import edk2-20210527gite1999b264f1f-3.el8

CentOS Sources 2021-10-06 06:07:36 -04:00 committed by Stepan Oksanichenko
parent 61bad4b6b9
commit 46352fc37f
44 changed files with 1849 additions and 1972 deletions

@ -1,2 +1,2 @@
3a531b4e8864ee52b1e128ac9742b3e9dcec49bf SOURCES/edk2-ca407c7246bf.tar.xz
627633682f69c2c899fe6018d675faaf45e5bb33 SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
858fffdab12810fb170144ffe1a9c39e9fface80 SOURCES/edk2-e1999b264f1f.tar.xz
4c1a80504b0bd3ce87fd9baa30836142620af1eb SOURCES/openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz
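Review bot: The tarball entries in this metadata hunk are pinned with 40-hex-digit digests, which is SHA-1 length; if the lookaside tooling accepts a stronger hash, record SHA-256 or SHA-512 for the edk2 and openssl-rhel tarballs instead. The bundled OpenSSL snapshot also changes here (openssl-rhel-bdd048e9... to openssl-rhel-a7572216...), while the commit subject names only the edk2 version, so the changelog should say which OpenSSL level the new snapshot corresponds to, to keep the embedded crypto trackable against advisories.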

.gitignore vendored
@ -1,2 +1,2 @@
SOURCES/edk2-ca407c7246bf.tar.xz
SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
SOURCES/edk2-e1999b264f1f.tar.xz
SOURCES/openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz

@ -1,8 +1,13 @@
From db8ccca337e2c5722c1d408d2541cf653d3371a2 Mon Sep 17 00:00:00 2001
From dca56cf4d28bbbb1d3be029ce9a6710cb3f6cd2f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 4 Jun 2020 13:34:12 +0200
Subject: BaseTools: do not build BrotliCompress (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -16,15 +21,16 @@ submodules (RH only").
Do not attempt to build BrotliCompress.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit db8ccca337e2c5722c1d408d2541cf653d3371a2)
---
BaseTools/Source/C/GNUmakefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
index df4eb64ea9..52777eaff1 100644
index 8c191e0c38..3eae824a1c 100644
--- a/BaseTools/Source/C/GNUmakefile
+++ b/BaseTools/Source/C/GNUmakefile
@@ -45,7 +45,6 @@ all: makerootdir subdirs
@@ -48,7 +48,6 @@ all: makerootdir subdirs
LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \
@ -33,5 +39,5 @@ index df4eb64ea9..52777eaff1 100644
EfiRom \
GenFfs \
--
2.18.1
2.27.0

@ -1,8 +1,13 @@
From e05e0de713c4a2b8adb6ff9809611f222bfe50ed Mon Sep 17 00:00:00 2001
From 9729dd1d6b83961d531e29777d0cc4a610b108be Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 4 Jun 2020 13:39:08 +0200
Subject: MdeModulePkg: remove package-private Brotli include path (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -20,12 +25,13 @@ platforms, and we've removed the submodule earlier in this patch set,
remove the include path too.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e05e0de713c4a2b8adb6ff9809611f222bfe50ed)
---
MdeModulePkg/MdeModulePkg.dec | 3 ---
1 file changed, 3 deletions(-)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 4f44af6948..031043ec28 100644
index 8d38383915..ba2d0290e7 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -24,9 +24,6 @@
@ -39,5 +45,5 @@ index 4f44af6948..031043ec28 100644
## @libraryclass Defines a set of methods to reset whole system.
ResetSystemLib|Include/Library/ResetSystemLib.h
--
2.18.1
2.27.0

@ -1,8 +1,24 @@
From cee80878b19e51d9b3c63335c681f152dcc59764 Mon Sep 17 00:00:00 2001
From 8c815e04dda7897899dfa011063f779280cd4d5d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 Jun 2014 23:33:33 +0200
Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Extend the DSC/FDF change to the new OvmfPkg/AmdSev platform, which has
been introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base
commit to build encrypted boot specific OVMF", 2020-12-14), for
TianoCore#3077.
We've always patched all those DSC/FDF files in OvmfPkg down-stream that
made sense at least in theory on QEMU. (For example, we've always
patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never
build or ship the pure IA32 firmware platform.) Follow suit with
"AmdSevX64.dsc" and "AmdSevX64.fdf".
"AmdSevX64.dsc" consumes OpenSSL when built with "-D TPM_ENABLE".
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -151,6 +167,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d)
(cherry picked from commit 727c11ecd9f34990312e14f239e6238693619849)
(cherry picked from commit 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2)
(cherry picked from commit cee80878b19e51d9b3c63335c681f152dcc59764)
---
ArmVirtPkg/ArmVirtQemu.dsc | 2 +-
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 2 +-
@ -159,23 +176,25 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
MdeModulePkg/Logo/Logo-OpenSSL.idf | 10 +++++
MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 56 +++++++++++++++++++++++++++
MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 17 ++++++++
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
OvmfPkg/AmdSev/AmdSevX64.fdf | 2 +-
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32.fdf | 2 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.fdf | 2 +-
13 files changed, 92 insertions(+), 9 deletions(-)
15 files changed, 94 insertions(+), 11 deletions(-)
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 3f649c91d8..360094ab6a 100644
index 7ef5e7297b..54d637163c 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -424,7 +424,7 @@
@@ -433,7 +433,7 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@ -185,10 +204,10 @@ index 3f649c91d8..360094ab6a 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index a2f4bd62c8..9b94043085 100644
index 5b1d100575..6cdbfc39be 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -193,7 +193,7 @@ READ_LOCK_STATUS = TRUE
@@ -196,7 +196,7 @@ READ_LOCK_STATUS = TRUE
#
# TianoCore logo (splash screen)
#
@ -198,10 +217,10 @@ index a2f4bd62c8..9b94043085 100644
#
# Ramdisk support
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 2a6fd6bc06..d186263e18 100644
index a542fcb157..f598ac6a85 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -363,7 +363,7 @@
@@ -369,7 +369,7 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@ -531,11 +550,37 @@ index 0000000000..6439502b6a
+
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
+
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 66bbbc80cd..52bcae6cf6 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -688,7 +688,7 @@
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
- MdeModulePkg/Logo/LogoDxe.inf
+ MdeModulePkg/Logo/LogoOpenSSLDxe.inf
MdeModulePkg/Application/UiApp/UiApp.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index dd0030dbf1..fa5e484e63 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -279,7 +279,7 @@ INF OvmfPkg/AmdSev/Grub/Grub.inf
INF ShellPkg/Application/Shell/Shell.inf
!endif
-INF MdeModulePkg/Logo/LogoDxe.inf
+INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
#
# Usb Support
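Review bot: In AmdSevX64.dsc and AmdSevX64.fdf the swap from MdeModulePkg/Logo/LogoDxe.inf to MdeModulePkg/Logo/LogoOpenSSLDxe.inf is unconditional, while the rebase notes tie OpenSSL use on this platform to a build with "-D TPM_ENABLE". Please state in the notes whether the downstream AmdSev build sets that flag, or say explicitly that the logo is swapped regardless (as is already done for OvmfPkgIa32, which is never built or shipped), so the splash screen is not taken as evidence that OpenSSL is linked into the image.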
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d0df9cbbfb..f8317a4f5d 100644
index 33fbd76790..d8f03caa30 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -750,7 +750,7 @@
@@ -777,7 +777,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -545,10 +590,10 @@ index d0df9cbbfb..f8317a4f5d 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index e2b759aa8d..ec64551bcb 100644
index b3c8b56f3b..e3b1d74ce2 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -294,7 +294,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
@@ -300,7 +300,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -558,10 +603,10 @@ index e2b759aa8d..ec64551bcb 100644
#
# Network modules
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b3ae62fee9..55423d356c 100644
index b13e5cfd90..312577ebae 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -764,7 +764,7 @@
@@ -791,7 +791,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -571,10 +616,10 @@ index b3ae62fee9..55423d356c 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index bfca1eff9e..2f02ac2d73 100644
index 86592c2364..f7732382d4 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
@@ -301,7 +301,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -584,10 +629,10 @@ index bfca1eff9e..2f02ac2d73 100644
#
# Network modules
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f7fe75ebf5..17aeeed96e 100644
index 999738dc39..d72a00e6b4 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -760,7 +760,7 @@
@@ -789,7 +789,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -597,10 +642,10 @@ index f7fe75ebf5..17aeeed96e 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index bfca1eff9e..2f02ac2d73 100644
index d6be798fca..137ed6bceb 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
@@ -313,7 +313,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -610,5 +655,5 @@ index bfca1eff9e..2f02ac2d73 100644
#
# Network modules
--
2.18.1
2.27.0

@ -1,580 +0,0 @@
From 99da4393139d428baf09d751af3d072229839126 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 12 Jun 2014 00:17:59 +0200
Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no changes
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
- no changes
Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
RHEL-8.1/20190308-89910a39dcfd rebase:
- no changes
Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
RHEL-8.0/20180508-ee3198e672e2 rebase:
- reorder the rebase changelog in the commit message so that it reads like
a blog: place more recent entries near the top
- no changes to the patch body
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- update commit message as requested in
<https://bugzilla.redhat.com/show_bug.cgi?id=1503316#c0>
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
The Int10h VBE Shim is capable of emitting short debug messages when the
win2k8r2 UEFI guest uses (emulates) the Video BIOS. In upstream the quiet
version is preferred; for us debug messages are important as a default.
For this patch, the DEBUG macro is enabled in the assembly file, and then
the header file is regenerated from the assembly, by running
"OvmfPkg/QemuVideoDxe/VbeShim.sh".
"VbeShim.h" is not auto-generated; it is manually generated. The patch
does not add "VbeShim.h", it just updates both "VbeShim.asm" and (the
manually re-generated) "VbeShim.h" atomically. Doing so helps with local
downstream builds, with bisection, and also keeps redhat/README a bit
simpler.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit ccda46526bb2e573d9b54f0db75d27e442b4566f)
(cherry picked from commit ed45b26dbeadd63dd8f2edf627290957d8bbb3b2)
(cherry picked from commit 9a8a034ebc082f86fdbb54dc1303a5059508e14c)
(cherry picked from commit 7046d6040181bb0f76a5ebd680e0dc701c895dba)
(cherry picked from commit 4dd1cc745bc9a8c8b32b5810b40743fed1e36d7e)
(cherry picked from commit bd264265a99c60f45cadaa4109a9db59ae218471)
(cherry picked from commit 3aa0316ea1db5416cb528179a3ba5ce37c1279b7)
---
OvmfPkg/QemuVideoDxe/VbeShim.asm | 2 +-
OvmfPkg/QemuVideoDxe/VbeShim.h | 481 ++++++++++++++++++++-----------
2 files changed, 308 insertions(+), 175 deletions(-)
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
index 1d284b2641..0d5cfaf1e4 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
@@ -12,7 +12,7 @@
;------------------------------------------------------------------------------
; enable this macro for debug messages
-;%define DEBUG
+%define DEBUG
%macro DebugLog 1
%ifdef DEBUG
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.h b/OvmfPkg/QemuVideoDxe/VbeShim.h
index cc9b6e14cd..325d6478a1 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.h
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.h
@@ -517,185 +517,318 @@ STATIC CONST UINT8 mVbeShim[] = {
/* 000001FE nop */ 0x90,
/* 000001FF nop */ 0x90,
/* 00000200 cmp ax,0x4f00 */ 0x3D, 0x00, 0x4F,
- /* 00000203 jz 0x22d */ 0x74, 0x28,
+ /* 00000203 jz 0x235 */ 0x74, 0x30,
/* 00000205 cmp ax,0x4f01 */ 0x3D, 0x01, 0x4F,
- /* 00000208 jz 0x245 */ 0x74, 0x3B,
+ /* 00000208 jz 0x255 */ 0x74, 0x4B,
/* 0000020A cmp ax,0x4f02 */ 0x3D, 0x02, 0x4F,
- /* 0000020D jz 0x269 */ 0x74, 0x5A,
+ /* 0000020D jz 0x289 */ 0x74, 0x7A,
/* 0000020F cmp ax,0x4f03 */ 0x3D, 0x03, 0x4F,
- /* 00000212 jz word 0x331 */ 0x0F, 0x84, 0x1B, 0x01,
+ /* 00000212 jz word 0x361 */ 0x0F, 0x84, 0x4B, 0x01,
/* 00000216 cmp ax,0x4f10 */ 0x3D, 0x10, 0x4F,
- /* 00000219 jz word 0x336 */ 0x0F, 0x84, 0x19, 0x01,
+ /* 00000219 jz word 0x36e */ 0x0F, 0x84, 0x51, 0x01,
/* 0000021D cmp ax,0x4f15 */ 0x3D, 0x15, 0x4F,
- /* 00000220 jz word 0x338 */ 0x0F, 0x84, 0x14, 0x01,
+ /* 00000220 jz word 0x378 */ 0x0F, 0x84, 0x54, 0x01,
/* 00000224 cmp ah,0x0 */ 0x80, 0xFC, 0x00,
- /* 00000227 jz word 0x33a */ 0x0F, 0x84, 0x0F, 0x01,
- /* 0000022B jmp short 0x22b */ 0xEB, 0xFE,
- /* 0000022D push es */ 0x06,
- /* 0000022E push di */ 0x57,
- /* 0000022F push ds */ 0x1E,
- /* 00000230 push si */ 0x56,
- /* 00000231 push cx */ 0x51,
- /* 00000232 push cs */ 0x0E,
- /* 00000233 pop ds */ 0x1F,
- /* 00000234 mov si,0x0 */ 0xBE, 0x00, 0x00,
- /* 00000237 mov cx,0x100 */ 0xB9, 0x00, 0x01,
- /* 0000023A cld */ 0xFC,
- /* 0000023B rep movsb */ 0xF3, 0xA4,
- /* 0000023D pop cx */ 0x59,
- /* 0000023E pop si */ 0x5E,
- /* 0000023F pop ds */ 0x1F,
- /* 00000240 pop di */ 0x5F,
- /* 00000241 pop es */ 0x07,
- /* 00000242 jmp word 0x34c */ 0xE9, 0x07, 0x01,
- /* 00000245 push es */ 0x06,
- /* 00000246 push di */ 0x57,
- /* 00000247 push ds */ 0x1E,
- /* 00000248 push si */ 0x56,
- /* 00000249 push cx */ 0x51,
- /* 0000024A and cx,0xbfff */ 0x81, 0xE1, 0xFF, 0xBF,
- /* 0000024E cmp cx,0xf1 */ 0x81, 0xF9, 0xF1, 0x00,
- /* 00000252 jz 0x256 */ 0x74, 0x02,
- /* 00000254 jmp short 0x22b */ 0xEB, 0xD5,
- /* 00000256 push cs */ 0x0E,
- /* 00000257 pop ds */ 0x1F,
- /* 00000258 mov si,0x100 */ 0xBE, 0x00, 0x01,
- /* 0000025B mov cx,0x100 */ 0xB9, 0x00, 0x01,
- /* 0000025E cld */ 0xFC,
- /* 0000025F rep movsb */ 0xF3, 0xA4,
- /* 00000261 pop cx */ 0x59,
- /* 00000262 pop si */ 0x5E,
- /* 00000263 pop ds */ 0x1F,
- /* 00000264 pop di */ 0x5F,
- /* 00000265 pop es */ 0x07,
- /* 00000266 jmp word 0x34c */ 0xE9, 0xE3, 0x00,
- /* 00000269 push dx */ 0x52,
- /* 0000026A push ax */ 0x50,
- /* 0000026B cmp bx,0x40f1 */ 0x81, 0xFB, 0xF1, 0x40,
- /* 0000026F jz 0x273 */ 0x74, 0x02,
- /* 00000271 jmp short 0x22b */ 0xEB, 0xB8,
- /* 00000273 mov dx,0x3c0 */ 0xBA, 0xC0, 0x03,
- /* 00000276 mov al,0x20 */ 0xB0, 0x20,
- /* 00000278 out dx,al */ 0xEE,
- /* 00000279 push dx */ 0x52,
- /* 0000027A push ax */ 0x50,
- /* 0000027B mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 0000027E mov ax,0x4 */ 0xB8, 0x04, 0x00,
- /* 00000281 out dx,ax */ 0xEF,
- /* 00000282 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 00000285 mov ax,0x0 */ 0xB8, 0x00, 0x00,
- /* 00000288 out dx,ax */ 0xEF,
- /* 00000289 pop ax */ 0x58,
- /* 0000028A pop dx */ 0x5A,
- /* 0000028B push dx */ 0x52,
- /* 0000028C push ax */ 0x50,
- /* 0000028D mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 00000290 mov ax,0x5 */ 0xB8, 0x05, 0x00,
- /* 00000293 out dx,ax */ 0xEF,
- /* 00000294 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 00000297 mov ax,0x0 */ 0xB8, 0x00, 0x00,
- /* 0000029A out dx,ax */ 0xEF,
- /* 0000029B pop ax */ 0x58,
- /* 0000029C pop dx */ 0x5A,
- /* 0000029D push dx */ 0x52,
- /* 0000029E push ax */ 0x50,
- /* 0000029F mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002A2 mov ax,0x8 */ 0xB8, 0x08, 0x00,
- /* 000002A5 out dx,ax */ 0xEF,
- /* 000002A6 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 000002A9 mov ax,0x0 */ 0xB8, 0x00, 0x00,
- /* 000002AC out dx,ax */ 0xEF,
- /* 000002AD pop ax */ 0x58,
- /* 000002AE pop dx */ 0x5A,
- /* 000002AF push dx */ 0x52,
- /* 000002B0 push ax */ 0x50,
- /* 000002B1 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002B4 mov ax,0x9 */ 0xB8, 0x09, 0x00,
- /* 000002B7 out dx,ax */ 0xEF,
- /* 000002B8 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 000002BB mov ax,0x0 */ 0xB8, 0x00, 0x00,
- /* 000002BE out dx,ax */ 0xEF,
- /* 000002BF pop ax */ 0x58,
- /* 000002C0 pop dx */ 0x5A,
- /* 000002C1 push dx */ 0x52,
- /* 000002C2 push ax */ 0x50,
- /* 000002C3 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002C6 mov ax,0x3 */ 0xB8, 0x03, 0x00,
- /* 000002C9 out dx,ax */ 0xEF,
- /* 000002CA mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 000002CD mov ax,0x20 */ 0xB8, 0x20, 0x00,
- /* 000002D0 out dx,ax */ 0xEF,
- /* 000002D1 pop ax */ 0x58,
- /* 000002D2 pop dx */ 0x5A,
- /* 000002D3 push dx */ 0x52,
- /* 000002D4 push ax */ 0x50,
- /* 000002D5 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002D8 mov ax,0x1 */ 0xB8, 0x01, 0x00,
- /* 000002DB out dx,ax */ 0xEF,
- /* 000002DC mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 000002DF mov ax,0x400 */ 0xB8, 0x00, 0x04,
- /* 000002E2 out dx,ax */ 0xEF,
- /* 000002E3 pop ax */ 0x58,
- /* 000002E4 pop dx */ 0x5A,
- /* 000002E5 push dx */ 0x52,
- /* 000002E6 push ax */ 0x50,
- /* 000002E7 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002EA mov ax,0x6 */ 0xB8, 0x06, 0x00,
- /* 000002ED out dx,ax */ 0xEF,
- /* 000002EE mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 000002F1 mov ax,0x400 */ 0xB8, 0x00, 0x04,
- /* 000002F4 out dx,ax */ 0xEF,
- /* 000002F5 pop ax */ 0x58,
- /* 000002F6 pop dx */ 0x5A,
- /* 000002F7 push dx */ 0x52,
- /* 000002F8 push ax */ 0x50,
- /* 000002F9 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 000002FC mov ax,0x2 */ 0xB8, 0x02, 0x00,
- /* 000002FF out dx,ax */ 0xEF,
- /* 00000300 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 00000303 mov ax,0x300 */ 0xB8, 0x00, 0x03,
- /* 00000306 out dx,ax */ 0xEF,
- /* 00000307 pop ax */ 0x58,
- /* 00000308 pop dx */ 0x5A,
- /* 00000309 push dx */ 0x52,
- /* 0000030A push ax */ 0x50,
- /* 0000030B mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 0000030E mov ax,0x7 */ 0xB8, 0x07, 0x00,
- /* 00000311 out dx,ax */ 0xEF,
- /* 00000312 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 00000315 mov ax,0x300 */ 0xB8, 0x00, 0x03,
- /* 00000318 out dx,ax */ 0xEF,
- /* 00000319 pop ax */ 0x58,
- /* 0000031A pop dx */ 0x5A,
- /* 0000031B push dx */ 0x52,
- /* 0000031C push ax */ 0x50,
- /* 0000031D mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
- /* 00000320 mov ax,0x4 */ 0xB8, 0x04, 0x00,
- /* 00000323 out dx,ax */ 0xEF,
- /* 00000324 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
- /* 00000327 mov ax,0x41 */ 0xB8, 0x41, 0x00,
- /* 0000032A out dx,ax */ 0xEF,
- /* 0000032B pop ax */ 0x58,
- /* 0000032C pop dx */ 0x5A,
- /* 0000032D pop ax */ 0x58,
- /* 0000032E pop dx */ 0x5A,
- /* 0000032F jmp short 0x34c */ 0xEB, 0x1B,
- /* 00000331 mov bx,0x40f1 */ 0xBB, 0xF1, 0x40,
- /* 00000334 jmp short 0x34c */ 0xEB, 0x16,
- /* 00000336 jmp short 0x350 */ 0xEB, 0x18,
- /* 00000338 jmp short 0x350 */ 0xEB, 0x16,
- /* 0000033A cmp al,0x3 */ 0x3C, 0x03,
- /* 0000033C jz 0x345 */ 0x74, 0x07,
- /* 0000033E cmp al,0x12 */ 0x3C, 0x12,
- /* 00000340 jz 0x349 */ 0x74, 0x07,
- /* 00000342 jmp word 0x22b */ 0xE9, 0xE6, 0xFE,
- /* 00000345 mov al,0x30 */ 0xB0, 0x30,
- /* 00000347 jmp short 0x34b */ 0xEB, 0x02,
- /* 00000349 mov al,0x20 */ 0xB0, 0x20,
- /* 0000034B iretw */ 0xCF,
- /* 0000034C mov ax,0x4f */ 0xB8, 0x4F, 0x00,
- /* 0000034F iretw */ 0xCF,
- /* 00000350 mov ax,0x14f */ 0xB8, 0x4F, 0x01,
- /* 00000353 iretw */ 0xCF,
+ /* 00000227 jz word 0x382 */ 0x0F, 0x84, 0x57, 0x01,
+ /* 0000022B push si */ 0x56,
+ /* 0000022C mov si,0x3e9 */ 0xBE, 0xE9, 0x03,
+ /* 0000022F call word 0x3c4 */ 0xE8, 0x92, 0x01,
+ /* 00000232 pop si */ 0x5E,
+ /* 00000233 jmp short 0x233 */ 0xEB, 0xFE,
+ /* 00000235 push es */ 0x06,
+ /* 00000236 push di */ 0x57,
+ /* 00000237 push ds */ 0x1E,
+ /* 00000238 push si */ 0x56,
+ /* 00000239 push cx */ 0x51,
+ /* 0000023A push si */ 0x56,
+ /* 0000023B mov si,0x3fb */ 0xBE, 0xFB, 0x03,
+ /* 0000023E call word 0x3c4 */ 0xE8, 0x83, 0x01,
+ /* 00000241 pop si */ 0x5E,
+ /* 00000242 push cs */ 0x0E,
+ /* 00000243 pop ds */ 0x1F,
+ /* 00000244 mov si,0x0 */ 0xBE, 0x00, 0x00,
+ /* 00000247 mov cx,0x100 */ 0xB9, 0x00, 0x01,
+ /* 0000024A cld */ 0xFC,
+ /* 0000024B rep movsb */ 0xF3, 0xA4,
+ /* 0000024D pop cx */ 0x59,
+ /* 0000024E pop si */ 0x5E,
+ /* 0000024F pop ds */ 0x1F,
+ /* 00000250 pop di */ 0x5F,
+ /* 00000251 pop es */ 0x07,
+ /* 00000252 jmp word 0x3ac */ 0xE9, 0x57, 0x01,
+ /* 00000255 push es */ 0x06,
+ /* 00000256 push di */ 0x57,
+ /* 00000257 push ds */ 0x1E,
+ /* 00000258 push si */ 0x56,
+ /* 00000259 push cx */ 0x51,
+ /* 0000025A push si */ 0x56,
+ /* 0000025B mov si,0x404 */ 0xBE, 0x04, 0x04,
+ /* 0000025E call word 0x3c4 */ 0xE8, 0x63, 0x01,
+ /* 00000261 pop si */ 0x5E,
+ /* 00000262 and cx,0xbfff */ 0x81, 0xE1, 0xFF, 0xBF,
+ /* 00000266 cmp cx,0xf1 */ 0x81, 0xF9, 0xF1, 0x00,
+ /* 0000026A jz 0x276 */ 0x74, 0x0A,
+ /* 0000026C push si */ 0x56,
+ /* 0000026D mov si,0x432 */ 0xBE, 0x32, 0x04,
+ /* 00000270 call word 0x3c4 */ 0xE8, 0x51, 0x01,
+ /* 00000273 pop si */ 0x5E,
+ /* 00000274 jmp short 0x233 */ 0xEB, 0xBD,
+ /* 00000276 push cs */ 0x0E,
+ /* 00000277 pop ds */ 0x1F,
+ /* 00000278 mov si,0x100 */ 0xBE, 0x00, 0x01,
+ /* 0000027B mov cx,0x100 */ 0xB9, 0x00, 0x01,
+ /* 0000027E cld */ 0xFC,
+ /* 0000027F rep movsb */ 0xF3, 0xA4,
+ /* 00000281 pop cx */ 0x59,
+ /* 00000282 pop si */ 0x5E,
+ /* 00000283 pop ds */ 0x1F,
+ /* 00000284 pop di */ 0x5F,
+ /* 00000285 pop es */ 0x07,
+ /* 00000286 jmp word 0x3ac */ 0xE9, 0x23, 0x01,
+ /* 00000289 push dx */ 0x52,
+ /* 0000028A push ax */ 0x50,
+ /* 0000028B push si */ 0x56,
+ /* 0000028C mov si,0x41a */ 0xBE, 0x1A, 0x04,
+ /* 0000028F call word 0x3c4 */ 0xE8, 0x32, 0x01,
+ /* 00000292 pop si */ 0x5E,
+ /* 00000293 cmp bx,0x40f1 */ 0x81, 0xFB, 0xF1, 0x40,
+ /* 00000297 jz 0x2a3 */ 0x74, 0x0A,
+ /* 00000299 push si */ 0x56,
+ /* 0000029A mov si,0x432 */ 0xBE, 0x32, 0x04,
+ /* 0000029D call word 0x3c4 */ 0xE8, 0x24, 0x01,
+ /* 000002A0 pop si */ 0x5E,
+ /* 000002A1 jmp short 0x233 */ 0xEB, 0x90,
+ /* 000002A3 mov dx,0x3c0 */ 0xBA, 0xC0, 0x03,
+ /* 000002A6 mov al,0x20 */ 0xB0, 0x20,
+ /* 000002A8 out dx,al */ 0xEE,
+ /* 000002A9 push dx */ 0x52,
+ /* 000002AA push ax */ 0x50,
+ /* 000002AB mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 000002AE mov ax,0x4 */ 0xB8, 0x04, 0x00,
+ /* 000002B1 out dx,ax */ 0xEF,
+ /* 000002B2 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 000002B5 mov ax,0x0 */ 0xB8, 0x00, 0x00,
+ /* 000002B8 out dx,ax */ 0xEF,
+ /* 000002B9 pop ax */ 0x58,
+ /* 000002BA pop dx */ 0x5A,
+ /* 000002BB push dx */ 0x52,
+ /* 000002BC push ax */ 0x50,
+ /* 000002BD mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 000002C0 mov ax,0x5 */ 0xB8, 0x05, 0x00,
+ /* 000002C3 out dx,ax */ 0xEF,
+ /* 000002C4 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 000002C7 mov ax,0x0 */ 0xB8, 0x00, 0x00,
+ /* 000002CA out dx,ax */ 0xEF,
+ /* 000002CB pop ax */ 0x58,
+ /* 000002CC pop dx */ 0x5A,
+ /* 000002CD push dx */ 0x52,
+ /* 000002CE push ax */ 0x50,
+ /* 000002CF mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 000002D2 mov ax,0x8 */ 0xB8, 0x08, 0x00,
+ /* 000002D5 out dx,ax */ 0xEF,
+ /* 000002D6 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 000002D9 mov ax,0x0 */ 0xB8, 0x00, 0x00,
+ /* 000002DC out dx,ax */ 0xEF,
+ /* 000002DD pop ax */ 0x58,
+ /* 000002DE pop dx */ 0x5A,
+ /* 000002DF push dx */ 0x52,
+ /* 000002E0 push ax */ 0x50,
+ /* 000002E1 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 000002E4 mov ax,0x9 */ 0xB8, 0x09, 0x00,
+ /* 000002E7 out dx,ax */ 0xEF,
+ /* 000002E8 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 000002EB mov ax,0x0 */ 0xB8, 0x00, 0x00,
+ /* 000002EE out dx,ax */ 0xEF,
+ /* 000002EF pop ax */ 0x58,
+ /* 000002F0 pop dx */ 0x5A,
+ /* 000002F1 push dx */ 0x52,
+ /* 000002F2 push ax */ 0x50,
+ /* 000002F3 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 000002F6 mov ax,0x3 */ 0xB8, 0x03, 0x00,
+ /* 000002F9 out dx,ax */ 0xEF,
+ /* 000002FA mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 000002FD mov ax,0x20 */ 0xB8, 0x20, 0x00,
+ /* 00000300 out dx,ax */ 0xEF,
+ /* 00000301 pop ax */ 0x58,
+ /* 00000302 pop dx */ 0x5A,
+ /* 00000303 push dx */ 0x52,
+ /* 00000304 push ax */ 0x50,
+ /* 00000305 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 00000308 mov ax,0x1 */ 0xB8, 0x01, 0x00,
+ /* 0000030B out dx,ax */ 0xEF,
+ /* 0000030C mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 0000030F mov ax,0x400 */ 0xB8, 0x00, 0x04,
+ /* 00000312 out dx,ax */ 0xEF,
+ /* 00000313 pop ax */ 0x58,
+ /* 00000314 pop dx */ 0x5A,
+ /* 00000315 push dx */ 0x52,
+ /* 00000316 push ax */ 0x50,
+ /* 00000317 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 0000031A mov ax,0x6 */ 0xB8, 0x06, 0x00,
+ /* 0000031D out dx,ax */ 0xEF,
+ /* 0000031E mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 00000321 mov ax,0x400 */ 0xB8, 0x00, 0x04,
+ /* 00000324 out dx,ax */ 0xEF,
+ /* 00000325 pop ax */ 0x58,
+ /* 00000326 pop dx */ 0x5A,
+ /* 00000327 push dx */ 0x52,
+ /* 00000328 push ax */ 0x50,
+ /* 00000329 mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 0000032C mov ax,0x2 */ 0xB8, 0x02, 0x00,
+ /* 0000032F out dx,ax */ 0xEF,
+ /* 00000330 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 00000333 mov ax,0x300 */ 0xB8, 0x00, 0x03,
+ /* 00000336 out dx,ax */ 0xEF,
+ /* 00000337 pop ax */ 0x58,
+ /* 00000338 pop dx */ 0x5A,
+ /* 00000339 push dx */ 0x52,
+ /* 0000033A push ax */ 0x50,
+ /* 0000033B mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 0000033E mov ax,0x7 */ 0xB8, 0x07, 0x00,
+ /* 00000341 out dx,ax */ 0xEF,
+ /* 00000342 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 00000345 mov ax,0x300 */ 0xB8, 0x00, 0x03,
+ /* 00000348 out dx,ax */ 0xEF,
+ /* 00000349 pop ax */ 0x58,
+ /* 0000034A pop dx */ 0x5A,
+ /* 0000034B push dx */ 0x52,
+ /* 0000034C push ax */ 0x50,
+ /* 0000034D mov dx,0x1ce */ 0xBA, 0xCE, 0x01,
+ /* 00000350 mov ax,0x4 */ 0xB8, 0x04, 0x00,
+ /* 00000353 out dx,ax */ 0xEF,
+ /* 00000354 mov dx,0x1d0 */ 0xBA, 0xD0, 0x01,
+ /* 00000357 mov ax,0x41 */ 0xB8, 0x41, 0x00,
+ /* 0000035A out dx,ax */ 0xEF,
+ /* 0000035B pop ax */ 0x58,
+ /* 0000035C pop dx */ 0x5A,
+ /* 0000035D pop ax */ 0x58,
+ /* 0000035E pop dx */ 0x5A,
+ /* 0000035F jmp short 0x3ac */ 0xEB, 0x4B,
+ /* 00000361 push si */ 0x56,
+ /* 00000362 mov si,0x411 */ 0xBE, 0x11, 0x04,
+ /* 00000365 call word 0x3c4 */ 0xE8, 0x5C, 0x00,
+ /* 00000368 pop si */ 0x5E,
+ /* 00000369 mov bx,0x40f1 */ 0xBB, 0xF1, 0x40,
+ /* 0000036C jmp short 0x3ac */ 0xEB, 0x3E,
+ /* 0000036E push si */ 0x56,
+ /* 0000036F mov si,0x43f */ 0xBE, 0x3F, 0x04,
+ /* 00000372 call word 0x3c4 */ 0xE8, 0x4F, 0x00,
+ /* 00000375 pop si */ 0x5E,
+ /* 00000376 jmp short 0x3b8 */ 0xEB, 0x40,
+ /* 00000378 push si */ 0x56,
+ /* 00000379 mov si,0x452 */ 0xBE, 0x52, 0x04,
+ /* 0000037C call word 0x3c4 */ 0xE8, 0x45, 0x00,
+ /* 0000037F pop si */ 0x5E,
+ /* 00000380 jmp short 0x3b8 */ 0xEB, 0x36,
+ /* 00000382 push si */ 0x56,
+ /* 00000383 mov si,0x423 */ 0xBE, 0x23, 0x04,
+ /* 00000386 call word 0x3c4 */ 0xE8, 0x3B, 0x00,
+ /* 00000389 pop si */ 0x5E,
+ /* 0000038A cmp al,0x3 */ 0x3C, 0x03,
+ /* 0000038C jz 0x39d */ 0x74, 0x0F,
+ /* 0000038E cmp al,0x12 */ 0x3C, 0x12,
+ /* 00000390 jz 0x3a1 */ 0x74, 0x0F,
+ /* 00000392 push si */ 0x56,
+ /* 00000393 mov si,0x432 */ 0xBE, 0x32, 0x04,
+ /* 00000396 call word 0x3c4 */ 0xE8, 0x2B, 0x00,
+ /* 00000399 pop si */ 0x5E,
+ /* 0000039A jmp word 0x233 */ 0xE9, 0x96, 0xFE,
+ /* 0000039D mov al,0x30 */ 0xB0, 0x30,
+ /* 0000039F jmp short 0x3a3 */ 0xEB, 0x02,
+ /* 000003A1 mov al,0x20 */ 0xB0, 0x20,
+ /* 000003A3 push si */ 0x56,
+ /* 000003A4 mov si,0x3d6 */ 0xBE, 0xD6, 0x03,
+ /* 000003A7 call word 0x3c4 */ 0xE8, 0x1A, 0x00,
+ /* 000003AA pop si */ 0x5E,
+ /* 000003AB iretw */ 0xCF,
+ /* 000003AC push si */ 0x56,
+ /* 000003AD mov si,0x3d6 */ 0xBE, 0xD6, 0x03,
+ /* 000003B0 call word 0x3c4 */ 0xE8, 0x11, 0x00,
+ /* 000003B3 pop si */ 0x5E,
+ /* 000003B4 mov ax,0x4f */ 0xB8, 0x4F, 0x00,
+ /* 000003B7 iretw */ 0xCF,
+ /* 000003B8 push si */ 0x56,
+ /* 000003B9 mov si,0x3dc */ 0xBE, 0xDC, 0x03,
+ /* 000003BC call word 0x3c4 */ 0xE8, 0x05, 0x00,
+ /* 000003BF pop si */ 0x5E,
+ /* 000003C0 mov ax,0x14f */ 0xB8, 0x4F, 0x01,
+ /* 000003C3 iretw */ 0xCF,
+ /* 000003C4 pushaw */ 0x60,
+ /* 000003C5 push ds */ 0x1E,
+ /* 000003C6 push cs */ 0x0E,
+ /* 000003C7 pop ds */ 0x1F,
+ /* 000003C8 mov dx,0x402 */ 0xBA, 0x02, 0x04,
+ /* 000003CB lodsb */ 0xAC,
+ /* 000003CC cmp al,0x0 */ 0x3C, 0x00,
+ /* 000003CE jz 0x3d3 */ 0x74, 0x03,
+ /* 000003D0 out dx,al */ 0xEE,
+ /* 000003D1 jmp short 0x3cb */ 0xEB, 0xF8,
+ /* 000003D3 pop ds */ 0x1F,
+ /* 000003D4 popaw */ 0x61,
+ /* 000003D5 ret */ 0xC3,
+ /* 000003D6 inc bp */ 0x45,
+ /* 000003D7 js 0x442 */ 0x78, 0x69,
+ /* 000003D9 jz 0x3e5 */ 0x74, 0x0A,
+ /* 000003DB add [di+0x6e],dl */ 0x00, 0x55, 0x6E,
+ /* 000003DE jnc 0x455 */ 0x73, 0x75,
+ /* 000003E0 jo 0x452 */ 0x70, 0x70,
+ /* 000003E2 outsw */ 0x6F,
+ /* 000003E3 jc 0x459 */ 0x72, 0x74,
+ /* 000003E5 or al,[fs:bx+si] */ 0x65, 0x64, 0x0A, 0x00,
+ /* 000003E9 push bp */ 0x55,
+ /* 000003EA outsb */ 0x6E,
+ /* 000003EB imul bp,[bp+0x6f],byte +0x77 */ 0x6B, 0x6E, 0x6F, 0x77,
+ /* 000003EF outsb */ 0x6E,
+ /* 000003F0 and [bp+0x75],al */ 0x20, 0x46, 0x75,
+ /* 000003F3 outsb */ 0x6E,
+ /* 000003F4 arpl [si+0x69],si */ 0x63, 0x74, 0x69,
+ /* 000003F7 outsw */ 0x6F,
+ /* 000003F8 outsb */ 0x6E,
+ /* 000003F9 or al,[bx+si] */ 0x0A, 0x00,
+ /* 000003FB inc di */ 0x47,
+ /* 000003FC gs jz 0x448 */ 0x65, 0x74, 0x49,
+ /* 000003FF outsb */ 0x6E,
+ /* 00000400 outsd */ 0x66, 0x6F,
+ /* 00000402 or al,[bx+si] */ 0x0A, 0x00,
+ /* 00000404 inc di */ 0x47,
+ /* 00000405 gs jz 0x455 */ 0x65, 0x74, 0x4D,
+ /* 00000408 outsw */ 0x6F,
+ /* 00000409 gs dec cx */ 0x64, 0x65, 0x49,
+ /* 0000040C outsb */ 0x6E,
+ /* 0000040D outsd */ 0x66, 0x6F,
+ /* 0000040F or al,[bx+si] */ 0x0A, 0x00,
+ /* 00000411 inc di */ 0x47,
+ /* 00000412 gs jz 0x462 */ 0x65, 0x74, 0x4D,
+ /* 00000415 outsw */ 0x6F,
+ /* 00000416 or al,[gs:bx+si] */ 0x64, 0x65, 0x0A, 0x00,
+ /* 0000041A push bx */ 0x53,
+ /* 0000041B gs jz 0x46b */ 0x65, 0x74, 0x4D,
+ /* 0000041E outsw */ 0x6F,
+ /* 0000041F or al,[gs:bx+si] */ 0x64, 0x65, 0x0A, 0x00,
+ /* 00000423 push bx */ 0x53,
+ /* 00000424 gs jz 0x474 */ 0x65, 0x74, 0x4D,
+ /* 00000427 outsw */ 0x6F,
+ /* 00000428 gs dec sp */ 0x64, 0x65, 0x4C,
+ /* 0000042B gs a32 popaw */ 0x65, 0x67, 0x61,
+ /* 0000042E arpl [bx+di+0xa],di */ 0x63, 0x79, 0x0A,
+ /* 00000431 add [di+0x6e],dl */ 0x00, 0x55, 0x6E,
+ /* 00000434 imul bp,[bx+0x77],byte +0x6e */ 0x6B, 0x6F, 0x77, 0x6E,
+ /* 00000438 and [di+0x6f],cl */ 0x20, 0x4D, 0x6F,
+ /* 0000043B or al,[gs:bx+si] */ 0x64, 0x65, 0x0A, 0x00,
+ /* 0000043F inc di */ 0x47,
+ /* 00000440 gs jz 0x493 */ 0x65, 0x74, 0x50,
+ /* 00000443 insw */ 0x6D,
+ /* 00000444 inc bx */ 0x43,
+ /* 00000445 popaw */ 0x61,
+ /* 00000446 jo 0x4a9 */ 0x70, 0x61,
+ /* 00000448 bound bp,[bx+di+0x6c] */ 0x62, 0x69, 0x6C,
+ /* 0000044B imul si,[si+0x69],word 0x7365 */ 0x69, 0x74, 0x69, 0x65, 0x73,
+ /* 00000450 or al,[bx+si] */ 0x0A, 0x00,
+ /* 00000452 push dx */ 0x52,
+ /* 00000453 gs popaw */ 0x65, 0x61,
+ /* 00000455 fs inc bp */ 0x64, 0x45,
+ /* 00000457 fs */ 0x64,
+ /* 00000458 db 0x69 */ 0x69,
+ /* 00000459 or al,[fs:bx+si] */ 0x64, 0x0A, 0x00,
};
#endif
--
2.18.1
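Review bot: From offset 0x3D6 to the end of the array the bytes are NUL-terminated ASCII message strings, not code, so the disassembly comments there (`inc bp`, `js 0x442`, and so on) are misleading. The `mov si` operands 0x3d6 and 0x3dc point at the first two strings ("Exit\n" and "Unsupported\n"), which the routine at 0x3C4 writes byte by byte to port 0x402; annotate that region as string data instead. Separately, the string starting at 0x432 decodes to "Unkown Mode\n" (0x55, 0x6E, 0x6B, 0x6F, 0x77, 0x6E), while the one at 0x3E9 spells "Unknown Function\n" correctly. Fix the spelling where the string is defined so that a log search for "Unknown" matches both messages.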

View File

@ -1,8 +1,13 @@
From a95cff0b9573bf23699551beb4786383f697ff1e Mon Sep 17 00:00:00 2001
From ed975a4db7c55e49ab9de1a0919baafdce9661e3 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 20 Feb 2014 22:54:45 +0100
Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -54,6 +59,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a)
(cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2)
(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5)
(cherry picked from commit a95cff0b9573bf23699551beb4786383f697ff1e)
---
OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@ -72,5 +78,5 @@ index dffb20822d..0577c43c3d 100644
//
// VA_LIST can not initialize to NULL for all compiler, so we use this to
--
2.18.1
2.27.0

View File

@ -1,8 +1,13 @@
From 82b9edc5fef3a07227a45059bbe821af7b9abd69 Mon Sep 17 00:00:00 2001
From 6901201d2cd1d943ebd41f3d65102f787540d3c4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 18:40:35 +0100
Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -101,6 +106,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37)
(cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51)
(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18)
(cherry picked from commit 82b9edc5fef3a07227a45059bbe821af7b9abd69)
---
.../Universal/Console/TerminalDxe/Terminal.c | 41 +++++++++++++++++--
1 file changed, 38 insertions(+), 3 deletions(-)
@ -158,5 +164,5 @@ index a98b690c8b..ded5513c74 100644
// New modes can be added here.
//
--
2.18.1
2.27.0

View File

@ -1,9 +1,21 @@
From bc2266f20de5db1636e09a07e4a72c8dbf505f5a Mon Sep 17 00:00:00 2001
From 9485b38e5dbfd2e23ea6ad0585e773d7842a1903 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 22:40:01 +0100
Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Resolve harmless conflict in "MdeModulePkg/MdeModulePkg.dec",
originating from new upstream commits
- 45bc28172fbf ("MdeModulePkg.dec: Change PCDs for status code.",
2020-06-18),
- 0785c619a58a ("MdeModulePkg/Bus/Pci/PciBusDxe: Support PCIe Resizable
BAR Capability", 2021-01-04),
- ef23012e5439 ("MdeModulePkg: Change default value of
PcdPcieResizableBarSupport to FALSE", 2021-01-14).
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -67,6 +79,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb)
(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc)
(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c)
(cherry picked from commit bc2266f20de5db1636e09a07e4a72c8dbf505f5a)
---
MdeModulePkg/MdeModulePkg.dec | 4 +++
.../Console/TerminalDxe/TerminalConOut.c | 30 +++++++++++++++++++
@ -74,12 +87,12 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
3 files changed, 36 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 031043ec28..3978a500e5 100644
index ba2d0290e7..ff70d6e6eb 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1998,6 +1998,10 @@
# @Prompt TCG Platform Firmware Profile revision.
gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x00010077
@@ -2046,6 +2046,10 @@
# @Prompt Enable PCIe Resizable BAR Capability support.
gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport|FALSE|BOOLEAN|0x10000024
+ ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
+ # mode change.
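Review bot: In the MdeModulePkg.dec hunk the insertion point moves from after PcdTcgPfpMeasurementRevision (token 0x00010077) to after PcdPcieResizableBarSupport (token 0x10000024), but the token number of the downstream PcdResizeXterm declaration is not visible in this context. The rebase note calls the conflict harmless; it should also state that the downstream token value was checked against the tokens introduced by the three listed upstream commits, so that a collision in gEfiMdeModulePkgTokenSpaceGuid is ruled out.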
@ -164,5 +177,5 @@ index b2a8aeba85..eff6253465 100644
# [Event]
# # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.
--
2.18.1
2.27.0

View File

@ -1,8 +1,21 @@
From 51e0de961029af84b5bdbfddcc9762b1819d500f Mon Sep 17 00:00:00 2001
From 1165bbcec94a97cf1d1509df8210feb2e1db00c5 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 15:59:06 +0200
Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
We've always patched all those DSC/FDF files in OvmfPkg down-stream that
made sense at least in theory on QEMU. (For example, we've always
patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never
build or ship the pure IA32 firmware platform.) Follow suit with
"AmdSevX64.dsc".
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -51,19 +64,33 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853)
(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2)
(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f)
(cherry picked from commit 51e0de961029af84b5bdbfddcc9762b1819d500f)
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/PlatformPei/Platform.c | 1 +
OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
5 files changed, 5 insertions(+)
6 files changed, 6 insertions(+)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 52bcae6cf6..0a8cb7fd3b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -534,6 +534,7 @@
[PcdsDynamicDefault]
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f8317a4f5d..6ce8a46d4e 100644
index d8f03caa30..e6df324c7c 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -574,6 +574,7 @@
@@ -594,6 +594,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
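Review bot: The new AmdSevX64.dsc hunk adds `gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE` under [PcdsDynamicDefault], and per the subject the value is then taken from the QEMU command line, that is, from the host. The rebase note justifies the extension only by consistency with the other DSC files. Since AmdSev is the encrypted-boot platform, add one sentence stating that this PCD only controls whether TerminalDxe emits an XTerm resize sequence on mode change, so a host-chosen value is acceptable there.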
@ -72,10 +99,10 @@ index f8317a4f5d..6ce8a46d4e 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 55423d356c..89d414cda7 100644
index 312577ebae..8104fe0218 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -580,6 +580,7 @@
@@ -600,6 +600,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -84,10 +111,10 @@ index 55423d356c..89d414cda7 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 17aeeed96e..e567eb76e0 100644
index d72a00e6b4..3c8b2649a8 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -578,6 +578,7 @@
@@ -600,6 +600,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -108,10 +135,10 @@ index 96468701e3..14efbabe39 100644
InstallClearCacheCallback ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index ff397b3ee9..3a012a7fa4 100644
index 6ef77ba7bb..22425d34c0 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -93,6 +93,7 @@
@@ -97,6 +97,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
@ -120,5 +147,5 @@ index ff397b3ee9..3a012a7fa4 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
--
2.18.1
2.27.0

View File

@ -1,8 +1,13 @@
From a5f7a57bf390f1f340ff1d1f1884a73716817ef1 Mon Sep 17 00:00:00 2001
From 3f9662c435278564640be672f0c4e17e535f1765 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sun, 26 Jul 2015 08:02:50 +0000
Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -80,6 +85,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806)
(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04)
(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99)
(cherry picked from commit a5f7a57bf390f1f340ff1d1f1884a73716817ef1)
---
ArmVirtPkg/ArmVirtQemu.dsc | 7 +++-
.../TerminalPcdProducerLib.c | 34 +++++++++++++++++++
@ -89,10 +95,10 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 360094ab6a..3345987503 100644
index 54d637163c..41a26c8d18 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -272,6 +272,8 @@
@@ -280,6 +280,8 @@
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
!endif
@ -101,7 +107,7 @@ index 360094ab6a..3345987503 100644
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
@@ -374,7 +376,10 @@
@@ -382,7 +384,10 @@
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
@ -193,5 +199,5 @@ index 0000000000..a51dbd1670
+[Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES
--
2.18.1
2.27.0

View File

@ -1,9 +1,27 @@
From c2812d7189dee06c780f05a5880eb421c359a687 Mon Sep 17 00:00:00 2001
From e9d9e73c317b256c0bdc6530b82a6a625d7d54db Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:53 +0100
Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH
only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- No manual / explicit code change is necessary, because the newly
inherited OvmfPkg/AmdSev platform already has its own BUILD_SHELL
build-time macro (feature test flag), with default value FALSE -- from
upstream commit b261a30c900a ("OvmfPkg/AmdSev: add Grub Firmware Volume
Package", 2020-12-14).
- Contextual differences from new upstream commits 2d8ca4f90eae ("OvmfPkg:
enable HttpDynamicCommand", 2020-10-01) and 5ab6a0e1c8e9 ("OvmfPkg:
introduce VirtioFsDxe", 2020-12-21) have been auto-resolved by
git-cherry-pick.
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by
(RHBZ#1846481).
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
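Review bot: After this rebase two different macros control shell inclusion: the three OvmfPkg*.fdf files use the downstream `EXCLUDE_SHELL_FROM_FD`, while per the first bullet OvmfPkg/AmdSev relies on its own upstream `BUILD_SHELL` with default value FALSE. A build that passes only `-D EXCLUDE_SHELL_FROM_FD` therefore depends on that upstream default staying FALSE. Say so explicitly in the note, or have the package build pass `-D BUILD_SHELL=FALSE` for the AmdSev platform so that a later upstream default change cannot silently add the shell to that image.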
@ -42,14 +60,7 @@ Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Message-id: <1415138578-27173-14-git-send-email-lersek@redhat.com>
Patchwork-id: 62119
O-Subject: [RHEL-7.1 ovmf PATCH v2 13/18] OvmfPkg: allow exclusion of the shell
from the firmware image (RH only)
Bugzilla: 1147592
Acked-by: Andrew Jones <drjones@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
binary from the firmware image.
@ -92,6 +103,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687)
(cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4)
(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e)
(cherry picked from commit c2812d7189dee06c780f05a5880eb421c359a687)
---
OvmfPkg/OvmfPkgIa32.fdf | 2 ++
OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
@ -99,16 +111,17 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
3 files changed, 6 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index ec64551bcb..44178a0da7 100644
index e3b1d74ce2..969524cf3b 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -288,11 +288,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
@@ -293,12 +293,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
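Review bot: The guard `!ifndef $(EXCLUDE_SHELL_FROM_FD)` tests only whether the macro is defined, so `-D EXCLUDE_SHELL_FROM_FD=FALSE` would still drop the shell from the image; document that in the commit message, or switch to a value test if FALSE is meant to keep the shell. The new context shows the guard now also covering HttpDynamicCommand.inf, which is the right outcome for a shell-less image, but the closing `!endif` of the downstream guard lies outside the visible context, so confirm it still follows Shell.inf in all three FDF files after the auto-resolved cherry-pick.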
@ -117,16 +130,17 @@ index ec64551bcb..44178a0da7 100644
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 2f02ac2d73..06259c43d2 100644
index f7732382d4..36f078556f 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
@@ -294,12 +294,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -135,16 +149,17 @@ index 2f02ac2d73..06259c43d2 100644
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 2f02ac2d73..06259c43d2 100644
index 137ed6bceb..a5900d8377 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
@@ -306,12 +306,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -153,5 +168,5 @@ index 2f02ac2d73..06259c43d2 100644
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
--
2.18.1
2.27.0

View File

@ -1,8 +1,13 @@
From c75aea7a738ac7fb944c0695a4bfffc3985afaa9 Mon Sep 17 00:00:00 2001
From 6d968342cbfa40a8192cee7c685e1c794e6053df Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:49:43 +0200
Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -60,15 +65,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1)
(cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2)
(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc)
(cherry picked from commit c75aea7a738ac7fb944c0695a4bfffc3985afaa9)
---
ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
index 696d636aac..1553e1ae92 100644
index 3a25ddcdc8..b2b58553c7 100644
--- a/ArmPlatformPkg/ArmPlatformPkg.dec
+++ b/ArmPlatformPkg/ArmPlatformPkg.dec
@@ -104,6 +104,13 @@
@@ -121,6 +121,13 @@
## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045
@ -83,5 +89,5 @@ index 696d636aac..1553e1ae92 100644
## PL031 RealTimeClock
gArmPlatformTokenSpaceGuid.PcdPL031RtcBase|0x0|UINT32|0x00000024
--
2.18.1
2.27.0

View File

@ -1,9 +1,14 @@
From 49fe5596cd79c94d903c4d506c563d642ccd69aa Mon Sep 17 00:00:00 2001
From e46d1e3f4c9b301acfa15fa4089661947e8742a4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:59:20 +0200
Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
port (RH)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -58,6 +63,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de)
(cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf)
(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453)
(cherry picked from commit 49fe5596cd79c94d903c4d506c563d642ccd69aa)
---
ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++
ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++
@ -67,7 +73,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
5 files changed, 15 insertions(+)
diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
index d379ad8b7a..ff1672f94d 100644
index 859f1adf20..cf9e65bb7c 100644
--- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
@@ -111,6 +111,11 @@ PrimaryMain (
@ -83,7 +89,7 @@ index d379ad8b7a..ff1672f94d 100644
// Enable the GIC Distributor
diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
index 1500d2bd51..5b0790beac 100644
index 220f9b5680..158cc34c77 100644
--- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
@@ -29,6 +29,11 @@ PrimaryMain (
@ -99,7 +105,7 @@ index 1500d2bd51..5b0790beac 100644
// Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
index 7140c7f5b5..1d69a2b468 100644
index 7b155a8a61..e9e283f9ec 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
@@ -15,6 +15,7 @@
@ -135,5 +141,5 @@ index e9eb092d3a..c98dc82f0c 100644
+
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
--
2.18.1
2.27.0

View File

@ -1,8 +1,13 @@
From 72550e12ae469012a505bf5b98a6543a754028d3 Mon Sep 17 00:00:00 2001
From b14a92fafb171ad4a47598076bd028e5cf33ac28 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 14:07:17 +0200
Subject: ArmVirtPkg: set early hello message (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -55,15 +60,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18)
(cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a)
(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b)
(cherry picked from commit 72550e12ae469012a505bf5b98a6543a754028d3)
---
ArmVirtPkg/ArmVirtQemu.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 3345987503..57c5b3f898 100644
index 41a26c8d18..971422411d 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -125,6 +125,7 @@
@@ -132,6 +132,7 @@
gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
[PcdsFixedAtBuild.common]
@ -72,5 +78,5 @@ index 3345987503..57c5b3f898 100644
gArmTokenSpaceGuid.PcdVFPEnabled|1
!endif
--
2.18.1
2.27.0

View File

@ -1,8 +1,19 @@
From 5ecc18badaabe774d9d0806b027ab63a30c6a2d7 Mon Sep 17 00:00:00 2001
From 1771ff7479664c05884dab5a34d128cf8b01086f Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:45 +0100
Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by, From
(RHBZ#1846481).
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -31,14 +42,7 @@ Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- no changes
Message-id: <20171120235748.29669-5-pbonzini@redhat.com>
Patchwork-id: 77760
O-Subject: [PATCH 4/7] OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
Bugzilla: 1488247
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
From: Laszlo Ersek <lersek@redhat.com>
Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed
debug messages, and code in OvmfPkg logs many messages on the
@ -52,17 +56,32 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027)
(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50)
(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89)
(cherry picked from commit 5ecc18badaabe774d9d0806b027ab63a30c6a2d7)
---
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 0a8cb7fd3b..6e8defe5c7 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -486,7 +486,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6ce8a46d4e..765ffff312 100644
index e6df324c7c..52cd87f698 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -516,7 +516,7 @@
@@ -534,7 +534,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
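Review bot: The AmdSevX64.dsc hunk raises PcdDebugPrintErrorLevel from 0x8000004F to 0x8040004F, and the context comment directly above the changed line warns that DEBUG_VERBOSE messages "may significantly impact boot performance". The rebase note extends the change to the new platform without saying whether that cost, and the extra detail written to the debug output, is wanted on the encrypted-boot build. Add that justification to the note, or leave AmdSev at 0x8000004F.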
@ -72,10 +91,10 @@ index 6ce8a46d4e..765ffff312 100644
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 89d414cda7..277297a964 100644
index 8104fe0218..214195a594 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -520,7 +520,7 @@
@@ -538,7 +538,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
@ -85,10 +104,10 @@ index 89d414cda7..277297a964 100644
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e567eb76e0..5c1597fe3c 100644
index 3c8b2649a8..02aad65b00 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -520,7 +520,7 @@
@@ -540,7 +540,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
@ -98,5 +117,5 @@ index e567eb76e0..5c1597fe3c 100644
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
--
2.18.1
2.27.0

View File

@ -1,9 +1,20 @@
From 1355849ad97c1e4a5c430597a377165a5cc118f7 Mon Sep 17 00:00:00 2001
From 4b2a35ab1d659068d47baaf1dd5b2918ba8a2573 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:46 +0100
Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
QemuVideoDxe/QemuRamfbDxe (RH)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by, From
(RHBZ#1846481).
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -39,15 +50,7 @@ Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- no changes
Message-id: <20171120235748.29669-6-pbonzini@redhat.com>
Patchwork-id: 77761
O-Subject: [PATCH 5/7] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in
QemuVideoDxe (RH only)
Bugzilla: 1488247
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
From: Laszlo Ersek <lersek@redhat.com>
In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses
MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to
@ -70,17 +73,40 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1)
(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850)
(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4)
(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7)
---
OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgX64.dsc | 10 ++++++++--
3 files changed, 24 insertions(+), 6 deletions(-)
OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgX64.dsc | 10 ++++++++--
4 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 6e8defe5c7..568ca369e6 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -747,8 +747,14 @@
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 765ffff312..f5c6cceb4f 100644
index 52cd87f698..52fd057c90 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -811,9 +811,15 @@
@@ -842,9 +842,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
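Review bot: The per-module overrides in the AmdSevX64.dsc hunk hard-code `PcdDebugPrintErrorLevel|0x8000004F`, which is the platform-wide value 0x8040004F set by the previous patch with the DEBUG_VERBOSE bit (0x00400000) cleared. Nothing ties the two literals together, so a later change to the platform mask would leave QemuVideoDxe and QemuRamfbDxe on a stale value. Put a short comment next to each override naming the platform value it is derived from and the bit it clears.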
@ -99,10 +125,10 @@ index 765ffff312..f5c6cceb4f 100644
#
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 277297a964..c1e52b0acd 100644
index 214195a594..653849cc7a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -825,9 +825,15 @@
@@ -856,9 +856,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
@ -121,10 +147,10 @@ index 277297a964..c1e52b0acd 100644
#
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 5c1597fe3c..e65165b9f0 100644
index 02aad65b00..5275f2502b 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -821,9 +821,15 @@
@@ -854,9 +854,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
@ -143,5 +169,5 @@ index 5c1597fe3c..e65165b9f0 100644
#
--
2.18.1
2.27.0

View File

@ -1,9 +1,14 @@
From e7f57f154439c1c18ea5030b01f8d7bc492698b2 Mon Sep 17 00:00:00 2001
From 251653ccf48a973481bb8c90161cccde50c78ad5 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 27 Jan 2016 03:05:18 +0100
Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH
only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -49,16 +54,17 @@ Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84)
(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2)
---
ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++-
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 57c5b3f898..dda887b2ae 100644
index 971422411d..d2a2fdac8e 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -494,7 +494,10 @@
@@ -504,7 +504,10 @@
#
# Video support
#
@ -71,10 +77,10 @@ index 57c5b3f898..dda887b2ae 100644
OvmfPkg/PlatformDxe/Platform.inf
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index d186263e18..711dd63e20 100644
index f598ac6a85..7e50ce8b3b 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -427,7 +427,10 @@
@@ -434,7 +434,10 @@
#
# Video support
#
@ -87,5 +93,5 @@ index d186263e18..711dd63e20 100644
OvmfPkg/PlatformDxe/Platform.inf
--
2.18.1
2.27.0

View File

@ -1,9 +1,14 @@
From deb3451034326b75fd760aba47a5171493ff055e Mon Sep 17 00:00:00 2001
From bacf42ebf768aebb8c2b36fb52d154daf19c0c74 Mon Sep 17 00:00:00 2001
From: Philippe Mathieu-Daude <philmd@redhat.com>
Date: Thu, 1 Aug 2019 20:43:48 +0200
Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent
builds (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -35,6 +40,7 @@ Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca)
(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e)
---
OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++
OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 +
@ -85,5 +91,5 @@ index e3890b8c20..6ffee5acb2 100644
FrameBufferBltLib
MemoryAllocationLib
--
2.18.1
2.27.0

View File

@ -1,9 +1,20 @@
From ed89844b47f46cfe911f1bf2bda40e537a908502 Mon Sep 17 00:00:00 2001
From 41c61737a6ead56c36edabd1b2e685a04c2e81c6 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:47 +0100
Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH
only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by, From
(RHBZ#1846481).
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
@ -30,15 +41,7 @@ Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- no changes
Message-id: <20171120235748.29669-7-pbonzini@redhat.com>
Patchwork-id: 77759
O-Subject: [PATCH 6/7] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in
NvmExpressDxe (RH only)
Bugzilla: 1488247
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
From: Laszlo Ersek <lersek@redhat.com>
NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE
level.
@ -51,17 +54,35 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6)
(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958)
(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6)
(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502)
---
OvmfPkg/OvmfPkgIa32.dsc | 5 ++++-
OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
OvmfPkg/OvmfPkgX64.dsc | 5 ++++-
3 files changed, 12 insertions(+), 3 deletions(-)
OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++-
OvmfPkg/OvmfPkgIa32.dsc | 5 ++++-
OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
OvmfPkg/OvmfPkgX64.dsc | 5 ++++-
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 568ca369e6..fb00b12f8c 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -741,7 +741,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
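Review bot: The NvmExpressDxe override added to AmdSevX64.dsc pins the whole mask to `0x8000004F` instead of clearing only the 0x00400000 bit named in the subject, so whatever `PcdDebugPrintErrorLevel` the platform is otherwise built with is replaced for this driver. With this hunk the same literal sits in four DSC files; please note in the rebase notes that the AmdSev platform's default mask was checked, so that the override does not also hide levels that platform would otherwise log.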
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f5c6cceb4f..e8868136d8 100644
index 52fd057c90..119267e3c8 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -804,7 +804,10 @@
@@ -835,7 +835,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -74,10 +95,10 @@ index f5c6cceb4f..e8868136d8 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index c1e52b0acd..d05275a324 100644
index 653849cc7a..166c9f1fef 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -818,7 +818,10 @@
@@ -849,7 +849,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -90,10 +111,10 @@ index c1e52b0acd..d05275a324 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e65165b9f0..cac4cecf18 100644
index 5275f2502b..19d0944a72 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -814,7 +814,10 @@
@@ -847,7 +847,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -106,5 +127,5 @@ index e65165b9f0..cac4cecf18 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
--
2.18.1
2.27.0

View File

@ -1,9 +1,88 @@
From 56c4bb81b311dfcee6a34c81d3e4feeda7f88995 Mon Sep 17 00:00:00 2001
From 7e6817e96a15f9ce32f0c9cf6326bb682672724c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sat, 16 Nov 2019 17:11:27 +0100
Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs
(RH)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1938257
- Recreate the patch based on downstream commits:
- 56c4bb81b311 ("CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files
in the INFs (RH)", 2020-06-05),
- e81751a1c303 ("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g",
2020-11-23),
- 3e3fe5e62079 ("redhat: bump OpenSSL dist-git submodule to 1.1.1g+ /
RHEL-8.4", 2020-11-23).
(1) At e81751a1c303, downstream edk2 was in sync with upstream edk2
consuming OpenSSL 1.1.1g (upstream edk2 commit 8c30327debb2
("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g", 2020-07-25)).
Since commit 8c30327debb2, upstream edk2 modified the OpensslLib INF
files, namely
- CryptoPkg/Library/OpensslLib/OpensslLib.inf
- CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
in the following commits only:
- be01087e0780 ("CryptoPkg/Library: Remove the redundant build
option", 2020-08-12), which did not affect the source file list at
all,
- b5701a4c7a0f ("CryptoPkg: OpensslLib: Use RngLib to generate
entropy in rand_pool", 2020-09-18), which replaced some of the
*edk2-specific* "rand_pool_noise" source files with an RngLib
dependency.
This means that the list of required, actual OpenSSL source files
has not changed in upstream edk2 since our downstream edk2 commit
e81751a1c303.
(2) At commit 3e3fe5e62079 (the direct child of e81751a1c303),
downstream edk2's OpenSSL dependency was satisfied with RHEL-8
OpenSSL at dist-git commit bdd048e929dc ("Two fixes that will be
shipped in RHEL-8.3.0.z", 2020-10-23).
Since commit bdd048e929dc, RHEL-8 OpenSSL dist-git advanced
(fast-forwarded) to commit a75722161d20 ("Update to version 1.1.1k",
2021-05-25), which is the current head of the rhel-8.5.0 branch.
(See also <https://bugzilla.redhat.com/show_bug.cgi?id=1938257#c6>.)
At both dist-git bdd048e929dc and dist-git a75722161d20, I built the
respective RHEL-8 OpenSSL *source* RPM, and prepped the respective
source tree, with "rpmbuild -bp". Subsequently I compared the
prepped source trees recursively.
- The following files disappeared:
- 29 backup files created by "patch",
- the assembly generator perl script called
"ecp_nistz256-avx2.pl", which is not used during the build.
- The following new files appeared:
- 18 files directly or indirectly under the "test" subdirectory,
which are not used during the build,
- 5 backup files created by "patch",
- 2 DCL scripts used when building OpenSSL on OpenVMS.
This means that the total list of RHEL-8 OpenSSL source files has
not changed in RHEL-8 OpenSSL dist-git since our downstream edk2
commit 3e3fe5e62079.
As a result, copy the "RHEL8-specific OpenSSL file list" sections
verbatim from the INF files, at downstream commit e81751a1c303. (I used
the "git checkout -p e81751a1c303 -- Library/OpensslLib/OpensslLib.inf
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf" command.)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
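Review bot: The `git checkout -p e81751a1c303 -- ...` command quoted at the end of the new rebase note gives its two paths relative to different directories: `Library/OpensslLib/OpensslLib.inf` lacks the `CryptoPkg/` prefix that `CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf` carries. As written it cannot match both files from one working directory, so the recorded procedure is not reproducible at the next rebase; please correct the first path.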
@ -45,18 +124,19 @@ Note: "process_files.pl" is not re-run at this time manually, because
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40)
(cherry picked from commit 56c4bb81b311dfcee6a34c81d3e4feeda7f88995)
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 11 +++++++++++
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++
2 files changed, 22 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index c8ec9454bd..24e790b538 100644
index b00bb74ce6..71e32f26ea 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -570,6 +570,17 @@
$(OPENSSL_PATH)/ssl/statem/statem.h
$(OPENSSL_PATH)/ssl/statem/statem_locl.h
$(OPENSSL_PATH)/ssl/statem/statem_local.h
# Autogenerated files list ends here
+# RHEL8-specific OpenSSL file list starts here
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
@ -70,10 +150,10 @@ index c8ec9454bd..24e790b538 100644
+ $(OPENSSL_PATH)/crypto/kdf/sskdf.c
+# RHEL8-specific OpenSSL file list ends here
buildinf.h
rand_pool_noise.h
ossl_store.c
rand_pool.c
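Review bot: The hand-maintained block between `# RHEL8-specific OpenSSL file list starts here` and `... ends here` sits after `# Autogenerated files list ends here`, and nothing in the INF ties it to the OpenSSL tree it was checked against. The commit message does that work (dist-git a75722161d20), but it is easy to lose; consider naming that dist-git commit in the start marker comment so the next OpenSSL bump knows which tree to re-compare the list with.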
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 2f232e3e12..52e70a2d03 100644
index 3557711bd8..003dcbad7a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -519,6 +519,17 @@
@ -92,8 +172,8 @@ index 2f232e3e12..52e70a2d03 100644
+ $(OPENSSL_PATH)/crypto/kdf/sskdf.c
+# RHEL8-specific OpenSSL file list ends here
buildinf.h
rand_pool_noise.h
ossl_store.c
rand_pool.c
--
2.18.1
2.27.0

View File

@ -1,20 +1,17 @@
From 9adcdf493ebbd11efb74e2905ab5f6c8996e096d Mon Sep 17 00:00:00 2001
From 29be717a1ae0a2617a7ae95698940286201d1612 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:31:36 +0200
Subject: [PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no
"-kernel" in silent aa64 build (RH)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in
silent aa64 build (RH)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
RH-Acked-by, RH-Author (RHBZ#1846481).
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-2-lersek@redhat.com>
Patchwork-id: 97532
O-Subject: [RHEL-8.3.0 edk2 PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in silent aa64 build (RH)
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe
should return EFI_NOT_FOUND, so that the DXE Core can unload it. However,
@ -28,6 +25,7 @@ ExitBootServices().
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d)
---
.../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++
.../QemuKernelLoaderFsDxe.inf | 1 +

View File

@ -1,83 +0,0 @@
From bf88198555ce964377a56176de8e5e9b45e43e25 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sat, 6 Jun 2020 01:16:09 +0200
Subject: OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from
LoadImage()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- new patch
- the patch is being upstreamed; it's not a backport because the rebase
deadline is close
- upstream references:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2785
- http://mid.mail-archive.com/20200605235242.32442-1-lersek@redhat.com
- https://edk2.groups.io/g/devel/message/60825
- https://www.redhat.com/archives/edk2-devel-archive/2020-June/msg00344.html
[downstream note ends, upstream commit message starts]
When an image fails Secure Boot validation, LoadImage() returns
EFI_SECURITY_VIOLATION if the platform policy is
DEFER_EXECUTE_ON_SECURITY_VIOLATION.
If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
loaded).
(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
difference would be masked, as DxeImageVerificationLib would incorrectly
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
well.)
In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
seeing EFI_ACCESS_DENIED too.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
.../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index ef753be7ea..931553c0c1 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -320,15 +320,21 @@ QemuLoadKernelImage (
case EFI_SECURITY_VIOLATION:
//
- // We are running with UEFI secure boot enabled, and the image failed to
- // authenticate. For compatibility reasons, we fall back to the legacy
- // loader in this case. Since the image has been loaded, we need to unload
- // it before proceeding
+ // Since the image has been loaded, we need to unload it before proceeding
+ // to the EFI_ACCESS_DENIED case below.
//
gBS->UnloadImage (KernelImageHandle);
//
// Fall through
//
+ case EFI_ACCESS_DENIED:
+ //
+ // We are running with UEFI secure boot enabled, and the image failed to
+ // authenticate. For compatibility reasons, we fall back to the legacy
+ // loader in this case.
+ //
+ // Fall through
+ //
case EFI_UNSUPPORTED:
//
// The image is not natively supported or cross-type supported. Let's try
--
2.18.1
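Review bot: Nothing in the lines shown records why this downstream patch can be dropped, and it is the one that adds `case EFI_ACCESS_DENIED:` to the fall-through chain in QemuLoadKernelImage(). Its own notes say it was being upstreamed under TianoCore bug 2785; the rebase notes should name the upstream commit in the new base that carries it, so a reader can confirm that a LoadImage() result of EFI_ACCESS_DENIED is still handled under the DENY_EXECUTE_ON_SECURITY_VIOLATION policy.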

View File

@ -1,184 +0,0 @@
From 74e5313dfa6719f7990c7e175e035d17c9b3f657 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 5 Jun 2020 23:44:43 +0200
Subject: Revert "OvmfPkg: use generic QEMU image loader for secure boot
enabled builds"
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- new patch (to be dropped later, hopefully)
This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
Upstream commit ced77332cab6 ("OvmfPkg: use generic QEMU image loader for
secure boot enabled builds", 2020-03-05) changes the "Secure Boot threat
model" in a way that is incompatible with at least two use cases.
Namely, OVMF has always considered kernel images direct-booted via fw_cfg
as trusted, bypassing Secure Boot validation. While that approach is
rooted in a technicality (namely, OVMF doesn't load such images with the
LoadImage() UEFI boot service / through the UEFI stub, but with the
Linux/x86 Boot Protocol), that doesn't mean it's wrong. The direct-booted
kernel from fw_cfg comes from the host side, and Secure Boot in the guest
is a barrier between the guest firmware and the guest operating system --
it's not a barrier between host and guest.
Upstream commit ced77332cab6 points out that the above (historical) OVMF
behavior differs from ArmVirtQemu's -- the latter direct-boots kernels
from fw_cfg with the LoadImage() / StartImage() boot services. While that
difference indeed exists between OVMF and ArmVirtQemu, it's not relevant
for RHEL downstream. That's because we never build the ArmVirtQemu
firmware with the Secure Boot feature, so LoadImage() can never reject the
direct-booted kernel due to a signing issue.
Subjecting a kernel direct-booted via fw_cfg to Secure Boot verification
breaks at least two use cases with OVMF:
- It breaks the %check stage in the SPEC file.
In that stage, we use the "ovmf-vars-generator" utility from the
"qemu-ovmf-secureboot" project, for verifying whether the Secure Boot
operational mode is enabled. The guest kernel is supposed to boot, and
to print "Secure boot enabled".
As guest kernel, we pick whatever host kernel is available in the Brew
build root. The kernel in question may be a publicly released RHEL
kernel, signed with "Red Hat Secure Boot (signing key 1)", or a
development build, signed for example with "Red Hat Secure Boot Signing
3 (beta)". Either way, none of these keys are accepted by the
certificates that were enrolled by "ovmf-vars-generator" /
"EnrollDefaultKeys.efi" in the %build stage. Therefore, the %check stage
fails.
- It breaks "virt-install --location NETWORK-URL" Linux guest
installations, if the variable store template used for the new domain
has the Secure Boot operational mode enabled. "virt-install --location"
fetches the kernel from the remote OS tree, and passes it to the guest
firmware via fw_cfg. Therefore the above symptom appears (even for
publicly released OSes).
Importantly, if the user downloads the installer ISO of the publicly
released Fedora / RHEL OS, and exposes the ISO to the guest for example
as a virtio-scsi CD-ROM, then the installation with "virt-install"
(without "--location") does succeed. That's because that way, "shim" is
booted first, from the UEFI-bootable CD-ROM. "Shim" does pass Secure
Boot verification against the Microsoft certificates, and then it is
"shim" that accepts the "Red Hat Secure Boot (signing key 1)" signature
on the guest kernel.
Some ways to approach this problem (without reverting upstream commit
ced77332cab6):
- Equip "ovmf-vars-generator" / "EnrollDefaultKeys.efi" to enroll the
public half of "Red Hat Secure Boot (signing key 1)" in the %build
stage. Use a publicly released RHEL kernel in the %check stage.
Downsides:
- The Brew build root does not offer any particular released RHEL
kernel, so either the %check stage would have to download it, or the
SRPM would have to bundle it. However, Brew build environments do not
have unfettered network access (rightly so), so the download wouldn't
work. Furthermore, for bundling with the SRPM, such a kernel image
could be considered too large.
- Does not solve the "virt-install --location" issue for other vendors'
signed kernels.
- Invoke "ovmf-vars-generator" / "EnrollDefaultKeys.efi" multiple times
during %build, to create multiple varstore templates. One that would
accept publicly released RHEL kernels, and another to accept development
kernels. Don't try to use a particular guest kernel for verification;
instead, check what kernel Brew offers in the build environment, and use
the varstore template matching *that* kernel.
Downsides:
- It may be considered useless to perform %check with a varstore
template that is *not* the one that we ship.
- Does not solve the "virt-install --location" issue for other vendors'
signed kernels.
- Sign the RHEL kernels such that the currently enrolled certificates
accept them.
Downsides:
- Not feasible at all; it would require Microsoft to sign our kernels.
"Shim" exists exactly to eliminate such signing requirements.
- Modify "virt-install --location NETWORK-URL" such that it download a
complete (UEFI-bootable) installer ISO image, rather than broken-out
vmlinuz / initrd files. In other words, replace direct (fw_cfg) kernel
boot with a CD-ROM / "shim" boot, internally to "virt-install".
Downsides:
- Defeats the goal of "virt-install --location NETWORK-URL", and defeats
the network installation method of (for example) Anaconda.
For now, revert upstream commit ced77332cab6, in order to return to the
model we had used in RHEL-8.2 and before. The following ticket has been
filed to investigate the problem separately:
<https://bugzilla.redhat.com/show_bug.cgi?id=1844653>.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/OvmfPkgIa32.dsc | 4 ----
OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
OvmfPkg/OvmfPkgX64.dsc | 4 ----
3 files changed, 12 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index e8868136d8..5b1e757cb9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -379,11 +379,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index d05275a324..5dffc32105 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index cac4cecf18..a2a76fdeea 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
--
2.18.1
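Review bot: Dropping this revert changes the Secure Boot behaviour of the shipped firmware, and the lines shown do not say so. Without it, the `!if $(SECURE_BOOT_ENABLE) == TRUE` blocks in the three OvmfPkg DSC files stay in place and resolve `QemuLoadImageLib` to GenericQemuLoadImageLib, which is the configuration the patch message describes as subjecting fw_cfg direct-booted kernels to Secure Boot verification. That message lists two cases that break (the SPEC `%check` stage and `virt-install --location NETWORK-URL`) and points at RHBZ 1844653; please state in the rebase notes how each is handled now, or that the behaviour change is intended.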

View File

@ -1,20 +1,17 @@
From cbce29f7749477e271f9764fed82de94724af5df Mon Sep 17 00:00:00 2001
From dc27035d2a8ca09dc5b0113c97a643341f286c08 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:40:09 +0200
Subject: [PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent
aa64 build (RH)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build
(RH)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- Remove obsolete commit message tags related to downstream patch
management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
RH-Acked-by, RH-Author (RHBZ#1846481).
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-4-lersek@redhat.com>
Patchwork-id: 97534
O-Subject: [RHEL-8.3.0 edk2 PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build (RH)
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED,
so that the DXE Core can unload it. However, the associated error message,
@ -27,13 +24,14 @@ guest RAM still gets freed after ExitBootServices().
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df)
---
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 +
2 files changed, 18 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
index 9a5f987e68..da2153cb25 100644
index 6d17616c1c..f1a97d4b2d 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
@ -68,7 +66,7 @@ index 9a5f987e68..da2153cb25 100644
}
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index 576cf80d06..851471afb7 100644
index 7dc7a2683d..3bc8833931 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -55,6 +55,7 @@

View File

@ -1,386 +0,0 @@
From e81751a1c303f5cd4bcae0ed1a38c60c38a0cf38 Mon Sep 17 00:00:00 2001
From: Guomin Jiang <guomin.jiang@intel.com>
Date: Fri, 10 Jul 2020 09:47:31 +0800
Subject: [PATCH 4/5] CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g
RH-Author: Laszlo Ersek (lersek)
RH-MergeRequest: 2: [RHEL-8.4.0] bump OpenSSL dist-git submodule to 1.1.1g
RH-Commit: [1/2] 36d4bc34a3b5c421819e94c58ff84fd779a93bae (lersek/edk2)
RH-Bugzilla: 1893806
--v-- RHEL8 notes --v--
- The "CryptoPkg/Library/OpensslLib/openssl" hunk, advancing upstream
edk2's OpenSSL submodule reference, has been stripped from this
backport. (Refer to downstream commit c5d729df70f8 ("remove upstream
edk2's openssl submodule (RH only)", 2020-06-05), as basis.) The
corresponding RHEL8 OpenSSL dist-git bump is implemented in a subsequent
patch in this series.
This cherry-pick and the RHEL8 OpenSSL dist-git submodule bump are kept
separate for easing the next rebase, even at the cost of introducing a
brief interval in the git history where the downstream exploded tree
does not build.
- Contextual difference in "OpensslLib.inf" due to downstream commit
56c4bb81b311 ("CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files
in the INFs (RH)", 2020-06-05); automatically resolved by
git-cherry-pick.
--^-- RHEL8 notes --^--
Upgrade openssl to 1.1.1g. the directory have been reorganized,
openssl moved crypto/include/internal to include/crypto folder.
So we change directory to match the re-organization.
The dso_conf.h and opensslconf.h will generated in UNIX format,
change process_files.pl to covent the EOL automatically.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
(cherry picked from commit 8c30327debb28c0b6cfa2106b736774e0b20daac)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
CryptoPkg/CryptoPkg.dec | 1 -
.../Library/BaseCryptLib/Hash/CryptSm3.c | 2 +-
.../BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 +-
.../Include/{internal => crypto}/dso_conf.h | 32 +++++-----
.../Library/Include/openssl/opensslconf.h | 3 -
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 58 +++++++++----------
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 ++++++++--------
CryptoPkg/Library/OpensslLib/process_files.pl | 25 +++++---
CryptoPkg/Library/OpensslLib/rand_pool.c | 2 +-
9 files changed, 90 insertions(+), 87 deletions(-)
rename CryptoPkg/Library/Include/{internal => crypto}/dso_conf.h (76%)
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index 4d1a1368a8..5888941bab 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -23,7 +23,6 @@
Private
Library/Include
Library/OpensslLib/openssl/include
- Library/OpensslLib/openssl/crypto/include
[LibraryClasses]
## @libraryclass Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
index eacf4826c4..235331c2a0 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
@@ -7,7 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
-#include "internal/sm3.h"
+#include "crypto/sm3.h"
/**
Retrieves the size, in bytes, of the context buffer required for SM3 hash operations.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
index 229c244b26..c9fdb65b99 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
@@ -15,13 +15,13 @@
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/bio.h>
-#include <internal/x509_int.h>
+#include <crypto/x509.h>
#include <openssl/pkcs7.h>
#include <openssl/bn.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
-#include <internal/asn1_int.h>
+#include <crypto/asn1.h>
/**
This function will return the leaf signer certificate in a chain. This is
diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/crypto/dso_conf.h
similarity index 76%
rename from CryptoPkg/Library/Include/internal/dso_conf.h
rename to CryptoPkg/Library/Include/crypto/dso_conf.h
index 43c891588b..95f4db2b15 100644
--- a/CryptoPkg/Library/Include/internal/dso_conf.h
+++ b/CryptoPkg/Library/Include/crypto/dso_conf.h
@@ -1,16 +1,16 @@
-/* WARNING: do not edit! */
-/* Generated from crypto/include/internal/dso_conf.h.in */
-/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_DSO_CONF_H
-# define HEADER_DSO_CONF_H
-# define DSO_NONE
-# define DSO_EXTENSION ".so"
-#endif
+/* WARNING: do not edit! */
+/* Generated from include/crypto/dso_conf.h.in */
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_DSO_CONF_H
+# define OSSL_CRYPTO_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
+#endif
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 62c2736cb0..3a2544ea5c 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -247,9 +247,6 @@ extern "C" {
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
# define OPENSSL_NO_DYNAMIC_ENGINE
#endif
-#ifndef OPENSSL_NO_AFALGENG
-# define OPENSSL_NO_AFALGENG
-#endif
/*
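Review bot: The removal of the OPENSSL_NO_AFALGENG guard from opensslconf.h is not explained in the visible part of the change. This header is duplicated from the OpenSSL configuration output by process_files.pl, so please state in the commit message that the define disappeared through regeneration against the new OpenSSL tree, and confirm that the AFALG engine remains excluded from the firmware build rather than becoming enabled by the absence of the macro.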
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 24e790b538..4c21b11d0a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -477,45 +477,45 @@
$(OPENSSL_PATH)/crypto/s390x_arch.h
$(OPENSSL_PATH)/crypto/sparc_arch.h
$(OPENSSL_PATH)/crypto/vms_rms.h
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
+ $(OPENSSL_PATH)/crypto/aes/aes_local.h
$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_local.h
$(OPENSSL_PATH)/crypto/asn1/charmap.h
$(OPENSSL_PATH)/crypto/asn1/standard_methods.h
$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
- $(OPENSSL_PATH)/crypto/async/async_locl.h
+ $(OPENSSL_PATH)/crypto/async/async_local.h
$(OPENSSL_PATH)/crypto/async/arch/async_null.h
$(OPENSSL_PATH)/crypto/async/arch/async_posix.h
$(OPENSSL_PATH)/crypto/async/arch/async_win.h
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
+ $(OPENSSL_PATH)/crypto/bio/bio_local.h
+ $(OPENSSL_PATH)/crypto/bn/bn_local.h
$(OPENSSL_PATH)/crypto/bn/bn_prime.h
$(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
+ $(OPENSSL_PATH)/crypto/comp/comp_local.h
$(OPENSSL_PATH)/crypto/conf/conf_def.h
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
+ $(OPENSSL_PATH)/crypto/conf/conf_local.h
+ $(OPENSSL_PATH)/crypto/dh/dh_local.h
+ $(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/evp/evp_local.h
+ $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
+ $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
+ $(OPENSSL_PATH)/crypto/md5/md5_local.h
+ $(OPENSSL_PATH)/crypto/modes/modes_local.h
$(OPENSSL_PATH)/crypto/objects/obj_dat.h
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
+ $(OPENSSL_PATH)/crypto/objects/obj_local.h
$(OPENSSL_PATH)/crypto/objects/obj_xref.h
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h
+ $(OPENSSL_PATH)/crypto/rand/rand_local.h
+ $(OPENSSL_PATH)/crypto/rsa/rsa_local.h
+ $(OPENSSL_PATH)/crypto/sha/sha_local.h
$(OPENSSL_PATH)/crypto/siphash/siphash_local.h
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
- $(OPENSSL_PATH)/crypto/store/store_locl.h
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
+ $(OPENSSL_PATH)/crypto/sm3/sm3_local.h
+ $(OPENSSL_PATH)/crypto/store/store_local.h
+ $(OPENSSL_PATH)/crypto/ui/ui_local.h
+ $(OPENSSL_PATH)/crypto/x509/x509_local.h
$(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
- $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
+ $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
$(OPENSSL_PATH)/ssl/bio_ssl.c
@@ -562,13 +562,13 @@
$(OPENSSL_PATH)/ssl/t1_trce.c
$(OPENSSL_PATH)/ssl/tls13_enc.c
$(OPENSSL_PATH)/ssl/tls_srp.c
- $(OPENSSL_PATH)/ssl/packet_locl.h
+ $(OPENSSL_PATH)/ssl/packet_local.h
$(OPENSSL_PATH)/ssl/ssl_cert_table.h
- $(OPENSSL_PATH)/ssl/ssl_locl.h
+ $(OPENSSL_PATH)/ssl/ssl_local.h
$(OPENSSL_PATH)/ssl/record/record.h
- $(OPENSSL_PATH)/ssl/record/record_locl.h
+ $(OPENSSL_PATH)/ssl/record/record_local.h
$(OPENSSL_PATH)/ssl/statem/statem.h
- $(OPENSSL_PATH)/ssl/statem/statem_locl.h
+ $(OPENSSL_PATH)/ssl/statem/statem_local.h
# Autogenerated files list ends here
# RHEL8-specific OpenSSL file list starts here
$(OPENSSL_PATH)/crypto/evp/kdf_lib.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 52e70a2d03..0c3b210d6a 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -477,45 +477,45 @@
$(OPENSSL_PATH)/crypto/s390x_arch.h
$(OPENSSL_PATH)/crypto/sparc_arch.h
$(OPENSSL_PATH)/crypto/vms_rms.h
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
+ $(OPENSSL_PATH)/crypto/aes/aes_local.h
$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_local.h
$(OPENSSL_PATH)/crypto/asn1/charmap.h
$(OPENSSL_PATH)/crypto/asn1/standard_methods.h
$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
- $(OPENSSL_PATH)/crypto/async/async_locl.h
+ $(OPENSSL_PATH)/crypto/async/async_local.h
$(OPENSSL_PATH)/crypto/async/arch/async_null.h
$(OPENSSL_PATH)/crypto/async/arch/async_posix.h
$(OPENSSL_PATH)/crypto/async/arch/async_win.h
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
+ $(OPENSSL_PATH)/crypto/bio/bio_local.h
+ $(OPENSSL_PATH)/crypto/bn/bn_local.h
$(OPENSSL_PATH)/crypto/bn/bn_prime.h
$(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
+ $(OPENSSL_PATH)/crypto/comp/comp_local.h
$(OPENSSL_PATH)/crypto/conf/conf_def.h
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
+ $(OPENSSL_PATH)/crypto/conf/conf_local.h
+ $(OPENSSL_PATH)/crypto/dh/dh_local.h
+ $(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/evp/evp_local.h
+ $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
+ $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
+ $(OPENSSL_PATH)/crypto/md5/md5_local.h
+ $(OPENSSL_PATH)/crypto/modes/modes_local.h
$(OPENSSL_PATH)/crypto/objects/obj_dat.h
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
+ $(OPENSSL_PATH)/crypto/objects/obj_local.h
$(OPENSSL_PATH)/crypto/objects/obj_xref.h
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h
+ $(OPENSSL_PATH)/crypto/rand/rand_local.h
+ $(OPENSSL_PATH)/crypto/rsa/rsa_local.h
+ $(OPENSSL_PATH)/crypto/sha/sha_local.h
$(OPENSSL_PATH)/crypto/siphash/siphash_local.h
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
- $(OPENSSL_PATH)/crypto/store/store_locl.h
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
+ $(OPENSSL_PATH)/crypto/sm3/sm3_local.h
+ $(OPENSSL_PATH)/crypto/store/store_local.h
+ $(OPENSSL_PATH)/crypto/ui/ui_local.h
+ $(OPENSSL_PATH)/crypto/x509/x509_local.h
$(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
- $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
+ $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
# Autogenerated files list ends here
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 65d07a2aed..57ce195394 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -111,8 +111,8 @@ BEGIN {
# Generate dso_conf.h per config data
system(
"perl -I. -Mconfigdata util/dofile.pl " .
- "crypto/include/internal/dso_conf.h.in " .
- "> include/internal/dso_conf.h"
+ "include/crypto/dso_conf.h.in " .
+ "> include/crypto/dso_conf.h"
) == 0 ||
die "Failed to generate dso_conf.h!\n";
@@ -263,14 +263,21 @@ print "Done!";
# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
#
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
-copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
- $OPENSSL_PATH . "/../../Include/openssl/") ||
- die "Cannot copy opensslconf.h!";
+system(
+ "perl -pe 's/\\n/\\r\\n/' " .
+ "< " . $OPENSSL_PATH . "/include/openssl/opensslconf.h " .
+ "> " . $OPENSSL_PATH . "/../../Include/openssl/opensslconf.h"
+ ) == 0 ||
+ die "Cannot copy opensslconf.h!";
print "Done!";
-print "\n--> Duplicating dso_conf.h into Include/internal ... ";
-copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
- $OPENSSL_PATH . "/../../Include/internal/") ||
- die "Cannot copy dso_conf.h!";
+
+print "\n--> Duplicating dso_conf.h into Include/crypto ... ";
+system(
+ "perl -pe 's/\\n/\\r\\n/' " .
+ "< " . $OPENSSL_PATH . "/include/crypto/dso_conf.h" .
+ "> " . $OPENSSL_PATH . "/../../Include/crypto/dso_conf.h"
+ ) == 0 ||
+ die "Cannot copy dso_conf.h!";
print "Done!\n";
print "\nProcessing Files Done!\n";
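Review bot: In the dso_conf.h system() call the input path string ends in `dso_conf.h"` with no trailing space, unlike the opensslconf.h call above it (`opensslconf.h " .`), so the shell receives `...dso_conf.h> ...`. The shell still treats `>` as a redirection operator there, so the command works, but add the space so the two calls match. Both calls also interpolate $OPENSSL_PATH unquoted into a shell command string, so a checkout path containing spaces or shell metacharacters breaks or alters the command; doing the LF to CRLF conversion with Perl file handles would avoid the shell entirely. The die messages still say "Cannot copy", which no longer describes the step that failed.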
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c b/CryptoPkg/Library/OpensslLib/rand_pool.c
index 9f3983f7c3..9e0179b034 100644
--- a/CryptoPkg/Library/OpensslLib/rand_pool.c
+++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
@@ -7,7 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
-#include "internal/rand_int.h"
+#include "crypto/rand.h"
#include <openssl/aes.h>
#include <Uefi.h>
--
2.27.0

View File

@ -0,0 +1,73 @@
From 9596c779a27b4ae2261aadd91b8dac8ed7546f38 Mon Sep 17 00:00:00 2001
From: Neal Gompa <ngompa@fedoraproject.org>
Date: Mon, 5 Jul 2021 05:36:03 -0400
Subject: [PATCH] MdeModulePkg/PartitionDxe: Ignore PMBR BootIndicator per UEFI
spec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-MergeRequest: 6: MdeModulePkg/PartitionDxe: Ignore PMBR BootIndicator per UEFI spec [rhel-8.5.0, post-rebase]
RH-Commit: [1/1] 1fef74489947c81e26e5afb7c933c80beb641751
RH-Bugzilla: 1988762
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
Per UEFI Spec 2.8 (UEFI_Spec_2_8_final.pdf, page 114)
5.2.3 Protective MBR
Table 20. Protective MBR Partition Record protecting the entire disk
The description for BootIndicator states the following:
> Set to 0x00 to indicate a non-bootable partition. If set to any
> value other than 0x00 the behavior of this flag on non-UEFI
> systems is undefined. Must be ignored by UEFI implementations.
Unfortunately, we have been incorrectly assuming that the
BootIndicator value must be 0x00, which leads to problems
when the 'pmbr_boot' flag is set on a disk containing a GPT
(such as with GNU parted). When the flag is set, the value
changes to 0x01, causing this check to fail and the system
is rendered unbootable despite it being valid from the
perspective of the UEFI spec.
To resolve this, we drop the check for the BootIndicator
so that we stop caring about the value set there, which
restores the capability to boot such disks.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3474
Cc: Chris Murphy <chrismurphy@fedoraproject.org>
Cc: David Duncan <davdunc@amazon.com>
Cc: Lazlo Ersek <lersek@redhat.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Neal Gompa <ngompa@fedoraproject.org>
Message-Id: <20210705093603.575707-1-ngompa@fedoraproject.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
(cherry picked from commit b3db0cb1f8d163f22b769c205c6347376a315dcd)
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
---
MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
index aefb2d6ecb..efaff5e080 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
@@ -264,8 +264,7 @@ PartitionInstallGptChildHandles (
// Verify that the Protective MBR is valid
//
for (Index = 0; Index < MAX_MBR_PARTITIONS; Index++) {
- if (ProtectiveMbr->Partition[Index].BootIndicator == 0x00 &&
- ProtectiveMbr->Partition[Index].OSIndicator == PMBR_GPT_PARTITION &&
+ if (ProtectiveMbr->Partition[Index].OSIndicator == PMBR_GPT_PARTITION &&
UNPACK_UINT32 (ProtectiveMbr->Partition[Index].StartingLBA) == 1
) {
break;
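Review bot: The comment above the loop still only says "Verify that the Protective MBR is valid", so nothing at the check itself records that BootIndicator is deliberately left untested. Extend that comment with the UEFI spec requirement that BootIndicator must be ignored by UEFI implementations, so the condition is not reintroduced by a later cleanup; the commit message carries the reference but the code does not.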
--
2.27.0

View File

@ -0,0 +1,95 @@
From 1e6a8c43241febbec56ffc2141c55d8de34e13e6 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:55 +0200
Subject: [PATCH 06/10] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
succeeds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [6/10] 2f697819ce0731f99f95f29a3b30c777b754db37
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
IScsiBinToHex() is called for encoding:
- the answer to the target's challenge; that is, CHAP_R;
- the challenge for the target, in case mutual authentication is enabled;
that is, CHAP_C.
The initiator controls the size of both blobs, the sizes of their hex
encodings are correctly calculated in "RspLen" and "ChallengeLen".
Therefore the IScsiBinToHex() calls never fail; assert that.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-7-lersek@redhat.com>
(cherry picked from commit d90fff40cb2502b627370a77f5608c8a178c3f78)
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 9e192ce292..dbe3c8ef46 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (
UINT32 RspLen;
CHAR8 *Challenge;
UINT32 ChallengeLen;
+ EFI_STATUS BinToHexStatus;
ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (
//
// CHAP_R=<R>
//
- IScsiBinToHex (
- (UINT8 *) AuthData->CHAPResponse,
- ISCSI_CHAP_RSP_LEN,
- Response,
- &RspLen
- );
+ BinToHexStatus = IScsiBinToHex (
+ (UINT8 *) AuthData->CHAPResponse,
+ ISCSI_CHAP_RSP_LEN,
+ Response,
+ &RspLen
+ );
+ ASSERT_EFI_ERROR (BinToHexStatus);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
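Review bot: ASSERT_EFI_ERROR (BinToHexStatus) after the CHAP_R encoding is the only handling of the return value, and it has no effect in builds where assertions are disabled; Response is then passed to IScsiAddKeyValuePair() regardless. The commit message argues the call cannot fail because the initiator sizes RspLen, but that sizing is outside this hunk. A short comment at the assert stating the invariant (RspLen covers the hex encoding of ISCSI_CHAP_RSP_LEN bytes) would make the reasoning checkable at the call site.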
@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (
// CHAP_C=<C>
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
- IScsiBinToHex (
- (UINT8 *) AuthData->OutChallenge,
- ISCSI_CHAP_RSP_LEN,
- Challenge,
- &ChallengeLen
- );
+ BinToHexStatus = IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+ Challenge,
+ &ChallengeLen
+ );
+ ASSERT_EFI_ERROR (BinToHexStatus);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
--
2.27.0

View File

@ -0,0 +1,91 @@
From 5171f67062e606a4e606780ff5a5787bde7198eb Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:59 +0200
Subject: [PATCH 10/10] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [10/10] 1c65763fef57cfd9b1bd55779ec6eba4e086e100
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
IScsiDxe (that is, the initiator) receives two hex-encoded strings from
the iSCSI target:
- CHAP_C, where the target challenges the initiator,
- CHAP_R, where the target answers the challenge from the initiator (in
case the initiator wants mutual authentication).
Accordingly, we have two IScsiHexToBin() call sites:
- At the CHAP_C decoding site, check whether the decoding succeeds. The
decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
which is a permissible restriction on the target, per
<https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
from the target are acceptable.
- At the CHAP_R decoding site, enforce that the decoding both succeed, and
provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
calculated by the target, therefore it must be of fixed size. We may
only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-11-lersek@redhat.com>
(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index dbe3c8ef46..7e930c0d1e 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
AuthData->InIdentifier = (UINT32) Result;
AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
- IScsiHexToBin (
- (UINT8 *) AuthData->InChallenge,
- &AuthData->InChallengeLength,
- Challenge
- );
+ Status = IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+ Challenge
+ );
+ if (EFI_ERROR (Status)) {
+ Status = EFI_PROTOCOL_ERROR;
+ goto ON_EXIT;
+ }
Status = IScsiCHAPCalculateResponse (
AuthData->InIdentifier,
AuthData->AuthConfig->CHAPSecret,
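Review bot: The CHAP_C error path replaces whatever IScsiHexToBin() returned with EFI_PROTOCOL_ERROR, so an over-long challenge and a malformed one become indistinguishable when diagnosing a failed login; a DEBUG message carrying the original Status before the assignment would preserve that. Also, with the companion IScsiHexToBin() fix in this series, *BinLength is written before EFI_BUFFER_TOO_SMALL is returned, so AuthData->InChallengeLength can exceed sizeof (AuthData->InChallenge) on this path; please confirm nothing reached after ON_EXIT reads it.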
@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
}
RspLen = ISCSI_CHAP_RSP_LEN;
- IScsiHexToBin (TargetRsp, &RspLen, Response);
+ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
+ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
+ Status = EFI_PROTOCOL_ERROR;
+ goto ON_EXIT;
+ }
//
// Check the CHAP Name and Response replied by Target.
--
2.27.0

View File

@ -0,0 +1,102 @@
From fca7e61fa3ba21cbf6e89d75b23fea03af5d517e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:52 +0200
Subject: [PATCH 03/10] NetworkPkg/IScsiDxe: clean up
"ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [3/10] cc7118399f64979f2d81fe9fc381ed22c3815f9e
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
in the array.
Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
ISCSI_CHAP_AUTH_MAX_LEN macro.
Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
superfluous too.
Most importantly, explain in a new comment *why* tying the challenge size
to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
length to the hash digest size", 2019-11-06.) For sure, the motivation
that the new comment now explains has always been there, and has always
been the same, for IScsiDxe; it's just that now we spell it out too.
No change in peer-visible behavior.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daud <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daud <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-4-lersek@redhat.com>
(cherry picked from commit 95616b866187b00355042953efa5c198df07250f)
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index df3c2eb120..9e192ce292 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget (
AuthData->AuthConfig->ReverseCHAPSecret,
SecretSize,
AuthData->OutChallenge,
- AuthData->OutChallengeLength,
+ ISCSI_CHAP_RSP_LEN, // ChallengeLength
VerifyRsp
);
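Review bot: In the IScsiCHAPAuthTarget() call the challenge length is now the bare constant ISCSI_CHAP_RSP_LEN with a trailing "// ChallengeLength" comment, which keeps it in step with the OutChallenge array declaration in IScsiCHAP.h by convention only. Passing sizeof (AuthData->OutChallenge) here, and in the IScsiGenRandom() call in the next hunk, would keep the length coupled to the buffer if the array size is ever changed again.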
@@ -490,7 +490,6 @@ IScsiCHAPToSendReq (
// CHAP_C=<C>
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
IScsiBinToHex (
(UINT8 *) AuthData->OutChallenge,
ISCSI_CHAP_RSP_LEN,
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 1fc1d96ea3..35d5d6ec29 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define ISCSI_CHAP_ALGORITHM_MD5 5
-#define ISCSI_CHAP_AUTH_MAX_LEN 1024
///
/// MD5_HASHSIZE
///
@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
//
// Auth-data to be sent out for mutual authentication.
//
+ // While the challenge size is technically independent of the hashing
+ // algorithm, it is good practice to avoid hashing *fewer bytes* than the
+ // digest size. In other words, it's good practice to feed *at least as many
+ // bytes* to the hashing algorithm as the hashing algorithm will output.
+ //
UINT32 OutIdentifier;
- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
- UINT32 OutChallengeLength;
+ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN];
} ISCSI_CHAP_AUTH_DATA;
/**
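Review bot: The new rationale comment is inserted between "Auth-data to be sent out for mutual authentication." and OutIdentifier, so it reads as describing the identifier field rather than the challenge. Move it directly above the OutChallenge declaration and name ISCSI_CHAP_RSP_LEN in it, so the reason for the array size sits next to the array.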
--
2.27.0

View File

@ -0,0 +1,101 @@
From 176366aba5680537ee8249e9b3b182677d95feb8 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:53 +0200
Subject: [PATCH 04/10] NetworkPkg/IScsiDxe: clean up library class
dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [4/10] 77ab82d2308848613325317c267bf5954d2c7a7c
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Sort the library class dependencies in the #include directives and in the
INF file. Remove the DpcLib class from the #include directives -- it is
not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
(QueueDpc(), DispatchDpc()). No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daud <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daud <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-5-lersek@redhat.com>
(cherry picked from commit e8f28b09e63dfdbb4169969a43c65f86c44b035a)
---
NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++---
NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++---------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
index 0ffb340ce0..543c408302 100644
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
@@ -65,6 +65,7 @@
NetworkPkg/NetworkPkg.dec
[LibraryClasses]
+ BaseCryptLib
BaseLib
BaseMemoryLib
DebugLib
@@ -72,14 +73,13 @@
HiiLib
MemoryAllocationLib
NetLib
- TcpIoLib
PrintLib
+ TcpIoLib
UefiBootServicesTableLib
UefiDriverEntryPoint
+ UefiHiiServicesLib
UefiLib
UefiRuntimeServicesTableLib
- UefiHiiServicesLib
- BaseCryptLib
[Protocols]
gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
index 387ab9765e..d895c7feb9 100644
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Protocol/AdapterInformation.h>
#include <Protocol/NetworkInterfaceIdentifier.h>
-#include <Library/HiiLib.h>
-#include <Library/UefiHiiServicesLib.h>
-#include <Library/DevicePathLib.h>
-#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/HiiLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/NetLib.h>
#include <Library/PrintLib.h>
+#include <Library/TcpIoLib.h>
#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/UefiHiiServicesLib.h>
#include <Library/UefiLib.h>
-#include <Library/DpcLib.h>
-#include <Library/NetLib.h>
-#include <Library/TcpIoLib.h>
-#include <Library/BaseCryptLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
#include <Guid/MdeModuleHii.h>
#include <Guid/EventGroup.h>
--
2.27.0

View File

@ -0,0 +1,113 @@
From f423b7078d291b84952464aca6930a9d772319b0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:58 +0200
Subject: [PATCH 09/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [9/10] acf102203198d575a12e5257c12b8e43ccdfc589
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
condition, but never actually checks whether the decoded buffer fits into
the caller-provided room (i.e., the input value of "BinLength"), and
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
overflow "BinBuffer".
This is remotely exploitable, as shown in a subsequent patch, which adds
error checking to the IScsiHexToBin() call sites. This issue allows the
target to compromise the initiator.
Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
plus actually catch the buffer overflow.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-10-lersek@redhat.com>
(cherry picked from commit 54e90edaed0d7c15230902ac4d74f4304bad2ebd)
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index f0f4992b07..4069547867 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -377,6 +377,9 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
+ the decoded size cannot be expressed in
+ BinLength on output.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
@@ -387,6 +390,8 @@ IScsiHexToBin (
IN CHAR8 *HexStr
)
{
+ UINTN BinLengthMin;
+ UINT32 BinLengthProvided;
UINTN Index;
UINTN Length;
UINT8 Digit;
@@ -409,6 +414,18 @@ IScsiHexToBin (
if (Length == 0 || Length % 2 != 0) {
return EFI_INVALID_PARAMETER;
}
+ //
+ // Check if the caller provides enough room for the decoded blob.
+ //
+ BinLengthMin = Length / 2;
+ if (BinLengthMin > MAX_UINT32) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+ BinLengthProvided = *BinLength;
+ *BinLength = (UINT32)BinLengthMin;
+ if (BinLengthProvided < BinLengthMin) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
for (Index = 0; Index < Length; Index ++) {
TemStr[0] = HexStr[Index];
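Review bot: In the new size check, *BinLength is overwritten with BinLengthMin before the EFI_BUFFER_TOO_SMALL return, so on that error the caller's variable no longer holds the buffer size it passed in but the size that would have been required. That is a sensible contract, but the function comment updated in the first hunk (and mirrored in IScsiMisc.h) does not state it; extend the EFI_BUFFER_TOO_SMALL entry to say that BinLength is set to the required size on output, so callers know not to reuse the value as a buffer bound after a failure.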
@@ -425,9 +442,6 @@ IScsiHexToBin (
BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
}
}
-
- *BinLength = (UINT32) ((Index + 1)/2);
-
return EFI_SUCCESS;
}
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 404a482e57..fddef4f466 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -172,6 +172,9 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
+ the decoded size cannot be expressed in
+ BinLength on output.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
--
2.27.0

View File

@ -0,0 +1,104 @@
From 2f0e51dcfea6d9101c4694636a948eb4b6e6d4d4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:57 +0200
Subject: [PATCH 08/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [8/10] febb96c07dbd0e4a191e855742cb47fc6e39dfba
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The IScsiHexToBin() function has the following parser issues:

(1) If the *subject sequence* in "HexStr" is empty, the function returns
    EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
    be rejected.

(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
    example, if "HexStr" is "0xABC", the function decodes it to the bytes
    {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
    EFI_SUCCESS. Such inputs should be rejected.

(3) If an invalid hex char is found in "HexStr", the function treats it as
    end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
    rejected.

All of the above cases are remotely triggerable, as shown in a subsequent
patch, which adds error checking to the IScsiHexToBin() call sites. While
the initiator is not immediately compromised, incorrectly parsing CHAP_R
from the target, in case of mutual authentication, is not great.

Extend the interface contract of IScsiHexToBin() with
EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
the new checks.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-9-lersek@redhat.com>
(cherry picked from commit 47b76780b487dbfde4efb6843b16064c4a97e94d)
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 014700e87a..f0f4992b07 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -376,6 +376,7 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
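Review bot: The new @retval text says only "Invalid hex encoding found in HexStr", but the next hunk also returns EFI_INVALID_PARAMETER for an empty string and for an odd number of hex digits. Name all three conditions in the comment (here and in IScsiMisc.h) so that callers know an empty value is an error and not a zero-length success.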
@@ -402,14 +403,21 @@ IScsiHexToBin (
Length = AsciiStrLen (HexStr);
+ //
+ // Reject an empty hex string; reject a stray nibble.
+ //
+ if (Length == 0 || Length % 2 != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
for (Index = 0; Index < Length; Index ++) {
TemStr[0] = HexStr[Index];
Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
if (Digit == 0 && TemStr[0] != '0') {
//
- // Invalid Lun Char.
+ // Invalid Hex Char.
//
- break;
+ return EFI_INVALID_PARAMETER;
}
if ((Index & 1) == 0) {
BinBuffer [Index/2] = Digit;
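Review bot: The `return EFI_INVALID_PARAMETER;` inside the loop exits after earlier iterations have already stored bytes into BinBuffer, and nothing in this hunk updates *BinLength before that return, so a bad character at a later index leaves the caller with a partially overwritten buffer and an unchanged length. Either validate every character in a first pass before writing, or state in the function comment that BinBuffer is indeterminate on any error return. The `Digit == 0 && TemStr[0] != '0'` test also relies on AsciiStrHexToUint64() yielding 0 for a non-hex character; a one-line comment to that effect would help the next reader.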
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 28cf408cd5..404a482e57 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -171,6 +171,7 @@ IScsiBinToHex (
@retval EFI_SUCCESS The hexadecimal string is converted into a
binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
converted data.
**/
--
2.27.0
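The three parser issues listed in the commit message above, together with the buffer-size check from the IScsiHexToBin() overflow fix, modelled in portable C as an added example (not edk2 code and not part of the patch). The function names, the status enum and the assumption that an optional "0x" prefix precedes the subject sequence are this example's own; the inputs are constructed, apart from "0xABC", which the commit message uses.

```c
/* Added example: a portable C model of the parsing rules discussed above.
 * Not edk2 code; names and status values are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hex_status { HEX_OK, HEX_INVALID, HEX_BAD_SIZE, HEX_TOO_SMALL };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Assumption: an optional "0x"/"0X" prefix precedes the subject sequence. */
static const char *skip_prefix(const char *s)
{
    return (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? s + 2 : s;
}

/* Store nibble d for hex position i: high nibble first, then low. */
static void put_nibble(uint8_t *bin, size_t i, int d)
{
    if ((i & 1) == 0) {
        bin[i / 2] = (uint8_t)d;
    } else {
        bin[i / 2] = (uint8_t)((bin[i / 2] << 4) + d);
    }
}

/* Lenient model: reproduces issues (1)-(3). The capacity guard is added
 * here only so that the model itself stays memory-safe. */
static enum hex_status decode_lenient(uint8_t *bin, uint32_t *bin_len,
                                      const char *hex)
{
    const char *p = skip_prefix(hex);
    size_t len = strlen(p), i;

    if ((len + 1) / 2 > *bin_len) return HEX_TOO_SMALL;
    for (i = 0; i < len; i++) {
        int d = hex_digit(p[i]);
        if (d < 0) break;                 /* (3): treated as end of string */
        put_nibble(bin, i, d);
    }
    *bin_len = (uint32_t)((i + 1) / 2);   /* (1): 0 bytes; (2): rounds up */
    return HEX_OK;
}

/* Strict model: the checks the series adds, in the same order. */
static enum hex_status decode_strict(uint8_t *bin, uint32_t *bin_len,
                                     const char *hex)
{
    const char *p = skip_prefix(hex);
    size_t len = strlen(p), need, i;
    uint32_t provided = *bin_len;

    if (len == 0 || len % 2 != 0) return HEX_INVALID;   /* (1) and (2) */
    need = len / 2;
    if (need > UINT32_MAX) return HEX_BAD_SIZE;
    *bin_len = (uint32_t)need;            /* report the required size */
    if (provided < need) return HEX_TOO_SMALL;
    for (i = 0; i < len; i++) {
        int d = hex_digit(p[i]);
        if (d < 0) return HEX_INVALID;    /* (3) */
        put_nibble(bin, i, d);
    }
    return HEX_OK;
}

int main(void)
{
    /* Constructed inputs; "0xABC" is the commit message's own example. */
    const char *samples[] = { "0xA1b2", "0x", "0xABC", "0x12zz34" };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint8_t a[8], b[8];
        uint32_t na = sizeof a, nb = sizeof b;
        enum hex_status sa = decode_lenient(a, &na, samples[k]);
        enum hex_status sb = decode_strict(b, &nb, samples[k]);
        printf("%-10s lenient: status=%d len=%u  strict: status=%d\n",
               samples[k], (int)sa, (unsigned)na, (int)sb);
    }
    return 0;
}
```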


@ -0,0 +1,154 @@
From 4171bd515a2dcfec59513d3a83adce7ed2903d50 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:54 +0200
Subject: [PATCH 05/10] NetworkPkg/IScsiDxe: fix potential integer overflow in
IScsiBinToHex()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [5/10] f52aaaa03b15280eb4a821eeb378d8051ea5ec2a
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Considering IScsiBinToHex():

>   if (((*HexLength) - 3) < BinLength * 2) {
>     *HexLength = BinLength * 2 + 3;
>   }

the following subexpressions are problematic:

  (*HexLength) - 3
  BinLength * 2
  BinLength * 2 + 3

The first one may wrap under zero, the latter two may wrap over
MAX_UINT32.

Rewrite the calculation using SafeIntLib.

While at it, change the type of the "Index" variable from UINTN to UINT32.
The largest "Index"-based value that we calculate is

  Index * 2 + 2 (with (Index == BinLength))

Because the patch makes

  BinLength * 2 + 3

safe to calculate in UINT32, using UINT32 for

  Index * 2 + 2 (with (Index == BinLength))

is safe too. Consistently using UINT32 improves readability.

This patch is best reviewed with "git show -W".

The integer overflows that this patch fixes are theoretical; a subsequent
patch in the series will audit the IScsiBinToHex() call sites, and show
that none of them can fail.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-6-lersek@redhat.com>
(cherry picked from commit cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e)
---
NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 +
NetworkPkg/IScsiDxe/IScsiImpl.h | 1 +
NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++----
NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
index 543c408302..1dde56d00c 100644
--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
@@ -74,6 +74,7 @@
MemoryAllocationLib
NetLib
PrintLib
+ SafeIntLib
TcpIoLib
UefiBootServicesTableLib
UefiDriverEntryPoint
diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
index d895c7feb9..ac3a25730e 100644
--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/MemoryAllocationLib.h>
#include <Library/NetLib.h>
#include <Library/PrintLib.h>
+#include <Library/SafeIntLib.h>
#include <Library/TcpIoLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiHiiServicesLib.h>
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index b8fef3ff6f..42988e15cb 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
and the length of the string is updated.
@retval EFI_BUFFER_TOO_SMALL The string is too small.
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
**/
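Review bot: While this @retval list is being extended, the existing line "EFI_INVALID_PARAMETER The IP string is malformatted." does not describe IScsiBinToHex(); per the parameter check in the next hunk, the function returns it when HexStr or BinBuffer is NULL or BinLength is 0. Correct the text in the same patch, in both IScsiMisc.c and IScsiMisc.h.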
@@ -327,18 +328,28 @@ IScsiBinToHex (
IN OUT UINT32 *HexLength
)
{
- UINTN Index;
+ UINT32 HexLengthMin;
+ UINT32 HexLengthProvided;
+ UINT32 Index;
if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
return EFI_INVALID_PARAMETER;
}
- if (((*HexLength) - 3) < BinLength * 2) {
- *HexLength = BinLength * 2 + 3;
+ //
+ // Safely calculate: HexLengthMin := BinLength * 2 + 3.
+ //
+ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
+ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ HexLengthProvided = *HexLength;
+ *HexLength = HexLengthMin;
+ if (HexLengthProvided < HexLengthMin) {
return EFI_BUFFER_TOO_SMALL;
}
- *HexLength = BinLength * 2 + 3;
//
// Prefix for Hex String.
//
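Review bot: HexLength is dereferenced at `HexLengthProvided = *HexLength;`, but the parameter check at the top of the function covers only HexStr, BinBuffer and BinLength. Add `HexLength == NULL` to the EFI_INVALID_PARAMETER condition. It is also worth documenting that *HexLength is left unmodified when EFI_BAD_BUFFER_SIZE is returned and is set to the required size on EFI_BUFFER_TOO_SMALL.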
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 46c725aab3..231413993b 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -150,6 +150,7 @@ IScsiAsciiStrToIp (
@retval EFI_SUCCESS The binary data is converted to the hexadecimal string
and the length of the string is updated.
@retval EFI_BUFFER_TOO_SMALL The string is too small.
+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
@retval EFI_INVALID_PARAMETER The IP string is malformatted.
**/
--
2.27.0
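The wrap-around cases named in the commit message above, as an added example in portable C (not edk2 code and not part of the patch). The function names and status enum are hypothetical, the input values are constructed, and an explicit bound check stands in for the SafeUint32Mult()/SafeUint32Add() calls the patch uses.

```c
/* Added example: uint32_t model of the IScsiBinToHex() length check.
 * Not edk2 code; function names and status values are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum len_status { LEN_OK, LEN_TOO_SMALL, LEN_BAD_SIZE };

/* Pre-patch check, as quoted in the commit message. Both
 * (*hex_len - 3) and (bin_len * 2) are evaluated modulo 2^32. */
static enum len_status check_wrapping(uint32_t bin_len, uint32_t *hex_len)
{
    if ((*hex_len - 3) < bin_len * 2) {
        *hex_len = bin_len * 2 + 3;
        return LEN_TOO_SMALL;
    }
    *hex_len = bin_len * 2 + 3;
    return LEN_OK;
}

/* Post-patch logic. The patch computes bin_len * 2 + 3 with SafeIntLib;
 * this model swaps in an equivalent explicit bound so that it builds
 * without edk2 headers. */
static enum len_status check_safe(uint32_t bin_len, uint32_t *hex_len)
{
    uint32_t need, provided;

    if (bin_len > (UINT32_MAX - 3) / 2) {
        return LEN_BAD_SIZE;              /* need would not fit in 32 bits */
    }
    need = bin_len * 2 + 3;               /* cannot wrap after the bound */
    provided = *hex_len;
    *hex_len = need;                      /* always report required size */
    return provided < need ? LEN_TOO_SMALL : LEN_OK;
}

int main(void)
{
    /* Constructed cases: { bin_len, caller-provided hex_len }. */
    static const uint32_t cases[][2] = {
        { 16u, 35u },           /* exactly large enough */
        { 16u, 2u },            /* (*hex_len - 3) wraps below zero */
        { 0x80000000u, 64u },   /* bin_len * 2 wraps to 0 */
    };
    size_t k;

    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        uint32_t h1 = cases[k][1], h2 = cases[k][1];
        enum len_status s1 = check_wrapping(cases[k][0], &h1);
        enum len_status s2 = check_safe(cases[k][0], &h2);
        printf("bin_len=%#x provided=%u  wrapping: status=%d need=%u  "
               "safe: status=%d need=%u\n",
               (unsigned)cases[k][0], (unsigned)cases[k][1],
               (int)s1, (unsigned)h1, (int)s2, (unsigned)h2);
    }
    return 0;
}
```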


@ -0,0 +1,93 @@
From 172b2928c24c0ab955127afcdc9e3a52b3913ba5 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:56 +0200
Subject: [PATCH 07/10] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
comment block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [7/10] 4f867fa4ad8f7305961b83224107c1452a7d44ed
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
We'll need further return values for IScsiHexToBin() in a subsequent
patch; make room for them in the leading comment block of the function.
While at it, rewrap the comment block to 80 characters width.
No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-8-lersek@redhat.com>
(cherry picked from commit dc469f137110fe79704b8b92c552972c739bb915)
---
NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++--------
NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 42988e15cb..014700e87a 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -370,14 +370,14 @@ IScsiBinToHex (
/**
Convert the hexadecimal string into a binary encoded buffer.
- @param[in, out] BinBuffer The binary buffer.
- @param[in, out] BinLength Length of the binary buffer.
- @param[in] HexStr The hexadecimal string.
-
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
- encoded buffer.
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
-
+ @param[in, out] BinBuffer The binary buffer.
+ @param[in, out] BinLength Length of the binary buffer.
+ @param[in] HexStr The hexadecimal string.
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
**/
EFI_STATUS
IScsiHexToBin (
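Review bot: Since the comment block is being rewritten anyway, "Length of the binary buffer" for BinLength deserves more detail: the parameter is tagged [in, out], but the text does not say that it carries the buffer capacity on input and the decoded length on output. BinBuffer is also tagged [in, out] although the description gives it no input meaning; [out] looks more accurate.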
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 231413993b..28cf408cd5 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -165,14 +165,14 @@ IScsiBinToHex (
/**
Convert the hexadecimal string into a binary encoded buffer.
- @param[in, out] BinBuffer The binary buffer.
- @param[in, out] BinLength Length of the binary buffer.
- @param[in] HexStr The hexadecimal string.
-
- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
- encoded buffer.
- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
-
+ @param[in, out] BinBuffer The binary buffer.
+ @param[in, out] BinLength Length of the binary buffer.
+ @param[in] HexStr The hexadecimal string.
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
**/
EFI_STATUS
IScsiHexToBin (
--
2.27.0


@ -0,0 +1,71 @@
From 0dac937f2845a1bc4943a0cfed3392d35afba733 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:51 +0200
Subject: [PATCH 02/10] NetworkPkg/IScsiDxe: simplify
"ISCSI_CHAP_AUTH_DATA.InChallenge" size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [2/10] 8b57211651e13185a636daa5369993054bd7334b
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
The usage of this macro currently involves a semantic (not functional)
bug, which we're going to fix in a subsequent patch, eliminating
ISCSI_CHAP_AUTH_MAX_LEN altogether.
For now, remove the macro's usage from all
"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
duplicating open-coded constants.
No changes in functionality.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-3-lersek@redhat.com>
(cherry picked from commit 29cab43bb7912a12efa5a78dac15394aee866e4c)
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index cbbc56ae5b..df3c2eb120 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived (
}
AuthData->InIdentifier = (UINT32) Result;
- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
IScsiHexToBin (
(UINT8 *) AuthData->InChallenge,
&AuthData->InChallengeLength,
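Review bot: The IScsiHexToBin() call is still a bare statement, so its EFI_STATUS is discarded and a decode failure on the target-supplied challenge goes unnoticed. Replacing the macro with `sizeof (AuthData->InChallenge)` is fine, but the capacity only protects the buffer if the call site becomes `Status = IScsiHexToBin (...)` with an error exit before InChallenge and InChallengeLength are used.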
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 5e59fb678b..1fc1d96ea3 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
typedef struct _ISCSI_CHAP_AUTH_DATA {
ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
UINT32 InIdentifier;
- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
+ UINT8 InChallenge[1024];
UINT32 InChallengeLength;
//
// Calculated CHAP Response (CHAP_R) value.
--
2.27.0


@ -0,0 +1,251 @@
From 28e260828557340709ef14e8132e96b54128c5a3 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 8 Jun 2021 14:12:50 +0200
Subject: [PATCH 01/10] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
characters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
RH-Commit: [1/10] 7ae9c45fbc0ffd807a95fad802619cd838257cc8
RH-Bugzilla: 1956408
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Working with overlong lines is difficult for me; rewrap the CHAP-related
source files in IScsiDxe to 80 characters width. No functional changes.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-2-lersek@redhat.com>
(cherry picked from commit 83761337ec91fbd459c55d7d956fcc25df3bfa50)
---
NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +-
2 files changed, 71 insertions(+), 22 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 355c6f129f..cbbc56ae5b 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -1,5 +1,6 @@
/** @file
- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
+ This file is for Challenge-Handshake Authentication Protocol (CHAP)
+ Configuration.
Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
@param[in] ChallengeLength The length of iSCSI CHAP challenge message.
@param[out] ChapResponse The calculation of the expected hash value.
- @retval EFI_SUCCESS The expected hash value was calculatedly successfully.
- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the
- length of the hash value for the hashing algorithm chosen.
+ @retval EFI_SUCCESS The expected hash value was calculatedly
+ successfully.
+ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
+ the length of the hash value for the hashing
+ algorithm chosen.
@retval EFI_PROTOCOL_ERROR MD5 hash operation fail.
@retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5.
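Review bot: The rewrapped EFI_SUCCESS line carries over the typo "calculatedly successfully". Since the line is being rewritten, change it to "calculated successfully".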
@@ -94,8 +97,10 @@ Exit:
@param[in] AuthData iSCSI CHAP authentication data.
@param[in] TargetResponse The response from target.
- @retval EFI_SUCCESS The response from target passed authentication.
- @retval EFI_SECURITY_VIOLATION The response from target was not expected value.
+ @retval EFI_SUCCESS The response from target passed
+ authentication.
+ @retval EFI_SECURITY_VIOLATION The response from target was not expected
+ value.
@retval Others Other errors as indicated.
**/
@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived (
//
// The first Login Response.
//
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
+ );
if (Value == NULL) {
goto ON_EXIT;
}
@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived (
Session->TargetPortalGroupTag = (UINT16) Result;
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_AUTH_METHOD
+ );
if (Value == NULL) {
goto ON_EXIT;
}
//
- // Initiator mandates CHAP authentication but target replies without "CHAP", or
- // initiator suggets "None" but target replies with some kind of auth method.
+ // Initiator mandates CHAP authentication but target replies without
+ // "CHAP", or initiator suggets "None" but target replies with some kind of
+ // auth method.
//
if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
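Review bot: The rewrapped comment keeps the typo "suggets"; change it to "suggests" while the lines are being touched.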
@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived (
//
// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
//
- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
+ Value = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_ALGORITHM
+ );
if (Value == NULL) {
goto ON_EXIT;
}
@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived (
goto ON_EXIT;
}
- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
+ Identifier = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_IDENTIFIER
+ );
if (Identifier == NULL) {
goto ON_EXIT;
}
- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
+ Challenge = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_CHALLENGE
+ );
if (Challenge == NULL) {
goto ON_EXIT;
}
@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived (
AuthData->InIdentifier = (UINT32) Result;
AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
+ IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+ Challenge
+ );
Status = IScsiCHAPCalculateResponse (
AuthData->InIdentifier,
AuthData->AuthConfig->CHAPSecret,
@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived (
goto ON_EXIT;
}
- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
+ Response = IScsiGetValueByKeyFromList (
+ KeyValueList,
+ ISCSI_KEY_CHAP_RESPONSE
+ );
if (Response == NULL) {
goto ON_EXIT;
}
@@ -341,7 +369,8 @@ ON_EXIT:
@param[in, out] Pdu The PDU to send out.
@retval EFI_SUCCESS All check passed and the phase-related CHAP
- authentication info is filled into the iSCSI PDU.
+ authentication info is filled into the iSCSI
+ PDU.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
@@ -392,7 +421,11 @@ IScsiCHAPToSendReq (
// It's the initial Login Request. Fill in the key=value pairs mandatory
// for the initial Login Request.
//
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
+ IScsiAddKeyValuePair (
+ Pdu,
+ ISCSI_KEY_INITIATOR_NAME,
+ mPrivate->InitiatorName
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
IScsiAddKeyValuePair (
Pdu,
@@ -413,7 +446,8 @@ IScsiCHAPToSendReq (
case ISCSI_CHAP_STEP_ONE:
//
- // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
+ // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
+ // pair.
//
AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
@@ -429,11 +463,20 @@ IScsiCHAPToSendReq (
//
// CHAP_N=<N>
//
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
+ IScsiAddKeyValuePair (
+ Pdu,
+ ISCSI_KEY_CHAP_NAME,
+ (CHAR8 *) &AuthData->AuthConfig->CHAPName
+ );
//
// CHAP_R=<R>
//
- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
+ IScsiBinToHex (
+ (UINT8 *) AuthData->CHAPResponse,
+ ISCSI_CHAP_RSP_LEN,
+ Response,
+ &RspLen
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
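Review bot: The rewrapped IScsiBinToHex() call still discards its return status, and Response is handed to IScsiAddKeyValuePair() on the following line whatever the outcome. Even if the buffer is always large enough in practice, capture the status and bail out (or at least ASSERT on it) so that a future change to ISCSI_CHAP_RSP_LEN or the Response buffer cannot silently send an unterminated or stale string.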
@@ -448,7 +491,12 @@ IScsiCHAPToSendReq (
//
IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
+ IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+ Challenge,
+ &ChallengeLen
+ );
IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 140bba0dcd..5e59fb678b 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived (
@param[in, out] Pdu The PDU to send out.
@retval EFI_SUCCESS All check passed and the phase-related CHAP
- authentication info is filled into the iSCSI PDU.
+ authentication info is filled into the iSCSI
+ PDU.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
--
2.27.0


@ -1,120 +0,0 @@
From 08a95c3541cbe2b3a1c671fa683bd6214ad996f0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 27 Aug 2020 00:21:29 +0200
Subject: [PATCH 3/5] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just after
SMI broadcast
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek (lersek)
RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
RH-Commit: [3/3] 40521ea89725b8b0ff8ca3f0a610ff45431e610e (lersek/edk2)
RH-Bugzilla: 1849177
The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick
succession -- it means a series of "device_add" QEMU monitor commands,
back-to-back.

If a "device_add" occurs *just after* ACPI raises the broadcast SMI, then:

- the CPU_FOREACH() loop in QEMU's ich9_apm_ctrl_changed() cannot make the
  SMI pending for the new CPU -- at that time, the new CPU doesn't even
  exist yet,

- OVMF will find the new CPU however (in the CPU hotplug register block),
  in QemuCpuhpCollectApicIds().

As a result, when the firmware sends an INIT-SIPI-SIPI to the new CPU in
SmbaseRelocate(), expecting it to boot into SMM (due to the pending SMI),
the new CPU instead boots straight into the post-RSM (normal mode) "pen",
skipping its initial SMI handler.

The CPU halts nicely in the pen, but its SMBASE is never relocated, and
the SMRAM message exchange with the BSP falls apart -- the BSP gets stuck
in the following loop:

  //
  // Wait until the hot-added CPU is just about to execute RSM.
  //
  while (Context->AboutToLeaveSmm == 0) {
    CpuPause ();
  }

because the new CPU's initial SMI handler never sets the flag to nonzero.

Fix this by sending a directed SMI to the new CPU just before sending it
the INIT-SIPI-SIPI. The various scenarios are documented in the code --
the cases affected by the patch are documented under point (2).

Note that this is not considered a security patch, as for a malicious
guest OS, the issue is not exploitable -- the symptom is a hang on the
BSP, in the above-noted loop in SmbaseRelocate(). Instead, the patch fixes
behavior for a benign guest OS.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Fixes: 51a6fb41181529e4b50ea13377425bda6bb69ba6
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200826222129.25798-3-lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
(cherry picked from commit cbccf995920a28071f5403b847f29ebf8b732fa9)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/CpuHotplugSmm/Smbase.c | 35 ++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/CpuHotplugSmm/Smbase.c b/OvmfPkg/CpuHotplugSmm/Smbase.c
index 170571221d..d8f45c4313 100644
--- a/OvmfPkg/CpuHotplugSmm/Smbase.c
+++ b/OvmfPkg/CpuHotplugSmm/Smbase.c
@@ -220,14 +220,37 @@ SmbaseRelocate (
//
// Boot the hot-added CPU.
//
- // If the OS is benign, and so the hot-added CPU is still in RESET state,
- // then the broadcast SMI is still pending for it; it will now launch
- // directly into SMM.
+ // There are 2*2 cases to consider:
//
- // If the OS is malicious, the hot-added CPU has been booted already, and so
- // it is already spinning on the APIC ID gate. In that case, the
- // INIT-SIPI-SIPI below will be ignored.
+ // (1) The CPU was hot-added before the SMI was broadcast.
//
+ // (1.1) The OS is benign.
+ //
+ // The hot-added CPU is in RESET state, with the broadcast SMI pending
+ // for it. The directed SMI below will be ignored (it's idempotent),
+ // and the INIT-SIPI-SIPI will launch the CPU directly into SMM.
+ //
+ // (1.2) The OS is malicious.
+ //
+ // The hot-added CPU has been booted, by the OS. Thus, the hot-added
+ // CPU is spinning on the APIC ID gate. In that case, both the SMI and
+ // the INIT-SIPI-SIPI below will be ignored.
+ //
+ // (2) The CPU was hot-added after the SMI was broadcast.
+ //
+ // (2.1) The OS is benign.
+ //
+ // The hot-added CPU is in RESET state, with no SMI pending for it. The
+ // directed SMI will latch the SMI for the CPU. Then the INIT-SIPI-SIPI
+ // will launch the CPU into SMM.
+ //
+ // (2.2) The OS is malicious.
+ //
+ // The hot-added CPU is executing OS code. The directed SMI will pull
+ // the hot-added CPU into SMM, where it will start spinning on the APIC
+ // ID gate. The INIT-SIPI-SIPI will be ignored.
+ //
+ SendSmiIpi (ApicId);
SendInitSipiSipi (ApicId, PenAddress);
//
--
2.27.0


@ -1,91 +0,0 @@
From 4e5edfcdf5986d9e0801a976a3aa558b5f370099 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 27 Aug 2020 00:21:28 +0200
Subject: [PATCH 2/5] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just before
SMI broadcast
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek (lersek)
RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
RH-Commit: [2/3] ea3ff703dfb7bd4f77b6807f06c89e754cc9d980 (lersek/edk2)
RH-Bugzilla: 1849177
The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick
succession -- it means a series of "device_add" QEMU monitor commands,
back-to-back.

If a "device_add" occurs *just before* ACPI raises the broadcast SMI,
then:

- OVMF processes the hot-added CPU well.

- However, QEMU's post-SMI ACPI loop -- which clears the pending events
  for the hot-added CPUs that were collected before raising the SMI -- is
  unaware of the stray CPU. Thus, the pending event is not cleared for it.

As a result of the stuck event, at the next hot-plug, OVMF tries to re-add
(relocate for the 2nd time) the already-known CPU. At that time, the AP is
already in the normal edk2 SMM busy-wait however, so it doesn't respond to
the exchange that the BSP intends to do in SmbaseRelocate(). Thus the VM
gets stuck in SMM.

(Because of the above symptom, this is not considered a security patch; it
doesn't seem exploitable by a malicious guest OS.)

In CpuHotplugMmi(), skip the supposedly hot-added CPU if it's already
known. The post-SMI ACPI loop will clear the pending event for it this
time.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Fixes: bc498ac4ca7590479cfd91ad1bb8a36286b0dc21
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200826222129.25798-2-lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
(cherry picked from commit 020bb4b46d6f6708bb3358e1c738109b7908f0de)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/CpuHotplugSmm/CpuHotplug.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
index 20e6bec04f..cfe698ed2b 100644
--- a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+++ b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
@@ -193,9 +193,28 @@ CpuHotplugMmi (
NewSlot = 0;
while (PluggedIdx < PluggedCount) {
APIC_ID NewApicId;
+ UINT32 CheckSlot;
UINTN NewProcessorNumberByProtocol;
NewApicId = mPluggedApicIds[PluggedIdx];
+
+ //
+ // Check if the supposedly hot-added CPU is already known to us.
+ //
+ for (CheckSlot = 0;
+ CheckSlot < mCpuHotPlugData->ArrayLength;
+ CheckSlot++) {
+ if (mCpuHotPlugData->ApicId[CheckSlot] == NewApicId) {
+ break;
+ }
+ }
+ if (CheckSlot < mCpuHotPlugData->ArrayLength) {
+ DEBUG ((DEBUG_VERBOSE, "%a: APIC ID " FMT_APIC_ID " was hot-plugged "
+ "before; ignoring it\n", __FUNCTION__, NewApicId));
+ PluggedIdx++;
+ continue;
+ }
+
//
// Find the first empty slot in CPU_HOT_PLUG_DATA.
//
--
2.27.0


@ -1,50 +0,0 @@
From 135d3d4b4ff12927f7b0c44e067fd42ceae83bb7 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:37:50 +0200
Subject: [PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO
level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-3-lersek@redhat.com>
Patchwork-id: 97533
O-Subject: [RHEL-8.3.0 edk2 PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO level
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
gBS->LoadImage() returning EFI_NOT_FOUND is an expected condition; it
means that QEMU wasn't started with "-kernel". Log this status code as
INFO rather than ERROR.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200609105414.12474-1-lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
(cherry picked from commit 14c7ed8b51f60097ad771277da69f74b22a7a759)
---
.../Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
index 14c8417d43..114db7e844 100644
--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
@@ -106,7 +106,8 @@ QemuLoadKernelImage (
goto UnloadImage;
default:
- DEBUG ((DEBUG_ERROR, "%a: LoadImage(): %r\n", __FUNCTION__, Status));
+ DEBUG ((Status == EFI_NOT_FOUND ? DEBUG_INFO : DEBUG_ERROR,
+ "%a: LoadImage(): %r\n", __FUNCTION__, Status));
return Status;
}
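Review bot: in the `default:` arm of QemuLoadKernelImage(), selecting the log level with `Status == EFI_NOT_FOUND ? DEBUG_INFO : DEBUG_ERROR` buries an expected status inside the catch-all branch. A dedicated `case EFI_NOT_FOUND:` with its own DEBUG_INFO line and a one-line comment (QEMU was started without "-kernel", as the commit message says) would keep `default:` for genuine errors and make the expected path visible to anyone reading the switch. The status is still returned unchanged, so callers are unaffected either way.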
--
2.27.0

@ -1,140 +0,0 @@
From a5efebddb858c739d4a67865a4f8d836ba989d30 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 14 Jul 2020 20:43:05 +0200
Subject: [PATCH 1/5] OvmfPkg/SmmControl2Dxe: negotiate
ICH9_LPC_SMI_F_CPU_HOTPLUG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek (lersek)
RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
RH-Commit: [1/3] 33d820d43a1be2ece09044b0cf105275f3fcc9ce (lersek/edk2)
RH-Bugzilla: 1849177
The ICH9_LPC_SMI_F_BROADCAST and ICH9_LPC_SMI_F_CPU_HOTPLUG feature flags
cause QEMU to behave as follows:
BROADCAST CPU_HOTPLUG use case / behavior
--------- ----------- ------------------------------------------------
clear clear OVMF built without SMM_REQUIRE; or very old OVMF
(from before commit a316d7ac91d3 / 2017-02-07).
QEMU permits CPU hotplug operations, and does
not cause the OS to inject an SMI upon hotplug.
Firmware is not expected to be aware of hotplug
events.
clear set Invalid feature set; QEMU rejects the feature
negotiation.
set clear OVMF after a316d7ac91d3 / 2017-02-07, built with
SMM_REQUIRE, but no support for CPU hotplug.
QEMU gracefully refuses hotplug operations.
set set OVMF after a316d7ac91d3 / 2017-02-07, built with
SMM_REQUIRE, and supporting CPU hotplug. QEMU
permits CPU hotplug operations, and causes the
OS to inject an SMI upon hotplug. Firmware is
expected to deal with hotplug events.
Negotiate ICH9_LPC_SMI_F_CPU_HOTPLUG -- but only if SEV is disabled, as
OvmfPkg/CpuHotplugSmm can't deal with SEV yet.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200714184305.9814-1-lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit 5ba203b54e5953572e279e5505cd65e4cc360e34)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/SmmControl2Dxe/SmiFeatures.c | 26 +++++++++++++++++++++--
OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf | 1 +
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/SmmControl2Dxe/SmiFeatures.c b/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
index 6210b7515e..c9d8755432 100644
--- a/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
+++ b/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
@@ -9,6 +9,7 @@
#include <Library/BaseLib.h>
#include <Library/DebugLib.h>
+#include <Library/MemEncryptSevLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PcdLib.h>
#include <Library/QemuFwCfgLib.h>
@@ -21,6 +22,12 @@
// "etc/smi/supported-features" and "etc/smi/requested-features" fw_cfg files.
//
#define ICH9_LPC_SMI_F_BROADCAST BIT0
+//
+// The following bit value stands for "enable CPU hotplug, and inject an SMI
+// with control value ICH9_APM_CNT_CPU_HOTPLUG upon hotplug", in the
+// "etc/smi/supported-features" and "etc/smi/requested-features" fw_cfg files.
+//
+#define ICH9_LPC_SMI_F_CPU_HOTPLUG BIT1
//
// Provides a scratch buffer (allocated in EfiReservedMemoryType type memory)
@@ -67,6 +74,7 @@ NegotiateSmiFeatures (
UINTN SupportedFeaturesSize;
UINTN RequestedFeaturesSize;
UINTN FeaturesOkSize;
+ UINT64 RequestedFeaturesMask;
//
// Look up the fw_cfg files used for feature negotiation. The selector keys
@@ -104,9 +112,16 @@ NegotiateSmiFeatures (
QemuFwCfgReadBytes (sizeof mSmiFeatures, &mSmiFeatures);
//
- // We want broadcast SMI and nothing else.
+ // We want broadcast SMI, SMI on CPU hotplug, and nothing else.
//
- mSmiFeatures &= ICH9_LPC_SMI_F_BROADCAST;
+ RequestedFeaturesMask = ICH9_LPC_SMI_F_BROADCAST;
+ if (!MemEncryptSevIsEnabled ()) {
+ //
+ // For now, we only support hotplug with SEV disabled.
+ //
+ RequestedFeaturesMask |= ICH9_LPC_SMI_F_CPU_HOTPLUG;
+ }
+ mSmiFeatures &= RequestedFeaturesMask;
QemuFwCfgSelectItem (mRequestedFeaturesItem);
QemuFwCfgWriteBytes (sizeof mSmiFeatures, &mSmiFeatures);
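Review bot: the mask applied in NegotiateSmiFeatures() can end up requesting ICH9_LPC_SMI_F_CPU_HOTPLUG without ICH9_LPC_SMI_F_BROADCAST. `mSmiFeatures &= RequestedFeaturesMask` keeps whichever of the two bits QEMU offered, and the table in the commit message lists broadcast clear / hotplug set as an invalid feature set that QEMU rejects. If the supported-features file ever carries BIT1 without BIT0, the write to the requested-features item asks for exactly that combination. Clearing the hotplug bit whenever the broadcast bit did not survive the mask would remove the dependency on QEMU never offering the bits that way.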
@@ -144,6 +159,13 @@ NegotiateSmiFeatures (
DEBUG ((DEBUG_INFO, "%a: using SMI broadcast\n", __FUNCTION__));
}
+ if ((mSmiFeatures & ICH9_LPC_SMI_F_CPU_HOTPLUG) == 0) {
+ DEBUG ((DEBUG_INFO, "%a: CPU hotplug not negotiated\n", __FUNCTION__));
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: CPU hotplug with SMI negotiated\n",
+ __FUNCTION__));
+ }
+
//
// Negotiation successful (although we may not have gotten the optimal
// feature set).
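Review bot: the "CPU hotplug not negotiated" message near the end of NegotiateSmiFeatures() does not say why the bit is missing. With this patch it can be absent either because QEMU did not offer it or because MemEncryptSevIsEnabled() kept it out of RequestedFeaturesMask, and both cases produce the same log line. A separate DEBUG_INFO message in the SEV branch of the earlier hunk would let a reader of the boot log tell a hotplug-disabled-by-SEV guest from one running on a QEMU without the feature.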
diff --git a/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf b/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
index 3abed141e6..b8fdea8deb 100644
--- a/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
+++ b/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
@@ -46,6 +46,7 @@
BaseLib
DebugLib
IoLib
+ MemEncryptSevLib
MemoryAllocationLib
PcdLib
PciLib
--
2.27.0

@ -1,105 +0,0 @@
From 70c9d989107c6ac964bb437c5a4ea6ffe3214e45 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Mon, 10 Aug 2020 07:52:28 +0200
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before
re-fetch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200731141037.1941-2-lersek@redhat.com>
Patchwork-id: 98121
O-Subject: [RHEL-8.3.0 edk2 PATCH 1/1] UefiCpuPkg/PiSmmCpuDxeSmm: pause in WaitForSemaphore() before re-fetch
Bugzilla: 1861718
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
Most busy waits (spinlocks) in "UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c"
already call CpuPause() in their loop bodies; see SmmWaitForApArrival(),
APHandler(), and SmiRendezvous(). However, the "main wait" within
APHandler():
> //
> // Wait for something to happen
> //
> WaitForSemaphore (mSmmMpSyncData->CpuData[CpuIndex].Run);
doesn't do so, as WaitForSemaphore() keeps trying to acquire the semaphore
without pausing.
The performance impact is especially notable in QEMU/KVM + OVMF
virtualization with CPU overcommit (that is, when the guest has
significantly more VCPUs than the host has physical CPUs). The guest BSP
is working heavily in:
BSPHandler() [MpService.c]
PerformRemainingTasks() [PiSmmCpuDxeSmm.c]
SetUefiMemMapAttributes() [SmmCpuMemoryManagement.c]
while the many guest APs are spinning in the "Wait for something to
happen" semaphore acquisition, in APHandler(). The guest APs are
generating useless memory traffic and saturating host CPUs, hindering the
guest BSP's progress in SetUefiMemMapAttributes().
Rework the loop in WaitForSemaphore(): call CpuPause() in every iteration
after the first check fails. Due to Pause Loop Exiting (known as Pause
Filter on AMD), the host scheduler can favor the guest BSP over the guest
APs.
Running a 16 GB RAM + 512 VCPU guest on a 448 PCPU host, this patch
reduces OVMF boot time (counted until reaching grub) from 20-30 minutes to
less than 4 minutes.
The patch should benefit physical machines as well -- according to the
Intel SDM, PAUSE "Improves the performance of spin-wait loops". Adding
PAUSE to the generic WaitForSemaphore() function is considered a general
improvement.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1861718
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200729185217.10084-1-lersek@redhat.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
(cherry picked from commit 9001b750df64b25b14ec45a2efa1361a7b96c00a)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
index 57e788c..4bcd217 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
@@ -40,14 +40,18 @@ WaitForSemaphore (
{
UINT32 Value;
- do {
+ for (;;) {
Value = *Sem;
- } while (Value == 0 ||
- InterlockedCompareExchange32 (
- (UINT32*)Sem,
- Value,
- Value - 1
- ) != Value);
+ if (Value != 0 &&
+ InterlockedCompareExchange32 (
+ (UINT32*)Sem,
+ Value,
+ Value - 1
+ ) == Value) {
+ break;
+ }
+ CpuPause ();
+ }
return Value - 1;
}
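Review bot: the reworked loop in WaitForSemaphore() has no comment explaining where CpuPause() sits and why. It runs only after a failed attempt (Value was 0, or InterlockedCompareExchange32() lost the race), so the uncontended path never pauses; that reasoning is in the commit message but not in the code, and a two-line comment above `CpuPause ();` would keep a later cleanup from moving the call to the top of the loop. The function's header comment is also a good place to note that the wait is still unbounded: `for (;;)` exits only on a successful decrement.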
--
1.8.3.1

33
SOURCES/edk2-ovmf-cc.json Normal file
@ -0,0 +1,33 @@
{
"description": "OVMF with SEV-ES support",
"interface-types": [
"uefi"
],
"mapping": {
"device": "flash",
"executable": {
"filename": "/usr/share/edk2/ovmf/OVMF_CODE.cc.fd",
"format": "raw"
},
"nvram-template": {
"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
"format": "raw"
}
},
"targets": [
{
"architecture": "x86_64",
"machines": [
"pc-q35-rhel8.5.0"
]
}
],
"features": [
"amd-sev",
"amd-sev-es",
"verbose-dynamic"
],
"tags": [
]
}
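Review bot: "machines" in the "targets" entry names one exact machine type, "pc-q35-rhel8.5.0", so this descriptor matches only guests of that type. If OVMF_CODE.cc.fd is meant to be selectable for other q35 machine types, they need to be listed here; if the restriction is deliberate, the reason belongs in the commit message or the spec, because nothing in the file explains it. Note also that the spec installs this file as 50-edk2-ovmf-cc.json beside 50-edk2-ovmf.json, so the two descriptors share the same priority prefix and their relative order rests on the rest of the file name.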

@ -1,25 +1,25 @@
ExclusiveArch: x86_64 aarch64
%define GITDATE 20200602
%define GITCOMMIT ca407c7246bf
%define GITDATE 20210527
%define GITCOMMIT e1999b264f1f
%define TOOLCHAIN GCC5
%define OPENSSL_VER 1.1.1g
%define OPENSSL_VER 1.1.1k
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 4%{?dist}
Release: 3%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: http://www.tianocore.org
# The source tarball is created using following commands:
# COMMIT=%{GITCOMMIT}
# COMMIT=e1999b264f1f
# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \
# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
Source1: ovmf-whitepaper-c770f8c.txt
Source2: openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
Source2: openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz
Source3: ovmf-vars-generator
Source4: LICENSE.qosb
Source5: RedHatSecureBootPkKek1.pem
@ -28,12 +28,12 @@ Source10: edk2-aarch64-verbose.json
Source11: edk2-aarch64.json
Source12: edk2-ovmf-sb.json
Source13: edk2-ovmf.json
Source14: edk2-ovmf-cc.json
Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
Patch0009: 0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0010: 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
Patch0011: 0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
Patch0010: 0010-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0011: 0011-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
Patch0012: 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
Patch0013: 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch0014: 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
@ -48,24 +48,30 @@ Patch0022: 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
Patch0023: 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
Patch0026: 0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch
Patch0027: 0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch28: edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch29: edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch30: edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
# For bz#1861718 - Very slow boot when overcommitting CPU
Patch31: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch
# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
Patch32: edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch
# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
# For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch28: edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch29: edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch30: edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch31: edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch32: edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch33: edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch34: edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch35: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch36: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
# For bz#1956408 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0]
Patch37: edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
# For bz#1988762 - edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec
Patch38: edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch
# python3-devel and libuuid-devel are required for building tools.
@ -87,8 +93,8 @@ BuildRequires: mtools
BuildRequires: genisoimage
# For generating the variable store template with the default certificates
# enrolled, we need qemu-kvm.
BuildRequires: qemu-kvm >= 2.12.0-89
# enrolled, we need the qemu-kvm executable.
BuildRequires: qemu-kvm-core >= 2.12.0-89
# For verifying SB enablement in the above variable store template, we need a
# guest kernel that prints "Secure boot enabled".
@ -197,7 +203,7 @@ echo "Applied $COUNT patches"
rm -f $PATCHLIST
cp -a -- %{SOURCE1} %{SOURCE3} .
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} .
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
# Format the Red Hat-issued certificate that is to be enrolled as both Platform
@ -320,12 +326,8 @@ mkdir -p \
$RPM_BUILD_ROOT%{_datadir}/OVMF \
$RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf
# We don't ship the SB-less, SMM-less binary.
%if 0
install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
$RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
ln -s ../%{name}/ovmf/OVMF_CODE.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/
%endif
$RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
$RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
@ -350,6 +352,8 @@ install -m 0644 edk2-ovmf-sb.json \
$RPM_BUILD_ROOT%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
install -m 0644 edk2-ovmf.json \
$RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf.json
install -m 0644 edk2-ovmf-cc.json \
$RPM_BUILD_ROOT%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
%else
mkdir -p \
@ -434,10 +438,7 @@ install BaseTools/Scripts/GccBase.lds \
%doc ovmf-whitepaper-c770f8c.txt
%dir %{_datadir}/OVMF/
%dir %{_datadir}/%{name}/ovmf/
%if 0
%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
%{_datadir}/OVMF/OVMF_CODE.fd
%endif
%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
@ -449,6 +450,7 @@ install BaseTools/Scripts/GccBase.lds \
%{_datadir}/%{name}/ovmf/Shell.efi
%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
%{_datadir}/qemu/firmware/50-edk2-ovmf.json
%else
@ -479,7 +481,6 @@ install BaseTools/Scripts/GccBase.lds \
%{_bindir}/GenSec
%{_bindir}/LzmaCompress
%{_bindir}/LzmaF86Compress
%{_bindir}/Split
%{_bindir}/TianoCompress
%{_bindir}/VfrCompile
%{_bindir}/VolInfo
@ -515,6 +516,38 @@ true
%endif
%changelog
* Fri Aug 06 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-3
- edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch [bz#1988762]
- Resolves: bz#1988762
(edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec)
* Fri Jul 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-2
- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1956408]
- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1956408]
- Resolves: bz#1956408
(edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-8.5.0])
* Wed Jun 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-1
- Rebase to edk2-stable202105 [bz#1938238]
- Resolves: bz#1938238
((edk2-rebase-rhel-8.5) - rebase edk2 to edk2-stable202105 for RHEL-8.5)
* Wed May 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-5.el8
- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1892318]
- edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch [bz#1956837]
- Resolves: bz#1892318
(edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8])
- Resolves: bz#1956837
(Additional build of edk2 without SMM (dual build / sub-package) for SEV-ES)
* Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]