diff --git a/.edk2.metadata b/.edk2.metadata index 1e810eb..7907be7 100644 --- a/.edk2.metadata +++ b/.edk2.metadata @@ -1,4 +1,4 @@ -de143fc38b339d982079517b6f01bcec5246cf5e SOURCES/DBXUpdate-20230509.x64.bin +9bbd7d85dbb5e444b296bc8b9bd9c07019703706 SOURCES/DBXUpdate-20250610.x64.bin 19a95204dd787b4809886db15655082cb28718e9 SOURCES/dtc-1.7.0.tar.xz a0cdc45f583976eda09dd85740264e57333b3df2 SOURCES/edk2-0f3867fa6ef0.tar.xz 0a9cfae889c6436333fab963250b069058eec6cf SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz diff --git a/.gitignore b/.gitignore index f57d711..f4fc3fe 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -SOURCES/DBXUpdate-20230509.x64.bin +SOURCES/DBXUpdate-20250610.x64.bin SOURCES/dtc-1.7.0.tar.xz SOURCES/edk2-0f3867fa6ef0.tar.xz SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz diff --git a/SOURCES/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch b/SOURCES/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch new file mode 100644 index 0000000..f486b96 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch @@ -0,0 +1,170 @@ +From 622885419f4cbfaf6e8f18431660d1aa8710e257 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Wed, 8 Jan 2025 12:22:43 -0600 +Subject: [PATCH 1/2] OvmfPkg: Use the OvmfPkg version of CcProbeLib + +RH-Author: Oliver Steffen +RH-MergeRequest: 89: OvmfPkg: Use the OvmfPkg version of CcProbeLib +RH-Jira: RHEL-70865 +RH-Acked-by: Luigi Leonardi +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] f5ca606121e443ffc3f588630ca24ca07eb99319 (osteffen/edk2) + +Currently, multiple dsc files within the OvmfPkg directory use the NULL +version of the CcProbeLib library. However, these packages have support +for confidential guests (usage of CcExitLib, MemEncrypt{Sev,Tdx}Lib, etc.) +and should be using the OvmfPkg version of the CcProbeLib. + +The use of the NULL library causes the PCI option ROM to be enabled, which +can't be trusted as it originates from the hypervisor. The use of the NULL +library also causes a KVM hypervisor error when attempting to map/back the +option ROM region when running an SEV-SNP guest. + +Update the various dsc files to reference the OvmfPkg version of the +CcProbeLib library and prevent usage of PCI option ROMs. + +Signed-off-by: Tom Lendacky +(cherry picked from commit 8b87eb9dfba054331ed16204f36c4885aefc3c94) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- + OvmfPkg/CloudHv/CloudHvX64.dsc | 7 ++++++- + OvmfPkg/Microvm/MicrovmX64.dsc | 5 ++++- + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 4edc2a9069..e92f358c0d 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -142,7 +142,6 @@ + PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf + PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf + PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf +- CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf + OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf + SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf +@@ -165,6 +164,7 @@ + VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf + LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf + LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf + CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf + FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf +@@ -231,6 +231,7 @@ + CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf + CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEI_CORE] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -247,6 +248,7 @@ + DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf + !endif + PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEIM] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -276,6 +278,7 @@ + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + + [LibraryClasses.common.DXE_CORE] +diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc +index 542ca013e2..b1d0d7383f 100644 +--- a/OvmfPkg/CloudHv/CloudHvX64.dsc ++++ b/OvmfPkg/CloudHv/CloudHvX64.dsc +@@ -159,7 +159,6 @@ + PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf + PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf + PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf +- CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf + OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf + SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf +@@ -186,6 +185,9 @@ + ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf + !if $(SMM_REQUIRE) == FALSE + LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf ++!else ++ CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf + !endif + CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf + FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf +@@ -268,6 +270,7 @@ + CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf + CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEI_CORE] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -284,6 +287,7 @@ + DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf + !endif + PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEIM] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -312,6 +316,7 @@ + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + + [LibraryClasses.common.DXE_CORE] +diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc +index d76fa4269f..02da682ec6 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.dsc ++++ b/OvmfPkg/Microvm/MicrovmX64.dsc +@@ -162,7 +162,6 @@ + PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf + PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf + PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf +- CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf + OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf + SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf +@@ -185,6 +184,7 @@ + VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf + LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf + LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf + CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf + FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf +@@ -276,6 +276,7 @@ + CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf + CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEI_CORE] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -292,6 +293,7 @@ + DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf + !endif + PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + + [LibraryClasses.common.PEIM] + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf +@@ -320,6 +322,7 @@ + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf ++ CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + + [LibraryClasses.common.DXE_CORE] +-- +2.48.1 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 5cd1755..5361c85 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -8,7 +8,7 @@ ExclusiveArch: x86_64 aarch64 %define OPENSSL_VER 3.0.7 %define OPENSSL_HASH 0205b589887203b065154ddc8e8107c4ac8625a1 -%define DBXDATE 20230509 +%define DBXDATE 20250610 %define build_ovmf 0 %define build_aarch64 0 @@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE} -Release: 2%{?dist} +Release: 4%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org @@ -87,6 +87,8 @@ Patch32: 0034-OvmfPkg-PlatformInitLib-Retry-NV-vars-FV-check-as-sh.patch Patch33: 0035-OvmfPkg-EmuVariableFvbRuntimeDxe-Issue-NV-vars-initi.patch Patch34: 0036-OvmfPkg-PlatformInitLib-enable-x2apic-mode-if-needed.patch Patch35: 0037-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch +# For RHEL-70865 - SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7] +Patch36: edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -422,6 +424,19 @@ install -m 0644 \ %changelog +* Fri Jul 04 2025 Miroslav Rezanina - 20241117-4 +- edk2-update-dbx-to-20250610.patch [RHEL-96869] +- Resolves: RHEL-96869 + ([edk2,rhel-9] dbx update 20250610) + +* Wed Mar 19 2025 Jon Maloy - 20241117-3 +- edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch [RHEL-70865] +- edk2-Update-dbx-revocation-list-to-2025-02-24-version.patch [RHEL-83019] +- Resolves: RHEL-70865 + (SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7]) +- Resolves: RHEL-83019 + (The newer revocation file and Server 2025 required to update it [rhel-9]) + * Mon Jan 20 2025 Miroslav Rezanina - 20241117-2 - edk2-Fix-amd-sev-firmware-file-for-amd-snp.patch [RHEL-72447] - Resolves: RHEL-72447