* Thu Mar 20 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-4

- edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch [RHEL-70865] - edk2-Update-dbx-revocation-list-to-2025-02-24-version.patch [RHEL-83019] - Resolves: RHEL-70865 (SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7]) - Resolves: RHEL-83019 (The newer revocation file and Server 2025 required to update it [rhel-9])
2025-03-20 00:24:13 -04:00 · 2025-03-20 00:24:13 -04:00 · 3bb744e818
commit 3bb744e818
parent 7dd07c3b60
3 changed files with 183 additions and 3 deletions
--- a/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch
+++ b/edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch
@ -0,0 +1,170 @@
+From 622885419f4cbfaf6e8f18431660d1aa8710e257 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 8 Jan 2025 12:22:43 -0600
+Subject: [PATCH 1/2] OvmfPkg: Use the OvmfPkg version of CcProbeLib
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 89: OvmfPkg: Use the OvmfPkg version of CcProbeLib
+RH-Jira: RHEL-70865
+RH-Acked-by: Luigi Leonardi <None>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Commit: [1/1] f5ca606121e443ffc3f588630ca24ca07eb99319 (osteffen/edk2)
+
+Currently, multiple dsc files within the OvmfPkg directory use the NULL
+version of the CcProbeLib library. However, these packages have support
+for confidential guests (usage of CcExitLib, MemEncrypt{Sev,Tdx}Lib, etc.)
+and should be using the OvmfPkg version of the CcProbeLib.
+
+The use of the NULL library causes the PCI option ROM to be enabled, which
+can't be trusted as it originates from the hypervisor. The use of the NULL
+library also causes a KVM hypervisor error when attempting to map/back the
+option ROM region when running an SEV-SNP guest.
+
+Update the various dsc files to reference the OvmfPkg version of the
+CcProbeLib library and prevent usage of PCI option ROMs.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+(cherry picked from commit 8b87eb9dfba054331ed16204f36c4885aefc3c94)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc   | 5 ++++-
+ OvmfPkg/CloudHv/CloudHvX64.dsc | 7 ++++++-
+ OvmfPkg/Microvm/MicrovmX64.dsc | 5 ++++-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 4edc2a9069..e92f358c0d 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -142,7 +142,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -165,6 +164,7 @@
+   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
+   LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -231,6 +231,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -247,6 +248,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -276,6 +278,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
+index 542ca013e2..b1d0d7383f 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
+@@ -159,7 +159,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -186,6 +185,9 @@
+   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
+ !if $(SMM_REQUIRE) == FALSE
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+!else
+  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+ !endif
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -268,6 +270,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -284,6 +287,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -312,6 +316,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index d76fa4269f..02da682ec6 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -162,7 +162,6 @@
+   PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf
+   PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf
+   PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
+-  CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf
+   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf
+   OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
+   SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf
+@@ -185,6 +184,7 @@
+   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
+   LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf
+   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+@@ -276,6 +276,7 @@
+   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+   CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEI_CORE]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -292,6 +293,7 @@
+   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+ 
+ [LibraryClasses.common.PEIM]
+   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
+@@ -320,6 +322,7 @@
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+  CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+   PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
+ 
+ [LibraryClasses.common.DXE_CORE]
+-- 
+2.48.1
+
--- a/edk2.spec
+++ b/edk2.spec
@ -8,7 +8,7 @@ ExclusiveArch: x86_64 aarch64
 %define OPENSSL_VER    3.0.7
 %define OPENSSL_HASH   0205b589887203b065154ddc8e8107c4ac8625a1

-%define DBXDATE        20230509
+%define DBXDATE        20250224

 %define build_ovmf 0
 %define build_aarch64 0
@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}
-Release:    2%{?dist}
+Release:    3%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@ -87,6 +87,8 @@ Patch32: 0034-OvmfPkg-PlatformInitLib-Retry-NV-vars-FV-check-as-sh.patch
 Patch33: 0035-OvmfPkg-EmuVariableFvbRuntimeDxe-Issue-NV-vars-initi.patch
 Patch34: 0036-OvmfPkg-PlatformInitLib-enable-x2apic-mode-if-needed.patch
 Patch35: 0037-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
+# For RHEL-70865 - SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7]
+Patch36: edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch

 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@ -422,6 +424,14 @@ install -m 0644 \


 %changelog
+* Wed Mar 19 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-3
+- edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch [RHEL-70865]
+- edk2-Update-dbx-revocation-list-to-2025-02-24-version.patch [RHEL-83019]
+- Resolves: RHEL-70865
+  (SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7])
+- Resolves: RHEL-83019
+  (The newer revocation file and Server 2025 required to update it [rhel-9])
+
 * Mon Jan 20 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20241117-2
 - edk2-Fix-amd-sev-firmware-file-for-amd-snp.patch [RHEL-72447]
 - Resolves: RHEL-72447
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-SHA512 (DBXUpdate-20230509.x64.bin) = 71fb6e8cd6918126b3acd78b95651913336df372e13fdfdfdd20d5d23f0e509050c6c88c8a2c43f8ac44f987df86bd45174bb3065d5a7a8c7e3b8772fd06d624
+SHA512 (DBXUpdate-20250224.x64.bin) = 05640ada78ce94132670ade66676aacdb6cdc311b992769f2ae0413554aa535b9c15213a513355d5e763bef908b961f1ff1d2226081240a6ebd5d4aef7148828
 SHA512 (dtc-1.7.0.tar.xz) = d3ba6902a9a2f2cdbaff55f12fca3cfe4a1ec5779074a38e3d8b88097c7abc981835957e8ce72971e10c131e05fde0b1b961768e888ff96d89e42c75edb53afb
 SHA512 (edk2-0f3867fa6ef0.tar.xz) = 256280ea6f777d1c0f6b803ec791b28955d6568128f303bbf1447f512dc808c5a72f1e8074d9cebb89605c330569fcdcf2d5fdf5611bf3c442c72c67a5a100e0
 SHA512 (openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz) = 07db9535df29873a3884a411e6ab5c3ea6783b9773cd0923f5b2be1273c0e3e984a2f3a80bd1a637995eda018fa6372b6d1eb41000be07cdf5972938c74f51e9