(OPENSSL_PATH)/crypto/pem/pem_err.c - $(OPENSSL_PATH)/crypto/pem/pem_info.c -@@ -399,8 +367,6 @@ - $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c - $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c - $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c -- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h -- $(OPENSSL_PATH)/crypto/ppc_arch.h - $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c - $(OPENSSL_PATH)/crypto/rand/drbg_lib.c - $(OPENSSL_PATH)/crypto/rand/rand_egd.c -@@ -409,10 +375,8 @@ - $(OPENSSL_PATH)/crypto/rand/rand_unix.c - $(OPENSSL_PATH)/crypto/rand/rand_vms.c - $(OPENSSL_PATH)/crypto/rand/rand_win.c -- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h - $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c - $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c -- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h - $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c - $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c - $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c -@@ -435,24 +399,18 @@ - $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c - $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c - $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c -- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h - $(OPENSSL_PATH)/crypto/sha/keccak1600.c - $(OPENSSL_PATH)/crypto/sha/sha1_one.c - $(OPENSSL_PATH)/crypto/sha/sha1dgst.c - $(OPENSSL_PATH)/crypto/sha/sha256.c - $(OPENSSL_PATH)/crypto/sha/sha512.c -- $(OPENSSL_PATH)/crypto/sha/sha_locl.h - $(OPENSSL_PATH)/crypto/siphash/siphash.c - $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c - $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c -- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h - $(OPENSSL_PATH)/crypto/sm3/m_sm3.c - $(OPENSSL_PATH)/crypto/sm3/sm3.c -- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h - $(OPENSSL_PATH)/crypto/sm4/sm4.c - 
$(OPENSSL_PATH)/crypto/stack/stack.c -- $(OPENSSL_PATH)/crypto/s390x_arch.h -- $(OPENSSL_PATH)/crypto/sparc_arch.h - $(OPENSSL_PATH)/crypto/threads_none.c - $(OPENSSL_PATH)/crypto/threads_pthread.c - $(OPENSSL_PATH)/crypto/threads_win.c -@@ -462,9 +420,7 @@ - $(OPENSSL_PATH)/crypto/ui/ui_null.c - $(OPENSSL_PATH)/crypto/ui/ui_openssl.c - $(OPENSSL_PATH)/crypto/ui/ui_util.c -- $(OPENSSL_PATH)/crypto/ui/ui_locl.h - $(OPENSSL_PATH)/crypto/uid.c -- $(OPENSSL_PATH)/crypto/vms_rms.h - $(OPENSSL_PATH)/crypto/x509/by_dir.c - $(OPENSSL_PATH)/crypto/x509/by_file.c - $(OPENSSL_PATH)/crypto/x509/t_crl.c -@@ -501,7 +457,6 @@ - $(OPENSSL_PATH)/crypto/x509/x_req.c - $(OPENSSL_PATH)/crypto/x509/x_x509.c - $(OPENSSL_PATH)/crypto/x509/x_x509a.c -- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h - $(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c - $(OPENSSL_PATH)/crypto/x509v3/pcy_data.c - $(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c -@@ -539,10 +494,57 @@ - $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c - $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c - $(OPENSSL_PATH)/crypto/x509v3/v3err.c -+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h -+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h -+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h -+ $(OPENSSL_PATH)/crypto/conf/conf_def.h -+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h -+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h -+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h -+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h -+ $(OPENSSL_PATH)/crypto/store/store_locl.h -+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h -+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h -+ $(OPENSSL_PATH)/crypto/arm_arch.h -+ $(OPENSSL_PATH)/crypto/mips_arch.h -+ $(OPENSSL_PATH)/crypto/ppc_arch.h -+ $(OPENSSL_PATH)/crypto/s390x_arch.h -+ $(OPENSSL_PATH)/crypto/sparc_arch.h -+ $(OPENSSL_PATH)/crypto/vms_rms.h -+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h -+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h -+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h -+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h -+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h -+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h -+ 
$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h -+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h -+ $(OPENSSL_PATH)/crypto/asn1/charmap.h -+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h -+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h -+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h -+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h -+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h -+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h -+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h -+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h -+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h -+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h -+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h -+ $(OPENSSL_PATH)/crypto/des/des_locl.h -+ $(OPENSSL_PATH)/crypto/des/spr.h -+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h -+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h -+ $(OPENSSL_PATH)/crypto/async/async_locl.h -+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h - $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h -- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h - $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h -- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h -+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h -+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h -+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h -+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h - # Autogenerated files list ends here - buildinf.h - rand_pool_noise.h -diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl -index e13c0acb4d..4fe54cd808 100755 ---- a/CryptoPkg/Library/OpensslLib/process_files.pl -+++ b/CryptoPkg/Library/OpensslLib/process_files.pl -@@ -144,6 +144,34 @@ foreach my $product ((@{$unified_info{libraries}}, - } - } - -+ -+# -+# Update the perl script to generate the missing header files -+# -+my @dir_list = (); -+for (keys %{$unified_info{dirinfo}}){ -+ push @dir_list,$_; -+} -+ -+my $dir = getcwd(); -+my @files = (); -+my @headers = (); -+chdir ("openssl"); -+foreach(@dir_list){ -+ 
@files = glob($_."/*.h"); -+ push @headers, @files; -+} -+chdir ($dir); -+ -+foreach (@headers){ -+ if(/ssl/){ -+ push @sslfilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n"; -+ next; -+ } -+ push @cryptofilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n"; -+} -+ -+ - # - # Update OpensslLib.inf with autogenerated file list - # --- -2.18.1 - diff --git a/SOURCES/0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch b/SOURCES/0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch deleted file mode 100644 index 3838c15..0000000 --- a/SOURCES/0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From bbda3f776bfcdbcb77b82f1f7fd5dafd798d9784 Mon Sep 17 00:00:00 2001 -From: Shenglei Zhang -Date: Mon, 21 Oct 2019 15:53:42 +0800 -Subject: CryptoPkg: Upgrade OpenSSL to 1.1.1d - -Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> -RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: - -- New patch (cherry-picked from upstream, to be dropped at the next - downstream rebase). - -- Upstream OpenSSL-1.1.1c contains commit 5fba3afad017 ("Rework DSO API - conditions and configuration option", 2019-04-10). This upstream OpenSSL - change requires edk2 to #define DSO_NONE explicitly. - -- The present patch (which is going to be released in edk2-stable201911) - updates "process_files.pl" to generate "dso_conf.h" with the above - macro, and captures the result (i.e. the actual definition of the macro) - in the git tree. - -- This patch is being backported primarily for the DSO_NONE macro (OpenSSL - in RHEL-8.2.0 is based on OpenSSL-1.1.1c). The patch could also come in - handy in case we have to re-run "process_files.pl" ourselves. - -Upgrade openssl from 1.1.1b to 1.1.1d. -Something needs to be noticed is that, there is a bug existing in the -released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596), -which causes build failure. So we switch the code base to a usable -version, which is 2 commits later than the stable tag. -Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc. -This log is to fix the build failure. -https://bugzilla.tianocore.org/show_bug.cgi?id=2226 - -Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure -in OvmfPkg. So update process_files.pl to generate information from -"crypto/include/internal/dso_conf.h.in". - -shm.h and utsname.h are added to avoid GCC build failure. 
- -Cc: Jian J Wang -Cc: Xiaoyu Lu -Cc: Liming Gao -Signed-off-by: Shenglei Zhang -Reviewed-by: Jian J Wang -Reviewed-by: Laszlo Ersek -Tested-by: Laszlo Ersek -(cherry picked from commit 1bcc65b9a1408cf445b7b3f9499b27d9c235db71) -Signed-off-by: Laszlo Ersek ---- - CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++ - CryptoPkg/Library/Include/sys/shm.h | 9 +++++++++ - CryptoPkg/Library/Include/sys/utsname.h | 9 +++++++++ - CryptoPkg/Library/OpensslLib/openssl | 2 +- - CryptoPkg/Library/OpensslLib/process_files.pl | 17 +++++++++++++++-- - 5 files changed, 50 insertions(+), 3 deletions(-) - create mode 100644 CryptoPkg/Library/Include/sys/shm.h - create mode 100644 CryptoPkg/Library/Include/sys/utsname.h - -diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h -index e69de29bb2..43c891588b 100644 ---- a/CryptoPkg/Library/Include/internal/dso_conf.h -+++ b/CryptoPkg/Library/Include/internal/dso_conf.h -@@ -0,0 +1,16 @@ -+/* WARNING: do not edit! */ -+/* Generated from crypto/include/internal/dso_conf.h.in */ -+/* -+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#ifndef HEADER_DSO_CONF_H -+# define HEADER_DSO_CONF_H -+# define DSO_NONE -+# define DSO_EXTENSION ".so" -+#endif -diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h -new file mode 100644 -index 0000000000..dc0b8e81c8 ---- /dev/null -+++ b/CryptoPkg/Library/Include/sys/shm.h -@@ -0,0 +1,9 @@ -+/** @file -+ Include file to support building the third-party cryptographic library. -+ -+Copyright (c) 2019, Intel Corporation. All rights reserved.
-+SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#include -diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h -new file mode 100644 -index 0000000000..dc0b8e81c8 ---- /dev/null -+++ b/CryptoPkg/Library/Include/sys/utsname.h -@@ -0,0 +1,9 @@ -+/** @file -+ Include file to support building the third-party cryptographic library. -+ -+Copyright (c) 2019, Intel Corporation. All rights reserved.
-+SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#include -diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl -index 4fe54cd808..bbcfa0d0e7 100755 ---- a/CryptoPkg/Library/OpensslLib/process_files.pl -+++ b/CryptoPkg/Library/OpensslLib/process_files.pl -@@ -2,7 +2,7 @@ - # - # This script runs the OpenSSL Configure script, then processes the - # resulting file list into our local OpensslLib[Crypto].inf and also --# takes a copy of opensslconf.h. -+# takes copies of opensslconf.h and dso_conf.h. - # - # This only needs to be done once by a developer when updating to a - # new version of OpenSSL (or changing options, etc.). Normal users -@@ -106,6 +106,14 @@ BEGIN { - ) == 0 || - die "Failed to generate opensslconf.h!\n"; - -+ # Generate dso_conf.h per config data -+ system( -+ "perl -I. -Mconfigdata util/dofile.pl " . -+ "crypto/include/internal/dso_conf.h.in " . -+ "> include/internal/dso_conf.h" -+ ) == 0 || -+ die "Failed to generate dso_conf.h!\n"; -+ - chdir($basedir) || - die "Cannot change to base directory \"" . $basedir . "\""; - -@@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) || - print "Done!"; - - # --# Copy opensslconf.h generated from OpenSSL Configuration -+# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration - # - print "\n--> Duplicating opensslconf.h into Include/openssl ... "; - copy($OPENSSL_PATH . "/include/openssl/opensslconf.h", - $OPENSSL_PATH . "/../../Include/openssl/") || - die "Cannot copy opensslconf.h!"; -+print "Done!"; -+print "\n--> Duplicating dso_conf.h into Include/internal ... "; -+copy($OPENSSL_PATH . "/include/internal/dso_conf.h", -+ $OPENSSL_PATH . "/../../Include/internal/") || -+ die "Cannot copy dso_conf.h!"; - print "Done!\n"; - - print "\nProcessing Files Done!\n"; --- -2.18.1 - 
diff --git a/SOURCES/0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch b/SOURCES/0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
new file mode 100644
index 0000000..fb01acf
--- /dev/null
+++ b/SOURCES/0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
@@ -0,0 +1,37 @@
+From db8ccca337e2c5722c1d408d2541cf653d3371a2 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Thu, 4 Jun 2020 13:34:12 +0200
+Subject: BaseTools: do not build BrotliCompress (RH only)
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- New patch.
+
+BrotliCompress is not used for building ArmVirtPkg or OvmfPkg platforms.
+It depends on one of the upstream Brotli git submodules that we removed
+earlier in this rebase series. (See patch "remove upstream edk2's Brotli
+submodules (RH only").
+
+Do not attempt to build BrotliCompress.
+
+Signed-off-by: Laszlo Ersek
+---
+ BaseTools/Source/C/GNUmakefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
+index df4eb64ea9..52777eaff1 100644
+--- a/BaseTools/Source/C/GNUmakefile
++++ b/BaseTools/Source/C/GNUmakefile
+@@ -45,7 +45,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+- BrotliCompress \
+ VfrCompile \
+ EfiRom \
+ GenFfs \
+--
+2.18.1
+
diff --git a/SOURCES/0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch b/SOURCES/0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
new file mode 100644
index 0000000..718a35f
--- /dev/null
+++ b/SOURCES/0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
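Review bot: The dropped `BrotliCompress \` entry in BaseTools/Source/C/GNUmakefile carries no in-file marker that the omission is a RHEL-only divergence, so at the next upstream rebase the conflict in this backslash-continued list gives no hint which side is intended; a comment line placed above `APPLICATIONS = \`, `# RH only: BrotliCompress is not built (its Brotli submodule is removed downstream)`, would record that. The commit message's cross-reference `"remove upstream edk2's Brotli submodules (RH only"` is also missing its closing quote, which makes the referenced patch title harder to search for. The same lack of an in-file marker applies to the `[Includes.Common.Private]` removal in the following 0008 patch file. Whether BaseTools' other makefile for the Windows build also lists BrotliCompress is not visible here; if it does, that build path would still try to build it.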
@@ -0,0 +1,43 @@
+From e05e0de713c4a2b8adb6ff9809611f222bfe50ed Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Thu, 4 Jun 2020 13:39:08 +0200
+Subject: MdeModulePkg: remove package-private Brotli include path (RH only)
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- New patch.
+
+Originating from upstream commit 58802e02c41b
+("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule",
+2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal
+include path into a Brotli submodule.
+
+The edk2 build system requires such include paths to resolve successfully,
+regardless of the firmware platform being built. Because
+BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg
+platforms, and we've removed the submodule earlier in this patch set,
+remove the include path too.
+
+Signed-off-by: Laszlo Ersek
+---
+ MdeModulePkg/MdeModulePkg.dec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index 4f44af6948..031043ec28 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -24,9 +24,6 @@
+ [Includes]
+ Include
+
+-[Includes.Common.Private]
+- Library/BrotliCustomDecompressLib/brotli/c/include
+-
+ [LibraryClasses]
+ ## @libraryclass Defines a set of methods to reset whole system.
+ ResetSystemLib|Include/Library/ResetSystemLib.h
+--
+2.18.1
+
diff --git a/SOURCES/0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch b/SOURCES/0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
similarity index 91%
rename from SOURCES/0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
rename to SOURCES/0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
index 5d691f5..e41f5cd 100644
--- a/SOURCES/0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
+++ b/SOURCES/0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch @@ -1,8 +1,23 @@ -From 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2 Mon Sep 17 00:00:00 2001 +From cee80878b19e51d9b3c63335c681f152dcc59764 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 11 Jun 2014 23:33:33 +0200 Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Replace the open-coded BSDL with "SPDX-License-Identifier: + BSD-2-Clause-Patent" in the following files: + + - MdeModulePkg/Logo/Logo-OpenSSL.idf + - MdeModulePkg/Logo/LogoOpenSSLDxe.inf + - MdeModulePkg/Logo/LogoOpenSSLDxe.uni + + (This should have been done in the previous rebase, because the same + license block changes had been applied to MdeModulePkg/Logo/ in upstream + commit 9d510e61fcee ("MdeModulePkg: Replace BSD License with BSD+Patent + License", 2019-04-09), part of tag edk2-stable201905.) + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -135,31 +150,32 @@ 
Signed-off-by: Laszlo Ersek (cherry picked from commit 0b2d90347cb016cc71c2de62e941a2a4ab0f35a3) (cherry picked from commit 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d) (cherry picked from commit 727c11ecd9f34990312e14f239e6238693619849) +(cherry picked from commit 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2) --- ArmVirtPkg/ArmVirtQemu.dsc | 2 +- ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 2 +- ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 +- MdeModulePkg/Logo/Logo-OpenSSL.bmp | Bin 0 -> 156342 bytes - MdeModulePkg/Logo/Logo-OpenSSL.idf | 15 +++++++ - MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 61 +++++++++++++++++++++++++++ - MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 22 ++++++++++ + MdeModulePkg/Logo/Logo-OpenSSL.idf | 10 +++++ + MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 56 +++++++++++++++++++++++++++ + MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 17 ++++++++ OvmfPkg/OvmfPkgIa32.dsc | 2 +- OvmfPkg/OvmfPkgIa32.fdf | 2 +- OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- OvmfPkg/OvmfPkgIa32X64.fdf | 2 +- OvmfPkg/OvmfPkgX64.dsc | 2 +- OvmfPkg/OvmfPkgX64.fdf | 2 +- - 13 files changed, 107 insertions(+), 9 deletions(-) + 13 files changed, 92 insertions(+), 9 deletions(-) create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index 7ae6702ac1..a3cc3f26ec 100644 +index 3f649c91d8..360094ab6a 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -364,7 +364,7 @@ +@@ -424,7 +424,7 @@ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf @@ -169,10 +185,10 @@ index 7ae6702ac1..a3cc3f26ec 100644 NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf 
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index 31f615a9d0..57f2f625fe 100644 +index a2f4bd62c8..9b94043085 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -176,7 +176,7 @@ READ_LOCK_STATUS = TRUE +@@ -193,7 +193,7 @@ READ_LOCK_STATUS = TRUE # # TianoCore logo (splash screen) # @@ -182,10 +198,10 @@ index 31f615a9d0..57f2f625fe 100644 # # Ramdisk support diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc -index 3b0f04967a..27e65b7638 100644 +index 2a6fd6bc06..d186263e18 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc -@@ -348,7 +348,7 @@ +@@ -363,7 +363,7 @@ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf @@ -416,42 +432,32 @@ HcmV?d00001 diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.idf b/MdeModulePkg/Logo/Logo-OpenSSL.idf new file mode 100644 -index 0000000000..a80de29a63 +index 0000000000..2a60ac61b7 --- /dev/null +++ b/MdeModulePkg/Logo/Logo-OpenSSL.idf -@@ -0,0 +1,15 @@ +@@ -0,0 +1,10 @@ +// /** @file +// Platform Logo image definition file. +// +// Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+// -+// This program and the accompanying materials -+// are licensed and made available under the terms and conditions of the BSD License -+// which accompanies this distribution. The full text of the license may be found at -+// http://opensource.org/licenses/bsd-license.php -+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. ++// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#image IMG_LOGO Logo-OpenSSL.bmp diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.inf b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf new file mode 100644 -index 0000000000..2f79d873e2 +index 0000000000..d1207663b2 --- /dev/null +++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf -@@ -0,0 +1,61 @@ +@@ -0,0 +1,56 @@ +## @file +# The default logo bitmap picture shown on setup screen. +# +# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+# -+# This program and the accompanying materials -+# are licensed and made available under the terms and conditions of the BSD License -+# which accompanies this distribution. The full text of the license may be found at -+# http://opensource.org/licenses/bsd-license.php -+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. ++# SPDX-License-Identifier: BSD-2-Clause-Patent +# +# +## @@ -504,10 +510,10 @@ index 0000000000..2f79d873e2 + LogoDxeExtra.uni diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.uni b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni new file mode 100644 -index 0000000000..7227ac3910 +index 0000000000..6439502b6a --- /dev/null +++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni -@@ -0,0 +1,22 @@ +@@ -0,0 +1,17 @@ +// /** @file +// The logo bitmap picture (with OpenSSL advertisment) shown on setup screen. +// @@ -516,12 +522,7 @@ index 0000000000..7227ac3910 +// +// Copyright (c) 2016, Intel Corporation. All rights reserved.
+// -+// This program and the accompanying materials -+// are licensed and made available under the terms and conditions of the BSD License -+// which accompanies this distribution. The full text of the license may be found at -+// http://opensource.org/licenses/bsd-license.php -+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. ++// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + @@ -531,10 +532,10 @@ index 0000000000..7227ac3910 +#string STR_MODULE_DESCRIPTION #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol." + diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 66e944436a..044379e1ed 100644 +index d0df9cbbfb..f8317a4f5d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -688,7 +688,7 @@ +@@ -750,7 +750,7 @@ NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf !endif } @@ -544,10 +545,10 @@ index 66e944436a..044379e1ed 100644 NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 785affeb90..326f82384e 100644 +index e2b759aa8d..ec64551bcb 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -283,7 +283,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf +@@ -294,7 +294,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf @@ -557,10 +558,10 @@ index 785affeb90..326f82384e 100644 # # Network modules diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 51c2bfb44f..2ff68102d3 100644 +index b3ae62fee9..55423d356c 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -701,7 +701,7 @@ +@@ -764,7 +764,7 @@ NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf !endif } @@ -570,10 +571,10 @@ index 51c2bfb44f..2ff68102d3 100644 NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 7440707256..aefb6614ad 100644 +index bfca1eff9e..2f02ac2d73 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf +@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf @@ -583,10 +584,10 @@ index 7440707256..aefb6614ad 100644 # # Network modules diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index ba7a758844..3a66d4d424 100644 +index f7fe75ebf5..17aeeed96e 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -699,7 +699,7 @@ +@@ -760,7 +760,7 @@ NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf !endif } @@ -596,10 +597,10 @@ index ba7a758844..3a66d4d424 100644 NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 7440707256..aefb6614ad 100644 +index bfca1eff9e..2f02ac2d73 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf +@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf 
diff --git a/SOURCES/0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch b/SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
similarity index 88%
rename from SOURCES/0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
rename to SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
index d7ce5a8..eceafaa 100644
--- a/SOURCES/0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
+++ b/SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
@@ -1,8 +1,13 @@
-From e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5 Mon Sep 17 00:00:00 2001
+From a95cff0b9573bf23699551beb4786383f697ff1e Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Thu, 20 Feb 2014 22:54:45 +0100
 Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
 Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
 RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@@ -48,12 +53,13 @@ Signed-off-by: Laszlo Ersek
 (cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a)
 (cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a)
 (cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2)
+(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5)
 ---
 OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
-index 3dfa3126c3..9451c50c70 100644
+index dffb20822d..0577c43c3d 100644
 --- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
 +++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
 @@ -21,7 +21,7 @@
diff --git a/SOURCES/0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch b/SOURCES/0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
similarity index 97%
rename from SOURCES/0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
rename to SOURCES/0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
index 3e3dc79..ee4a8e6 100644
--- a/SOURCES/0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
+++ b/SOURCES/0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
@@ -1,8 +1,13 @@
-From 3aa0316ea1db5416cb528179a3ba5ce37c1279b7 Mon Sep 17 00:00:00 2001
+From 99da4393139d428baf09d751af3d072229839126 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Thu, 12 Jun 2014 00:17:59 +0200
 Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim (RHEL only)
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no changes
+
 Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
 RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@@ -54,13 +59,14 @@ Signed-off-by: Laszlo Ersek
 (cherry picked from commit 7046d6040181bb0f76a5ebd680e0dc701c895dba)
 (cherry picked from commit 4dd1cc745bc9a8c8b32b5810b40743fed1e36d7e)
 (cherry picked from commit bd264265a99c60f45cadaa4109a9db59ae218471)
+(cherry picked from commit 3aa0316ea1db5416cb528179a3ba5ce37c1279b7)
 ---
 OvmfPkg/QemuVideoDxe/VbeShim.asm | 2 +-
 OvmfPkg/QemuVideoDxe/VbeShim.h | 481 ++++++++++++++++++++-----------
 2 files changed, 308 insertions(+), 175 deletions(-)
 diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
-index cb2a60d827..26fe1bcc32 100644
+index 1d284b2641..0d5cfaf1e4 100644
 --- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
 +++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
 @@ -12,7 +12,7 @@
diff --git a/SOURCES/0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch b/SOURCES/0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
deleted file mode 100644
index 4972df3..0000000
--- a/SOURCES/0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 0dd0ad0dcdfd1189ed8aa880765403d1f587cc59 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Tue, 12 Apr 2016 20:50:25 +0200
-Subject: ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules (RH only)
-
-Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
-RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
-
-- no change
-
-Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
-RHEL-8.1/20190308-89910a39dcfd rebase:
-
-- no change
-
-Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
-RHEL-8.0/20180508-ee3198e672e2 rebase:
-
-- reorder the rebase changelog in the commit message so that it reads like
- a blog: place more recent entries near the top
-- no changes to the patch body
-
-Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
-
-- no change
-
-Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
-
-- no changes
-
-Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
-
-- no changes
-
-Contributed-under: TianoCore Contribution Agreement 1.0
-Signed-off-by: Laszlo Ersek
-(cherry picked from commit 8e2153358aa2bba2c91faa87a70beadcaae03fd8)
-(cherry picked from commit 5af259a93f4bbee5515ae18638068125e170f2cd)
-(cherry picked from commit 22b073005af491eef177ef5f80ffe71c1ebabb03)
-(cherry picked from commit f77f1e7dd6013f918c70e089c95b8f4166085fb9)
-(cherry picked from commit 762595334aa7ce88412cc77e136db9b41577a699)
-(cherry picked from commit f372886be5f1c41677f168be77c484bae5841361)
----
- ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
-index 4d27d7d30b..feceed5f93 100644
---- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
-+++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
-@@ -15,7 +15,7 @@
- FILE_GUID = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
- MODULE_TYPE = BASE
- VERSION_STRING = 1.0
-- LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER
-+ LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER UEFI_DRIVER
-
- CONSTRUCTOR = QemuFwCfgInitialize
-
---
-2.18.1
-
diff --git a/SOURCES/0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch b/SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
similarity index 94%
rename from SOURCES/0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
rename to SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
index 5b008bb..e238edb 100644
--- a/SOURCES/0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
+++ b/SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
@@ -1,8 +1,13 @@
-From 12cb13a1da913912bd9148ce8f2353a75be77f18 Mon Sep 17 00:00:00 2001
+From 82b9edc5fef3a07227a45059bbe821af7b9abd69 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Tue, 25 Feb 2014 18:40:35 +0100
 Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no changes
+
 Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
 RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@@ -95,15 +100,16 @@ Signed-off-by: Laszlo Ersek
 (cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621)
 (cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37)
 (cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51)
+(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18)
 ---
 .../Universal/Console/TerminalDxe/Terminal.c | 41 +++++++++++++++++--
 1 file changed, 38 insertions(+), 3 deletions(-)
 diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
-index c76b2c5100..eff9d9787f 100644
+index a98b690c8b..ded5513c74 100644
 --- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c -@@ -107,9 +107,44 @@ TERMINAL_DEV mTerminalDevTemplate = { +@@ -115,9 +115,44 @@ TERMINAL_DEV mTerminalDevTemplate = { }; TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = { diff --git a/SOURCES/0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch similarity index 86% rename from SOURCES/0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch rename to SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch index 3edba86..123a180 100644 --- a/SOURCES/0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +++ b/SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch @@ -1,9 +1,16 @@ -From a11602f5e2ef930be5b693ddfd0c789a1bd4c60c Mon Sep 17 00:00:00 2001 +From bc2266f20de5db1636e09a07e4a72c8dbf505f5a Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 25 Feb 2014 22:40:01 +0100 Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising + from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add + PcdTcgPfpMeasurementRevision PCD", 2020-01-06). + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -59,6 +66,7 @@ Signed-off-by: Laszlo Ersek (cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90) (cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb) (cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc) +(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c) --- MdeModulePkg/MdeModulePkg.dec | 4 +++ .../Console/TerminalDxe/TerminalConOut.c | 30 +++++++++++++++++++ @@ -66,12 +74,12 @@ 
Signed-off-by: Laszlo Ersek 3 files changed, 36 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec -index 19935c88fa..5690bbd8b3 100644 +index 031043ec28..3978a500e5 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec -@@ -2002,6 +2002,10 @@ - # @Prompt Capsule On Disk relocation device path. - gEfiMdeModulePkgTokenSpaceGuid.PcdCodRelocationDevPath|{0xFF}|VOID*|0x0000002f +@@ -1998,6 +1998,10 @@ + # @Prompt TCG Platform Firmware Profile revision. + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x00010077 + ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal + # mode change. @@ -81,7 +89,7 @@ index 19935c88fa..5690bbd8b3 100644 ## Specify memory size with page number for PEI code when # Loading Module at Fixed Address feature is enabled. diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c -index 7ef655cca5..1113252df2 100644 +index aae470e956..26156857aa 100644 --- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c +++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c @@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent @@ -110,7 +118,7 @@ index 7ef655cca5..1113252df2 100644 // // Body of the ConOut functions // -@@ -502,6 +514,24 @@ TerminalConOutSetMode ( +@@ -506,6 +518,24 @@ TerminalConOutSetMode ( return EFI_DEVICE_ERROR; } @@ -136,7 +144,7 @@ index 7ef655cca5..1113252df2 100644 Status = This->ClearScreen (This); diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf -index 24e164ef4d..d1160ed1c7 100644 +index b2a8aeba85..eff6253465 100644 --- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf @@ -55,6 +55,7 @@ 
@@ -147,7 +155,7 @@ index 24e164ef4d..d1160ed1c7 100644 [Guids] ## SOMETIMES_PRODUCES ## Variable:L"ConInDev" -@@ -83,6 +84,7 @@ +@@ -87,6 +88,7 @@ [Pcd] gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable ## CONSUMES diff --git a/SOURCES/0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch similarity index 81% rename from SOURCES/0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch rename to SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch index b42de25..5837240 100644 --- a/SOURCES/0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +++ b/SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch @@ -1,8 +1,15 @@ -From 2cc462ee963d0be119bc97bfc9c70d292a40516f Mon Sep 17 00:00:00 2001 +From 51e0de961029af84b5bdbfddcc9762b1819d500f Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 14 Oct 2015 15:59:06 +0200 Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve contextual conflict in the DSC files, from upstream commit + b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D + SMM_REQUIRE", 2020-03-12). + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -43,6 +50,7 @@ Signed-off-by: Laszlo Ersek (cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3) (cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853) (cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2) +(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f) --- OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + @@ -52,47 +60,47 @@ 
Signed-off-by: Laszlo Ersek 5 files changed, 5 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 044379e1ed..accf5c0211 100644 +index f8317a4f5d..6ce8a46d4e 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -525,6 +525,7 @@ +@@ -574,6 +574,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 2ff68102d3..8812da9943 100644 +index 55423d356c..89d414cda7 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -531,6 +531,7 @@ +@@ -580,6 +580,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 3a66d4d424..73e1b7824f 100644 +index 17aeeed96e..e567eb76e0 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -530,6 +530,7 @@ +@@ -578,6 +578,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0 
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c -index 3ba2459872..bbbf1ac2a8 100644 +index 96468701e3..14efbabe39 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c -@@ -667,6 +667,7 @@ InitializePlatform ( - PeiFvInitialization (); +@@ -748,6 +748,7 @@ InitializePlatform ( + MemTypeInfoInitialization (); MemMapInitialization (); NoexecDxeInitialization (); + UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm); @@ -100,10 +108,10 @@ index 3ba2459872..bbbf1ac2a8 100644 InstallClearCacheCallback (); diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf -index d9fd9c8f05..666803916c 100644 +index ff397b3ee9..3a012a7fa4 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf -@@ -89,6 +89,7 @@ +@@ -93,6 +93,7 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration diff --git a/SOURCES/0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch similarity index 64% rename from SOURCES/0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch rename to SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch index 8600508..525137d 100644 --- a/SOURCES/0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +++ b/SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch @@ -1,8 +1,42 @@ -From 8338545260fbb423f796d5196faaaf8ff6e1ed99 Mon Sep 17 00:00:00 2001 +From a5f7a57bf390f1f340ff1d1f1884a73716817ef1 Mon Sep 17 00:00:00 2001 
From: Laszlo Ersek Date: Sun, 26 Jul 2015 08:02:50 +0000 Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc", + arising from upstream commits: + + - 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base + address from the DT", 2020-03-04) + + - ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI + phase", 2020-03-04) + + - cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the + QEMU command line", 2020-04-28) + +- Rework the downstream patch quite a bit, paralleling the upstream work + done for in commit + range 64ab457d1f21..cdc3fa54184a: + + - Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace + open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent". + + - Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only + via NULL class resolution (basically: as a plugin), so use NULL for + LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER". + + - Sort the [Packages] section alphabetically in the INF file. + + - Replace the open-coded GetNamedFwCfgBoolean() function with a call to + QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib. + + - Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the + INF file. + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -45,28 +79,29 @@ 
Signed-off-by: Laszlo Ersek (cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65) (cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806) (cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04) +(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99) --- - ArmVirtPkg/ArmVirtQemu.dsc | 7 +- - .../TerminalPcdProducerLib.c | 87 +++++++++++++++++++ - .../TerminalPcdProducerLib.inf | 41 +++++++++ - 3 files changed, 134 insertions(+), 1 deletion(-) + ArmVirtPkg/ArmVirtQemu.dsc | 7 +++- + .../TerminalPcdProducerLib.c | 34 +++++++++++++++++++ + .../TerminalPcdProducerLib.inf | 33 ++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index a3cc3f26ec..696b0b5bcd 100644 +index 360094ab6a..3345987503 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -237,6 +237,8 @@ - gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 - gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE +@@ -272,6 +272,8 @@ + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0 + !endif + gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + [PcdsDynamicHii] gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS -@@ -314,7 +316,10 @@ +@@ -374,7 +376,10 @@ MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf @@ -80,82 +115,29 @@ index a3cc3f26ec..696b0b5bcd 100644 MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf 
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c new file mode 100644 -index 0000000000..814ad48199 +index 0000000000..bfd3a6a535 --- /dev/null +++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c -@@ -0,0 +1,87 @@ +@@ -0,0 +1,34 @@ +/** @file +* Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg +* -+* Copyright (C) 2015-2016, Red Hat, Inc. ++* Copyright (C) 2015-2020, Red Hat, Inc. +* Copyright (c) 2014, Linaro Ltd. All rights reserved.
+* -+* This program and the accompanying materials are licensed and made available -+* under the terms and conditions of the BSD License which accompanies this -+* distribution. The full text of the license may be found at -+* http://opensource.org/licenses/bsd-license.php -+* -+* THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -+* WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR -+* IMPLIED. -+* ++* SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include -+#include -+ -+STATIC -+RETURN_STATUS -+GetNamedFwCfgBoolean ( -+ IN CONST CHAR8 *FwCfgFileName, -+ OUT BOOLEAN *Setting -+ ) -+{ -+ RETURN_STATUS Status; -+ FIRMWARE_CONFIG_ITEM FwCfgItem; -+ UINTN FwCfgSize; -+ UINT8 Value[3]; -+ -+ Status = QemuFwCfgFindFile (FwCfgFileName, &FwCfgItem, &FwCfgSize); -+ if (RETURN_ERROR (Status)) { -+ return Status; -+ } -+ if (FwCfgSize > sizeof Value) { -+ return RETURN_BAD_BUFFER_SIZE; -+ } -+ QemuFwCfgSelectItem (FwCfgItem); -+ QemuFwCfgReadBytes (FwCfgSize, Value); -+ -+ if ((FwCfgSize == 1) || -+ (FwCfgSize == 2 && Value[1] == '\n') || -+ (FwCfgSize == 3 && Value[1] == '\r' && Value[2] == '\n')) { -+ switch (Value[0]) { -+ case '0': -+ case 'n': -+ case 'N': -+ *Setting = FALSE; -+ return RETURN_SUCCESS; -+ -+ case '1': -+ case 'y': -+ case 'Y': -+ *Setting = TRUE; -+ return RETURN_SUCCESS; -+ -+ default: -+ break; -+ } -+ } -+ return RETURN_PROTOCOL_ERROR; -+} ++#include + +#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName) \ + do { \ + BOOLEAN Setting; \ + RETURN_STATUS PcdStatus; \ + \ -+ if (!RETURN_ERROR (GetNamedFwCfgBoolean ( \ ++ if (!RETURN_ERROR (QemuFwCfgParseBool ( \ + "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \ + PcdStatus = PcdSetBoolS (TokenName, Setting); \ + ASSERT_RETURN_ERROR (PcdStatus); \ @@ -173,25 +155,17 @@ index 0000000000..814ad48199 +} 
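Review bot: The new `UPDATE_BOOLEAN_PCD_FROM_FW_CFG` macro carries no comment on what happens when the fw_cfg file is absent or fails to parse: the `if (!RETURN_ERROR (QemuFwCfgParseBool (...)))` branch is simply skipped, so the PCD keeps its build-time default (FALSE, per the `gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE` line this patch adds to ArmVirtQemu.dsc) and only a host-supplied value that parses can override it. With the open-coded `GetNamedFwCfgBoolean` gone, the accepted syntax that used to be visible here (a size-capped read of at most three bytes, exactly one of 0/1/n/N/y/Y, optionally followed by "\n" or "\r\n") now lives in `QemuFwCfgParseBool`; presumably it accepts at least that set, but the rebase note should state it, since existing `-fw_cfg` command lines rely on it. I would add above the macro: `// Looks up "opt/org.tianocore.edk2.aavmf/<TokenName>" in fw_cfg (host-supplied). On lookup or parse failure the PCD is left at its DSC default; only a successful parse overrides it.` Separately, `ASSERT_RETURN_ERROR (PcdStatus)` remains the only check on `PcdSetBoolS`, so a failed set is silent in builds where ASSERTs are compiled out; that is unchanged from the removed code, and the constructor that uses the macro ends outside this hunk.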
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf new file mode 100644 -index 0000000000..fecb37bcdf +index 0000000000..a51dbd1670 --- /dev/null +++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf -@@ -0,0 +1,41 @@ +@@ -0,0 +1,33 @@ +## @file +# Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg +# -+# Copyright (C) 2015-2016, Red Hat, Inc. ++# Copyright (C) 2015-2020, Red Hat, Inc. +# Copyright (c) 2014, Linaro Ltd. All rights reserved.
+# -+# This program and the accompanying materials are licensed and made available -+# under the terms and conditions of the BSD License which accompanies this -+# distribution. The full text of the license may be found at -+# http://opensource.org/licenses/bsd-license.php -+# -+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR -+# IMPLIED. -+# ++# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] @@ -200,24 +174,24 @@ index 0000000000..fecb37bcdf + FILE_GUID = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 -+ LIBRARY_CLASS = TerminalPcdProducerLib|DXE_DRIVER ++ LIBRARY_CLASS = NULL + CONSTRUCTOR = TerminalPcdProducerLibConstructor + +[Sources] + TerminalPcdProducerLib.c + +[Packages] ++ MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec -+ MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + DebugLib + PcdLib -+ QemuFwCfgLib ++ QemuFwCfgSimpleParserLib + +[Pcd] -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES -- 2.18.1 diff --git a/SOURCES/0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch b/SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch similarity index 83% rename from SOURCES/0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch rename to SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch index 0023ba2..456b8ce 100644 --- a/SOURCES/0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch +++ b/SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch @@ -1,9 +1,15 @@ -From 229c88dc3ded9baeaca8b87767dc5c41c05afd6e Mon Sep 17 00:00:00 2001 +From c2812d7189dee06c780f05a5880eb421c359a687 Mon Sep 17 00:00:00 2001 
From: Laszlo Ersek Date: Tue, 4 Nov 2014 23:02:53 +0100 Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the + 'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -85,6 +91,7 @@ Signed-off-by: Laszlo Ersek (cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245) (cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687) (cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4) +(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e) --- OvmfPkg/OvmfPkgIa32.fdf | 2 ++ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++ @@ -92,16 +99,17 @@ Signed-off-by: Laszlo Ersek 3 files changed, 6 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 326f82384e..dff2fcd9f6 100644 +index ec64551bcb..44178a0da7 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -278,10 +278,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour +@@ -288,11 +288,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +!ifndef $(EXCLUDE_SHELL_FROM_FD) !if $(TOOL_CHAIN_TAG) != "XCODE5" INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf +!endif @@ -109,16 +117,17 @@ index 326f82384e..dff2fcd9f6 100644 INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf 
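Review bot: The rebase note for this patch says the context difference from upstream commit ec41733cfd10 was "correctly auto-resolved", but it does not say what the correct result is: on the new side, `INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf` now sits inside the `!ifndef $(EXCLUDE_SHELL_FROM_FD)` … `!endif` region this patch introduces, next to `TftpDynamicCommand` and `Shell.inf`. That placement is the intended one, since a dynamic shell command has no purpose when the shell itself is excluded from the firmware volume, and it is repeated identically in the OvmfPkgIa32X64.fdf and OvmfPkgX64.fdf hunks that follow. I would extend the note to `- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the 'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved: the new LinuxInitrdDynamicShellCommand INF lands inside the EXCLUDE_SHELL_FROM_FD guard, as intended.` so a later rebase has an explicit invariant to check rather than trusting the merge driver.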
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index aefb6614ad..6684a2e799 100644 +index 2f02ac2d73..06259c43d2 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour +@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +!ifndef $(EXCLUDE_SHELL_FROM_FD) !if $(TOOL_CHAIN_TAG) != "XCODE5" INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf +!endif @@ -126,16 +135,17 @@ index aefb6614ad..6684a2e799 100644 INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index aefb6614ad..6684a2e799 100644 +index 2f02ac2d73..06259c43d2 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour +@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +!ifndef $(EXCLUDE_SHELL_FROM_FD) !if $(TOOL_CHAIN_TAG) != "XCODE5" INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif INF ShellPkg/Application/Shell/Shell.inf +!endif 
diff --git a/SOURCES/0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch b/SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch similarity index 89% rename from SOURCES/0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch rename to SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch index 7bdb27e..63c187c 100644 --- a/SOURCES/0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch +++ b/SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch @@ -1,8 +1,13 @@ -From 9f756c1ad83cc81f7d892cd036d59a2b567b02dc Mon Sep 17 00:00:00 2001 +From c75aea7a738ac7fb944c0695a4bfffc3985afaa9 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 14 Oct 2015 13:49:43 +0200 Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -54,15 +59,16 @@ Signed-off-by: Laszlo Ersek (cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27) (cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1) (cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2) +(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc) --- ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec -index c8ea183313..bab4804a17 100644 +index 696d636aac..1553e1ae92 100644 --- a/ArmPlatformPkg/ArmPlatformPkg.dec +++ b/ArmPlatformPkg/ArmPlatformPkg.dec -@@ -108,6 +108,13 @@ +@@ -104,6 +104,13 @@ ## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045 
diff --git a/SOURCES/0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch b/SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch similarity index 92% rename from SOURCES/0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch rename to SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch index ed0b97b..85e32b4 100644 --- a/SOURCES/0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch +++ b/SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch @@ -1,9 +1,14 @@ -From 8d5a8827aabc67cb2a046697e1a750ca8d9cc453 Mon Sep 17 00:00:00 2001 +From 49fe5596cd79c94d903c4d506c563d642ccd69aa Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 14 Oct 2015 13:59:20 +0200 Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial port (RH) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -52,6 +57,7 @@ Signed-off-by: Laszlo Ersek (cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a) (cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de) (cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf) +(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453) --- ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++ ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++ @@ -105,10 +111,10 @@ index 7140c7f5b5..1d69a2b468 100644 #include #include diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf -index f2ac45d171..fc93fda965 100644 +index fb01dd1a11..a6681c1032 100644 --- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf 
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf -@@ -67,6 +67,8 @@ +@@ -69,6 +69,8 @@ gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize @@ -118,10 +124,10 @@ index f2ac45d171..fc93fda965 100644 gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase gArmTokenSpaceGuid.PcdGicSgiIntId diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf -index 84c319c367..46d1b30978 100644 +index e9eb092d3a..c98dc82f0c 100644 --- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf +++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf -@@ -65,4 +65,6 @@ +@@ -67,4 +67,6 @@ gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize diff --git a/SOURCES/0017-ArmVirtPkg-set-early-hello-message-RH-only.patch b/SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch similarity index 78% rename from SOURCES/0017-ArmVirtPkg-set-early-hello-message-RH-only.patch rename to SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch index 9330386..8f3a510 100644 --- a/SOURCES/0017-ArmVirtPkg-set-early-hello-message-RH-only.patch +++ b/SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch @@ -1,8 +1,15 @@ -From ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b Mon Sep 17 00:00:00 2001 +From 72550e12ae469012a505bf5b98a6543a754028d3 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 14 Oct 2015 14:07:17 +0200 Subject: ArmVirtPkg: set early hello message (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit f5cb3767038e + ("ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 + support", 2020-03-04) automatically resolved correctly + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -47,16 +54,17 @@ 
Signed-off-by: Laszlo Ersek (cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18) (cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18) (cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a) +(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b) --- ArmVirtPkg/ArmVirtQemu.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index 696b0b5bcd..08c7a36339 100644 +index 3345987503..57c5b3f898 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -101,6 +101,7 @@ - gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE +@@ -125,6 +125,7 @@ + gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) [PcdsFixedAtBuild.common] + gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n" diff --git a/SOURCES/0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch similarity index 81% rename from SOURCES/0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch rename to SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch index ed65592..63b794d 100644 --- a/SOURCES/0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +++ b/SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch @@ -1,8 +1,15 @@ -From 3cb92f9ba18ac79911bd5258ff4f949cc617ae89 Mon Sep 17 00:00:00 2001 +From 5ecc18badaabe774d9d0806b027ab63a30c6a2d7 Mon Sep 17 00:00:00 2001 
From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:45 +0100 Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make + SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22) + resolved automatically + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -44,6 +51,7 @@ Signed-off-by: Paolo Bonzini (cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76) (cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027) (cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50) +(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89) --- OvmfPkg/OvmfPkgIa32.dsc | 2 +- OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- @@ -51,43 +59,43 @@ Signed-off-by: Paolo Bonzini 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index accf5c0211..759075a815 100644 +index 6ce8a46d4e..765ffff312 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -479,7 +479,7 @@ +@@ -516,7 +516,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - !ifdef $(SOURCE_DEBUG_ENABLE) + !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 8812da9943..634e20f09c 100644 +index 89d414cda7..277297a964 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -484,7 +484,7 @@ +@@ -520,7 +520,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - !ifdef $(SOURCE_DEBUG_ENABLE) + !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 73e1b7824f..bc5a345a37 100644 +index e567eb76e0..5c1597fe3c 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -484,7 +484,7 @@ +@@ -520,7 +520,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - !ifdef $(SOURCE_DEBUG_ENABLE) + !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 -- 2.18.1 diff --git a/SOURCES/0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch similarity index 90% rename from SOURCES/0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch rename to SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch index ca0d4d0..4e1464b 100644 --- a/SOURCES/0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +++ b/SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch @@ -1,9 +1,14 @@ -From c8c3f893e7c3710afe45c46839e97954871536e4 Mon Sep 17 00:00:00 2001 +From 1355849ad97c1e4a5c430597a377165a5cc118f7 Mon Sep 17 00:00:00 2001 
From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:46 +0100 Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in QemuVideoDxe/QemuRamfbDxe (RH) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -64,6 +69,7 @@ Signed-off-by: Paolo Bonzini (cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0) (cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1) (cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850) +(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4) --- OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++-- OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++-- @@ -71,10 +77,10 @@ Signed-off-by: Paolo Bonzini 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 759075a815..6a07a6af81 100644 +index 765ffff312..f5c6cceb4f 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -742,9 +742,15 @@ +@@ -811,9 +811,15 @@ MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf !ifndef $(CSM_ENABLE) @@ -93,10 +99,10 @@ index 759075a815..6a07a6af81 100644 # diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 634e20f09c..c7f52992e9 100644 +index 277297a964..c1e52b0acd 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -755,9 +755,15 @@ +@@ -825,9 +825,15 @@ MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf !ifndef $(CSM_ENABLE) @@ -115,10 +121,10 @@ index 634e20f09c..c7f52992e9 100644 # diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index bc5a345a37..594ecb5362 100644 +index 5c1597fe3c..e65165b9f0 100644 --- a/OvmfPkg/OvmfPkgX64.dsc 
+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -753,9 +753,15 @@ +@@ -821,9 +821,15 @@ MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf !ifndef $(CSM_ENABLE) diff --git a/SOURCES/0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch similarity index 88% rename from SOURCES/0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch rename to SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch index efee09b..cf0bf21 100644 --- a/SOURCES/0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +++ b/SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch @@ -1,9 +1,14 @@ -From e5b8152bced2364a1ded0926dbba4d65e23e3f84 Mon Sep 17 00:00:00 2001 +From e7f57f154439c1c18ea5030b01f8d7bc492698b2 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 27 Jan 2016 03:05:18 +0100 Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -43,16 +48,17 @@ Suggested-by: Laszlo Ersek Signed-off-by: Philippe Mathieu-Daude (cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc) Signed-off-by: Laszlo Ersek +(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84) --- ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++- ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index 08c7a36339..b3dcdd747b 100644 +index 57c5b3f898..dda887b2ae 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -422,7 +422,10 @@ +@@ -494,7 +494,10 @@ # # Video support # 
@@ -65,10 +71,10 @@ index 08c7a36339..b3dcdd747b 100644 OvmfPkg/PlatformDxe/Platform.inf diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc -index 27e65b7638..008181055a 100644 +index d186263e18..711dd63e20 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc -@@ -400,7 +400,10 @@ +@@ -427,7 +427,10 @@ # # Video support # diff --git a/SOURCES/0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch similarity index 90% rename from SOURCES/0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch rename to SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch index da55568..6b41eff 100644 --- a/SOURCES/0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +++ b/SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch @@ -1,9 +1,14 @@ -From aa2b66b18a62d652bdbefae7b5732297294306ca Mon Sep 17 00:00:00 2001 +From deb3451034326b75fd760aba47a5171493ff055e Mon Sep 17 00:00:00 2001 From: Philippe Mathieu-Daude Date: Thu, 1 Aug 2019 20:43:48 +0200 Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent builds (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -29,6 +34,7 @@ Suggested-by: Laszlo Ersek Signed-off-by: Philippe Mathieu-Daude (cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7) Signed-off-by: Laszlo Ersek +(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca) --- OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 + 
diff --git a/SOURCES/0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch similarity index 88% rename from SOURCES/0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch rename to SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch index fd79c90..c01b00b 100644 --- a/SOURCES/0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +++ b/SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch @@ -1,9 +1,14 @@ -From b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6 Mon Sep 17 00:00:00 2001 +From ed89844b47f46cfe911f1bf2bda40e537a908502 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:47 +0100 Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH only) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -45,6 +50,7 @@ Signed-off-by: Paolo Bonzini (cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8) (cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6) (cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958) +(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6) --- OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- @@ -52,10 +58,10 @@ Signed-off-by: Paolo Bonzini 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 6a07a6af81..1c56e0948a 100644 +index f5c6cceb4f..e8868136d8 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -735,7 +735,10 @@ +@@ -804,7 +804,10 @@ OvmfPkg/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf 
@@ -68,10 +74,10 @@ index 6a07a6af81..1c56e0948a 100644 MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index c7f52992e9..29e12c9dff 100644 +index c1e52b0acd..d05275a324 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -748,7 +748,10 @@ +@@ -818,7 +818,10 @@ OvmfPkg/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf @@ -84,10 +90,10 @@ index c7f52992e9..29e12c9dff 100644 MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 594ecb5362..11fe9f6050 100644 +index e65165b9f0..cac4cecf18 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -746,7 +746,10 @@ +@@ -814,7 +814,10 @@ OvmfPkg/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf diff --git a/SOURCES/0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch b/SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch similarity index 68% rename from SOURCES/0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch rename to SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch index da424bc..2233cea 100644 --- a/SOURCES/0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch +++ b/SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch @@ -1,9 +1,28 @@ -From 57bd3f146590df8757865d8f2cdd1db3cf3f4d40 Mon Sep 17 00:00:00 2001 +From 56c4bb81b311dfcee6a34c81d3e4feeda7f88995 Mon Sep 17 00:00:00 2001 
From: Laszlo Ersek Date: Sat, 16 Nov 2019 17:11:27 +0100 Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs (RH) +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- "OpensslLib.inf": + + - Automatic leading context refresh against upstream commit c72ca4666886 + ("CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing + loop", 2020-03-10). + + - Manual trailing context refresh against upstream commit b49a6c8f80d9 + ("CryptoPkg/OpensslLib: improve INF file consistency", 2019-12-02). + +- "OpensslLibCrypto.inf": + + - Automatic leading context refresh against upstream commits + 8906f076de35 ("CryptoPkg/OpensslLib: Add missing header files in INF + file", 2019-08-16) and 9f4fbd56d430 ("CryptoPkg/OpensslLib: Update + process_files.pl to generate .h files", 2019-10-30). + Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: @@ -25,18 +44,19 @@ Note: "process_files.pl" is not re-run at this time manually, because and will help with future changes too. Signed-off-by: Laszlo Ersek +(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40) --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 11 +++++++++++ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -index dd873a0dcd..d1c7602b87 100644 +index c8ec9454bd..24e790b538 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -@@ -598,6 +598,17 @@ - $(OPENSSL_PATH)/ssl/record/record.h - $(OPENSSL_PATH)/ssl/record/record_locl.h +@@ -570,6 +570,17 @@ + $(OPENSSL_PATH)/ssl/statem/statem.h + $(OPENSSL_PATH)/ssl/statem/statem_locl.h # Autogenerated files list ends here +# RHEL8-specific OpenSSL file list starts here + $(OPENSSL_PATH)/crypto/evp/kdf_lib.c @@ -49,16 +69,16 @@ index dd873a0dcd..d1c7602b87 100644 + $(OPENSSL_PATH)/crypto/kdf/sshkdf.c + $(OPENSSL_PATH)/crypto/kdf/sskdf.c +# RHEL8-specific OpenSSL file list ends here - + buildinf.h + rand_pool_noise.h ossl_store.c - rand_pool.c diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -index a1bb560255..0785a421dd 100644 +index 2f232e3e12..52e70a2d03 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -@@ -546,6 +546,17 @@ - $(OPENSSL_PATH)/crypto/objects/obj_lcl.h - $(OPENSSL_PATH)/crypto/objects/obj_xref.h +@@ -519,6 +519,17 @@ + $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h # Autogenerated files list ends here +# RHEL8-specific OpenSSL file list starts here + $(OPENSSL_PATH)/crypto/evp/kdf_lib.c diff --git a/SOURCES/0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch b/SOURCES/0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch new file mode 100644 index 0000000..4947710 --- /dev/null +++ b/SOURCES/0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch 
@@ -0,0 +1,83 @@
+From bf88198555ce964377a56176de8e5e9b45e43e25 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Sat, 6 Jun 2020 01:16:09 +0200
+Subject: OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from
+ LoadImage()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- new patch
+
+- the patch is being upstreamed; it's not a backport because the rebase
+ deadline is close
+
+- upstream references:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2785
+ - http://mid.mail-archive.com/20200605235242.32442-1-lersek@redhat.com
+ - https://edk2.groups.io/g/devel/message/60825
+ - https://www.redhat.com/archives/edk2-devel-archive/2020-June/msg00344.html
+
+[downstream note ends, upstream commit message starts]
+
+When an image fails Secure Boot validation, LoadImage() returns
+EFI_SECURITY_VIOLATION if the platform policy is
+DEFER_EXECUTE_ON_SECURITY_VIOLATION.
+
+If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
+LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
+loaded).
+
+(Before , this
+difference would be masked, as DxeImageVerificationLib would incorrectly
+return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
+well.)
+
+In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
+seeing EFI_ACCESS_DENIED too.
+
+Cc: Ard Biesheuvel
+Cc: Jordan Justen
+Cc: Philippe Mathieu-Daudé
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
+Signed-off-by: Laszlo Ersek
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index ef753be7ea..931553c0c1 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -320,15 +320,21 @@ QemuLoadKernelImage (
+
+ case EFI_SECURITY_VIOLATION:
+ //
+- // We are running with UEFI secure boot enabled, and the image failed to
+- // authenticate. For compatibility reasons, we fall back to the legacy
+- // loader in this case. Since the image has been loaded, we need to unload
+- // it before proceeding
++ // Since the image has been loaded, we need to unload it before proceeding
++ // to the EFI_ACCESS_DENIED case below.
+ //
+ gBS->UnloadImage (KernelImageHandle);
+ //
+ // Fall through
+ //
++ case EFI_ACCESS_DENIED:
++ //
++ // We are running with UEFI secure boot enabled, and the image failed to
++ // authenticate. For compatibility reasons, we fall back to the legacy
++ // loader in this case.
++ //
++ // Fall through
++ //
+ case EFI_UNSUPPORTED:
+ //
+ // The image is not natively supported or cross-type supported. Let's try
+--
+2.18.1
+
diff --git a/SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch b/SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch
new file mode 100644
index 0000000..21fa333
--- /dev/null
+++ b/SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch
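Review bot: The comment under the new `case EFI_ACCESS_DENIED:` label states that "the image failed to authenticate", but EFI_ACCESS_DENIED is the general LoadImage() status for an image the platform policy refused to load, and the commit message itself only ties it to DENY_EXECUTE_ON_SECURITY_VIOLATION; hedge it, e.g. `// LoadImage() refused the image under platform policy (with Secure Boot, DENY_EXECUTE_ON_SECURITY_VIOLATION); for compatibility, fall back to the legacy loader.` Both this case and EFI_SECURITY_VIOLATION then continue silently into the legacy Linux/x86 Boot Protocol path, so an image rejected by Secure Boot is booted with no trace in the firmware log; a `DEBUG ((DEBUG_WARN, "%a: LoadImage() returned %r, falling back to legacy loader\n", __FUNCTION__, Status));` before the fall-through (using whichever status variable the enclosing switch is on — it is not visible in the hunk) would make the bypass observable to anyone auditing a boot. The upstream message reads "(Before , this difference would be masked", so the commit reference appears to have been lost from the patch file as committed. QemuLoadKernelImage begins and ends outside the hunk.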
@@ -0,0 +1,184 @@
+From 74e5313dfa6719f7990c7e175e035d17c9b3f657 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Fri, 5 Jun 2020 23:44:43 +0200
+Subject: Revert "OvmfPkg: use generic QEMU image loader for secure boot
+ enabled builds"
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- new patch (to be dropped later, hopefully)
+
+This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
+
+Upstream commit ced77332cab6 ("OvmfPkg: use generic QEMU image loader for
+secure boot enabled builds", 2020-03-05) changes the "Secure Boot threat
+model" in a way that is incompatible with at least two use cases.
+
+Namely, OVMF has always considered kernel images direct-booted via fw_cfg
+as trusted, bypassing Secure Boot validation. While that approach is
+rooted in a technicality (namely, OVMF doesn't load such images with the
+LoadImage() UEFI boot service / through the UEFI stub, but with the
+Linux/x86 Boot Protocol), that doesn't mean it's wrong. The direct-booted
+kernel from fw_cfg comes from the host side, and Secure Boot in the guest
+is a barrier between the guest firmware and the guest operating system --
+it's not a barrier between host and guest.
+
+Upstream commit ced77332cab6 points out that the above (historical) OVMF
+behavior differs from ArmVirtQemu's -- the latter direct-boots kernels
+from fw_cfg with the LoadImage() / StartImage() boot services. While that
+difference indeed exists between OVMF and ArmVirtQemu, it's not relevant
+for RHEL downstream. That's because we never build the ArmVirtQemu
+firmware with the Secure Boot feature, so LoadImage() can never reject the
+direct-booted kernel due to a signing issue.
+
+Subjecting a kernel direct-booted via fw_cfg to Secure Boot verification
+breaks at least two use cases with OVMF:
+
+- It breaks the %check stage in the SPEC file.
+
+ In that stage, we use the "ovmf-vars-generator" utility from the
+ "qemu-ovmf-secureboot" project, for verifying whether the Secure Boot
+ operational mode is enabled. The guest kernel is supposed to boot, and
+ to print "Secure boot enabled".
+
+ As guest kernel, we pick whatever host kernel is available in the Brew
+ build root. The kernel in question may be a publicly released RHEL
+ kernel, signed with "Red Hat Secure Boot (signing key 1)", or a
+ development build, signed for example with "Red Hat Secure Boot Signing
+ 3 (beta)". Either way, none of these keys are accepted by the
+ certificates that were enrolled by "ovmf-vars-generator" /
+ "EnrollDefaultKeys.efi" in the %build stage. Therefore, the %check stage
+ fails.
+
+- It breaks "virt-install --location NETWORK-URL" Linux guest
+ installations, if the variable store template used for the new domain
+ has the Secure Boot operational mode enabled. "virt-install --location"
+ fetches the kernel from the remote OS tree, and passes it to the guest
+ firmware via fw_cfg. Therefore the above symptom appears (even for
+ publicly released OSes).
+
+ Importantly, if the user downloads the installer ISO of the publicly
+ released Fedora / RHEL OS, and exposes the ISO to the guest for example
+ as a virtio-scsi CD-ROM, then the installation with "virt-install"
+ (without "--location") does succeed. That's because that way, "shim" is
+ booted first, from the UEFI-bootable CD-ROM. "Shim" does pass Secure
+ Boot verification against the Microsoft certificates, and then it is
+ "shim" that accepts the "Red Hat Secure Boot (signing key 1)" signature
+ on the guest kernel.
+
+Some ways to approach this problem (without reverting upstream commit
+ced77332cab6):
+
+- Equip "ovmf-vars-generator" / "EnrollDefaultKeys.efi" to enroll the
+ public half of "Red Hat Secure Boot (signing key 1)" in the %build
+ stage. Use a publicly released RHEL kernel in the %check stage.
+
+ Downsides:
+
+ - The Brew build root does not offer any particular released RHEL
+ kernel, so either the %check stage would have to download it, or the
+ SRPM would have to bundle it. However, Brew build environments do not
+ have unfettered network access (rightly so), so the download wouldn't
+ work. Furthermore, for bundling with the SRPM, such a kernel image
+ could be considered too large.
+
+ - Does not solve the "virt-install --location" issue for other vendors'
+ signed kernels.
+
+- Invoke "ovmf-vars-generator" / "EnrollDefaultKeys.efi" multiple times
+ during %build, to create multiple varstore templates. One that would
+ accept publicly released RHEL kernels, and another to accept development
+ kernels. Don't try to use a particular guest kernel for verification;
+ instead, check what kernel Brew offers in the build environment, and use
+ the varstore template matching *that* kernel.
+
+ Downsides:
+
+ - It may be considered useless to perform %check with a varstore
+ template that is *not* the one that we ship.
+
+ - Does not solve the "virt-install --location" issue for other vendors'
+ signed kernels.
+
+- Sign the RHEL kernels such that the currently enrolled certificates
+ accept them.
+
+ Downsides:
+
+ - Not feasible at all; it would require Microsoft to sign our kernels.
+ "Shim" exists exactly to eliminate such signing requirements.
+
+- Modify "virt-install --location NETWORK-URL" such that it download a
+ complete (UEFI-bootable) installer ISO image, rather than broken-out
+ vmlinuz / initrd files. In other words, replace direct (fw_cfg) kernel
+ boot with a CD-ROM / "shim" boot, internally to "virt-install".
+
+ Downsides:
+
+ - Defeats the goal of "virt-install --location NETWORK-URL", and defeats
+ the network installation method of (for example) Anaconda.
+
+For now, revert upstream commit ced77332cab6, in order to return to the
+model we had used in RHEL-8.2 and before. The following ticket has been
+filed to investigate the problem separately:
+.
+
+Signed-off-by: Laszlo Ersek
+---
+ OvmfPkg/OvmfPkgIa32.dsc | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
+ OvmfPkg/OvmfPkgX64.dsc | 4 ----
+ 3 files changed, 12 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index e8868136d8..5b1e757cb9 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -379,11 +379,7 @@
+ PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
+ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+ QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+-!if $(SECURE_BOOT_ENABLE) == TRUE
+- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+-!else
+ QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!endif
+ !if $(TPM_ENABLE) == TRUE
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d05275a324..5dffc32105 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -383,11 +383,7 @@
+ PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
+ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+ QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+-!if $(SECURE_BOOT_ENABLE) == TRUE
+- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+-!else
+ QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!endif
+ !if $(TPM_ENABLE) == TRUE
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index cac4cecf18..a2a76fdeea 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -383,11 +383,7 @@
+ PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
+ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+ QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+-!if $(SECURE_BOOT_ENABLE) == TRUE
+- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+-!else
+ QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!endif
+ !if $(TPM_ENABLE) == TRUE
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+--
+2.18.1
+
diff --git a/SOURCES/edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch b/SOURCES/edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
deleted file mode 100644
index fba10c3..0000000
--- a/SOURCES/edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
+++ /dev/null
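Review bot: After this revert the `QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf` mapping is unconditional in OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc, so a SECURE_BOOT_ENABLE build boots a fw_cfg kernel through the legacy Linux/x86 Boot Protocol regardless of whether LoadImage() would have rejected it, and together with the EFI_ACCESS_DENIED fall-through added in SOURCES/0026 the DENY_EXECUTE_ON_SECURITY_VIOLATION verdict never applies to that path. The commit message argues this is the intended downstream threat model (host-supplied kernel, guest-internal Secure Boot), but nothing in the .dsc files records it, so the next rebase that resolves this conflict can flip the behaviour without anyone reviewing it; a comment above the mapping in each of the three files, `# RHEL: X86QemuLoadImageLib is used even with SECURE_BOOT_ENABLE -- fw_cfg direct kernel boot is host-trusted and bypasses Secure Boot by design (see SOURCES/0027)`, would pin the decision where the conflict will surface. The closing sentence "The following ticket has been filed to investigate the problem separately: ." has lost the ticket reference in the patch file as committed, so the only pointer to the follow-up work is missing. The same removal is made in all three hunks of this file; this note covers them.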
@@ -1,338 +0,0 @@ -From 3c9574af677c24b969c3baa6a527dabaf97f11a2 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Mon, 2 Dec 2019 12:31:53 +0100 -Subject: [PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20191117220052.15700-6-lersek@redhat.com> -Patchwork-id: 92461 -O-Subject: [RHEL-8.2.0 edk2 PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553) -Bugzilla: 1536624 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the -edk2-libc project, in commit 964f432b9b0a ("edk2: Remove AppPkg, StdLib, -StdLibPrivateInternalFiles", 2019-04-29). - -We'd like to use the inet_pton() function in CryptoPkg. Resurrect the -"inet_pton.c" file from just before the StdLib removal, as follows: - - $ git show \ - 964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \ - > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c - -The inet_pton() function is only intended for the DXE phase at this time, -therefore only the "BaseCryptLib" instance INF file receives the new file. 
- -Cc: David Woodhouse -Cc: Jian J Wang -Cc: Jiaxin Wu -Cc: Sivaraman Nainar -Cc: Xiaoyu Lu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960 -CVE: CVE-2019-14553 -Signed-off-by: Laszlo Ersek -Reviewed-by: Jian J Wang -Reviewed-by: Jiaxin Wu -(cherry picked from commit 8d16ef8269b2ff373d8da674e59992adfdc032d3) ---- - CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 + - CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 +++++++++++++++++++++ - CryptoPkg/Library/Include/CrtLibSupport.h | 1 + - 3 files changed, 259 insertions(+) - create mode 100644 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c - -diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf -index 8d4988e..b5cfd8b 100644 ---- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf -+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf -@@ -58,6 +58,7 @@ - SysCall/CrtWrapper.c - SysCall/TimerWrapper.c - SysCall/BaseMemAllocation.c -+ SysCall/inet_pton.c - - [Sources.Ia32] - Rand/CryptRandTsc.c -diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c -new file mode 100644 -index 0000000..32e1ab8 ---- /dev/null -+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c -@@ -0,0 +1,257 @@ -+/* Copyright (c) 1996 by Internet Software Consortium. -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL INTERNET SOFTWARE -+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL -+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR -+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS -+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS -+ * SOFTWARE. -+ */ -+ -+/* -+ * Portions copyright (c) 1999, 2000 -+ * Intel Corporation. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * -+ * This product includes software developed by Intel Corporation and -+ * its contributors. -+ * -+ * 4. Neither the name of Intel Corporation or its contributors may be -+ * used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS'' -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. 
IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF -+ * THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#if defined(LIBC_SCCS) && !defined(lint) -+static char rcsid[] = "$Id: inet_pton.c,v 1.1.1.1 2003/11/19 01:51:30 kyu3 Exp $"; -+#endif /* LIBC_SCCS and not lint */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* -+ * WARNING: Don't even consider trying to compile this on a system where -+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. -+ */ -+ -+static int inet_pton4 (const char *src, u_char *dst); -+static int inet_pton6 (const char *src, u_char *dst); -+ -+/* int -+ * inet_pton(af, src, dst) -+ * convert from presentation format (which usually means ASCII printable) -+ * to network format (which is usually some kind of binary format). -+ * return: -+ * 1 if the address was valid for the specified address family -+ * 0 if the address wasn't valid (`dst' is untouched in this case) -+ * -1 if some other error occurred (`dst' is untouched in this case, too) -+ * author: -+ * Paul Vixie, 1996. -+ */ -+int -+inet_pton( -+ int af, -+ const char *src, -+ void *dst -+ ) -+{ -+ switch (af) { -+ case AF_INET: -+ return (inet_pton4(src, dst)); -+ case AF_INET6: -+ return (inet_pton6(src, dst)); -+ default: -+ errno = EAFNOSUPPORT; -+ return (-1); -+ } -+ /* NOTREACHED */ -+} -+ -+/* int -+ * inet_pton4(src, dst) -+ * like inet_aton() but without all the hexadecimal and shorthand. -+ * return: -+ * 1 if `src' is a valid dotted quad, else 0. 
-+ * notice: -+ * does not touch `dst' unless it's returning 1. -+ * author: -+ * Paul Vixie, 1996. -+ */ -+static int -+inet_pton4( -+ const char *src, -+ u_char *dst -+ ) -+{ -+ static const char digits[] = "0123456789"; -+ int saw_digit, octets, ch; -+ u_char tmp[NS_INADDRSZ], *tp; -+ -+ saw_digit = 0; -+ octets = 0; -+ *(tp = tmp) = 0; -+ while ((ch = *src++) != '\0') { -+ const char *pch; -+ -+ if ((pch = strchr(digits, ch)) != NULL) { -+ u_int new = *tp * 10 + (u_int)(pch - digits); -+ -+ if (new > 255) -+ return (0); -+ *tp = (u_char)new; -+ if (! saw_digit) { -+ if (++octets > 4) -+ return (0); -+ saw_digit = 1; -+ } -+ } else if (ch == '.' && saw_digit) { -+ if (octets == 4) -+ return (0); -+ *++tp = 0; -+ saw_digit = 0; -+ } else -+ return (0); -+ } -+ if (octets < 4) -+ return (0); -+ -+ memcpy(dst, tmp, NS_INADDRSZ); -+ return (1); -+} -+ -+/* int -+ * inet_pton6(src, dst) -+ * convert presentation level address to network order binary form. -+ * return: -+ * 1 if `src' is a valid [RFC1884 2.2] address, else 0. -+ * notice: -+ * (1) does not touch `dst' unless it's returning 1. -+ * (2) :: in a full address is silently ignored. -+ * credit: -+ * inspired by Mark Andrews. -+ * author: -+ * Paul Vixie, 1996. -+ */ -+static int -+inet_pton6( -+ const char *src, -+ u_char *dst -+ ) -+{ -+ static const char xdigits_l[] = "0123456789abcdef", -+ xdigits_u[] = "0123456789ABCDEF"; -+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; -+ const char *xdigits, *curtok; -+ int ch, saw_xdigit; -+ u_int val; -+ -+ memset((tp = tmp), '\0', NS_IN6ADDRSZ); -+ endp = tp + NS_IN6ADDRSZ; -+ colonp = NULL; -+ /* Leading :: requires some special handling. 
*/ -+ if (*src == ':') -+ if (*++src != ':') -+ return (0); -+ curtok = src; -+ saw_xdigit = 0; -+ val = 0; -+ while ((ch = *src++) != '\0') { -+ const char *pch; -+ -+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) -+ pch = strchr((xdigits = xdigits_u), ch); -+ if (pch != NULL) { -+ val <<= 4; -+ val |= (pch - xdigits); -+ if (val > 0xffff) -+ return (0); -+ saw_xdigit = 1; -+ continue; -+ } -+ if (ch == ':') { -+ curtok = src; -+ if (!saw_xdigit) { -+ if (colonp) -+ return (0); -+ colonp = tp; -+ continue; -+ } -+ if (tp + NS_INT16SZ > endp) -+ return (0); -+ *tp++ = (u_char) (val >> 8) & 0xff; -+ *tp++ = (u_char) val & 0xff; -+ saw_xdigit = 0; -+ val = 0; -+ continue; -+ } -+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && -+ inet_pton4(curtok, tp) > 0) { -+ tp += NS_INADDRSZ; -+ saw_xdigit = 0; -+ break; /* '\0' was seen by inet_pton4(). */ -+ } -+ return (0); -+ } -+ if (saw_xdigit) { -+ if (tp + NS_INT16SZ > endp) -+ return (0); -+ *tp++ = (u_char) (val >> 8) & 0xff; -+ *tp++ = (u_char) val & 0xff; -+ } -+ if (colonp != NULL) { -+ /* -+ * Since some memmove()'s erroneously fail to handle -+ * overlapping regions, we'll do the shift by hand. -+ */ -+ const int n = (int)(tp - colonp); -+ int i; -+ -+ for (i = 1; i <= n; i++) { -+ endp[- i] = colonp[n - i]; -+ colonp[n - i] = 0; -+ } -+ tp = endp; -+ } -+ if (tp != endp) -+ return (0); -+ memcpy(dst, tmp, NS_IN6ADDRSZ); -+ return (1); -+} -diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h -index e603fad..5a20ba6 100644 ---- a/CryptoPkg/Library/Include/CrtLibSupport.h -+++ b/CryptoPkg/Library/Include/CrtLibSupport.h -@@ -192,6 +192,7 @@ void abort (void) __attribute__((__noreturn__)); - #else - void abort (void); - #endif -+int inet_pton (int, const char *, void *); - - // - // Macros that directly map functions to BaseLib, BaseMemoryLib, and DebugLib functions --- -1.8.3.1 - 
diff --git a/SOURCES/edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch b/SOURCES/edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch deleted file mode 100644 index e38a454..0000000 --- a/SOURCES/edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch +++ /dev/null 
@@ -1,188 +0,0 @@
-From 1ab1024f94401300fe9a1d5cdce6c15a2b091e02 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Mon, 2 Dec 2019 12:31:50 +0100
-Subject: [PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies
- (CVE-2019-14553)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20191117220052.15700-5-lersek@redhat.com>
-Patchwork-id: 92453
-O-Subject: [RHEL-8.2.0 edk2 PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553)
-Bugzilla: 1536624
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-In a later patch in this series, we're going to resurrect "inet_pton.c"
-(originally from the StdLib package). That source file has a number of
-standard C and BSD socket dependencies. Provide those dependencies here:
-
-- The header files below will simply #include :
-
- - arpa/inet.h
- - arpa/nameser.h
- - netinet/in.h
- - sys/param.h
- - sys/socket.h
-
-- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
- e2d3a25f1a31; which is the commit immediately preceding the removal of
- StdLib from edk2 (964f432b9b0a).
-
- Note that the other error macro, which we alread #define, namely EINVAL,
- has a value (22) that also matches "StdLib/Include/errno.h".
-
-- The AF_INET and AF_INET6 address family macros come from
- "StdLib/Include/sys/socket.h".
-
-- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
- "StdLib/Include/arpa/nameser.h".
-
-- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".
-
-Cc: David Woodhouse
-Cc: Jian J Wang
-Cc: Jiaxin Wu
-Cc: Sivaraman Nainar
-Cc: Xiaoyu Lu
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
-CVE: CVE-2019-14553
-Signed-off-by: Laszlo Ersek
-Reviewed-by: Jian J Wang
-Reviewed-by: Jiaxin Wu
-(cherry picked from commit 2ac41c12c0d4b3d3ee8f905ab80da019e784de00)
----
- CryptoPkg/Library/Include/CrtLibSupport.h | 16 ++++++++++++++++
- CryptoPkg/Library/Include/arpa/inet.h | 9 +++++++++
- CryptoPkg/Library/Include/arpa/nameser.h | 9 +++++++++
- CryptoPkg/Library/Include/netinet/in.h | 9 +++++++++
- CryptoPkg/Library/Include/sys/param.h | 9 +++++++++
- CryptoPkg/Library/Include/sys/socket.h | 9 +++++++++
- 6 files changed, 61 insertions(+)
- create mode 100644 CryptoPkg/Library/Include/arpa/inet.h
- create mode 100644 CryptoPkg/Library/Include/arpa/nameser.h
- create mode 100644 CryptoPkg/Library/Include/netinet/in.h
- create mode 100644 CryptoPkg/Library/Include/sys/param.h
- create mode 100644 CryptoPkg/Library/Include/sys/socket.h
-
-diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
-index b90da20..e603fad 100644
---- a/CryptoPkg/Library/Include/CrtLibSupport.h
-+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
-@@ -74,6 +74,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
- // Definitions for global constants used by CRT library routines
- //
- #define EINVAL 22 /* Invalid argument */
-+#define EAFNOSUPPORT 47 /* Address family not supported by protocol family */
- #define INT_MAX 0x7FFFFFFF /* Maximum (signed) int value */
- #define LONG_MAX 0X7FFFFFFFL /* max value for a long */
- #define LONG_MIN (-LONG_MAX-1) /* min value for a long */
-@@ -81,13 +82,28 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
- #define CHAR_BIT 8 /* Number of bits in a char */
-
- //
-+// Address families.
-+//
-+#define AF_INET 2 /* internetwork: UDP, TCP, etc.
*/
-+#define AF_INET6 24 /* IP version 6 */
-+
-+//
-+// Define constants based on RFC0883, RFC1034, RFC 1035
-+//
-+#define NS_INT16SZ 2 /*%< #/bytes of data in a u_int16_t */
-+#define NS_INADDRSZ 4 /*%< IPv4 T_A */
-+#define NS_IN6ADDRSZ 16 /*%< IPv6 T_AAAA */
-+
-+//
- // Basic types mapping
- //
- typedef UINTN size_t;
-+typedef UINTN u_int;
- typedef INTN ssize_t;
- typedef INT32 time_t;
- typedef UINT8 __uint8_t;
- typedef UINT8 sa_family_t;
-+typedef UINT8 u_char;
- typedef UINT32 uid_t;
- typedef UINT32 gid_t;
-
-diff --git a/CryptoPkg/Library/Include/arpa/inet.h b/CryptoPkg/Library/Include/arpa/inet.h
-new file mode 100644
-index 0000000..988e4e0
---- /dev/null
-+++ b/CryptoPkg/Library/Include/arpa/inet.h
-@@ -0,0 +1,9 @@
-+/** @file
-+ Include file to support building third-party standard C / BSD sockets code.
-+
-+ Copyright (C) 2019, Red Hat, Inc.
-+
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#include
-diff --git a/CryptoPkg/Library/Include/arpa/nameser.h b/CryptoPkg/Library/Include/arpa/nameser.h
-new file mode 100644
-index 0000000..988e4e0
---- /dev/null
-+++ b/CryptoPkg/Library/Include/arpa/nameser.h
-@@ -0,0 +1,9 @@
-+/** @file
-+ Include file to support building third-party standard C / BSD sockets code.
-+
-+ Copyright (C) 2019, Red Hat, Inc.
-+
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#include
-diff --git a/CryptoPkg/Library/Include/netinet/in.h b/CryptoPkg/Library/Include/netinet/in.h
-new file mode 100644
-index 0000000..988e4e0
---- /dev/null
-+++ b/CryptoPkg/Library/Include/netinet/in.h
-@@ -0,0 +1,9 @@
-+/** @file
-+ Include file to support building third-party standard C / BSD sockets code.
-+
-+ Copyright (C) 2019, Red Hat, Inc.
-+
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#include
-diff --git a/CryptoPkg/Library/Include/sys/param.h b/CryptoPkg/Library/Include/sys/param.h
-new file mode 100644
-index 0000000..988e4e0
---- /dev/null
-+++ b/CryptoPkg/Library/Include/sys/param.h
-@@ -0,0 +1,9 @@
-+/** @file
-+ Include file to support building third-party standard C / BSD sockets code.
-+
-+ Copyright (C) 2019, Red Hat, Inc.
-+
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#include
-diff --git a/CryptoPkg/Library/Include/sys/socket.h b/CryptoPkg/Library/Include/sys/socket.h
-new file mode 100644
-index 0000000..988e4e0
---- /dev/null
-+++ b/CryptoPkg/Library/Include/sys/socket.h
-@@ -0,0 +1,9 @@
-+/** @file
-+ Include file to support building third-party standard C / BSD sockets code.
-+
-+ Copyright (C) 2019, Red Hat, Inc.
-+
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#include
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch b/SOURCES/edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
deleted file mode 100644
index 3f4fd02..0000000
--- a/SOURCES/edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 697cb1880b624f83bc9e926c3614d070eb365f06 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Mon, 2 Dec 2019 12:31:47 +0100
-Subject: [PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function
- (CVE-2019-14553)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20191117220052.15700-4-lersek@redhat.com>
-Patchwork-id: 92458
-O-Subject: [RHEL-8.2.0 edk2 PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
-Bugzilla: 1536624
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-According to the ISO C standard, strchr() is a function. We #define it as
-a macro. Unfortunately, our macro evaluates the first argument ("str")
-twice. If the expression passed for "str" has side effects, the behavior
-may be undefined.
-
-In a later patch in this series, we're going to resurrect "inet_pton.c"
-(originally from the StdLib package), which calls strchr() just like that:
-
- strchr((xdigits = xdigits_l), ch)
- strchr((xdigits = xdigits_u), ch)
-
-To enable this kind of function call, turn strchr() into a function.
-
-Cc: David Woodhouse
-Cc: Jian J Wang
-Cc: Jiaxin Wu
-Cc: Sivaraman Nainar
-Cc: Xiaoyu Lu
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
-CVE: CVE-2019-14553
-Signed-off-by: Laszlo Ersek
-Reviewed-by: Philippe Mathieu-Daude
-Reviewed-by: Jian J Wang
-Reviewed-by: Jiaxin Wu
-(cherry picked from commit eb520d94dba7369d1886cd5522d5a2c36fb02209)
----
- CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++
- CryptoPkg/Library/Include/CrtLibSupport.h | 2 +-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
-index 71a2ef3..42235ab 100644
---- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
-+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
-@@ -115,6 +115,11 @@ QuickSortWorker (
- // -- String Manipulation Routines --
- //
-
-+char *strchr(const char *str, int ch)
-+{
-+ return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
-+}
-+
- /* Scan a string for the last occurrence of a character */
- char *strrchr (const char *str, int c)
- {
-diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
-index 5806f50..b90da20 100644
---- a/CryptoPkg/Library/Include/CrtLibSupport.h
-+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
-@@ -147,6 +147,7 @@ int isupper (int);
- int tolower (int);
- int strcmp (const char *, const char *);
- int strncasecmp (const char *, const char *, size_t);
-+char *strchr (const char *, int);
- char *strrchr (const char *, int);
- unsigned long strtoul (const char *, char **, int);
- long strtol (const char *, char **, int);
-@@ -188,7 +189,6 @@ void abort (void);
- #define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource)
- #define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count)
- #define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource)
--#define strchr(str,ch)
ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch)
- #define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count)))
- #define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2)
- #define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__)
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch b/SOURCES/edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
deleted file mode 100644
index bdaff30..0000000
--- a/SOURCES/edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 3885ce313d1d06359aa76b085668c1391d8a5f50 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Mon, 2 Dec 2019 12:31:43 +0100
-Subject: [PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"
- (CVE-2019-14553)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20191117220052.15700-3-lersek@redhat.com>
-Patchwork-id: 92460
-O-Subject: [RHEL-8.2.0 edk2 PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
-Bugzilla: 1536624
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-From: "Wu, Jiaxin"
-
-REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
-CVE: CVE-2019-14553
-In the patch, we add the new API "TlsSetVerifyHost" for the TLS
-protocol to set the specified host name that need to be verified.
-
-Signed-off-by: Wu Jiaxin
-Reviewed-by: Ye Ting
-Reviewed-by: Long Qin
-Reviewed-by: Fu Siyuan
-Acked-by: Laszlo Ersek
-Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
-Cc: David Woodhouse
-Cc: Jian J Wang
-Cc: Jiaxin Wu
-Cc: Sivaraman Nainar
-Cc: Xiaoyu Lu
-Signed-off-by: Laszlo Ersek
-Reviewed-by: Philippe Mathieu-Daude
-Reviewed-by: Jian J Wang
-(cherry picked from commit 2ca74e1a175232cc201798e27437700adc7fb07e)
----
- CryptoPkg/Include/Library/TlsLib.h | 20 +++++++++++++++++++
- CryptoPkg/Library/TlsLib/TlsConfig.c | 38 +++++++++++++++++++++++++++++++++++-
- 2 files changed, 57 insertions(+), 1 deletion(-)
-
-diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
-index 9875cb6..3af7d4b 100644
---- a/CryptoPkg/Include/Library/TlsLib.h
-+++ b/CryptoPkg/Include/Library/TlsLib.h
-@@ -397,6 +397,26 @@ TlsSetVerify (
- );
-
- /**
-+ Set the specified host name to be verified.
-+
-+ @param[in] Tls Pointer to the TLS object.
-+ @param[in] Flags The setting flags during the validation.
-+ @param[in] HostName The specified host name to be verified.
-+
-+ @retval EFI_SUCCESS The HostName setting was set successfully.
-+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
-+ @retval EFI_ABORTED Invalid HostName setting.
-+
-+**/
-+EFI_STATUS
-+EFIAPI
-+TlsSetVerifyHost (
-+ IN VOID *Tls,
-+ IN UINT32 Flags,
-+ IN CHAR8 *HostName
-+ );
-+
-+/**
- Sets a TLS/SSL session ID to be used during TLS/SSL connect.
-
- This function sets a session ID to be used when the TLS/SSL connection is
-diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
-index 74b577d..2bf5aee 100644
---- a/CryptoPkg/Library/TlsLib/TlsConfig.c
-+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
-@@ -1,7 +1,7 @@
- /** @file
- SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
-
--Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
-+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
- (C) Copyright 2016 Hewlett Packard Enterprise Development LP
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-@@ -498,6 +498,42 @@ TlsSetVerify (
- }
-
- /**
-+ Set the specified host name to be verified.
-+
-+ @param[in] Tls Pointer to the TLS object.
-+ @param[in] Flags The setting flags during the validation.
-+ @param[in] HostName The specified host name to be verified.
-+
-+ @retval EFI_SUCCESS The HostName setting was set successfully.
-+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
-+ @retval EFI_ABORTED Invalid HostName setting.
-+
-+**/
-+EFI_STATUS
-+EFIAPI
-+TlsSetVerifyHost (
-+ IN VOID *Tls,
-+ IN UINT32 Flags,
-+ IN CHAR8 *HostName
-+ )
-+{
-+ TLS_CONNECTION *TlsConn;
-+
-+ TlsConn = (TLS_CONNECTION *) Tls;
-+ if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
-+ return EFI_INVALID_PARAMETER;
-+ }
-+
-+ SSL_set_hostflags(TlsConn->Ssl, Flags);
-+
-+ if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
-+ return EFI_ABORTED;
-+ }
-+
-+ return EFI_SUCCESS;
-+}
-+
-+/**
- Sets a TLS/SSL session ID to be used during TLS/SSL connect.
-
- This function sets a session ID to be used when the TLS/SSL connection is
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch b/SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
deleted file mode 100644
index e9fae52..0000000
--- a/SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 970b5f67512e00fb26765a14b4a1cb8a8a04276d Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Mon, 2 Dec 2019 12:31:57 +0100
-Subject: [PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address
- literals as such (CVE-2019-14553)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20191117220052.15700-7-lersek@redhat.com>
-Patchwork-id: 92452
-O-Subject: [RHEL-8.2.0 edk2 PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
-Bugzilla: 1536624
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-Using the inet_pton() function that we imported in the previous patches,
-recognize if "HostName" is an IP address literal, and then parse it into
-binary representation. Passing the latter to OpenSSL for server
-certificate validation is important, per RFC-2818
-:
-
-> In some cases, the URI is specified as an IP address rather than a
-> hostname. In this case, the iPAddress subjectAltName must be present in
-> the certificate and must exactly match the IP in the URI.
-
-Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
-version that is currently consumed by edk2, said function depends on
-sscanf() for parsing IPv4 literals. In
-"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
-empty -- always failing -- stub for sscanf(), however.
-
-Cc: David Woodhouse
-Cc: Jian J Wang
-Cc: Jiaxin Wu
-Cc: Sivaraman Nainar
-Cc: Xiaoyu Lu
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
-CVE: CVE-2019-14553
-Suggested-by: David Woodhouse
-Signed-off-by: Laszlo Ersek
-Acked-by: Jian J Wang
-Reviewed-by: Jiaxin Wu
-(cherry picked from commit 1e72b1fb2ec597caedb5170079bb213f6d67f32a)
----
- CryptoPkg/Library/TlsLib/TlsConfig.c | 28 ++++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
-index 2bf5aee..307eb57 100644
---- a/CryptoPkg/Library/TlsLib/TlsConfig.c
-+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
-@@ -517,7 +517,11 @@ TlsSetVerifyHost (
- IN CHAR8 *HostName
- )
- {
-- TLS_CONNECTION *TlsConn;
-+ TLS_CONNECTION *TlsConn;
-+ X509_VERIFY_PARAM *VerifyParam;
-+ UINTN BinaryAddressSize;
-+ UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
-+ INTN ParamStatus;
-
- TlsConn = (TLS_CONNECTION *) Tls;
- if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
-@@ -526,11 +530,27 @@ TlsSetVerifyHost (
-
- SSL_set_hostflags(TlsConn->Ssl, Flags);
-
-- if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
-- return EFI_ABORTED;
-+ VerifyParam = SSL_get0_param (TlsConn->Ssl);
-+ ASSERT (VerifyParam != NULL);
-+
-+ BinaryAddressSize = 0;
-+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
-+ BinaryAddressSize = NS_IN6ADDRSZ;
-+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
-+ BinaryAddressSize = NS_INADDRSZ;
- }
-
-- return EFI_SUCCESS;
-+ if (BinaryAddressSize > 0) {
-+ DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
-+ "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
-+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ?
'6' : '4')));
-+ ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
-+ BinaryAddressSize);
-+ } else {
-+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
-+ }
-+
-+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
- }
-
- /**
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch b/SOURCES/edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch
deleted file mode 100644
index a635f82..0000000
--- a/SOURCES/edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 4ef57a1e6b9411e785e00e8874bd5c67235e9134 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Tue, 11 Feb 2020 17:01:59 +0100
-Subject: [PATCH 1/2] MdeModulePkg: Enable/Disable S3BootScript dynamically.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200211170200.12389-2-lersek@redhat.com>
-Patchwork-id: 93776
-O-Subject: [RHEL-8.2.0 edk2 PATCH 1/2] MdeModulePkg: Enable/Disable S3BootScript dynamically.
-Bugzilla: 1801274
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Philippe Mathieu-Daudé
-
-From: Chasel Chiu
-
---v-- RHEL8 note start --v--
-
-This patch is cherry-picked from upstream as a contextual (not semantic /
-functional) pre-requisite for the next patch.
-
-Functionally, this patch makes no difference in OVMF, for two reasons:
-
-- Downstream, we don't enable S3 anyway (per QEMU default).
-
-- The S3-related modules that are built into OVMF (S3SaveStateDxe,
- BootScriptExecutorDxe) already consider PcdAcpiS3Enable, and exit their
- entry point functions with EFI_UNSUPPORTED when the PCD is FALSE. As a
- consequence, the DESTRUCTOR function of the PiDxeS3BootScriptLib library
- instance (which is linked into those binaries) will undo whatever the
- CONSTRUCTOR function did; no resources will be leaked.
-
- https://edk2.groups.io/g/devel/message/47996
- http://mid.mail-archive.com/e43e3f56-d2db-7989-b6f1-03e1c810d908@redhat.com
-
---^-- RHEL8 note end --^--
-
-REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2212
-
-In binary model the same binary may have to support both
-S3 enabled and disabled scenarios, however not all DXE
-drivers linking PiDxeS3BootScriptLib can return error to
-invoke library DESTRUCTOR for releasing resource.
-
-To support this usage model below PCD is used to skip
-S3BootScript functions when PCD set to FALSE:
- gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
-
-Test: Verified on internal platform and S3BootScript
- functions can be skipped by PCD during boot time.
-
-Cc: Hao A Wu
-Cc: Eric Dong
-Cc: Nate DeSimone
-Cc: Liming Gao
-Cc: Laszlo Ersek
-Signed-off-by: Chasel Chiu
-Reviewed-by: Nate DeSimone
-Reviewed-by: Eric Dong
-Acked-by: Laszlo Ersek
-(cherry picked from commit ed9db1b91ceba7d3a24743d4d9314c6fbe11c4b3)
-Signed-off-by: Laszlo Ersek
-Signed-off-by: Miroslav Rezanina
----
- .../Library/PiDxeS3BootScriptLib/BootScriptSave.c | 17 ++++++++++++++++-
- .../Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf | 4 ++--
- 2 files changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-index c116727..9106e7d 100644
---- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-@@ -1,7 +1,7 @@
- /** @file
- Save the S3 data to S3 boot script.
-
-- Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
-+ Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-@@ -124,6 +124,7 @@ VOID *mRegistrationSmmReadyToLock = NULL;
- BOOLEAN mS3BootScriptTableAllocated = FALSE;
- BOOLEAN mS3BootScriptTableSmmAllocated = FALSE;
- EFI_SMM_SYSTEM_TABLE2 *mBootScriptSmst = NULL;
-+BOOLEAN mAcpiS3Enable = TRUE;
-
- /**
- This is an internal function to add a terminate node the entry, recalculate the table
-@@ -436,6 +437,12 @@ S3BootScriptLibInitialize (
- BOOLEAN InSmm;
- EFI_PHYSICAL_ADDRESS Buffer;
-
-+ if (!PcdGetBool (PcdAcpiS3Enable)) {
-+ mAcpiS3Enable = FALSE;
-+ DEBUG ((DEBUG_INFO, "%a: Skip S3BootScript because ACPI S3 disabled.\n", gEfiCallerBaseName));
-+ return RETURN_SUCCESS;
-+ }
-+
- S3TablePtr = (SCRIPT_TABLE_PRIVATE_DATA*)(UINTN)PcdGet64(PcdS3BootScriptTablePrivateDataPtr);
- //
- // The Boot script private data is not be initialized. create it
-@@ -562,6 +569,10 @@ S3BootScriptLibDeinitialize (
- {
- EFI_STATUS Status;
-
-+ if (!mAcpiS3Enable) {
-+ return RETURN_SUCCESS;
-+ }
-+
- DEBUG ((EFI_D_INFO, "%a() in %a module\n", __FUNCTION__, gEfiCallerBaseName));
-
- if (mEventDxeSmmReadyToLock != NULL) {
-@@ -810,6 +821,10 @@ S3BootScriptGetEntryAddAddress (
- {
- UINT8* NewEntryPtr;
-
-+ if (!mAcpiS3Enable) {
-+ return NULL;
-+ }
-+
- if (mS3BootScriptTablePtr->SmmLocked) {
- //
- // We need check InSmm, because after SmmReadyToLock, only SMM driver is allowed to write boot script.
-diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
-index 517ea69..2b894c9 100644
---- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
-+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
-@@ -1,7 +1,7 @@
- ## @file
- # DXE S3 boot script Library.
- #
--# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
- #
- # SPDX-License-Identifier: BSD-2-Clause-Patent
- #
-@@ -65,4 +65,4 @@
- ## SOMETIMES_PRODUCES
- gEfiMdeModulePkgTokenSpaceGuid.PcdS3BootScriptTablePrivateSmmDataPtr
- gEfiMdeModulePkgTokenSpaceGuid.PcdS3BootScriptRuntimeTableReservePageNumber ## CONSUMES
--
-+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable ## CONSUMES
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch b/SOURCES/edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
deleted file mode 100644
index 4899f97..0000000
--- a/SOURCES/edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From 51d2956d480fef83f765013c8aec7f7ddc14b84d Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Tue, 11 Feb 2020 17:02:00 +0100
-Subject: [PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric
- truncation (CVE-2019-14563)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200211170200.12389-3-lersek@redhat.com>
-Patchwork-id: 93777
-O-Subject: [RHEL-8.2.0 edk2 PATCH 2/2] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)
-Bugzilla: 1801274
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Philippe Mathieu-Daudé
-
-From: Hao A Wu
-
-REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001
-
-For S3BootScriptLib APIs:
-
-S3BootScriptSaveIoWrite
-S3BootScriptSaveMemWrite
-S3BootScriptSavePciCfgWrite
-S3BootScriptSavePciCfg2Write
-S3BootScriptSaveSmbusExecute
-S3BootScriptSaveInformation
-S3BootScriptSaveInformationAsciiString
-S3BootScriptLabel (happen in S3BootScriptLabelInternal())
-
-possible numeric truncations will happen that may lead to S3 boot script
-entry with improper size being returned to store the boot script data.
-This commit will add checks to prevent this kind of issue.
-
-Please note that the remaining S3BootScriptLib APIs:
-
-S3BootScriptSaveIoReadWrite
-S3BootScriptSaveMemReadWrite
-S3BootScriptSavePciCfgReadWrite
-S3BootScriptSavePciCfg2ReadWrite
-S3BootScriptSaveStall
-S3BootScriptSaveDispatch2
-S3BootScriptSaveDispatch
-S3BootScriptSaveMemPoll
-S3BootScriptSaveIoPoll
-S3BootScriptSavePciPoll
-S3BootScriptSavePci2Poll
-S3BootScriptCloseTable
-S3BootScriptExecute
-S3BootScriptMoveLastOpcode
-S3BootScriptCompare
-
-are not affected by such numeric truncation.
-
-Signed-off-by: Hao A Wu
-Reviewed-by: Laszlo Ersek
-Reviewed-by: Eric Dong
-Acked-by: Jian J Wang
-(cherry picked from commit 322ac05f8bbc1bce066af1dabd1b70ccdbe28891)
-Signed-off-by: Laszlo Ersek
-Signed-off-by: Miroslav Rezanina
----
- .../Library/PiDxeS3BootScriptLib/BootScriptSave.c | 52 +++++++++++++++++++++-
- 1 file changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-index 9106e7d..9315fc9 100644
---- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
-@@ -1,7 +1,7 @@
- /** @file
- Save the S3 data to S3 boot script.
-
-- Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-@@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite (
- EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite;
-
- WidthInByte = (UINT8) (0x01 << (Width & 0x03));
-+
-+ //
-+ // Truncation check
-+ //
-+ if ((Count > MAX_UINT8) ||
-+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count));
-
- Script = S3BootScriptGetEntryAddAddress (Length);
-@@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite (
- EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite;
-
- WidthInByte = (UINT8) (0x01 << (Width & 0x03));
-+
-+ //
-+ // Truncation check
-+ //
-+ if ((Count > MAX_UINT8) ||
-+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count));
-
- Script = S3BootScriptGetEntryAddAddress (Length);
-@@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite (
- }
-
- WidthInByte = (UINT8) (0x01 << (Width & 0x03));
-+
-+ //
-+ // Truncation check
-+ //
-+ if ((Count > MAX_UINT8) ||
-+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count));
-
- Script = S3BootScriptGetEntryAddAddress (Length);
-@@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write (
- }
-
- WidthInByte = (UINT8) (0x01 << (Width & 0x03));
-+
-+ //
-+ // Truncation check
-+ //
-+ if ((Count > MAX_UINT8) ||
-+ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count));
-
- Script = S3BootScriptGetEntryAddAddress (Length);
-@@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute (
- return Status;
- }
-
-+ //
-+ // Truncation check
-+ //
-+ if (BufferLength
> MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength);
-
- Script = S3BootScriptGetEntryAddAddress (DataSize);
-@@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation (
- UINT8 *Script;
- EFI_BOOT_SCRIPT_INFORMATION ScriptInformation;
-
-+ //
-+ // Truncation check
-+ //
-+ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
-
- Script = S3BootScriptGetEntryAddAddress (Length);
-@@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal (
- UINT8 *Script;
- EFI_BOOT_SCRIPT_INFORMATION ScriptInformation;
-
-+ //
-+ // Truncation check
-+ //
-+ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
-+ return RETURN_OUT_OF_RESOURCES;
-+ }
- Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
-
- Script = S3BootScriptGetEntryAddAddress (Length);
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch b/SOURCES/edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch
deleted file mode 100644
index 92bb1d4..0000000
--- a/SOURCES/edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From e57f49101a66663a4f5425995e9ea97ae0858e1b Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Tue, 14 Jan 2020 12:39:05 +0100
-Subject: [PATCH 1/2] MdeModulePkg/UefiBootManagerLib: log reserved mem
- allocation failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200114123906.8547-2-lersek@redhat.com>
-Patchwork-id: 93339
-O-Subject: [RHEL-8.2.0 edk2 PATCH 1/2] MdeModulePkg/UefiBootManagerLib: log reserved mem allocation failure
-Bugzilla: 1789797
-RH-Acked-by: Vitaly Kuznetsov
-RH-Acked-by: Philippe Mathieu-Daudé
-
-The LoadFile protocol can report such a large buffer size that we cannot
-allocate enough reserved pages for. This particularly affects HTTP(S)
-Boot, if the remote file is very large (for example, an ISO image).
-
-While the TianoCore wiki mentions this at
-:
-
-> The maximum RAM disk image size depends on how much continuous reserved
-> memory block the platform could provide.
-
-it's hard to remember; so log a DEBUG_ERROR message when the allocation
-fails.
-
-This patch produces error messages such as:
-
-> UiApp:BmExpandLoadFile: failed to allocate reserved pages:
-> BufferSize=4501536768
-> LoadFile="PciRoot(0x0)/Pci(0x3,0x0)/MAC(5254001B103E,0x1)/
-> IPv4(0.0.0.0,TCP,DHCP,192.168.124.106,192.168.124.1,255.255.255.0)/
-> Dns(192.168.124.1)/
-> Uri(https://ipv4-server/RHEL-7.7-20190723.1-Server-x86_64-dvd1.iso)"
-> FilePath=""
-
-(Manually rewrapped here for keeping PatchCheck.py happy.)
-
-Cc: Hao A Wu
-Cc: Jian J Wang
-Cc: Ray Ni
-Cc: Zhichao Gao
-Signed-off-by: Laszlo Ersek
-Reviewed-by: Philippe Mathieu-Daude
-Reviewed-by: Siyuan Fu
-Acked-by: Hao A Wu
-(cherry picked from commit a56af23f066e2816c67b7c6e64de7ddefcd70780)
-Signed-off-by: Miroslav Rezanina
----
- MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c | 31 ++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c b/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
-index 952033f..ded9ae9 100644
---- a/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
-+++ b/MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c
-@@ -1386,6 +1386,37 @@ BmExpandLoadFile (
- //
- FileBuffer = AllocateReservedPages (EFI_SIZE_TO_PAGES (BufferSize));
- if (FileBuffer == NULL) {
-+ DEBUG_CODE (
-+ EFI_DEVICE_PATH *LoadFilePath;
-+ CHAR16 *LoadFileText;
-+ CHAR16 *FileText;
-+
-+ LoadFilePath = DevicePathFromHandle (LoadFileHandle);
-+ if (LoadFilePath == NULL) {
-+ LoadFileText = NULL;
-+ } else {
-+ LoadFileText = ConvertDevicePathToText (LoadFilePath, FALSE, FALSE);
-+ }
-+ FileText = ConvertDevicePathToText (FilePath, FALSE, FALSE);
-+
-+ DEBUG ((
-+ DEBUG_ERROR,
-+ "%a:%a: failed to allocate reserved pages: "
-+ "BufferSize=%Lu LoadFile=\"%s\" FilePath=\"%s\"\n",
-+ gEfiCallerBaseName,
-+ __FUNCTION__,
-+ (UINT64)BufferSize,
-+ LoadFileText,
-+ FileText
-+ ));
-+
-+ if (FileText != NULL) {
-+ FreePool (FileText);
-+ }
-+ if (LoadFileText != NULL) {
-+ FreePool (LoadFileText);
-+ }
-+ );
- return NULL;
- }
-
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch b/SOURCES/edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
deleted file mode 100644
index f1b88d3..0000000
--- a/SOURCES/edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
+++ /dev/null
@@ -1,156 +0,0 @@ -From 22ebe3ff84003e9256759e230ac68da35c6d77a2 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Mon, 2 Dec 2019 12:31:37 +0100 -Subject: [PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of - EfiTlsVerifyHost (CVE-2019-14553) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20191117220052.15700-2-lersek@redhat.com> -Patchwork-id: 92457 -O-Subject: [RHEL-8.2.0 edk2 PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553) -Bugzilla: 1536624 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -From: "Wu, Jiaxin" - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960 -CVE: CVE-2019-14553 -In the patch, we add the new data type named "EfiTlsVerifyHost" and -the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP) -to enable the host name check so as to avoid the potential -Man-In-The-Middle attack. - -Signed-off-by: Wu Jiaxin -Reviewed-by: Ye Ting -Reviewed-by: Long Qin -Reviewed-by: Fu Siyuan -Acked-by: Laszlo Ersek -Message-Id: <20190927034441.3096-2-Jiaxin.wu@intel.com> -Cc: David Woodhouse -Cc: Jian J Wang -Cc: Jiaxin Wu -Cc: Sivaraman Nainar -Cc: Xiaoyu Lu -Signed-off-by: Laszlo Ersek -Reviewed-by: Liming Gao -(cherry picked from commit 31efec82796cb950e99d1622aa9c0eb8380613a0) ---- - MdePkg/Include/Protocol/Tls.h | 68 ++++++++++++++++++++++++++++++++++++------- - 1 file changed, 57 insertions(+), 11 deletions(-) - -diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.h -index bf1b672..af524ae 100644 ---- a/MdePkg/Include/Protocol/Tls.h -+++ b/MdePkg/Include/Protocol/Tls.h -@@ -42,10 +42,6 @@ typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL; - /// - typedef enum { - /// -- /// Session Configuration -- /// -- -- /// - /// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION. 
- /// - EfiTlsVersion, -@@ -86,11 +82,6 @@ typedef enum { - /// The corresponding Data is of type EFI_TLS_SESSION_STATE. - /// - EfiTlsSessionState, -- -- /// -- /// Session information -- /// -- - /// - /// TLS session data client random. - /// The corresponding Data is of type EFI_TLS_RANDOM. -@@ -106,9 +97,15 @@ typedef enum { - /// The corresponding Data is of type EFI_TLS_MASTER_SECRET. - /// - EfiTlsKeyMaterial, -+ /// -+ /// TLS session hostname for validation which is used to verify whether the name -+ /// within the peer certificate matches a given host name. -+ /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE. -+ /// The corresponding Data is of type EFI_TLS_VERIFY_HOST. -+ /// -+ EfiTlsVerifyHost, - - EfiTlsSessionDataTypeMaximum -- - } EFI_TLS_SESSION_DATA_TYPE; - - /// -@@ -178,7 +175,8 @@ typedef UINT32 EFI_TLS_VERIFY; - /// - #define EFI_TLS_VERIFY_PEER 0x1 - /// --/// TLS session will fail peer certificate is absent. -+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode. -+/// TLS session will fail if client certificate is absent. - /// - #define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2 - /// -@@ -188,6 +186,54 @@ typedef UINT32 EFI_TLS_VERIFY; - #define EFI_TLS_VERIFY_CLIENT_ONCE 0x4 - - /// -+/// EFI_TLS_VERIFY_HOST_FLAG -+/// -+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG; -+/// -+/// There is no additional flags set for hostname validation. -+/// Wildcards are supported and they match only in the left-most label. -+/// -+#define EFI_TLS_VERIFY_FLAG_NONE 0x00 -+/// -+/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the -+/// certificate contains Subject Alternative Name (SAN). -+/// -+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01 -+/// -+/// Disable the match of all wildcards. -+/// -+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02 -+/// -+/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www"). 
-+/// -+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04 -+/// -+/// Allow the "*" to match more than one labels. Otherwise, only matches a single label. -+/// -+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08 -+/// -+/// Restrict to only match direct child sub-domains which start with ".". -+/// For example, a name of ".example.com" would match "www.example.com" with this flag, -+/// but would not match "www.sub.example.com". -+/// -+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 -+/// -+/// Never check the Subject Distinguished Name (DN) even there is no -+/// Subject Alternative Name (SAN) in the certificate. -+/// -+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20 -+ -+/// -+/// EFI_TLS_VERIFY_HOST -+/// -+#pragma pack (1) -+typedef struct { -+ EFI_TLS_VERIFY_HOST_FLAG Flags; -+ CHAR8 *HostName; -+} EFI_TLS_VERIFY_HOST; -+#pragma pack () -+ -+/// - /// EFI_TLS_RANDOM - /// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1. - /// Hello Messages". --- -1.8.3.1 - diff --git a/SOURCES/edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch b/SOURCES/edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch deleted file mode 100644 index 06caad5..0000000 --- a/SOURCES/edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From d28c0053e94b8e721307ac1698d86e5dfb328e6d Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Mon, 2 Dec 2019 12:32:04 +0100 -Subject: [PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification - (CVE-2019-14553) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20191117220052.15700-9-lersek@redhat.com> -Patchwork-id: 92459 -O-Subject: [RHEL-8.2.0 edk2 PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553) -Bugzilla: 1536624 -RH-Acked-by: Vitaly Kuznetsov -RH-Acked-by: Philippe Mathieu-Daudé - -From: "Wu, Jiaxin" - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960 -CVE: CVE-2019-14553 -Set the HostName by consuming TLS protocol to enable the host name -check so as to avoid the potential Man-In-The-Middle attack. - -Signed-off-by: Wu Jiaxin -Reviewed-by: Ye Ting -Reviewed-by: Long Qin -Reviewed-by: Fu Siyuan -Acked-by: Laszlo Ersek -Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com> -Cc: David Woodhouse -Cc: Jian J Wang -Cc: Jiaxin Wu -Cc: Sivaraman Nainar -Cc: Xiaoyu Lu -Signed-off-by: Laszlo Ersek -(cherry picked from commit e2fc50812895b17e8b23f5a9c43cde29531b200f) ---- - NetworkPkg/HttpDxe/HttpProto.h | 1 + - NetworkPkg/HttpDxe/HttpsSupport.c | 21 +++++++++++++++++---- - 2 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h -index 6e1f517..34308e0 100644 ---- a/NetworkPkg/HttpDxe/HttpProto.h -+++ b/NetworkPkg/HttpDxe/HttpProto.h -@@ -82,6 +82,7 @@ typedef struct { - EFI_TLS_VERSION Version; - EFI_TLS_CONNECTION_END ConnectionEnd; - EFI_TLS_VERIFY VerifyMethod; -+ EFI_TLS_VERIFY_HOST VerifyHost; - EFI_TLS_SESSION_STATE SessionState; - } TLS_CONFIG_DATA; - -diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c -index 988bbcb..5dfb13b 100644 ---- a/NetworkPkg/HttpDxe/HttpsSupport.c -+++ 
b/NetworkPkg/HttpDxe/HttpsSupport.c -@@ -623,13 +623,16 @@ TlsConfigureSession ( - // - // TlsConfigData initialization - // -- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; -- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; -- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; -+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; -+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; -+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; -+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost; -+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; - - // - // EfiTlsConnectionEnd, -- // EfiTlsVerifyMethod -+ // EfiTlsVerifyMethod, -+ // EfiTlsVerifyHost, - // EfiTlsSessionState - // - Status = HttpInstance->Tls->SetSessionData ( -@@ -654,6 +657,16 @@ TlsConfigureSession ( - - Status = HttpInstance->Tls->SetSessionData ( - HttpInstance->Tls, -+ EfiTlsVerifyHost, -+ &HttpInstance->TlsConfigData.VerifyHost, -+ sizeof (EFI_TLS_VERIFY_HOST) -+ ); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ -+ Status = HttpInstance->Tls->SetSessionData ( -+ HttpInstance->Tls, - EfiTlsSessionState, - &(HttpInstance->TlsConfigData.SessionState), - sizeof (EFI_TLS_SESSION_STATE) --- -1.8.3.1 - diff --git a/SOURCES/edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch b/SOURCES/edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch deleted file mode 100644 index ec51be6..0000000 --- a/SOURCES/edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 555d93f2daa551dc2311b15210a918aa79ed18ff Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 14 Jan 2020 12:39:06 +0100 -Subject: [PATCH 2/2] NetworkPkg/HttpDxe: fix 32-bit truncation in HTTPS - download -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200114123906.8547-3-lersek@redhat.com> -Patchwork-id: 93340 -O-Subject: [RHEL-8.2.0 edk2 PATCH 2/2] NetworkPkg/HttpDxe: fix 32-bit truncation in HTTPS download -Bugzilla: 1789797 -RH-Acked-by: Vitaly Kuznetsov -RH-Acked-by: Philippe Mathieu-Daudé - -When downloading over TLS, each TLS message ("APP packet") is returned as -a (decrypted) fragment table by EFI_TLS_PROTOCOL.ProcessPacket(). - -The TlsProcessMessage() function in "NetworkPkg/HttpDxe/HttpsSupport.c" -linearizes the fragment table into a single contiguous data block. The -resultant flat data block contains both TLS headers and data. - -The HttpsReceive() function parses the actual application data -- in this -case: decrypted HTTP data -- out of the flattened TLS data block, peeling -off the TLS headers. - -The HttpResponseWorker() function in "NetworkPkg/HttpDxe/HttpImpl.c" -propagates this HTTP data outwards, implementing the -EFI_HTTP_PROTOCOL.Response() function. - -Now consider the following documentation for EFI_HTTP_PROTOCOL.Response(), -quoted from "MdePkg/Include/Protocol/Http.h": - -> It is the responsibility of the caller to allocate a buffer for Body and -> specify the size in BodyLength. If the remote host provides a response -> that contains a content body, up to BodyLength bytes will be copied from -> the receive buffer into Body and BodyLength will be updated with the -> amount of bytes received and copied to Body. This allows the client to -> download a large file in chunks instead of into one contiguous block of -> memory. 
- -Note that, if the caller-allocated buffer is larger than the -server-provided chunk, then the transfer length is limited by the latter. -This is in fact the dominant case when downloading a huge file (for which -UefiBootManagerLib allocated a huge contiguous RAM Disk buffer) in small -TLS messages. - -For adjusting BodyLength as described above -- i.e., to the application -data chunk that has been extracted from the TLS message --, the -HttpResponseWorker() function employs the following assignment: - - HttpMsg->BodyLength = MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength); - -The (UINT32) cast is motivated by the MIN() requirement -- in -"MdePkg/Include/Base.h" -- that both arguments be of the same type. - -"Fragment.Len" (NET_FRAGMENT.Len) has type UINT32, and -"HttpMsg->BodyLength" (EFI_HTTP_MESSAGE.BodyLength) has type UINTN. -Therefore a cast is indeed necessary. - -Unfortunately, the cast is done in the wrong direction. Consider the -following circumstances: - -- "Fragment.Len" happens to be consistently 16KiB, dictated by the HTTPS - Server's TLS stack, - -- the size of the file to download is 4GiB + N*16KiB, where N is a - positive integer. - -As the download progresses, each received 16KiB application data chunk -brings the *next* input value of BodyLength closer down to 4GiB. The cast -in MIN() always masks off the high-order bits from the input value of -BodyLength, but this is no problem because the low-order bits are nonzero, -therefore the MIN() always permits progress. - -However, once BodyLength reaches 4GiB exactly on input, the MIN() -invocation produces a zero value. HttpResponseWorker() adjusts the output -value of BodyLength to zero, and then passes it to HttpParseMessageBody(). - -HttpParseMessageBody() (in "NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c") -rejects the zero BodyLength with EFI_INVALID_PARAMETER, which is fully -propagated outwards, and aborts the HTTPS download. 
HttpBootDxe writes the -message "Error: Unexpected network error" to the UEFI console. - -For example, a file with size (4GiB + 197MiB) terminates after downloading -just 197MiB. - -Invert the direction of the cast: widen "Fragment.Len" to UINTN. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Siyuan Fu -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daude -Reviewed-by: Siyuan Fu -Reviewed-by: Maciej Rabeda -(cherry picked from commit 4cca7923992a13f6b753782f469ee944da2db796) -Signed-off-by: Miroslav Rezanina ---- - NetworkPkg/HttpDxe/HttpImpl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c -index 6b87731..1acbb60 100644 ---- a/NetworkPkg/HttpDxe/HttpImpl.c -+++ b/NetworkPkg/HttpDxe/HttpImpl.c -@@ -1348,7 +1348,7 @@ HttpResponseWorker ( - // - // Process the received the body packet. - // -- HttpMsg->BodyLength = MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength); -+ HttpMsg->BodyLength = MIN ((UINTN) Fragment.Len, HttpMsg->BodyLength); - - CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); - --- -1.8.3.1 - diff --git a/SOURCES/edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch b/SOURCES/edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch deleted file mode 100644 index 3aa8efd..0000000 --- a/SOURCES/edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 24a4a1d62ae749c197f36d72f645c7142f368e6a Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Mon, 2 Dec 2019 12:32:00 +0100 -Subject: [PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to - TlsDxe driver (CVE-2019-14553) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20191117220052.15700-8-lersek@redhat.com> -Patchwork-id: 92456 -O-Subject: [RHEL-8.2.0 edk2 PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553) -Bugzilla: 1536624 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -From: "Wu, Jiaxin" - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960 -CVE: CVE-2019-14553 -The new data type named "EfiTlsVerifyHost" and the -EFI_TLS_VERIFY_HOST_FLAG are supported in TLS protocol. - -Signed-off-by: Wu Jiaxin -Reviewed-by: Ye Ting -Reviewed-by: Long Qin -Reviewed-by: Fu Siyuan -Acked-by: Laszlo Ersek -Message-Id: <20190927034441.3096-4-Jiaxin.wu@intel.com> -Cc: David Woodhouse -Cc: Jian J Wang -Cc: Jiaxin Wu -Cc: Sivaraman Nainar -Cc: Xiaoyu Lu -Signed-off-by: Laszlo Ersek -(cherry picked from commit 703e7ab21ff8fda9ababf7751d59bd28ad5da947) ---- - NetworkPkg/TlsDxe/TlsProtocol.c | 44 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 41 insertions(+), 3 deletions(-) - -diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c -index a7a993f..001e540 100644 ---- a/NetworkPkg/TlsDxe/TlsProtocol.c -+++ b/NetworkPkg/TlsDxe/TlsProtocol.c -@@ -1,7 +1,7 @@ - /** @file - Implementation of EFI TLS Protocol Interfaces. - -- Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
-+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -56,12 +56,16 @@ TlsSetSessionData ( - UINT16 *CipherId; - CONST EFI_TLS_CIPHER *TlsCipherList; - UINTN CipherCount; -+ CONST EFI_TLS_VERIFY_HOST *TlsVerifyHost; -+ EFI_TLS_VERIFY VerifyMethod; -+ UINTN VerifyMethodSize; - UINTN Index; - - EFI_TPL OldTpl; - -- Status = EFI_SUCCESS; -- CipherId = NULL; -+ Status = EFI_SUCCESS; -+ CipherId = NULL; -+ VerifyMethodSize = sizeof (EFI_TLS_VERIFY); - - if (This == NULL || Data == NULL || DataSize == 0) { - return EFI_INVALID_PARAMETER; -@@ -149,6 +153,40 @@ TlsSetSessionData ( - - TlsSetVerify (Instance->TlsConn, *((UINT32 *) Data)); - break; -+ case EfiTlsVerifyHost: -+ if (DataSize != sizeof (EFI_TLS_VERIFY_HOST)) { -+ Status = EFI_INVALID_PARAMETER; -+ goto ON_EXIT; -+ } -+ -+ TlsVerifyHost = (CONST EFI_TLS_VERIFY_HOST *) Data; -+ -+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT) != 0 && -+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT) != 0) { -+ Status = EFI_INVALID_PARAMETER; -+ goto ON_EXIT; -+ } -+ -+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS) != 0 && -+ ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS) != 0 || -+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) != 0)) { -+ Status = EFI_INVALID_PARAMETER; -+ goto ON_EXIT; -+ } -+ -+ Status = This->GetSessionData (This, EfiTlsVerifyMethod, &VerifyMethod, &VerifyMethodSize); -+ if (EFI_ERROR (Status)) { -+ goto ON_EXIT; -+ } -+ -+ if ((VerifyMethod & EFI_TLS_VERIFY_PEER) == 0) { -+ Status = EFI_INVALID_PARAMETER; -+ goto ON_EXIT; -+ } -+ -+ Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName); -+ -+ break; - case EfiTlsSessionID: - if (DataSize != sizeof (EFI_TLS_SESSION_ID)) { - Status = EFI_INVALID_PARAMETER; --- -1.8.3.1 - 
diff --git a/SOURCES/edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch b/SOURCES/edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch new file mode 100644 index 0000000..5183b4a --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch 
@@ -0,0 +1,50 @@ +From 135d3d4b4ff12927f7b0c44e067fd42ceae83bb7 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:37:50 +0200 +Subject: [PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO + level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +Message-id: <20200615080105.11859-3-lersek@redhat.com> +Patchwork-id: 97533 +O-Subject: [RHEL-8.3.0 edk2 PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO level +Bugzilla: 1844682 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Philippe Mathieu-Daudé + +gBS->LoadImage() returning EFI_NOT_FOUND is an expected condition; it +means that QEMU wasn't started with "-kernel". Log this status code as +INFO rather than ERROR. + +Cc: Ard Biesheuvel +Cc: Jordan Justen +Cc: Philippe Mathieu-Daudé +Signed-off-by: Laszlo Ersek +Message-Id: <20200609105414.12474-1-lersek@redhat.com> +Acked-by: Ard Biesheuvel +(cherry picked from commit 14c7ed8b51f60097ad771277da69f74b22a7a759) +--- + .../Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c +index 14c8417d43..114db7e844 100644 +--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c ++++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c +@@ -106,7 +106,8 @@ QemuLoadKernelImage ( + goto UnloadImage; + + default: +- DEBUG ((DEBUG_ERROR, "%a: LoadImage(): %r\n", __FUNCTION__, Status)); ++ DEBUG ((Status == EFI_NOT_FOUND ? DEBUG_INFO : DEBUG_ERROR, ++ "%a: LoadImage(): %r\n", __FUNCTION__, Status)); + return Status; + } + +-- +2.27.0 + 
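Review bot: The rationale for logging EFI_NOT_FOUND at INFO lives only in the commit message; in the `default:` branch of QemuLoadKernelImage() the reader meets a bare ternary in the DEBUG level argument with nothing explaining why a failed LoadImage() is not an error here. A one-line comment above the call would carry that into the source, e.g. `// EFI_NOT_FOUND only means QEMU was not started with "-kernel"; not an error.` The enclosing switch and QemuLoadKernelImage() itself begin and end outside this hunk.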
diff --git a/SOURCES/edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/SOURCES/edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch new file mode 100644 index 0000000..63910e8 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch 
@@ -0,0 +1,85 @@ +From 9adcdf493ebbd11efb74e2905ab5f6c8996e096d Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:31:36 +0200 +Subject: [PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no + "-kernel" in silent aa64 build (RH) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +Message-id: <20200615080105.11859-2-lersek@redhat.com> +Patchwork-id: 97532 +O-Subject: [RHEL-8.3.0 edk2 PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in silent aa64 build (RH) +Bugzilla: 1844682 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Philippe Mathieu-Daudé + +If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe +should return EFI_NOT_FOUND, so that the DXE Core can unload it. However, +the associated error message, logged by the DXE Core to the serial +console, is not desired in the silent edk2-aarch64 build, given that the +absence of "-kernel" is nothing out of the ordinary. Therefore, return +success and stay resident. The wasted guest RAM still gets freed after +ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +--- + .../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++ + .../QemuKernelLoaderFsDxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index b09ff6a359..ec0244d61b 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1039,6 +1040,22 @@ QemuKernelLoaderFsDxeEntrypoint ( + + if (KernelBlob->Data == NULL) { + Status = EFI_NOT_FOUND; ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If the "-kernel" QEMU option is not being used, this platform DXE driver ++ // should return EFI_NOT_FOUND, so that the DXE Core can unload it. ++ // However, the associated error message, logged by the DXE Core to the ++ // serial console, is not desired in the silent edk2-aarch64 build, given ++ // that the absence of "-kernel" is nothing out of the ordinary. Therefore, ++ // return success and stay resident. The wasted guest RAM still gets freed ++ // after ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ Status = EFI_SUCCESS; ++ } ++#endif + goto FreeBlobs; + } + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +index 7b35adb8e0..e0331c6e2c 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +@@ -28,6 +28,7 @@ + BaseLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + DevicePathLib + MemoryAllocationLib + QemuFwCfgLib +-- +2.27.0 + 
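Review bot: The silent-build override in QemuKernelLoaderFsDxeEntrypoint() keys on `GetDebugPrintErrorLevel () == DEBUG_ERROR`, an exact-mask equality rather than a bit test, so an aarch64 build whose debug mask carries any bit besides DEBUG_ERROR appears to fall back to EFI_NOT_FOUND and the DXE Core message the change sets out to suppress. If that is intentional (only the fully silent mask qualifies), the comment block should state it, e.g. `// Exact match on purpose: only the silent build's mask (DEBUG_ERROR alone) qualifies.` The success return still reaches `goto FreeBlobs`, so the blobs are released even though the driver stays resident; a short sentence saying so would spare the next reader from tracing that path. The enclosing function begins and ends outside this hunk.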
diff --git a/SOURCES/edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch b/SOURCES/edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch deleted file mode 100644 index e8167d6..0000000 --- a/SOURCES/edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 78cfb461bedb0e0491b267528b2ebd30adc1d87c Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 27 Mar 2020 07:01:18 +0100 -Subject: [PATCH] OvmfPkg/QemuVideoDxe: unbreak "secondary-vga" and - "bochs-display" support -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Message-id: <20200226173820.16398-2-lersek@redhat.com> -Patchwork-id: 94054 -O-Subject: [RHEL-8.2.0 edk2 PATCH 1/1] OvmfPkg/QemuVideoDxe: unbreak "secondary-vga" and "bochs-display" support -Bugzilla: 1806359 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Philippe Mathieu-Daudé - -In edk2 commit 333f32ec23dd, QemuVideoDxe gained support for QEMU's -"secondary-vga" device model (originally introduced in QEMU commit -63e3e24db2e9). - -In QEMU commit 765c94290863, the "bochs-display" device was introduced, -which would work with QemuVideoDxe out of the box, reusing the -"secondary-vga" logic. - -Support for both models has been broken since edk2 commit 662bd0da7fd7. -Said patch ended up requiring VGA IO Ports -- i.e., at least one of -EFI_PCI_IO_ATTRIBUTE_VGA_IO and EFI_PCI_IO_ATTRIBUTE_VGA_IO_16 -- even if -the device wasn't actually VGA compatible. - -Restrict the IO Ports requirement to VGA compatible devices. 
- -Cc: Ard Biesheuvel -Cc: Gerd Hoffmann -Cc: Jordan Justen -Cc: Marc W Chen -Cc: Philippe Mathieu-Daudé -Fixes: 662bd0da7fd77e4d2cf9ef4a78015af5cad7d9db -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2555 -Signed-off-by: Laszlo Ersek -Message-Id: <20200224171741.7494-1-lersek@redhat.com> -Acked-by: Ard Biesheuvel -Reviewed-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daudé -(cherry picked from commit edfe16a6d9f8c6830d7ad93ee7616225fe4e9c13) ---- - OvmfPkg/QemuVideoDxe/Driver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/OvmfPkg/QemuVideoDxe/Driver.c b/OvmfPkg/QemuVideoDxe/Driver.c -index 522110e..902dd1b 100644 ---- a/OvmfPkg/QemuVideoDxe/Driver.c -+++ b/OvmfPkg/QemuVideoDxe/Driver.c -@@ -292,7 +292,7 @@ QemuVideoControllerDriverStart ( - } - - SupportedVgaIo &= (UINT64)(EFI_PCI_IO_ATTRIBUTE_VGA_IO | EFI_PCI_IO_ATTRIBUTE_VGA_IO_16); -- if (SupportedVgaIo == 0) { -+ if (SupportedVgaIo == 0 && IS_PCI_VGA (&Pci)) { - Status = EFI_UNSUPPORTED; - goto ClosePciIo; - } --- -1.8.3.1 - diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch deleted file mode 100644 index c57efd8..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From b68d6a626977f48ac4d05396edcb70a73b12c66c Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:45 +0100 -Subject: [PATCH 09/12] SecurityPkg/DxeImageVerificationHandler: eliminate - "Status" variable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-10-lersek@redhat.com> -Patchwork-id: 93619 -O-Subject: [RHEL-8.2.0 edk2 PATCH 09/12] SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -The "Status" variable is set to EFI_ACCESS_DENIED at the top of the -function. Then it is overwritten with EFI_SECURITY_VIOLATION under the -"Failed" (earlier: "Done") label. We finally return "Status". - -The above covers the complete usage of "Status" in -DxeImageVerificationHandler(). Remove the variable, and simply return -EFI_SECURITY_VIOLATION in the end. - -This patch is a no-op, regarding behavior. 
- -Cc: Chao Zhang -Cc: Jian J Wang -Cc: Jiewen Yao -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 -Signed-off-by: Laszlo Ersek -Message-Id: <20200116190705.18816-9-lersek@redhat.com> -Reviewed-by: Michael D Kinney -[lersek@redhat.com: push with Mike's R-b due to Chinese New Year - Holiday: ; msgid - ] -(cherry picked from commit fb02f5b2cd0b2a2d413a4f4fc41e085be2ede089) - -Signed-off-by: Miroslav Rezanina ---- - .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -index 51968bd..b49fe87 100644 ---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -@@ -1560,7 +1560,6 @@ DxeImageVerificationHandler ( - IN BOOLEAN BootPolicy - ) - { -- EFI_STATUS Status; - EFI_IMAGE_DOS_HEADER *DosHdr; - BOOLEAN IsVerified; - EFI_SIGNATURE_LIST *SignatureList; -@@ -1588,7 +1587,6 @@ DxeImageVerificationHandler ( - SecDataDir = NULL; - PkcsCertData = NULL; - Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED; -- Status = EFI_ACCESS_DENIED; - IsVerified = FALSE; - - -@@ -1880,13 +1878,12 @@ Failed: - DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr)); - FreePool(NameStr); - } -- Status = EFI_SECURITY_VIOLATION; - - if (SignatureList != NULL) { - FreePool (SignatureList); - } - -- return Status; -+ return EFI_SECURITY_VIOLATION; - } - - /** --- -1.8.3.1 - diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch deleted file mode 100644 index 9c7a572..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From ff8b6134756fca6b0c55fedc76aeb5000f783875 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:48 +0100 -Subject: [PATCH 12/12] SecurityPkg/DxeImageVerificationHandler: fix "defer" - vs. "deny" policies -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-13-lersek@redhat.com> -Patchwork-id: 93620 -O-Subject: [RHEL-8.2.0 edk2 PATCH 12/12] SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -In DxeImageVerificationHandler(), we should return EFI_SECURITY_VIOLATION -for a rejected image only if the platform sets -DEFER_EXECUTE_ON_SECURITY_VIOLATION as the policy for the image's source. -Otherwise, EFI_ACCESS_DENIED must be returned. - -Right now, EFI_SECURITY_VIOLATION is returned for all rejected images, -which is wrong -- it causes LoadImage() to hold on to rejected images (in -untrusted state), for further platform actions. However, if a platform -already set DENY_EXECUTE_ON_SECURITY_VIOLATION, the platform will not -expect the rejected image to stick around in memory (regardless of its -untrusted state). - -Therefore, adhere to the platform policy in the return value of the -DxeImageVerificationHandler() function. - -Furthermore, according to "32.4.2 Image Execution Information Table" in -the UEFI v2.8 spec, and considering that edk2 only supports (AuditMode==0) -at the moment: - -> When AuditMode==0, if the image's signature is not found in the -> authorized database, or is found in the forbidden database, the image -> will not be started and instead, information about it will be placed in -> this table. - -we have to store an EFI_IMAGE_EXECUTION_INFO record in both the "defer" -case and the "deny" case. 
Thus, the AddImageExeInfo() call is not being -made conditional on (Policy == DEFER_EXECUTE_ON_SECURITY_VIOLATION); the -documentation is updated instead. - -Cc: Chao Zhang -Cc: Jian J Wang -Cc: Jiewen Yao -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 -Fixes: 5db28a6753d307cdfb1cfdeb2f63739a9f959837 -Signed-off-by: Laszlo Ersek -Message-Id: <20200116190705.18816-12-lersek@redhat.com> -Reviewed-by: Michael D Kinney -[lersek@redhat.com: push with Mike's R-b due to Chinese New Year - Holiday: ; msgid - ] -(cherry picked from commit 8b0932c19f31cbf9da26d3b8d4e8d954bdbb5269) - -Signed-off-by: Miroslav Rezanina ---- - .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -index 015a5b6..dbfbfcb 100644 ---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -@@ -1548,7 +1548,8 @@ Done: - execution table. - @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not - authenticate, and the platform policy dictates that the DXE -- Foundation many not use File. -+ Foundation may not use File. The image has -+ been added to the file execution table. - - **/ - EFI_STATUS -@@ -1872,7 +1873,8 @@ DxeImageVerificationHandler ( - - Failed: - // -- // Policy decides to defer or reject the image; add its information in image executable information table. -+ // Policy decides to defer or reject the image; add its information in image -+ // executable information table in either case. 
- // - NameStr = ConvertDevicePathToText (File, FALSE, TRUE); - AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize); -@@ -1885,7 +1887,10 @@ Failed: - FreePool (SignatureList); - } - -- return EFI_SECURITY_VIOLATION; -+ if (Policy == DEFER_EXECUTE_ON_SECURITY_VIOLATION) { -+ return EFI_SECURITY_VIOLATION; -+ } -+ return EFI_ACCESS_DENIED; - } - - /** --- -1.8.3.1 - diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch deleted file mode 100644 index 396f1c0..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From d9f12d175da2d203be078d03c9127293ea6fe86b Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:47 +0100 -Subject: [PATCH 11/12] SecurityPkg/DxeImageVerificationHandler: fix imgexec - info on memalloc fail -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-12-lersek@redhat.com> -Patchwork-id: 93618 -O-Subject: [RHEL-8.2.0 edk2 PATCH 11/12] SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -It makes no sense to call AddImageExeInfo() with (Signature == NULL) and -(SignatureSize > 0). AddImageExeInfo() does not crash in such a case -- it -avoids the CopyMem() call --, but it creates an invalid -EFI_IMAGE_EXECUTION_INFO record. Namely, the -"EFI_IMAGE_EXECUTION_INFO.InfoSize" field includes "SignatureSize", but -the actual signature bytes are not filled in. - -Document and ASSERT() this condition in AddImageExeInfo(). - -In DxeImageVerificationHandler(), zero out "SignatureListSize" if we set -"SignatureList" to NULL due to AllocateZeroPool() failure. - -(Another approach could be to avoid calling AddImageExeInfo() completely, -in case AllocateZeroPool() fails. Unfortunately, the UEFI v2.8 spec does -not seem to state clearly whether a signature is mandatory in -EFI_IMAGE_EXECUTION_INFO, if the "Action" field is -EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED or EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND. - -For now, the EFI_IMAGE_EXECUTION_INFO addition logic is not changed; we -only make sure that the record we add is not malformed.) 
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-11-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 6aa31db5ebebe18b55aa5359142223a03592416f)
-
-Signed-off-by: Miroslav Rezanina
----
- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index c98b9e4..015a5b6 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -704,7 +704,7 @@ GetImageExeInfoTableSize (
- @param[in] Name Input a null-terminated, user-friendly name.
- @param[in] DevicePath Input device path pointer.
- @param[in] Signature Input signature info in EFI_SIGNATURE_LIST data structure.
-- @param[in] SignatureSize Size of signature.
-+ @param[in] SignatureSize Size of signature. Must be zero if Signature is NULL.
-
- **/
- VOID
-@@ -761,6 +761,7 @@ AddImageExeInfo (
- //
- // Signature size can be odd.
Pad after signature to ensure next EXECUTION_INFO entry align
- //
-+ ASSERT (Signature != NULL || SignatureSize == 0);
- NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;
-
- NewImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize + NewImageExeInfoEntrySize);
-@@ -1858,6 +1859,7 @@ DxeImageVerificationHandler (
- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
- SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
- if (SignatureList == NULL) {
-+ SignatureListSize = 0;
- goto Failed;
- }
- SignatureList->SignatureHeaderSize = 0;
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch
deleted file mode 100644
index 926cc90..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From e2efec69c63703c324099b987204a38fdb0d9d6f Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:46 +0100
-Subject: [PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for
- (FileBuffer==NULL)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-11-lersek@redhat.com>
-Patchwork-id: 93613
-O-Subject: [RHEL-8.2.0 edk2 PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL)
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-"FileBuffer" is a non-optional input (pointer) parameter to
-DxeImageVerificationHandler(). Normally, when an edk2 function receives a
-NULL argument for such a parameter, we return EFI_INVALID_PARAMETER or
-RETURN_INVALID_PARAMETER. However, those don't conform to the
-SECURITY2_FILE_AUTHENTICATION_HANDLER prototype.
-
-Return EFI_ACCESS_DENIED when "FileBuffer" is NULL; it means that no image
-has been loaded.
-
-This patch does not change the control flow in the function, it only
-changes the "Status" outcome from API-incompatible error codes to
-EFI_ACCESS_DENIED, under some circumstances.
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-10-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 6d57592740cdd0b6868baeef7929d6e6fef7a8e3)
-
-Signed-off-by: Miroslav Rezanina
----
- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index b49fe87..c98b9e4 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1655,7 +1655,7 @@ DxeImageVerificationHandler (
- // Read the Dos header.
- //
- if (FileBuffer == NULL) {
-- return EFI_INVALID_PARAMETER;
-+ return EFI_ACCESS_DENIED;
- }
-
- mImageBase = (UINT8 *) FileBuffer;
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch
deleted file mode 100644
index 04bcd90..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 58902877128851f628fe644a5c71600866317fac Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:42 +0100 -Subject: [PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on - memalloc failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-7-lersek@redhat.com> -Patchwork-id: 93616 -O-Subject: [RHEL-8.2.0 edk2 PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -A SECURITY2_FILE_AUTHENTICATION_HANDLER function is not expected to return -EFI_OUT_OF_RESOURCES. We should only return EFI_SUCCESS, -EFI_SECURITY_VIOLATION, or EFI_ACCESS_DENIED. - -In case we run out of memory while preparing "SignatureList" for -AddImageExeInfo(), we should simply stick with the EFI_ACCESS_DENIED value -that is already in "Status" -- from just before the "Action" condition --, -and not suppress it with EFI_OUT_OF_RESOURCES. - -This patch does not change the control flow in the function, it only -changes the "Status" outcome from API-incompatible error codes to -EFI_ACCESS_DENIED, under some circumstances. 
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-6-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit f891b052c5ec13c1032fb9d340d5262ac1a7e7e1)
-
-Signed-off-by: Miroslav Rezanina
----
- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index 5cc82c1..5f09a66 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1541,7 +1541,6 @@ Done:
- and non-NULL FileBuffer did authenticate, and the platform
- policy dictates that the DXE Foundation may execute the image in
- FileBuffer.
-- @retval EFI_OUT_RESOURCE Fail to allocate memory.
- @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
- the platform policy dictates that File should be placed
- in the untrusted state. The image has been added to the file
-@@ -1862,7 +1861,6 @@ DxeImageVerificationHandler (
- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
- SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
- if (SignatureList == NULL) {
-- Status = EFI_OUT_OF_RESOURCES;
- goto Done;
- }
- SignatureList->SignatureHeaderSize = 0;
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch
deleted file mode 100644
index 3719f4e..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 37b5981bf7eb94314b62810da495d724873d904a Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:40 +0100
-Subject: [PATCH 04/12] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF
- info status internal
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-5-lersek@redhat.com>
-Patchwork-id: 93609
-O-Subject: [RHEL-8.2.0 edk2 PATCH 04/12] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-The PeCoffLoaderGetImageInfo() function may return various error codes,
-such as RETURN_INVALID_PARAMETER and RETURN_UNSUPPORTED.
-
-Such error values should not be assigned to our "Status" variable in the
-DxeImageVerificationHandler() function, because "Status" generally stands
-for the main exit value of the function. And
-SECURITY2_FILE_AUTHENTICATION_HANDLER functions are expected to return one
-of EFI_SUCCESS, EFI_SECURITY_VIOLATION, and EFI_ACCESS_DENIED only.
-
-Introduce the "PeCoffStatus" helper variable for keeping the return value
-of PeCoffLoaderGetImageInfo() internal to the function. If
-PeCoffLoaderGetImageInfo() fails, we'll jump to the "Done" label with
-"Status" being EFI_ACCESS_DENIED, inherited from the top of the function.
-
-Note that this is consistent with the subsequent PE/COFF Signature check,
-where we jump to the "Done" label with "Status" having been re-set to
-EFI_ACCESS_DENIED.
-
-As a consequence, we can at once remove the
-
- Status = EFI_ACCESS_DENIED;
-
-assignment right after the "PeCoffStatus" check.
-
-This patch does not change the control flow in the function, it only
-changes the "Status" outcome from API-incompatible error codes to
-EFI_ACCESS_DENIED, under some circumstances.
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-4-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 61a9fa589a15e9005bec293f9766c78b60fbc9fc)
-
-Signed-off-by: Miroslav Rezanina
----
- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index 8204c9c..e6c8a54 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1580,6 +1580,7 @@ DxeImageVerificationHandler (
- EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
- UINT32 OffSet;
- CHAR16 *NameStr;
-+ RETURN_STATUS PeCoffStatus;
-
- SignatureList = NULL;
- SignatureListSize = 0;
-@@ -1669,8 +1670,8 @@ DxeImageVerificationHandler (
- //
- // Get information about the image being loaded
- //
-- Status = PeCoffLoaderGetImageInfo (&ImageContext);
-- if (EFI_ERROR (Status)) {
-+ PeCoffStatus = PeCoffLoaderGetImageInfo (&ImageContext);
-+ if (RETURN_ERROR (PeCoffStatus)) {
- //
- // The information can't be got from the invalid PeImage
- //
-@@ -1678,8 +1679,6 @@ DxeImageVerificationHandler (
- goto Done;
- }
-
-- Status = EFI_ACCESS_DENIED;
--
- DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;
- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
- //
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch
deleted file mode 100644
index 2365eb8..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 73de814a5f30c2c6d82736082c1114a028d12115 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:41 +0100
-Subject: [PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down
- PE/COFF hash status
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-6-lersek@redhat.com>
-Patchwork-id: 93615
-O-Subject: [RHEL-8.2.0 edk2 PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-Inside the "for" loop that scans the signatures of the image, we call
-HashPeImageByType(), and assign its return value to "Status".
-
-Beyond the immediate retval check, this assignment is useless (never
-consumed). That's because a subsequent access to "Status" may only be one
-of the following:
-
-- the "Status" assignment when we call HashPeImageByType() in the next
- iteration of the loop,
-
-- the "Status = EFI_ACCESS_DENIED" assignment right after the final
- "IsVerified" check.
-
-To make it clear that the assignment is only useful for the immediate
-HashPeImageByType() retval check, introduce a specific helper variable,
-called "HashStatus".
-
-This patch is a no-op, functionally.
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-5-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 47650a5cab608e07c31d66bdb9b4cc6e58bdf22f)
-
-Signed-off-by: Miroslav Rezanina
----
- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index e6c8a54..5cc82c1 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1581,6 +1581,7 @@ DxeImageVerificationHandler (
- UINT32 OffSet;
- CHAR16 *NameStr;
- RETURN_STATUS PeCoffStatus;
-+ EFI_STATUS HashStatus;
-
- SignatureList = NULL;
- SignatureListSize = 0;
-@@ -1802,8 +1803,8 @@ DxeImageVerificationHandler (
- continue;
- }
-
-- Status = HashPeImageByType (AuthData, AuthDataSize);
-- if (EFI_ERROR (Status)) {
-+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
-+ if (EFI_ERROR (HashStatus)) {
- continue;
- }
-
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch
deleted file mode 100644
index e48ebd5..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch
+++ /dev/null
@@ -1,142 +0,0 @@ -From 5aa2d52451b7890480d31a3437a0024bfd9e1a57 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:39 +0100 -Subject: [PATCH 03/12] SecurityPkg/DxeImageVerificationHandler: remove "else" - after return/break -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-4-lersek@redhat.com> -Patchwork-id: 93614 -O-Subject: [RHEL-8.2.0 edk2 PATCH 03/12] SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -In the code structure - - if (condition) { - // - // block1 - // - return; - } else { - // - // block2 - // - } - -nesting "block2" in an "else" branch is superfluous, and harms -readability. It can be transformed to: - - if (condition) { - // - // block1 - // - return; - } - // - // block2 - // - -with identical behavior, and improved readability (less nesting). - -The same applies to "break" (instead of "return") in a loop body. - -Perform these transformations on DxeImageVerificationHandler(). - -This patch is a no-op for behavior. Use - - git show -b -W - -for reviewing it more easily. 
- -Cc: Chao Zhang -Cc: Jian J Wang -Cc: Jiewen Yao -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 -Signed-off-by: Laszlo Ersek -Message-Id: <20200116190705.18816-3-lersek@redhat.com> -Reviewed-by: Michael D Kinney -[lersek@redhat.com: push with Mike's R-b due to Chinese New Year - Holiday: ; msgid - ] -(cherry picked from commit eccb856f013aec700234211e7371f03454ef9d52) - -Signed-off-by: Miroslav Rezanina ---- - .../DxeImageVerificationLib.c | 41 +++++++++++----------- - 1 file changed, 21 insertions(+), 20 deletions(-) - -diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -index 5afd723..8204c9c 100644 ---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -@@ -1621,7 +1621,8 @@ DxeImageVerificationHandler ( - // - if (Policy == ALWAYS_EXECUTE) { - return EFI_SUCCESS; -- } else if (Policy == NEVER_EXECUTE) { -+ } -+ if (Policy == NEVER_EXECUTE) { - return EFI_ACCESS_DENIED; - } - -@@ -1833,7 +1834,8 @@ DxeImageVerificationHandler ( - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr)); - IsVerified = FALSE; - break; -- } else if (!IsVerified) { -+ } -+ if (!IsVerified) { - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) { - IsVerified = TRUE; - } else { -@@ -1851,25 +1853,24 @@ DxeImageVerificationHandler ( - - if (IsVerified) { - return EFI_SUCCESS; -- } else { -- Status = EFI_ACCESS_DENIED; -- if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) { -- // -- // Get image hash value as signature of executable. 
-- //
-- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
-- SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
-- if (SignatureList == NULL) {
-- Status = EFI_OUT_OF_RESOURCES;
-- goto Done;
-- }
-- SignatureList->SignatureHeaderSize = 0;
-- SignatureList->SignatureListSize = (UINT32) SignatureListSize;
-- SignatureList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize);
-- CopyMem (&SignatureList->SignatureType, &mCertType, sizeof (EFI_GUID));
-- Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignatureList + sizeof (EFI_SIGNATURE_LIST));
-- CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
-+ }
-+ Status = EFI_ACCESS_DENIED;
-+ if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
-+ //
-+ // Get image hash value as signature of executable.
-+ //
-+ SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
-+ SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
-+ if (SignatureList == NULL) {
-+ Status = EFI_OUT_OF_RESOURCES;
-+ goto Done;
- }
-+ SignatureList->SignatureHeaderSize = 0;
-+ SignatureList->SignatureListSize = (UINT32) SignatureListSize;
-+ SignatureList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize);
-+ CopyMem (&SignatureList->SignatureType, &mCertType, sizeof (EFI_GUID));
-+ Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignatureList + sizeof (EFI_SIGNATURE_LIST));
-+ CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
- }
-
- Done:
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch
deleted file mode 100644
index def2524..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From d25dc10aa262b33794f16b75a0ada3aad507abe7 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:43 +0100
-Subject: [PATCH 07/12] SecurityPkg/DxeImageVerificationHandler: remove
- superfluous Status setting
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-8-lersek@redhat.com>
-Patchwork-id: 93617
-O-Subject: [RHEL-8.2.0 edk2 PATCH 07/12] SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-After the final "IsVerified" check, we set "Status" to EFI_ACCESS_DENIED.
-This is superfluous, as "Status" already carries EFI_ACCESS_DENIED value
-there, from the top of the function. Remove the assignment.
-
-Functionally, this change is a no-op.
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-7-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 12a4ef58a8b1f8610f6f7cd3ffb973f924f175fb)
-
-Signed-off-by: Miroslav Rezanina
----
- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index 5f09a66..6ccce1f 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1853,7 +1853,6 @@ DxeImageVerificationHandler (
- if (IsVerified) {
- return EFI_SUCCESS;
- }
-- Status = EFI_ACCESS_DENIED;
- if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action ==
EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {
- //
- // Get image hash value as signature of executable.
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch
deleted file mode 100644
index e045894..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From cd4f4b384857f4295d336d66fc8693348ef08a33 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:38 +0100
-Subject: [PATCH 02/12] SecurityPkg/DxeImageVerificationHandler: simplify
- "VerifyStatus"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-3-lersek@redhat.com>
-Patchwork-id: 93611
-O-Subject: [RHEL-8.2.0 edk2 PATCH 02/12] SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus"
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-In the DxeImageVerificationHandler() function, the "VerifyStatus" variable
-can only contain one of two values: EFI_SUCCESS and EFI_ACCESS_DENIED.
-Furthermore, the variable is only consumed with EFI_ERROR().
-
-Therefore, using the EFI_STATUS type for the variable is unnecessary.
-Worse, given the complex meanings of the function's return values, using
-EFI_STATUS for "VerifyStatus" is actively confusing.
-
-Rename the variable to "IsVerified", and make it a simple BOOLEAN.
-
-This patch is a no-op, regarding behavior.
-
-Cc: Chao Zhang
-Cc: Jian J Wang
-Cc: Jiewen Yao
-Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
-Signed-off-by: Laszlo Ersek
-Message-Id: <20200116190705.18816-2-lersek@redhat.com>
-Reviewed-by: Michael D Kinney
-[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
- Holiday: ; msgid
- ]
-(cherry picked from commit 1e0f973b65c34841288c25fd441a37eec8a30ac7)
-
-Signed-off-by: Miroslav Rezanina
----
- .../DxeImageVerificationLib.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index a0a12b5..5afd723 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -1563,7 +1563,7 @@ DxeImageVerificationHandler (
- {
- EFI_STATUS Status;
- EFI_IMAGE_DOS_HEADER *DosHdr;
-- EFI_STATUS VerifyStatus;
-+ BOOLEAN IsVerified;
- EFI_SIGNATURE_LIST *SignatureList;
- UINTN SignatureListSize;
- EFI_SIGNATURE_DATA *Signature;
-@@ -1588,7 +1588,7 @@ DxeImageVerificationHandler (
- PkcsCertData = NULL;
- Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
- Status = EFI_ACCESS_DENIED;
-- VerifyStatus = EFI_ACCESS_DENIED;
-+ IsVerified = FALSE;
-
-
- //
-@@ -1812,16 +1812,16 @@ DxeImageVerificationHandler (
- //
- if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
-- VerifyStatus = EFI_ACCESS_DENIED;
-+ IsVerified = FALSE;
- break;
- }
-
- //
- // Check the digital signature against the valid certificate in allowed database (db).
- //
-- if (EFI_ERROR (VerifyStatus)) {
-+ if (!IsVerified) {
- if (IsAllowedByDb (AuthData, AuthDataSize)) {
-- VerifyStatus = EFI_SUCCESS;
-+ IsVerified = TRUE;
- }
- }
-
-@@ -1831,11 +1831,11 @@ DxeImageVerificationHandler (
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
-- VerifyStatus = EFI_ACCESS_DENIED;
-+ IsVerified = FALSE;
- break;
-- } else if (EFI_ERROR (VerifyStatus)) {
-+ } else if (!IsVerified) {
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
-- VerifyStatus = EFI_SUCCESS;
-+ IsVerified = TRUE;
- } else {
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
- }
-@@ -1846,10 +1846,10 @@ DxeImageVerificationHandler (
- //
- // The Size in Certificate Table or the attribute certificate table is corrupted.
- //
-- VerifyStatus = EFI_ACCESS_DENIED;
-+ IsVerified = FALSE;
- }
-
-- if (!EFI_ERROR (VerifyStatus)) {
-+ if (IsVerified) {
- return EFI_SUCCESS;
- } else {
- Status = EFI_ACCESS_DENIED;
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch b/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch
deleted file mode 100644
index ef9d48e..0000000
--- a/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From 3e06fe42d63856e48c6457dbb7e816b82416c9ca Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Fri, 31 Jan 2020 12:42:44 +0100
-Subject: [PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest
- AddImageExeInfo() call
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RH-Author: Laszlo Ersek
-Message-id: <20200131124248.22369-9-lersek@redhat.com>
-Patchwork-id: 93610
-O-Subject: [RHEL-8.2.0 edk2 PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call
-Bugzilla: 1751993
-RH-Acked-by: Philippe Mathieu-Daudé
-RH-Acked-by: Vitaly Kuznetsov
-
-Before the "Done" label at the end of DxeImageVerificationHandler(), we
-now have a single access to "Status": we set "Status" to EFI_ACCESS_DENIED
-at the top of the function. Therefore, the (Status != EFI_SUCCESS)
-condition is always true under the "Done" label.
-
-Accordingly, unnest the AddImageExeInfo() call dependent on that
-condition, remove the condition, and also rename the "Done" label to
-"Failed".
-
-Functionally, this patch is a no-op.
It's easier to review with: - - git show -b -W - -Cc: Chao Zhang -Cc: Jian J Wang -Cc: Jiewen Yao -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 -Signed-off-by: Laszlo Ersek -Message-Id: <20200116190705.18816-8-lersek@redhat.com> -Reviewed-by: Michael D Kinney -[lersek@redhat.com: replace EFI_D_INFO w/ DEBUG_INFO for PatchCheck.py] -[lersek@redhat.com: push with Mike's R-b due to Chinese New Year - Holiday: ; msgid - ] -(cherry picked from commit c602e97446a8e818bf09182f5dc9f3fa409ece95) - -Signed-off-by: Miroslav Rezanina ---- - .../DxeImageVerificationLib.c | 34 ++++++++++------------ - 1 file changed, 16 insertions(+), 18 deletions(-) - -diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -index 6ccce1f..51968bd 100644 ---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -@@ -1676,7 +1676,7 @@ DxeImageVerificationHandler ( - // The information can't be got from the invalid PeImage - // - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: PeImage invalid. Cannot retrieve image information.\n")); -- goto Done; -+ goto Failed; - } - - DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase; -@@ -1698,7 +1698,7 @@ DxeImageVerificationHandler ( - // It is not a valid Pe/Coff file. 
- //
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Not a valid PE/COFF image.\n"));
-- goto Done;
-+ goto Failed;
- }
-
- if (mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
-@@ -1729,7 +1729,7 @@ DxeImageVerificationHandler (
- //
- if (!HashPeImage (HASHALG_SHA256)) {
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
-- goto Done;
-+ goto Failed;
- }
-
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
-@@ -1737,7 +1737,7 @@ DxeImageVerificationHandler (
- //
- // Image Hash is in forbidden database (DBX).
- //
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
-- goto Done;
-+ goto Failed;
- }
-
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
-@@ -1751,7 +1751,7 @@ DxeImageVerificationHandler (
- //
- // Image Hash is not found in both forbidden and allowed database.
- //
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
-- goto Done;
-+ goto Failed;
- }
-
- //
-@@ -1860,7 +1860,7 @@ DxeImageVerificationHandler (
- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
- SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
- if (SignatureList == NULL) {
-- goto Done;
-+ goto Failed;
- }
- SignatureList->SignatureHeaderSize = 0;
- SignatureList->SignatureListSize = (UINT32) SignatureListSize;
-@@ -1870,19 +1870,17 @@ DxeImageVerificationHandler (
- CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
- }
-
--Done:
-- if (Status != EFI_SUCCESS) {
-- //
-- // Policy decides to defer or reject the image; add its information in image executable information table.
-- //
-- NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
-- AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
-- if (NameStr != NULL) {
-- DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr));
-- FreePool(NameStr);
-- }
-- Status = EFI_SECURITY_VIOLATION;
-+Failed:
-+ //
-+ // Policy decides to defer or reject the image; add its information in image executable information table.
-+ //
-+ NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
-+ AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
-+ if (NameStr != NULL) {
-+ DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr));
-+ FreePool(NameStr);
- }
-+ Status = EFI_SECURITY_VIOLATION;
-
- if (SignatureList != NULL) {
- FreePool (SignatureList);
---
-1.8.3.1
-
diff --git a/SOURCES/edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch b/SOURCES/edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch
deleted file mode 100644
index 578487c..0000000
--- a/SOURCES/edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From 7f364d9a95905efee0a8b46e4108042aaebe7849 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 31 Jan 2020 12:42:37 +0100 -Subject: [PATCH 01/12] SecurityPkg: Fix spelling errors [PARTIAL PICK] -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200131124248.22369-2-lersek@redhat.com> -Patchwork-id: 93612 -O-Subject: [RHEL-8.2.0 edk2 PATCH 01/12] SecurityPkg: Fix spelling errors [PARTIAL PICK] -Bugzilla: 1751993 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -From: Sean Brogan - ---v-- RHEL-8 note start --v-- - -This is a partial cherry-pick, restricted to -"SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c". - -The upstream patch has a super-ugly diffstat (81 files changed, 205 -insertions(+), 205 deletions(-)), fixing spelling errors all over -SecurityPkg in one go. It doesn't apply cleanly down-stream, and I don't -want to pick more (unrelated) SecurityPkg dependencies for this backport -series. - -Thus, the only alternative to this partial cherry-pick would be resolving -conflicts over the rest of this series. That's obviously worse than a -partial typo fix backport. At the next rebase, we're going to drop this -patch and the rest of the backport series alike, anyway. 
- ---^-- RHEL-8 note end --^-- - -https://bugzilla.tianocore.org/show_bug.cgi?id=2265 - -Cc: Jiewen Yao -Cc: Jian J Wang -Cc: Chao Zhang -Signed-off-by: Michael D Kinney -Reviewed-by: Jiewen Yao -Reviewed-by: Jian J Wang -(cherry picked from commit d6b926e76e3d639ac37610e97d33ff9e3a6281eb) -Signed-off-by: Laszlo Ersek -Signed-off-by: Miroslav Rezanina ---- - .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -index fe4cdcc..a0a12b5 100644 ---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c -@@ -745,7 +745,7 @@ AddImageExeInfo ( - if (ImageExeInfoTable != NULL) { - // - // The table has been found! -- // We must enlarge the table to accomodate the new exe info entry. -+ // We must enlarge the table to accommodate the new exe info entry. - // - ImageExeInfoTableSize = GetImageExeInfoTableSize (ImageExeInfoTable); - } else { -@@ -947,7 +947,7 @@ Done: - - @param[in] VariableName Name of database variable that is searched in. - @param[in] Signature Pointer to signature that is searched for. -- @param[in] CertType Pointer to hash algrithom. -+ @param[in] CertType Pointer to hash algorithm. - @param[in] SignatureSize Size of Signature. - - @return TRUE Found the signature in the variable database. -@@ -992,7 +992,7 @@ IsSignatureFoundInDatabase ( - goto Done; - } - // -- // Enumerate all signature data in SigDB to check if executable's signature exists. -+ // Enumerate all signature data in SigDB to check if signature exists for executable. 
- // - CertList = (EFI_SIGNATURE_LIST *) Data; - while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { -@@ -1844,7 +1844,7 @@ DxeImageVerificationHandler ( - - if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) { - // -- // The Size in Certificate Table or the attribute certicate table is corrupted. -+ // The Size in Certificate Table or the attribute certificate table is corrupted. - // - VerifyStatus = EFI_ACCESS_DENIED; - } -@@ -1855,7 +1855,7 @@ DxeImageVerificationHandler ( - Status = EFI_ACCESS_DENIED; - if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) { - // -- // Get image hash value as executable's signature. -+ // Get image hash value as signature of executable. - // - SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize; - SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize); --- -1.8.3.1 - diff --git a/SOURCES/edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/SOURCES/edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch new file mode 100644 index 0000000..7586124 --- /dev/null +++ b/SOURCES/edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch 
@@ -0,0 +1,84 @@ +From cbce29f7749477e271f9764fed82de94724af5df Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:40:09 +0200 +Subject: [PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent + aa64 build (RH) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +Message-id: <20200615080105.11859-4-lersek@redhat.com> +Patchwork-id: 97534 +O-Subject: [RHEL-8.3.0 edk2 PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build (RH) +Bugzilla: 1844682 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Philippe Mathieu-Daudé + +If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED, +so that the DXE Core can unload it. However, the associated error message, +logged by the DXE Core to the serial console, is not desired in the silent +edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out +of the ordinary. Therefore, return success and stay resident. The wasted +guest RAM still gets freed after ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +--- + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++ + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +index 9a5f987e68..da2153cb25 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + + #include ++#include + #include + #include + #include +@@ -2642,6 +2643,22 @@ DriverEntry ( + if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) || + CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){ + DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n")); ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If swtpm / vTPM2 is not being used, this driver should return ++ // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the ++ // associated error message, logged by the DXE Core to the serial console, ++ // is not desired in the silent edk2-aarch64 build, given that the absence ++ // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return ++ // success and stay resident. The wasted guest RAM still gets freed after ++ // ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ return EFI_SUCCESS; ++ } ++#endif + return EFI_UNSUPPORTED; + } + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +index 576cf80d06..851471afb7 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +@@ -55,6 +55,7 @@ + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + Tpm2CommandLib + PrintLib + UefiLib +-- +2.27.0 + 
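Review bot: The early `return EFI_SUCCESS;` added to DriverEntry keys a security driver's load/unload behaviour off the debug print mask — `GetDebugPrintErrorLevel () == DEBUG_ERROR` — so the verbose and silent edk2-aarch64 images now differ in whether Tcg2Dxe is unloaded, and any later change to the silent build's DEBUG_PRINT_ERROR_LEVEL flips this path without touching this file. A dedicated build-time define or fixed PCD would make the intent explicit; at minimum the comment should say that the check must match the silent build's mask exactly, e.g. `// Only the "errors only" mask (DEBUG_PRINT_ERROR_LEVEL == DEBUG_ERROR) takes this path; any other mask still unloads the driver.` Returning before any protocol is installed means nothing is published for an absent TPM, which looks correct, but the remainder of DriverEntry is outside the hunk. The added `#include` line's header name is not visible in this rendering; presumably it is the DebugPrintErrorLevelLib header, matching the `DebugPrintErrorLevelLib` class added to the .inf.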
diff --git a/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch b/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch
deleted file mode 100644
index 627d458..0000000
--- a/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch
+++ /dev/null
@@ -1,152 +0,0 @@ -From 2613601640be75f79e9dd8d2db21ad45d227d907 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Fri, 17 Jan 2020 11:33:43 +0100 -Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: fix 2M->4K page splitting - regression for PDEs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Laszlo Ersek -Message-id: <20200117113343.30392-2-lersek@redhat.com> -Patchwork-id: 93389 -O-Subject: [RHEL-8.2.0 edk2 PATCH 1/1] UefiCpuPkg/PiSmmCpuDxeSmm: fix 2M->4K page splitting regression for PDEs -Bugzilla: 1789335 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Vitaly Kuznetsov - -In commit 4eee0cc7cc0d ("UefiCpuPkg/PiSmmCpu: Enable 5 level paging when -CPU supports", 2019-07-12), the Page Directory Entry setting was regressed -(corrupted) when splitting a 2MB page to 512 4KB pages, in the -InitPaging() function. - -Consider the following hunk, displayed with - -$ git show --function-context --ignore-space-change 4eee0cc7cc0db - -> // -> // If it is 2M page, check IsAddressSplit() -> // -> if (((*Pd & IA32_PG_PS) != 0) && IsAddressSplit (Address)) { -> // -> // Based on current page table, create 4KB page table for split area. -> // -> ASSERT (Address == (*Pd & PHYSICAL_ADDRESS_MASK)); -> -> Pt = AllocatePageTableMemory (1); -> ASSERT (Pt != NULL); -> -> + *Pd = (UINTN) Pt | IA32_PG_RW | IA32_PG_P; -> + -> // Split it -> - for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++) { -> - Pt[PtIndex] = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS); -> + for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++, Pt++) { -> + *Pt = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS); -> } // end for PT -> *Pd = (UINT64)(UINTN)Pt | mAddressEncMask | PAGE_ATTRIBUTE_BITS; -> } // end if IsAddressSplit -> } // end for PD - -First, the new assignment to the Page Directory Entry (*Pd) is -superfluous. 
That's because (a) we set (*Pd) after the Page Table Entry -loop anyway, and (b) here we do not attempt to access the memory starting -at "Address" (which is mapped by the original value of the Page Directory -Entry). - -Second, appending "Pt++" to the incrementing expression of the PTE loop is -a bug. It causes "Pt" to point *right past* the just-allocated Page Table, -once we finish the loop. But the PDE assignment that immediately follows -the loop assumes that "Pt" still points to the *start* of the new Page -Table. - -The result is that the originally mapped 2MB page disappears from the -processor's view. The PDE now points to a "Page Table" that is filled with -garbage. The random entries in that "Page Table" will cause some virtual -addresses in the original 2MB area to fault. Other virtual addresses in -the same range will no longer have a 1:1 physical mapping, but be -scattered over random physical page frames. - -The second phase of the InitPaging() function ("Go through page table and -set several page table entries to absent or execute-disable") already -manipulates entries in wrong Page Tables, for such PDEs that got split in -the first phase. - -This issue has been caught as follows: - -- OVMF is started with 2001 MB of guest RAM. - -- This places the main SMRAM window at 0x7C10_1000. - -- The SMRAM management in the SMM Core links this SMRAM window into - "mSmmMemoryMap", with a FREE_PAGE_LIST record placed at the start of the - area. - -- At "SMM Ready To Lock" time, PiSmmCpuDxeSmm calls InitPaging(). The - first phase (quoted above) decides to split the 2MB page at 0x7C00_0000 - into 512 4KB pages, and corrupts the PDE. The new Page Table is - allocated at 0x7CE0_D000, but the PDE is set to 0x7CE0_E000 (plus - attributes 0x67). - -- Due to the corrupted PDE, the second phase of InitPaging() already looks - up the PTE for Address=0x7C10_1000 in the wrong place. The second phase - goes on to mark bogus PTEs as "NX". 
- -- PiSmmCpuDxeSmm calls SetMemMapAttributes(). Address 0x7C10_1000 is at - the base of the SMRAM window, therefore it happens to be listed in the - SMRAM map as an EfiConventionalMemory region. SetMemMapAttributes() - calls SmmSetMemoryAttributes() to mark the region as XP. However, - GetPageTableEntry() in ConvertMemoryPageAttributes() fails -- address - 0x7C10_1000 is no longer mapped by anything! -- and so the attribute - setting fails with RETURN_UNSUPPORTED. This error goes unnoticed, as - SetMemMapAttributes() ignores the return value of - SmmSetMemoryAttributes(). - -- When SetMemMapAttributes() reaches another entry in the SMRAM map, - ConvertMemoryPageAttributes() decides it needs to split a 2MB page, and - calls SplitPage(). - -- SplitPage() calls AllocatePageTableMemory() for the new Page Table, - which takes us to InternalAllocMaxAddress() in the SMM Core. - -- The SMM core attempts to read the FREE_PAGE_LIST record at 0x7C10_1000. - Because this virtual address is no longer mapped, the firmware crashes - in InternalAllocMaxAddress(), when accessing (Pages->NumberOfPages). - -Remove the useless assignment to (*Pd) from before the loop. Revert the -loop incrementing and the PTE assignment to the known good version. 
- -Cc: Eric Dong -Cc: Ray Ni -Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1789335 -Fixes: 4eee0cc7cc0db74489b99c19eba056b53eda6358 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daude -Reviewed-by: Ray Ni -(cherry picked from commit a5235562444021e9c5aff08f45daa6b5b7952c7a) -Signed-off-by: Miroslav Rezanina ---- - UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c -index c513152..c47b557 100644 ---- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c -+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c -@@ -657,11 +657,9 @@ InitPaging ( - Pt = AllocatePageTableMemory (1); - ASSERT (Pt != NULL); - -- *Pd = (UINTN) Pt | IA32_PG_RW | IA32_PG_P; -- - // Split it -- for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++, Pt++) { -- *Pt = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS); -+ for (PtIndex = 0; PtIndex < SIZE_4KB / sizeof(*Pt); PtIndex++) { -+ Pt[PtIndex] = Address + ((PtIndex << 12) | mAddressEncMask | PAGE_ATTRIBUTE_BITS); - } // end for PT - *Pd = (UINT64)(UINTN)Pt | mAddressEncMask | PAGE_ATTRIBUTE_BITS; - } // end if IsAddressSplit --- -1.8.3.1 - diff --git a/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch b/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch new file mode 100644 index 0000000..a1700de --- /dev/null +++ b/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch 
@@ -0,0 +1,105 @@ +From 70c9d989107c6ac964bb437c5a4ea6ffe3214e45 Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Mon, 10 Aug 2020 07:52:28 +0200 +Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before + re-fetch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Laszlo Ersek +Message-id: <20200731141037.1941-2-lersek@redhat.com> +Patchwork-id: 98121 +O-Subject: [RHEL-8.3.0 edk2 PATCH 1/1] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before re-fetch +Bugzilla: 1861718 +RH-Acked-by: Vitaly Kuznetsov +RH-Acked-by: Eduardo Habkost + +Most busy waits (spinlocks) in "UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c" +already call CpuPause() in their loop bodies; see SmmWaitForApArrival(), +APHandler(), and SmiRendezvous(). However, the "main wait" within +APHandler(): + +> // +> // Wait for something to happen +> // +> WaitForSemaphore (mSmmMpSyncData->CpuData[CpuIndex].Run); + +doesn't do so, as WaitForSemaphore() keeps trying to acquire the semaphore +without pausing. + +The performance impact is especially notable in QEMU/KVM + OVMF +virtualization with CPU overcommit (that is, when the guest has +significantly more VCPUs than the host has physical CPUs). The guest BSP +is working heavily in: + + BSPHandler() [MpService.c] + PerformRemainingTasks() [PiSmmCpuDxeSmm.c] + SetUefiMemMapAttributes() [SmmCpuMemoryManagement.c] + +while the many guest APs are spinning in the "Wait for something to +happen" semaphore acquisition, in APHandler(). The guest APs are +generating useless memory traffic and saturating host CPUs, hindering the +guest BSP's progress in SetUefiMemMapAttributes(). + +Rework the loop in WaitForSemaphore(): call CpuPause() in every iteration +after the first check fails. Due to Pause Loop Exiting (known as Pause +Filter on AMD), the host scheduler can favor the guest BSP over the guest +APs. 
+ +Running a 16 GB RAM + 512 VCPU guest on a 448 PCPU host, this patch +reduces OVMF boot time (counted until reaching grub) from 20-30 minutes to +less than 4 minutes. + +The patch should benefit physical machines as well -- according to the +Intel SDM, PAUSE "Improves the performance of spin-wait loops". Adding +PAUSE to the generic WaitForSemaphore() function is considered a general +improvement. + +Cc: Eric Dong +Cc: Philippe Mathieu-Daudé +Cc: Rahul Kumar +Cc: Ray Ni +Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1861718 +Signed-off-by: Laszlo Ersek +Message-Id: <20200729185217.10084-1-lersek@redhat.com> +Reviewed-by: Eric Dong +(cherry picked from commit 9001b750df64b25b14ec45a2efa1361a7b96c00a) +Signed-off-by: Miroslav Rezanina +--- + UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c +index 57e788c..4bcd217 100644 +--- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c ++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c +@@ -40,14 +40,18 @@ WaitForSemaphore ( + { + UINT32 Value; + +- do { ++ for (;;) { + Value = *Sem; +- } while (Value == 0 || +- InterlockedCompareExchange32 ( +- (UINT32*)Sem, +- Value, +- Value - 1 +- ) != Value); ++ if (Value != 0 && ++ InterlockedCompareExchange32 ( ++ (UINT32*)Sem, ++ Value, ++ Value - 1 ++ ) == Value) { ++ break; ++ } ++ CpuPause (); ++ } + return Value - 1; + } + +-- +1.8.3.1 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 562882d..b64298f 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec 
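Review bot: The reworked loop in WaitForSemaphore pauses after any failed attempt, not only after the zero check — a lost `InterlockedCompareExchange32` under contention also falls through to `CpuPause ();` — while the commit message describes only the empty-semaphore case; a one-line comment above the call, such as `// Back off after any failed attempt (empty semaphore or lost CAS) so sibling HTs / overcommitted VCPUs can make progress`, would stop a later reader from moving the pause into the zero-check branch only. The function's signature and doc block sit above the hunk, so it is not visible here whether `Sem` is declared `volatile`; the loop relies on `*Sem` being re-read on every iteration, which the external `CpuPause ()` call happens to force but a volatile qualifier states explicitly. The returned `Value - 1` is unchanged by the rewrite.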
@@ -1,13 +1,13 @@
 ExclusiveArch: x86_64 aarch64
-%define GITDATE 20190829
-%define GITCOMMIT 37eef91017ad
+%define GITDATE 20200602
+%define GITCOMMIT ca407c7246bf
 %define TOOLCHAIN GCC5
 %define OPENSSL_VER 1.1.1c
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 9%{?dist}
+Release: 3%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 Group: Applications/Emulators
 License: BSD-2-Clause-Patent and OpenSSL and MIT
@@ -29,78 +29,35 @@ Source11: edk2-aarch64.json Source12: edk2-ovmf-sb.json Source13: edk2-ovmf.json -Patch0001: 0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch -Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch -Patch0006: 0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch -Patch0007: 0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch -Patch0008: 0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch -Patch0009: 0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch -Patch0010: 0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch -Patch0011: 0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch -Patch0012: 0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch -Patch0013: 0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch -Patch0014: 0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch -Patch0015: 0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch -Patch0016: 0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch -Patch0017: 0017-ArmVirtPkg-set-early-hello-message-RH-only.patch -Patch0018: 0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch -Patch0019: 0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch -Patch0020: 0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch -Patch0021: 0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch -Patch0022: 0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch -Patch0033: 0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch34: edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch35: edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch36: edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch37: 
edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch38: edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch39: edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch40: edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch -# For bz#1536624 - HTTPS enablement in OVMF -Patch41: edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch -# For bz#1789797 - Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files -Patch42: edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch -# For bz#1789797 - Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files -Patch43: edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch -# For bz#1789335 - VM with edk2 can't boot when setting memory with '-m 2001' -Patch44: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch45: edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch46: edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch47: edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch48: 
edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch49: edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch50: edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch51: edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch52: edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch53: edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch54: edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch55: edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch -# For bz#1751993 - DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8] -Patch56: edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch -# For bz#1801274 - CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8] -Patch57: edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch -# For bz#1801274 - CVE-2019-14563 edk2: 
numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8] -Patch58: edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch -# For bz#1806359 - bochs-display cannot show graphic wihout driver attach -Patch59: edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch +Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch +Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch +Patch0009: 0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch +Patch0010: 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch +Patch0011: 0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch +Patch0012: 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch +Patch0013: 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +Patch0014: 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +Patch0015: 0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +Patch0016: 0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch +Patch0017: 0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch +Patch0018: 0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch +Patch0019: 0019-ArmVirtPkg-set-early-hello-message-RH-only.patch +Patch0020: 0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +Patch0021: 0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch0022: 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +Patch0023: 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch +Patch0026: 0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch +Patch0027: 0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch +# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors +Patch28: 
edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors +Patch29: edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch +# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors +Patch30: edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +# For bz#1861718 - Very slow boot when overcommitting CPU +Patch31: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch # python3-devel and libuuid-devel are required for building tools. @@ -254,6 +211,7 @@ chmod -Rf a+rX,u+w,g-w,o-w . export PYTHON_COMMAND=%{__python3} source ./edksetup.sh make -C "$EDK_TOOLS_PATH" \ + %{?_smp_mflags} \ EXTRA_OPTFLAGS="%{optflags}" \ EXTRA_LDFLAGS="%{__global_ldflags}" @@ -270,13 +228,15 @@ CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE" %ifarch x86_64 # Build with neither SB nor SMM; include UEFI shell. -build ${CC_FLAGS} -D TPM2_ENABLE -D FD_SIZE_4MB -a X64 \ +build ${CC_FLAGS} -D TPM_ENABLE -D FD_SIZE_4MB -a X64 \ + -D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \ -p OvmfPkg/OvmfPkgX64.dsc # Build with SB and SMM; exclude UEFI shell. build -D SECURE_BOOT_ENABLE -D EXCLUDE_SHELL_FROM_FD ${CC_FLAGS} \ -a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc -D SMM_REQUIRE \ - -D TPM2_ENABLE -D FD_SIZE_4MB + -D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \ + -D TPM_ENABLE -D FD_SIZE_4MB # Sanity check: the varstore templates must be identical. cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ @@ -330,6 +290,7 @@ cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ # Build with a verbose debug mask first, and stash the binary. build ${CC_FLAGS} -a AARCH64 \ -p ArmVirtPkg/ArmVirtQemu.dsc \ + -D TPM2_ENABLE \ -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \ QEMU_EFI.verbose.fd 
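Review bot: The removed Patch34–Patch58 lines drop the backports for CVE-2019-14553 (TlsSetVerifyHost / HTTPS host validation) and CVE-2019-14563 (PiDxeS3BootScriptLib numeric truncation) together with the OpenSSL 1.1.1d upgrade patch, but nothing in the spec records that the rebase target already contains those fixes; the only trace is the changelog line "Rebase to edk2-stable202005". Presumably they are upstream in that tag, but a rebase that silently drops security backports is exactly where regressions hide, so a comment next to the new Patch list, e.g. `# CVE-2019-14553 / CVE-2019-14563 fixes and the OpenSSL 1.1.1d upgrade are part of edk2-stable202005; RHEL-only OpenSSL file list stays in 0025-*`, would keep the audit trail. It is also worth confirming that the unchanged `%define OPENSSL_VER 1.1.1c` in the hunk above still names the OpenSSL sources the rebased OpensslLib actually consumes.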
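Review bot: Both x86 builds switch from `-D TPM2_ENABLE` to `-D TPM_ENABLE`, including the `SECURE_BOOT_ENABLE` / `SMM_REQUIRE` image. If this tracks the upstream OvmfPkg rename, TPM_ENABLE also pulls TPM 1.2 support into the firmware volume, which is a larger attack surface than the previous TPM 2.0-only configuration and deserves a deliberate decision for the secure-boot build rather than a silent rename. The aarch64 hunks that follow keep `-D TPM2_ENABLE`, so the two architectures now use different option names for what looks like the same intent; a comment on the x86 line such as `# TPM_ENABLE is the OvmfPkg name (covers both TPM 1.2 and 2.0 modules); ArmVirt uses TPM2_ENABLE` would stop someone from "fixing" the inconsistency the wrong way.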
@@ -337,6 +298,7 @@ cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \ # Rebuild with a silent (errors only) debug mask. build ${CC_FLAGS} -a AARCH64 \ -p ArmVirtPkg/ArmVirtQemu.dsc \ + -D TPM2_ENABLE \ -D DEBUG_PRINT_ERROR_LEVEL=0x80000000 %endif @@ -500,7 +462,6 @@ install BaseTools/Scripts/GccBase.lds \ %files tools %license License.txt %license License-History.txt -%{_bindir}/Brotli %{_bindir}/DevicePath %{_bindir}/EfiRom %{_bindir}/GenCrc32 @@ -546,6 +507,23 @@ true %endif %changelog +* Mon Aug 10 2020 Miroslav Rezanina - 20200602gitca407c7246bf-3.el8 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718] +- Resolves: bz#1861718 + (Very slow boot when overcommitting CPU) + +* Wed Jun 24 2020 Miroslav Rezanina - 20200602gitca407c7246bf-2.el8 +- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682] +- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682] +- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682] +- Resolves: bz#1844682 + (silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors) + +* Sat Jun 13 2020 Miroslav Rezanina - 20200602gitca407c7246bf-1.el8 +- Rebase to edk2-stable202005 [bz#1817035] +- Resolves: bz#1817035 + ((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3) + * Fri Mar 27 2020 Miroslav Rezanina - 20190829git37eef91017ad-9.el8 - edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359] - Resolves: bz#1806359
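Review bot: With `-D TPM2_ENABLE` now added to the silent aarch64 build, its `-D DEBUG_PRINT_ERROR_LEVEL=0x80000000` becomes load-bearing for a security driver: the Tcg2Dxe patch earlier on this page (Patch30) keeps the driver resident only when `GetDebugPrintErrorLevel () == DEBUG_ERROR`, i.e. exactly this value, so any change to the mask silently re-enables the "no TPM" DXE Core error this series set out to suppress. A spec comment on the build line, e.g. `# Tcg2Dxe (Patch30) keys off this mask being exactly DEBUG_ERROR; changing it changes Tcg2Dxe's unload behaviour`, ties the two together. The verbose build in the hunk above is unaffected because its mask is not DEBUG_ERROR.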