import CS edk2-20241117-4.el9

2025-09-15 11:54:54 +00:00 · 2025-09-15 11:54:54 +00:00 · 1c978f3470
commit 1c978f3470
parent c8ec3d1542
4 changed files with 189 additions and 4 deletions
--- a/.edk2.metadata
+++ b/.edk2.metadata
@ -1,4 +1,4 @@
-de143fc38b339d982079517b6f01bcec5246cf5e SOURCES/DBXUpdate-20230509.x64.bin
+9bbd7d85dbb5e444b296bc8b9bd9c07019703706 SOURCES/DBXUpdate-20250610.x64.bin
 19a95204dd787b4809886db15655082cb28718e9 SOURCES/dtc-1.7.0.tar.xz
 a0cdc45f583976eda09dd85740264e57333b3df2 SOURCES/edk2-0f3867fa6ef0.tar.xz
 0a9cfae889c6436333fab963250b069058eec6cf SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
-SOURCES/DBXUpdate-20230509.x64.bin
+SOURCES/DBXUpdate-20250610.x64.bin
 SOURCES/dtc-1.7.0.tar.xz
 SOURCES/edk2-0f3867fa6ef0.tar.xz
 SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
--- a/SOURCES/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch
+++ b/SOURCES/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch
@ -0,0 +1,170 @@
+From 622885419f4cbfaf6e8f18431660d1aa8710e257 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 8 Jan 2025 12:22:43 -0600
+Subject: [PATCH 1/2] OvmfPkg: Use the OvmfPkg version of CcProbeLib
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 89: OvmfPkg: Use the OvmfPkg version of CcProbeLib
+RH-Jira: RHEL-70865
+RH-Acked-by: Luigi Leonardi <None>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Commit: [1/1] f5ca606121e443ffc3f588630ca24ca07eb99319 (osteffen/edk2)
+
+Currently, multiple dsc files within the OvmfPkg directory use the NULL
+version of the CcProbeLib library. However, these packages have support
+for confidential guests (usage of CcExitLib, MemEncrypt{Sev,Tdx}Lib, etc.)
+and should be using the OvmfPkg version of the CcProbeLib.
+
+The use of the NULL library causes the PCI option ROM to be enabled, which
+can't be trusted as it originates from the hypervisor. The use of the NULL
+library also causes a KVM hypervisor error when attempting to map/back the
+option ROM region when running an SEV-SNP guest.
+
+Update the various dsc files to reference the OvmfPkg version of the
+CcProbeLib library and prevent usage of PCI option ROMs.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+(cherry picked from commit 8b87eb9dfba054331ed16204f36c4885aefc3c94)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc   | 5 ++++-
+ OvmfPkg/CloudHv/CloudHvX64.dsc | 7 ++++++-
+ OvmfPkg/Microvm/MicrovmX64.dsc | 5 ++++-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 4edc2a9069..e92f358c0d 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -142,7 +142,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -165,6 +164,7 @@
+   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
+   LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -231,6 +231,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -247,6 +248,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -276,6 +278,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
+index 542ca013e2..b1d0d7383f 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
+@@ -159,7 +159,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -186,6 +185,9 @@
+   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
+ !if $(SMM_REQUIRE) == FALSE
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+!else
+  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+ !endif
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -268,6 +270,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -284,6 +287,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -312,6 +316,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index d76fa4269f..02da682ec6 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -162,7 +162,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -185,6 +184,7 @@
+   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
+   LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -276,6 +276,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -292,6 +293,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -320,6 +322,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+-- 
+2.48.1
+
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@ -8,7 +8,7 @@ ExclusiveArch: x86_64 aarch64
 %define OPENSSL_VER    3.0.7
 %define OPENSSL_HASH   0205b589887203b065154ddc8e8107c4ac8625a1

-%define DBXDATE        20230509
+%define DBXDATE        20250610

 %define build_ovmf 0
 %define build_aarch64 0
@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}
-Release:    2%{?dist}
+Release:    4%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@ -87,6 +87,8 @@ Patch32: 0034-OvmfPkg-PlatformInitLib-Retry-NV-vars-FV-check-as-sh.patch
 Patch33: 0035-OvmfPkg-EmuVariableFvbRuntimeDxe-Issue-NV-vars-initi.patch
 Patch34: 0036-OvmfPkg-PlatformInitLib-enable-x2apic-mode-if-needed.patch
 Patch35: 0037-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
+# For RHEL-70865 - SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7]
+Patch36: edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch

 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@ -422,6 +424,19 @@ install -m 0644 \


 %changelog
+* Fri Jul 04 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20241117-4
+- edk2-update-dbx-to-20250610.patch [RHEL-96869]
+- Resolves: RHEL-96869
+  ([edk2,rhel-9] dbx update 20250610)
+
+* Wed Mar 19 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-3
+- edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch [RHEL-70865]
+- edk2-Update-dbx-revocation-list-to-2025-02-24-version.patch [RHEL-83019]
+- Resolves: RHEL-70865
+  (SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7])
+- Resolves: RHEL-83019
+  (The newer revocation file and Server 2025 required to update it [rhel-9])
+
 * Mon Jan 20 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20241117-2
 - edk2-Fix-amd-sev-firmware-file-for-amd-snp.patch [RHEL-72447]
 - Resolves: RHEL-72447