diff --git a/.edk2.metadata b/.edk2.metadata
index 7a94678..f2c28cd 100644
--- a/.edk2.metadata
+++ b/.edk2.metadata
@@ -1,3 +1,3 @@
 de143fc38b339d982079517b6f01bcec5246cf5e SOURCES/DBXUpdate-20230509.x64.bin
-4b2ed0d355d3ef44e21a72573e17017630b6d33c SOURCES/edk2-8736b8fdca.tar.xz
+6da44cf37c27ab03f2940769c58515b07271e047 SOURCES/edk2-3e722403cd.tar.xz
 0a9cfae889c6436333fab963250b069058eec6cf SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
diff --git a/.gitignore b/.gitignore
index ececa63..59a36ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/DBXUpdate-20230509.x64.bin
-SOURCES/edk2-8736b8fdca.tar.xz
+SOURCES/edk2-3e722403cd.tar.xz
 SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
diff --git a/SOURCES/0001-ignore-build-artifacts-generated-files-session-setti.patch b/SOURCES/0001-ignore-build-artifacts-generated-files-session-setti.patch
deleted file mode 100644
index 1d51039..0000000
--- a/SOURCES/0001-ignore-build-artifacts-generated-files-session-setti.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From 21816395a94558c8e5c97f13adbb5ffb909656b8 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Wed, 11 Jun 2014 21:55:22 +0200 -Subject: [PATCH] ignore build artifacts, generated files, session settings etc - (RHEL only) - -Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> -RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: - -- no changes - -Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> -RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: - -- refresh against upstream commit 48760409ccc8 (".gitignore: Ignore python - compiled files, extdeps, and vscode", 2019-11-11) - -- add ".AutoGenIdFile.txt" to "Conf/.gitignore", in response to upstream - commit 373298ca0d60 ("BaseTools: Fixed issue for IgnoreAutoGen", - 2019-09-10) - -Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> -RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: - -- no changes - -Notes about the RHEL-8.0/20180508-ee3198e672e2 -> -RHEL-8.1/20190308-89910a39dcfd rebase: - -- no changes - -Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> -RHEL-8.0/20180508-ee3198e672e2 rebase: - -- reorder the rebase changelog in the commit message so that it reads like - a blog: place more recent entries near the top -- no changes to the patch body - -Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: - -- no changes - -Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: - -- Conflict resolution against upstream commit 112f4ada2e6b ("edk2: Add - .DS_Store to .gitignore for macOS", 2017-05-04), in the ".gitignore" - file. - -Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: - -- no changes - -Notes about the 9ece15a -> c9e5618 rebase: - -- Upstream added .gitignore files in the meanwhile, we just need some - light customization. In particular the Conf/ReadMe.txt file should not - be ignored, it is not generated. 
- -Signed-off-by: Laszlo Ersek -(cherry picked from commit 3b9c914f2d6bff6274d5ed45fcf4c757ce27031b) -(cherry picked from commit b66c3c6d11a834dc7cb3ab326f09c6a21c0b81e8) -(cherry picked from commit c94381432988f6137de46772cbd4080d9832c9ad) -(cherry picked from commit 730cc57005e4908fcee29109672284808b21ec1c) -(cherry picked from commit 161184bcb55a670f8f7f8c4147825eb360b73794) -(cherry picked from commit 4eec2bb2176f2deda2b2c44a6f2ea167c5a43433) -(cherry picked from commit ea548c8d0c9d4cd5b8b5200eda8ff6ac220a6307) -(cherry picked from commit 4872f69df8b0460fbbfcd75950d81fdcd213f8c0) ---- - Conf/.gitignore | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/Conf/.gitignore b/Conf/.gitignore -index 5e4debcc10..8601fc0cee 100644 ---- a/Conf/.gitignore -+++ b/Conf/.gitignore -@@ -1 +1,6 @@ --* -+.AutoGenIdFile.txt -+.cache/ -+BuildEnv.sh -+build_rule.txt -+target.txt -+tools_def.txt diff --git a/SOURCES/0002-Remove-submodules.patch b/SOURCES/0002-Remove-submodules.patch deleted file mode 100644 index fc7f093..0000000 --- a/SOURCES/0002-Remove-submodules.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From ff10592d4710f12d601dcfcdd25f28b6941c5141 Mon Sep 17 00:00:00 2001 -From: Miroslav Rezanina -Date: Thu, 24 Mar 2022 03:23:02 -0400 -Subject: [PATCH] Remove submodules - -Rebase to edk2-stable202311: removing additional submodule: - -- CryptoPkg/Library/MbedTlsLib/mbedtls - -Signed-off-by: Gerd Hoffmann - -Rebase to edk2-stable202305: removing additional submodules: - -- MdePkg/Library/BaseFdtLib/libfdt -- MdePkg/Library/MipiSysTLib/mipisyst -- UnitTestFrameworkPkg/Library/GoogleTestLib/googletest -- UnitTestFrameworkPkg/Library/SubhookLib/subhook - -Signed-off-by: Oliver Steffen - -Upstream edk2 tracks several submodules we do not need in RHEL (removal -done by individual commits in previous RHEL versions): - -- openssl: We use RHEL specific openssl submodule later (commit 48f993088e) -- SoftFloat: required only for 32-bit ARM (commit 273787a5c2) -- cmocka: needed for UnitTestFrameworkPkg we do not use (commit a2dca9bcd2) -- oniguruma: rhel do not need this dependency (commit 73f4b42b3a) -- brotli: removed this dependency (commits fcd212ffce, cf62a90767 and ac5782e6ab) -- jansson: we do not depend on JSON parsing or formating (commit c84227659a) - -Signed-off-by: Miroslav Rezanina - -MdeModulePkg: remove package-private Brotli include path (RH only) - -Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> -RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: - -- no change - -Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> -RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: - -- New patch. - -Originating from upstream commit 58802e02c41b -("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule", -2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal -include path into a Brotli submodule. - -The edk2 build system requires such include paths to resolve successfully, -regardless of the firmware platform being built. 
Because -BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg -platforms, and we've removed the submodule earlier in this patch set, -remove the include path too. - -Signed-off-by: Laszlo Ersek -(cherry picked from commit e05e0de713c4a2b8adb6ff9809611f222bfe50ed) ---- - BaseTools/Source/C/GNUmakefile | 1 - - CryptoPkg/.gitignore | 1 + - MdeModulePkg/MdeModulePkg.dec | 3 --- - MdePkg/MdePkg.dec | 5 ----- - 4 files changed, 1 insertion(+), 9 deletions(-) - create mode 100644 CryptoPkg/.gitignore - -diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile -index 5275f657ef..39d7199753 100644 ---- a/BaseTools/Source/C/GNUmakefile -+++ b/BaseTools/Source/C/GNUmakefile -@@ -51,7 +51,6 @@ all: makerootdir subdirs - LIBRARIES = Common - VFRAUTOGEN = VfrCompile/VfrLexer.h - APPLICATIONS = \ -- BrotliCompress \ - VfrCompile \ - EfiRom \ - GenFfs \ -diff --git a/CryptoPkg/.gitignore b/CryptoPkg/.gitignore -new file mode 100644 -index 0000000000..68b83272b7 ---- /dev/null -+++ b/CryptoPkg/.gitignore -@@ -0,0 +1 @@ -+Library/OpensslLib/openssl*/ -diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec -index d2fede4f87..265dfec94f 100644 ---- a/MdeModulePkg/MdeModulePkg.dec -+++ b/MdeModulePkg/MdeModulePkg.dec -@@ -26,9 +26,6 @@ - Include - Test/Mock/Include - --[Includes.Common.Private] -- Library/BrotliCustomDecompressLib/brotli/c/include -- - [LibraryClasses] - ## @libraryclass Defines a set of methods to reset whole system. - ResetSystemLib|Include/Library/ResetSystemLib.h -diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec -index ac54338089..29f0a6e178 100644 ---- a/MdePkg/MdePkg.dec -+++ b/MdePkg/MdePkg.dec -@@ -29,7 +29,6 @@ - Include - Test/UnitTest/Include - Test/Mock/Include -- Library/MipiSysTLib/mipisyst/library/include - - [Includes.IA32] - Include/Ia32 -@@ -295,10 +294,6 @@ - # - FdtLib|Include/Library/FdtLib.h - -- ## @libraryclass Provides general mipi sys-T services. 
-- #
-- MipiSysTLib|Include/Library/MipiSysTLib.h
--
- ## @libraryclass Provides API to output Trace Hub debug message.
- #
- TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h
diff --git a/SOURCES/0003-Remove-paths-leading-to-submodules.patch b/SOURCES/0003-Remove-paths-leading-to-submodules.patch
new file mode 100644
index 0000000..d22a3b7
--- /dev/null
+++ b/SOURCES/0003-Remove-paths-leading-to-submodules.patch
@@ -0,0 +1,65 @@
+From de9f92d118c1374243d9d3f006088a29ec7dcf8d Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina
+Date: Thu, 24 Mar 2022 03:23:02 -0400
+Subject: [PATCH] Remove paths leading to submodules
+
+We removed submodules used upstream. However, edk2 build system requires
+such include paths to resolve successfully, regardless of the firmware
+platform being built.
+
+Signed-off-by: Miroslav Rezanina
+---
+ BaseTools/Source/C/GNUmakefile | 1 -
+ MdeModulePkg/MdeModulePkg.dec | 3 ---
+ MdePkg/MdePkg.dec | 5 -----
+ 3 files changed, 9 deletions(-)
+
+diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
+index 5275f657ef..39d7199753 100644
+--- a/BaseTools/Source/C/GNUmakefile
++++ b/BaseTools/Source/C/GNUmakefile
+@@ -51,7 +51,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+- BrotliCompress \
+ VfrCompile \
+ EfiRom \
+ GenFfs \
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index f7339f0aec..badb93238f 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -26,9 +26,6 @@
+ Include
+ Test/Mock/Include
+
+-[Includes.Common.Private]
+- Library/BrotliCustomDecompressLib/brotli/c/include
+-
+ [LibraryClasses]
+ ## @libraryclass Defines a set of methods to reset whole system.
+ ResetSystemLib|Include/Library/ResetSystemLib.h
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index bf94549cbf..605b0f1be8 100644
+--- a/MdePkg/MdePkg.dec
++++ b/MdePkg/MdePkg.dec
+@@ -29,7 +29,6 @@
+ Include
+ Test/UnitTest/Include
+ Test/Mock/Include
+- Library/MipiSysTLib/mipisyst/library/include
+
+ [Includes.IA32]
+ Include/Ia32
+@@ -295,10 +294,6 @@
+ #
+ FdtLib|Include/Library/FdtLib.h
+
+- ## @libraryclass Provides general mipi sys-T services.
+- #
+- MipiSysTLib|Include/Library/MipiSysTLib.h
+-
+ ## @libraryclass Provides API to output Trace Hub debug message.
+ #
+ TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h
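Review bot: The commit message of the new 0003-Remove-paths-leading-to-submodules.patch stops at its premise. It says the edk2 build system requires such include paths to resolve, but it never states that the patch therefore deletes them, nor which submodules are affected. The 0002-Remove-submodules.patch deleted earlier in this diff listed each removed submodule with its reason, and losing that record makes it harder to audit which bundled third-party code the firmware build no longer references. Consider closing the message with a sentence such as `Remove the BrotliCompress tool entry, the Brotli and MipiSysT include paths and the MipiSysTLib library class, since those submodules are not shipped.` The old patch's diffstat also created `CryptoPkg/.gitignore` and this one does not; that is presumably intentional, but the message should say so.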
diff --git a/SOURCES/0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/SOURCES/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch similarity index 97% rename from SOURCES/0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch rename to SOURCES/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch index 394c466..0a57269 100644 --- a/SOURCES/0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +++ b/SOURCES/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch @@ -1,4 +1,4 @@ -From a531e0f3c999670f54926b2579e0721d217a49e0 Mon Sep 17 00:00:00 2001 +From 5c48211bdce4b30c86e92636e852e9da4ede4c1e Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 25 Feb 2014 22:40:01 +0100 Subject: [PATCH] MdeModulePkg: TerminalDxe: set xterm resolution on mode @@ -99,10 +99,10 @@ Signed-off-by: Laszlo Ersek 3 files changed, 36 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec -index 265dfec94f..092a8dee2a 100644 +index badb93238f..3a67acc090 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec -@@ -2158,6 +2158,10 @@ +@@ -2222,6 +2222,10 @@ # @Prompt The value is use for Usb Network rate limiting supported. gEfiMdeModulePkgTokenSpaceGuid.PcdUsbNetworkRateLimitingFactor|100|UINT32|0x10000028 diff --git a/SOURCES/0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/SOURCES/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch similarity index 93% rename from SOURCES/0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch rename to SOURCES/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch index 475cd69..16da78e 100644 --- a/SOURCES/0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +++ b/SOURCES/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch 
@@ -1,4 +1,4 @@ -From c53aae9d945648b7301efede1dc77bf7b7f4ee1c Mon Sep 17 00:00:00 2001 +From 0976965c3dd6ac841f59dc09220a6637060ba901 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 14 Oct 2015 15:59:06 +0200 Subject: [PATCH] OvmfPkg: take PcdResizeXterm from the QEMU command line (RH @@ -83,10 +83,10 @@ Signed-off-by: Laszlo Ersek 9 files changed, 21 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 302c90e7c2..ef70f5f08c 100644 +index 8eb6f4f24f..627fded641 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -486,6 +486,7 @@ +@@ -484,6 +484,7 @@ [PcdsDynamicDefault] gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 @@ -95,10 +95,10 @@ index 302c90e7c2..ef70f5f08c 100644 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0 diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc -index c23c7eaf6c..49521ba47c 100644 +index 4996885301..51a49c09ad 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc -@@ -576,6 +576,7 @@ +@@ -581,6 +581,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 @@ -107,10 +107,10 @@ index c23c7eaf6c..49521ba47c 100644 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc -index 182ec3705d..fd6722499a 100644 +index 0931ce061a..9f49b60ff0 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc -@@ -482,6 +482,7 @@ +@@ -477,6 +477,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 
@@ -119,10 +119,10 @@ index 182ec3705d..fd6722499a 100644 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0 diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc -index ea1fa3e296..79f14b5c05 100644 +index 69de4dd3f1..fb73f2e089 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc -@@ -584,7 +584,7 @@ +@@ -590,7 +590,7 @@ # only set when # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 @@ -132,43 +132,43 @@ index ea1fa3e296..79f14b5c05 100644 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index ed3a19feeb..3101a3a4cf 100644 +index 2ca005d768..dddef5ed0e 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -604,6 +604,7 @@ +@@ -599,6 +599,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 16ca139b29..0c174947b7 100644 +index a39070a626..933abb258f 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -616,6 +616,7 @@ +@@ -611,6 +611,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index dc1a0942aa..a328726d55 100644 +index 1b90aa8f57..04157ab14b 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -634,6 +634,7 @@ +@@ -629,6 +629,7 @@ # ($(SMM_REQUIRE) == FALSE) gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE !if $(SMM_REQUIRE) == FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c -index f5dc41c3a8..f244dcd24d 100644 +index df35726ff6..6c786bfc1e 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c @@ -41,6 +41,18 @@ @@ -199,10 +199,10 @@ index f5dc41c3a8..f244dcd24d 100644 InstallClearCacheCallback (); diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf -index 3934aeed95..d84aefee6d 100644 +index e036018eab..a2f59e8fc8 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf -@@ -100,6 +100,7 @@ +@@ -103,6 +103,7 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved diff --git a/SOURCES/0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/SOURCES/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch similarity index 98% rename from SOURCES/0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch rename to SOURCES/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch index 29043f7..47be70d 100644 --- a/SOURCES/0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +++ b/SOURCES/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch 
@@ -1,4 +1,4 @@ -From db9d61b18715590fc8956eb5da9b036afbfd9ab9 Mon Sep 17 00:00:00 2001 +From 4c45a397402f58a67b1d4ea1348bb79f3716c7a5 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Sun, 26 Jul 2015 08:02:50 +0000 Subject: [PATCH] ArmVirtPkg: take PcdResizeXterm from the QEMU command line @@ -96,10 +96,10 @@ Signed-off-by: Laszlo Ersek create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index 30e3cfc8b9..7b88b7441f 100644 +index 64aa4e96e5..c37c4ba61e 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -309,6 +309,8 @@ +@@ -311,6 +311,8 @@ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 !endif @@ -108,7 +108,7 @@ index 30e3cfc8b9..7b88b7441f 100644 [PcdsDynamicHii] gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS -@@ -418,7 +420,10 @@ +@@ -416,7 +418,10 @@ MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf diff --git a/SOURCES/0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/SOURCES/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch similarity index 93% rename from SOURCES/0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch rename to SOURCES/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch index 0b2c31e..c8fc3b2 100644 --- a/SOURCES/0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +++ b/SOURCES/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch @@ -1,4 +1,4 @@ -From ccc528cc7a9d5b0029a1ca91cb592c999e9f8c5a Mon Sep 17 00:00:00 2001 +From 3dbb4913b3e1c0413dd3016681aca3a3d12edd0d Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:45 +0100 Subject: [PATCH] OvmfPkg: enable DEBUG_VERBOSE (RHEL only) @@ -65,10 +65,10 @@ Signed-off-by: Paolo Bonzini 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index ef70f5f08c..28bdc56227 100644 +index 627fded641..cef43b34b7 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -428,7 +428,7 @@ +@@ -429,7 +429,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error @@ -78,41 +78,41 @@ index ef70f5f08c..28bdc56227 100644 !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 3101a3a4cf..c4fc79a851 100644 +index dddef5ed0e..270bd612e5 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -537,7 +537,7 @@ +@@ -535,7 +535,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 0c174947b7..1da23b5389 100644 +index 933abb258f..269a4b2b21 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -544,7 +544,7 @@ +@@ -542,7 +542,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index a328726d55..4f886ba644 100644 +index 04157ab14b..9614cc1c56 100644 
--- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -563,7 +563,7 @@ +@@ -561,7 +561,7 @@ # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may # // significantly impact boot performance # DEBUG_ERROR 0x80000000 // Error - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F !if $(SOURCE_DEBUG_ENABLE) == TRUE gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 diff --git a/SOURCES/0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/SOURCES/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch similarity index 85% rename from SOURCES/0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch rename to SOURCES/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch index 332b194..d433969 100644 --- a/SOURCES/0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +++ b/SOURCES/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch @@ -1,9 +1,13 @@ -From 4bb5f3b3473da371b4db99899c1128ae4ff99f6e Mon Sep 17 00:00:00 2001 +From ac8f2a85bad100eaf42d3537b6fcb37fa3db5fd9 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:46 +0100 Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in QemuVideoDxe/QemuRamfbDxe (RH) +edk2-stable202402 rebase: + +- context changes due to CSM support removal. + Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: @@ -82,12 +86,12 @@ Signed-off-by: Paolo Bonzini 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 28bdc56227..cbd48af4dc 100644 +index cef43b34b7..f53380aca2 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc 
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -694,8 +694,14 @@ +@@ -691,8 +691,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf - OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf - OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf @@ -103,68 +107,65 @@ index 28bdc56227..cbd48af4dc 100644 # diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index c4fc79a851..75a61c88e6 100644 +index 270bd612e5..d942c7354a 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -850,9 +850,15 @@ - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf +@@ -828,8 +828,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - !ifndef $(CSM_ENABLE) - OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif - OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf - # diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 1da23b5389..e5ca067d4c 100644 +index 269a4b2b21..d915b847cb 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -868,9 +868,15 @@ - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf +@@ -842,8 +842,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - !ifndef $(CSM_ENABLE) - OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif - OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf - # diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 4f886ba644..ad314d86c6 100644 +index 9614cc1c56..12ee5510bd 100644 --- a/OvmfPkg/OvmfPkgX64.dsc 
+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -936,9 +936,15 @@ - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf +@@ -910,8 +910,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - !ifndef $(CSM_ENABLE) - OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif - OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf - # diff --git a/SOURCES/0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/SOURCES/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch similarity index 94% rename from SOURCES/0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch rename to SOURCES/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch index cb2dcdd..4de197b 100644 --- a/SOURCES/0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +++ b/SOURCES/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch @@ -1,4 +1,4 @@ -From 72830b010e7b78ef8d74cefcb5c6ad018c653ea6 Mon Sep 17 00:00:00 2001 +From 511531fe074c28dd8139f722b25979df1995e492 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 27 Jan 2016 03:05:18 +0100 Subject: [PATCH] ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in @@ -61,10 +61,10 @@ Signed-off-by: Laszlo Ersek 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index 7b88b7441f..fe7b7e1d64 100644 +index c37c4ba61e..00e656d0c9 100644 
--- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -547,7 +547,10 @@ +@@ -546,7 +546,10 @@ # # Video support # @@ -77,10 +77,10 @@ index 7b88b7441f..fe7b7e1d64 100644 OvmfPkg/PlatformDxe/Platform.inf diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc -index b50f8e84a3..4a43892f7d 100644 +index 2cf96accbd..c7918c8cf3 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc -@@ -447,7 +447,10 @@ +@@ -450,7 +450,10 @@ # # Video support # diff --git a/SOURCES/0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/SOURCES/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch similarity index 97% rename from SOURCES/0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch rename to SOURCES/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch index 9c217c0..08fcb0b 100644 --- a/SOURCES/0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +++ b/SOURCES/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch @@ -1,4 +1,4 @@ -From 2b84cf52f9a6f24f932bce5548202460f20ca9d0 Mon Sep 17 00:00:00 2001 +From 3bf394bd43a4cf00c2b52b965b47b8194a406166 Mon Sep 17 00:00:00 2001 From: Philippe Mathieu-Daude Date: Thu, 1 Aug 2019 20:43:48 +0200 Subject: [PATCH] OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 diff --git a/SOURCES/0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/SOURCES/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch similarity index 93% rename from SOURCES/0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch rename to SOURCES/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch index a7329b5..d81f03a 100644 --- a/SOURCES/0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +++ b/SOURCES/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch 
@@ -1,4 +1,4 @@ -From 67230df28e3861c4a7a8fb064a45ed85f015209c Mon Sep 17 00:00:00 2001 +From b9ac7e96d76caa161d1689c0436551e95728ac0e Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 21 Nov 2017 00:57:47 +0100 Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe @@ -63,10 +63,10 @@ Signed-off-by: Paolo Bonzini 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index cbd48af4dc..a0319c1f0a 100644 +index f53380aca2..32f47704bc 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -688,7 +688,10 @@ +@@ -686,7 +686,10 @@ MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf @@ -79,50 +79,50 @@ index cbd48af4dc..a0319c1f0a 100644 MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 75a61c88e6..34ad4f2777 100644 +index d942c7354a..49540d54d0 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -843,7 +843,10 @@ +@@ -823,7 +823,10 @@ MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf - MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf -+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index e5ca067d4c..4278ce5e1d 100644 +index d915b847cb..1c4e0514ed 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -861,7 +861,10 @@ +@@ -837,7 +837,10 @@ MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf - MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf -+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index ad314d86c6..e41a1b976e 100644 +index 12ee5510bd..e50e63b3f6 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -929,7 +929,10 @@ +@@ -905,7 +905,10 @@ MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf - MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf -+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf 
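Review bot: The per-module override `gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F` on the NvmExpressDxe entry is a bare literal, and nothing in the DSC itself says which bit it is meant to clear, so every rebase has to go back to the commit message to learn why it exists. I would put a comment above the override, for example `# RHEL: platform mask minus DEBUG_VERBOSE (0x00400000); keep in sync with the platform-wide PcdDebugPrintErrorLevel`. Because the value is pinned per module, it presumably stops following the platform default, so a build that selects a quieter mask would still get INFO-level output from this driver; that is worth checking against the build flags in the spec file. The same literal is repeated in the OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc sections of this hunk and in the QemuVideoDxe/QemuRamfbDxe overrides earlier on the page. The DSC section these entries belong to starts outside the hunk.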
diff --git a/SOURCES/0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/SOURCES/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch similarity index 97% rename from SOURCES/0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch rename to SOURCES/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch index c5f847a..8f928ba 100644 --- a/SOURCES/0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +++ b/SOURCES/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch @@ -1,4 +1,4 @@ -From 9bf175beabab17dae1b5883d528ae3d9d834249b Mon Sep 17 00:00:00 2001 +From 8c67b1b96e42c39a3562c8790ae5985a240edfce Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 24 Jun 2020 11:31:36 +0200 Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" diff --git a/SOURCES/0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/SOURCES/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch similarity index 91% rename from SOURCES/0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch rename to SOURCES/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch index c17c6d7..02d0290 100644 --- a/SOURCES/0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +++ b/SOURCES/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch @@ -1,4 +1,4 @@ -From d3d9a0ea8cdd6a8438a878a859ca0cd416c42ad6 Mon Sep 17 00:00:00 2001 +From de3d6fb999bd464f08c11b879cb4587295f3c0b1 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 24 Jun 2020 11:40:09 +0200 Subject: [PATCH] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent @@ -31,10 +31,10 @@ Signed-off-by: Miroslav Rezanina 2 files changed, 18 insertions(+) diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c -index f6ea8b2bbf..1fd5e187fb 100644 +index b55b6c12d2..0be885c391 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c 
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c -@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -29,6 +29,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include @@ -42,7 +42,7 @@ index f6ea8b2bbf..1fd5e187fb 100644 #include #include #include -@@ -2691,6 +2692,22 @@ DriverEntry ( +@@ -2743,6 +2744,22 @@ DriverEntry ( CompareGuid (PcdGetPtr (PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) { DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n")); @@ -66,7 +66,7 @@ index f6ea8b2bbf..1fd5e187fb 100644 } diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf -index 7dc7a2683d..ae90070b36 100644 +index a645474bf3..dbb7a52f33 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf @@ -55,6 +55,7 @@ diff --git a/SOURCES/0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch b/SOURCES/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch similarity index 82% rename from SOURCES/0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch rename to SOURCES/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch index 293e164..24bdc73 100644 --- a/SOURCES/0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch +++ b/SOURCES/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch @@ -1,4 +1,4 @@ -From ce3ac92a202a0b845654c05449107840edf5d2f9 Mon Sep 17 00:00:00 2001 +From 3208551a4a7934a905ba33dde70bfea37c9a95af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:28:49 +0200 Subject: [PATCH] OvmfPkg: Remove EbcDxe (RHEL only) @@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina 8 files changed, 8 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index a0319c1f0a..906c1a4332 100644 +index 32f47704bc..6b6e108d11 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -613,7 +613,6 @@ +@@ -611,7 +611,6 @@ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc } 
@@ -41,10 +41,10 @@ index a0319c1f0a..906c1a4332 100644 UefiCpuPkg/CpuDxe/CpuDxe.inf OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf -index b2ab0c7773..20d31d0e2d 100644 +index 595945181c..c176043482 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf -@@ -205,7 +205,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf +@@ -212,7 +212,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -53,19 +53,19 @@ index b2ab0c7773..20d31d0e2d 100644 INF UefiCpuPkg/CpuDxe/CpuDxe.inf INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 34ad4f2777..d664b42c67 100644 +index 49540d54d0..d368aa11fe 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -753,7 +753,6 @@ +@@ -746,7 +746,6 @@ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc } - MdeModulePkg/Universal/EbcDxe/EbcDxe.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf UefiCpuPkg/CpuDxe/CpuDxe.inf - !ifdef $(CSM_ENABLE) + OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 383613e54b..236680dec2 100644 +index 0d4abb50a8..ef933def99 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -216,7 +216,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf @@ -75,21 +75,21 @@ index 383613e54b..236680dec2 100644 -INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF UefiCpuPkg/CpuDxe/CpuDxe.inf - !ifdef $(CSM_ENABLE) + INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 4278ce5e1d..2e0af7698a 100644 +index 1c4e0514ed..cf09bdf785 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -771,7 +771,6 @@ +@@ -760,7 +760,6 @@ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc } - MdeModulePkg/Universal/EbcDxe/EbcDxe.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf UefiCpuPkg/CpuDxe/CpuDxe.inf - !ifdef $(CSM_ENABLE) + OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 3cec3d0c87..3ad2fe5eee 100644 +index 23a825a012..0cd98ada5a 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -217,7 +217,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf @@ -99,12 +99,12 @@ index 3cec3d0c87..3ad2fe5eee 100644 -INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF UefiCpuPkg/CpuDxe/CpuDxe.inf - !ifdef $(CSM_ENABLE) + INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index e41a1b976e..55f6760f4c 100644 +index e50e63b3f6..098d569381 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -816,7 +816,6 @@ +@@ -805,7 +805,6 @@ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc } @@ -113,10 +113,10 @@ index e41a1b976e..55f6760f4c 100644 UefiCpuPkg/CpuDxe/CpuDxe.inf { diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 9c35b6e848..da4541d747 100644 +index 4dcd6a033c..b201505214 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -239,7 +239,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf +@@ -245,7 +245,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf 
diff --git a/SOURCES/0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch b/SOURCES/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch similarity index 77% rename from SOURCES/0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch rename to SOURCES/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch index 08372a5..c07086a 100644 --- a/SOURCES/0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch +++ b/SOURCES/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch @@ -1,4 +1,4 @@ -From 536709a91fe5d9bf5bb41bc0ae56cb3e3fa0cf5a Mon Sep 17 00:00:00 2001 +From 42becc4c97abe443d06bb128a4b7d5e279842715 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:28:59 +0200 Subject: [PATCH] OvmfPkg: Remove VirtioGpu device driver (RHEL only) @@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina 8 files changed, 8 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 906c1a4332..52b0d1062c 100644 +index 6b6e108d11..5461c1290d 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -704,7 +704,6 @@ +@@ -701,7 +701,6 @@ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F } @@ -41,7 +41,7 @@ index 906c1a4332..52b0d1062c 100644 # # ISA Support diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf -index 20d31d0e2d..48cc3b00c1 100644 +index c176043482..10538a0465 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -300,7 +300,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf @@ -53,72 +53,72 @@ index 20d31d0e2d..48cc3b00c1 100644 INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index d664b42c67..d39d9e8c27 100644 +index d368aa11fe..40e78014c4 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc 
+++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -861,7 +861,6 @@ - - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F - } +@@ -838,7 +838,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } - OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf # - # ISA Support diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 236680dec2..381735165d 100644 +index ef933def99..68d59968ec 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -334,7 +334,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf - !endif +@@ -317,7 +317,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf - + INF OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 2e0af7698a..0e3de2ec5e 100644 +index cf09bdf785..6ade9aa0ef 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -879,7 +879,6 @@ - - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F - } +@@ -852,7 +852,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } - OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf # - # ISA Support diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 3ad2fe5eee..2ca10f7c5e 100644 +index 0cd98ada5a..8891d96422 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -340,7 +340,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf - !endif +@@ -323,7 +323,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 55f6760f4c..c266686361 100644 +index 098d569381..8563835ae5 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -947,7 +947,6 @@ - - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F - } +@@ -920,7 +920,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } - OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf # - # ISA Support diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index da4541d747..00b3f9d0d8 100644 +index b201505214..06ac4423da 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -367,7 +367,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf - !endif +@@ -356,7 +356,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf -INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf diff --git a/SOURCES/0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch b/SOURCES/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch similarity index 78% rename from SOURCES/0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch rename to SOURCES/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch index fe65827..9aec177 100644 --- a/SOURCES/0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch +++ b/SOURCES/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch @@ -1,4 +1,4 @@ -From ff214a87a99084bd91a04711e52ec1bffa911557 Mon Sep 17 00:00:00 2001 +From 67e5739ca9ba906914aade6b5ad84c420ad9af29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:13 +0200 Subject: [PATCH] OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL only) @@ -27,10 +27,10 @@ Signed-off-by: Miroslav Rezanina 6 files changed, 6 deletions(-) 
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index d39d9e8c27..12ed090eab 100644 +index 40e78014c4..afd2a3c5c0 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -836,7 +836,6 @@ +@@ -816,7 +816,6 @@ MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf @@ -39,22 +39,22 @@ index d39d9e8c27..12ed090eab 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 381735165d..bd69792100 100644 +index 68d59968ec..c392b96470 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -296,7 +296,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour +@@ -290,7 +290,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf -INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 0e3de2ec5e..821423cfe2 100644 +index 6ade9aa0ef..f5a4c57c8e 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -854,7 +854,6 @@ +@@ -830,7 +830,6 @@ MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf @@ -63,22 +63,22 @@ index 0e3de2ec5e..821423cfe2 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 2ca10f7c5e..4011682faf 100644 +index 8891d96422..6278daeeee 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf 
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour +@@ -291,7 +291,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf -INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index c266686361..ea3f8d73bc 100644 +index 8563835ae5..08b73a64c9 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -922,7 +922,6 @@ +@@ -898,7 +898,6 @@ MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf @@ -87,7 +87,7 @@ index c266686361..ea3f8d73bc 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 00b3f9d0d8..c53501679a 100644 +index 06ac4423da..fc4b6dd3a4 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -322,7 +322,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour @@ -96,5 +96,5 @@ index 00b3f9d0d8..c53501679a 100644 INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf -INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + 
diff --git a/SOURCES/0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch b/SOURCES/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch similarity index 87% rename from SOURCES/0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch rename to SOURCES/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch index 4a0868b..7936459 100644 --- a/SOURCES/0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch +++ b/SOURCES/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch @@ -1,4 +1,4 @@ -From 7478b17347f2119448467a0ce821a5c5f865a2c8 Mon Sep 17 00:00:00 2001 +From 9827ce562f432da36410ef0e9ce6d7971e502b99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:16 +0200 Subject: [PATCH] ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL only) @@ -24,10 +24,10 @@ Signed-off-by: Miroslav Rezanina 3 files changed, 3 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index fe7b7e1d64..f0946821c6 100644 +index 00e656d0c9..d1deccaadc 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -465,7 +465,6 @@ +@@ -464,7 +464,6 @@ MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf @@ -36,10 +36,10 @@ index fe7b7e1d64..f0946821c6 100644 # # Bds diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index 9b3e37d5c9..a997063751 100644 +index 38906004d7..7205274bed 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -84,7 +84,6 @@ READ_LOCK_STATUS = TRUE +@@ -85,7 +85,6 @@ READ_LOCK_STATUS = TRUE INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf @@ -48,10 +48,10 @@ index 9b3e37d5c9..a997063751 100644 # # Status Code Routing 
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc -index 4a43892f7d..8fa801dad6 100644 +index c7918c8cf3..9643fd5427 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc -@@ -365,7 +365,6 @@ +@@ -368,7 +368,6 @@ MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf diff --git a/SOURCES/0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch similarity index 78% rename from SOURCES/0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch rename to SOURCES/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch index f02e369..33be900 100644 --- a/SOURCES/0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +++ b/SOURCES/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -1,4 +1,4 @@ -From 42c144b94db706be6f01d5fb1537a35cc803daa8 Mon Sep 17 00:00:00 2001 +From 98e35df340a8a5cd18cb386361c7da6350c54800 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:19 +0200 Subject: [PATCH] OvmfPkg: Remove UdfDxe filesystem driver (RHEL only) @@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina 8 files changed, 8 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 52b0d1062c..41953c119d 100644 +index 5461c1290d..cf1ad83e09 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -681,7 +681,6 @@ +@@ -679,7 +679,6 @@ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf @@ -41,22 +41,22 @@ index 52b0d1062c..41953c119d 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf 
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf -index 48cc3b00c1..2f03c80ffd 100644 +index 10538a0465..c56c98dc85 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf -@@ -274,7 +274,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf +@@ -280,7 +280,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf INF FatPkg/EnhancedFatDxe/Fat.inf -INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf + INF OvmfPkg/AmdSev/Grub/Grub.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 12ed090eab..07176ad930 100644 +index afd2a3c5c0..d8ae542686 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -835,7 +835,6 @@ +@@ -815,7 +815,6 @@ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf @@ -65,22 +65,22 @@ index 12ed090eab..07176ad930 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index bd69792100..97c808446e 100644 +index c392b96470..0ffa3be750 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf 
+++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -295,7 +295,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf +@@ -289,7 +289,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf INF FatPkg/EnhancedFatDxe/Fat.inf -INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 821423cfe2..ba7ed38412 100644 +index f5a4c57c8e..52ac2c96fc 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -853,7 +853,6 @@ +@@ -829,7 +829,6 @@ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf @@ -89,22 +89,22 @@ index 821423cfe2..ba7ed38412 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 4011682faf..6351ce645b 100644 +index 6278daeeee..c4f3ec0735 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -296,7 +296,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf +@@ -290,7 +290,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf INF FatPkg/EnhancedFatDxe/Fat.inf -INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index ea3f8d73bc..55f3315241 100644 +index 08b73a64c9..f76d0ef7bc 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -921,7 +921,6 @@ +@@ -897,7 +897,6 @@ MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf @@ -113,7 +113,7 @@ index ea3f8d73bc..55f3315241 100644 MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index c53501679a..558a944f20 100644 +index fc4b6dd3a4..bedd85ef7a 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -321,7 +321,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf @@ -122,5 +122,5 @@ index c53501679a..558a944f20 100644 INF FatPkg/EnhancedFatDxe/Fat.inf -INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" - INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF MdeModulePkg/Logo/LogoDxe.inf + diff --git a/SOURCES/0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch similarity index 88% rename from SOURCES/0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch rename to SOURCES/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch index 7ca5b53..a0c6376 100644 --- a/SOURCES/0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +++ b/SOURCES/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -1,4 +1,4 @@ -From 34b2ee906d0cce11a8156105777b6ecfaca5feba Mon Sep 17 00:00:00 2001 +From 9b039f2eb195f37b724f86efc31c8a4d6abd217d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:22 +0200 Subject: [PATCH] ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only) @@ -24,10 +24,10 @@ Signed-off-by: Miroslav Rezanina 3 files changed, 3 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc -index f0946821c6..68ad5877ee 100644 +index d1deccaadc..f91bb09fa3 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc -@@ -464,7 +464,6 @@ +@@ -463,7 +463,6 @@ MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf @@ -36,10 +36,10 @@ index f0946821c6..68ad5877ee 100644 # # Bds diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index a997063751..dcb1b793d1 100644 +index 7205274bed..24a9dac2fd 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -83,7 +83,6 @@ READ_LOCK_STATUS = TRUE +@@ -84,7 +84,6 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf INF FatPkg/EnhancedFatDxe/Fat.inf INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf @@ -48,10 +48,10 @@ index a997063751..dcb1b793d1 100644 # # Status Code Routing diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc -index 8fa801dad6..87e54e682a 100644 +index 9643fd5427..c2825aa4c2 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc -@@ -364,7 +364,6 @@ +@@ -367,7 +367,6 @@ MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf diff --git a/SOURCES/0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch deleted file mode 100644 index 72b0598..0000000 
--- a/SOURCES/0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From aac73e5f62e2305e6578c9b22ae557741bf6532a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 1 Jul 2021 20:29:25 +0200 -Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Philippe Mathieu-Daudé -RH-MergeRequest: 3: Disable features for RHEL9 -RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0 -RH-Bugzilla: 1967747 -RH-Acked-by: Laszlo Ersek - -Remove the command to download files in the shell via TFTP. - -Suggested-by: Laszlo Ersek -Signed-off-by: Philippe Mathieu-Daudé -Signed-off-by: Miroslav Rezanina ---- - OvmfPkg/OvmfPkgIa32.dsc | 4 ---- - OvmfPkg/OvmfPkgIa32.fdf | 1 - - OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- - OvmfPkg/OvmfPkgIa32X64.fdf | 1 - - OvmfPkg/OvmfPkgX64.dsc | 4 ---- - OvmfPkg/OvmfPkgX64.fdf | 1 - - 6 files changed, 15 deletions(-) - -diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 07176ad930..0183511722 100644 ---- a/OvmfPkg/OvmfPkgIa32.dsc -+++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -913,10 +913,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 97c808446e..cb95c842fa 100644 ---- a/OvmfPkg/OvmfPkgIa32.fdf -+++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf - INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF 
OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif -diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index ba7ed38412..66554b42ed 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.dsc -+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -931,10 +931,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 6351ce645b..592f0fed82 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.fdf -+++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf - INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif -diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 55f3315241..6d1d2bd39b 100644 ---- a/OvmfPkg/OvmfPkgX64.dsc -+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -999,10 +999,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 558a944f20..70556f8ace 100644 ---- a/OvmfPkg/OvmfPkgX64.fdf -+++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -323,7 +323,6 @@ INF 
MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf - INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif diff --git a/SOURCES/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..5c57a7d --- /dev/null +++ b/SOURCES/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch 
@@ -0,0 +1,55 @@ +From d417cfeb0ed76b3187b44e2491611f55d6de33b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:25 +0200 +Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ---- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index 4075688e41..3663938054 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -6,10 +6,6 @@ + + !if $(TOOL_CHAIN_TAG) != "XCODE5" + !if $(NETWORK_ENABLE) == TRUE +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index 38f69747b0..1637083ff1 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -6,7 +6,6 @@ + + !if $(TOOL_CHAIN_TAG) != "XCODE5" + !if $(NETWORK_ENABLE) == TRUE +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + 
!endif + INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf diff --git a/SOURCES/0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch b/SOURCES/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch similarity index 90% rename from SOURCES/0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch rename to SOURCES/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch index dd84bce..ff09c46 100644 --- a/SOURCES/0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch +++ b/SOURCES/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch @@ -1,4 +1,4 @@ -From a3493c0945f733e395ea7444f1639a42f8a717f0 Mon Sep 17 00:00:00 2001 +From b548dd4acf23412e9266be15d65d7f8cfccbf028 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:28 +0200 Subject: [PATCH] ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL only) @@ -23,10 +23,10 @@ Signed-off-by: Miroslav Rezanina 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc -index fe6488ee99..5677bad717 100644 +index 7044790a1e..ee98673e98 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc -@@ -385,10 +385,9 @@ +@@ -391,10 +391,9 @@ # MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf @@ -41,10 +41,10 @@ index fe6488ee99..5677bad717 100644 gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index dcb1b793d1..b1c3fcc66d 100644 +index 24a9dac2fd..1341de0a2f 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -99,7 +99,6 @@ READ_LOCK_STATUS = TRUE +@@ -100,7 +100,6 @@ READ_LOCK_STATUS = TRUE INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf INF ShellPkg/Application/Shell/Shell.inf 
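Review bot: The rewritten TFTP removal takes effect only where a platform pulls in `ShellComponents.dsc.inc` and `ShellDxe.fdf.inc`, and the new commit message does not state which platform builds that covers. The version it replaces edited the `OvmfPkgIa32`, `OvmfPkgIa32X64` and `OvmfPkgX64` files by name, so the scope was visible; a platform file that still lists `TftpDynamicCommand.inf` directly would keep the download command in the shell (none is visible in this diff, so this needs confirming against the rebased tree). I would extend the rebase note with `covers every platform that includes ShellComponents.dsc.inc and ShellDxe.fdf.inc` and confirm that the built images no longer reference the module. The same point applies to the rewritten HttpDynamicCommand and LinuxInitrdDynamicShellCommand patches further down; the LinuxInitrd one previously also touched `OvmfPkg/AmdSev/AmdSevX64.dsc` and `.fdf`, which the rewrite no longer lists.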
diff --git a/SOURCES/0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch deleted file mode 100644 index bca6390..0000000 --- a/SOURCES/0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 873a03ce289c988d822f1bb420c1e9a0eef5ca56 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 1 Jul 2021 20:29:31 +0200 -Subject: [PATCH] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Rebase to edk2-stable202311: - -Minor update, context change due to new variable policy shell command. - -RH-Author: Philippe Mathieu-Daudé -RH-MergeRequest: 3: Disable features for RHEL9 -RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e -RH-Bugzilla: 1967747 -RH-Acked-by: Laszlo Ersek - -Remove the command to download files in the shell via HTTP(S). - -Suggested-by: Laszlo Ersek -Signed-off-by: Philippe Mathieu-Daudé -Signed-off-by: Miroslav Rezanina ---- - OvmfPkg/OvmfPkgIa32.dsc | 4 ---- - OvmfPkg/OvmfPkgIa32.fdf | 1 - - OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- - OvmfPkg/OvmfPkgIa32X64.fdf | 1 - - OvmfPkg/OvmfPkgX64.dsc | 4 ---- - OvmfPkg/OvmfPkgX64.fdf | 1 - - 6 files changed, 15 deletions(-) - -diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 0183511722..970ffbad82 100644 ---- a/OvmfPkg/OvmfPkgIa32.dsc -+++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -913,10 +913,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index cb95c842fa..891e0e06ef 100644 ---- a/OvmfPkg/OvmfPkgIa32.fdf -+++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF 
ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE -diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 66554b42ed..3127e3d18d 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.dsc -+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -931,10 +931,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 592f0fed82..61a827b365 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.fdf -+++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE -diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 6d1d2bd39b..6f078b5b27 100644 ---- a/OvmfPkg/OvmfPkgX64.dsc -+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -999,10 +999,6 @@ - !endif - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 70556f8ace..d2e1c2894f 100644 ---- a/OvmfPkg/OvmfPkgX64.fdf -+++ 
b/OvmfPkg/OvmfPkgX64.fdf -@@ -323,7 +323,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf - INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE diff --git a/SOURCES/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..9e5ba58 --- /dev/null +++ b/SOURCES/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch 
@@ -0,0 +1,63 @@ +From 8a68c775e8ba00da3d725396fd8c78f67fbc8697 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:31 +0200 +Subject: [PATCH] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via HTTP(S). + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 6 ------ + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 3 --- + 2 files changed, 9 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index 3663938054..a568f1ecc5 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -5,12 +5,6 @@ + !if $(BUILD_SHELL) == TRUE + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-!if $(NETWORK_ENABLE) == TRUE +- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } +-!endif + ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index 1637083ff1..c0118a46e2 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -5,9 +5,6 @@ + !if $(BUILD_SHELL) == TRUE && 
$(SECURE_BOOT_ENABLE) == FALSE + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-!if $(NETWORK_ENABLE) == TRUE +-INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf +-!endif + INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif diff --git a/SOURCES/0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch b/SOURCES/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch similarity index 90% rename from SOURCES/0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch rename to SOURCES/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch index 9693c1d..331cf73 100644 --- a/SOURCES/0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch +++ b/SOURCES/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch @@ -1,4 +1,4 @@ -From 4b212f0b5f5d2dbe595e53bc0b553abb90ee288a Mon Sep 17 00:00:00 2001 +From 1f15cf34691e2f9604ee6efe142c2d710aad579c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:34 +0200 Subject: [PATCH] ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL only) @@ -27,10 +27,10 @@ Signed-off-by: Miroslav Rezanina 2 files changed, 5 deletions(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc -index 5677bad717..d4c001e1bd 100644 +index ee98673e98..996b4ddfc4 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc -@@ -388,10 +388,6 @@ +@@ -394,10 +394,6 @@ # # UEFI application (Shell Embedded Boot Loader) # @@ -42,10 +42,10 @@ index 5677bad717..d4c001e1bd 100644 gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index b1c3fcc66d..8153558686 100644 +index 1341de0a2f..b49bf7ad4e 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc 
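Review bot: The `ShellComponents.dsc.inc` and `ShellDxe.fdf.inc` hunks drop the `!if $(NETWORK_ENABLE) == TRUE` / `!endif` pair together with `HttpDynamicCommand.inf`, while the LinuxInitrdDynamicShellCommand patch in this series says the empty conditional context is kept on purpose to ease rebases. Either convention works, but the series should follow one; if the wrapper is removed deliberately here, a line in the rebase note such as `drop the now-empty NETWORK_ENABLE conditional` would record that. This is a style point only; the built result is the same either way.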
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -99,7 +99,6 @@ READ_LOCK_STATUS = TRUE +@@ -100,7 +100,6 @@ READ_LOCK_STATUS = TRUE INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf INF ShellPkg/Application/Shell/Shell.inf diff --git a/SOURCES/0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch b/SOURCES/0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch deleted file mode 100644 index 1f53b26..0000000 --- a/SOURCES/0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch +++ /dev/null 
@@ -1,315 +0,0 @@ -From 3635ecb975af26d0d4886b862f8cf812b891eb37 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 1 Jul 2021 20:29:39 +0200 -Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Rebase to edk2-stable202311: - -Minor update, context change due to new variable policy shell command. - -RH-Author: Philippe Mathieu-Daudé -RH-MergeRequest: 3: Disable features for RHEL9 -RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14 -RH-Bugzilla: 1967747 -RH-Acked-by: Laszlo Ersek - -Remove the command to register a file in the shell as the -initial ramdisk for a UEFI stubbed kernel, to be booted next. - -Note: as further dynamic shell commands might show up upstream, -we intentionally preserve the empty !ifdef'ry context to ease -future downstream rebases. - -Suggested-by: Laszlo Ersek -Signed-off-by: Philippe Mathieu-Daudé -Signed-off-by: Miroslav Rezanina ---- - OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ---- - OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - - OvmfPkg/OvmfPkgIa32.dsc | 32 ++++++++++++++------------------ - OvmfPkg/OvmfPkgIa32.fdf | 1 - - OvmfPkg/OvmfPkgIa32X64.dsc | 32 ++++++++++++++------------------ - OvmfPkg/OvmfPkgIa32X64.fdf | 1 - - OvmfPkg/OvmfPkgX64.dsc | 32 ++++++++++++++------------------ - OvmfPkg/OvmfPkgX64.fdf | 1 - - 8 files changed, 42 insertions(+), 62 deletions(-) - -diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 41953c119d..7bb6ffb3f0 100644 ---- a/OvmfPkg/AmdSev/AmdSevX64.dsc -+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -740,10 +740,6 @@ - MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE -- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - !endif - OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf - 
OvmfPkg/AmdSev/Grub/Grub.inf -diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf -index 2f03c80ffd..0e3d7bea2b 100644 ---- a/OvmfPkg/AmdSev/AmdSevX64.fdf -+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf -@@ -276,7 +276,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE --INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf - INF OvmfPkg/AmdSev/Grub/Grub.inf -diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 970ffbad82..83adecc374 100644 ---- a/OvmfPkg/OvmfPkgIa32.dsc -+++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -537,7 +537,7 @@ - # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may - # // significantly impact boot performance - # DEBUG_ERROR 0x80000000 // Error -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - - !if $(SOURCE_DEBUG_ENABLE) == TRUE - gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 -@@ -604,7 +604,7 @@ - # ($(SMM_REQUIRE) == FALSE) - gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 - -- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE - !if $(SMM_REQUIRE) == FALSE - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 -@@ -840,25 +840,25 @@ - MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf - MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf - MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf -- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - 
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf - MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf - MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf - - !ifndef $(CSM_ENABLE) -- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif -- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - - # - # ISA Support -@@ -917,10 +917,6 @@ - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE - } -- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - !endif - !if $(BUILD_SHELL) == TRUE - ShellPkg/Application/Shell/Shell.inf { -diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 891e0e06ef..88c57ff5ff 100644 ---- a/OvmfPkg/OvmfPkgIa32.fdf -+++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE - INF ShellPkg/Application/Shell/Shell.inf -diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 3127e3d18d..b47cdf63e7 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.dsc -+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -544,7 +544,7 @@ - # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may - # // significantly impact boot performance - # DEBUG_ERROR 0x80000000 // Error -- 
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - - !if $(SOURCE_DEBUG_ENABLE) == TRUE - gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 -@@ -616,7 +616,7 @@ - # ($(SMM_REQUIRE) == FALSE) - gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 - -- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE - !if $(SMM_REQUIRE) == FALSE - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 -@@ -858,25 +858,25 @@ - MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf - MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf - MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf -- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf - MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf - MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf - - !ifndef $(CSM_ENABLE) -- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif -- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - - # - # ISA Support -@@ -935,10 +935,6 @@ - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE - } -- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf 
{ -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - !endif - !if $(BUILD_SHELL) == TRUE - ShellPkg/Application/Shell/Shell.inf { -diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 61a827b365..ab5a9bc306 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.fdf -+++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE - INF ShellPkg/Application/Shell/Shell.inf -diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 6f078b5b27..be3824ec1e 100644 ---- a/OvmfPkg/OvmfPkgX64.dsc -+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -563,7 +563,7 @@ - # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may - # // significantly impact boot performance - # DEBUG_ERROR 0x80000000 // Error -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F - - !if $(SOURCE_DEBUG_ENABLE) == TRUE - gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 -@@ -634,7 +634,7 @@ - # ($(SMM_REQUIRE) == FALSE) - gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 - -- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE -+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE - !if $(SMM_REQUIRE) == FALSE - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 - gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0 -@@ -926,25 +926,25 @@ - MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf - MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf - MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf -- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ 
MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf - MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf - MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf - - !ifndef $(CSM_ENABLE) -- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - !endif -- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -- -- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -- } -+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { -+ -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F -+ } - - # - # ISA Support -@@ -1003,10 +1003,6 @@ - - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE - } -- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { -- -- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE -- } - !endif - !if $(BUILD_SHELL) == TRUE - ShellPkg/Application/Shell/Shell.inf { -diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index d2e1c2894f..851399888f 100644 ---- a/OvmfPkg/OvmfPkgX64.fdf -+++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -323,7 +323,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour - INF FatPkg/EnhancedFatDxe/Fat.inf - - !if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" --INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf - !endif - !if $(BUILD_SHELL) == TRUE - INF ShellPkg/Application/Shell/Shell.inf diff --git a/SOURCES/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch b/SOURCES/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch new file mode 100644 index 0000000..c457ccc --- /dev/null 
+++ b/SOURCES/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch 
@@ -0,0 +1,64 @@ +From cd1746c9920e93bf40994172881bc13cf185991c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:39 +0200 +Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to register a file in the shell as the +initial ramdisk for a UEFI stubbed kernel, to be booted next. + +Note: as further dynamic shell commands might show up upstream, +we intentionally preserve the empty !ifdef'ry context to ease +future downstream rebases. 
+ +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ---- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index a568f1ecc5..f7e0f5e90e 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -9,10 +9,6 @@ + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE + } +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + !endif + + ShellPkg/Application/Shell/Shell.inf { +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index c0118a46e2..dced75e388 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -6,7 +6,6 @@ + + !if $(TOOL_CHAIN_TAG) != "XCODE5" + INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + + INF ShellPkg/Application/Shell/Shell.inf diff --git a/SOURCES/0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch b/SOURCES/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch similarity index 90% rename from SOURCES/0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch rename to SOURCES/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch index 70e80af..2eb4418 100644 --- a/SOURCES/0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch +++ b/SOURCES/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch @@ -1,4 +1,4 @@ -From b91bdc055499a46d825b3c6a2613de5c77e3a66d Mon Sep 17 00:00:00 2001 +From ec9c5e512252964f28c493d10b9f484b88c87c13 Mon Sep 17 00:00:00 2001 
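Review bot: The note `we intentionally preserve the empty !ifdef'ry context` in the commit message no longer matches the rewritten hunks: after the removal the `!if $(TOOL_CHAIN_TAG) != "XCODE5"` block in `ShellDxe.fdf.inc` still holds `VariablePolicyDynamicCommand.inf`, and the `.dsc.inc` hunk keeps a module block before `!endif`, so no empty conditional is left. I would drop that paragraph or reword it, for example `Note: the XCODE5 conditional stays because VariablePolicyDynamicCommand still lives in it.` A stale note is easy to misread on the next rebase as a reason to keep dead conditionals.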
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 1 Jul 2021 20:29:46 +0200 Subject: [PATCH] ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) @@ -28,10 +28,10 @@ Signed-off-by: Miroslav Rezanina 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc -index d4c001e1bd..fee6e5b17f 100644 +index 996b4ddfc4..2561e10ff5 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc -@@ -385,17 +385,13 @@ +@@ -391,17 +391,13 @@ # MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf @@ -53,10 +53,10 @@ index d4c001e1bd..fee6e5b17f 100644 ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -index 8153558686..4cd53995d2 100644 +index b49bf7ad4e..753afd799b 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc -@@ -100,7 +100,6 @@ READ_LOCK_STATUS = TRUE +@@ -101,7 +101,6 @@ READ_LOCK_STATUS = TRUE INF ShellPkg/Application/Shell/Shell.inf INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf diff --git a/SOURCES/0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch b/SOURCES/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch similarity index 89% rename from SOURCES/0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch rename to SOURCES/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch index 38cbdbd..97dd035 100644 --- a/SOURCES/0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch +++ b/SOURCES/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch @@ -1,4 +1,4 @@ -From 41089770963055b4bc9662ba4204d8ee7907fbcd Mon Sep 17 00:00:00 2001 +From 3d02fb6da82331176952e480160223136679ce74 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 28 Feb 2023 15:47:00 +0100 Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug 
@@ -22,10 +22,10 @@ location_in_specfile: 38 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c -index 9a6ec5db5c..14ecc62f2b 100644 +index d724456502..c478878bb0 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c -@@ -527,7 +527,9 @@ CollectProcessorCount ( +@@ -534,7 +534,9 @@ CollectProcessorCount ( // // Enable x2APIC mode if // 1. Number of CPU is greater than 255; or @@ -36,7 +36,7 @@ index 9a6ec5db5c..14ecc62f2b 100644 // X2Apic = FALSE; if (CpuMpData->CpuCount > 255) { -@@ -535,6 +537,10 @@ CollectProcessorCount ( +@@ -542,6 +544,10 @@ CollectProcessorCount ( // If there are more than 255 processor found, force to enable X2APIC // X2Apic = TRUE; diff --git a/SOURCES/0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch b/SOURCES/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch similarity index 94% rename from SOURCES/0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch rename to SOURCES/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch index 7d0e99a..8148351 100644 --- a/SOURCES/0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +++ b/SOURCES/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch @@ -1,4 +1,4 @@ -From 5870362631ee204936f495b8e60eb2611bb05c3b Mon Sep 17 00:00:00 2001 +From c916516d37fb50c187020bd01da21cca85c8e83a Mon Sep 17 00:00:00 2001 From: Oliver Steffen Date: Wed, 16 Aug 2023 12:09:40 +0200 Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) @@ -27,7 +27,7 @@ location_in_specfile: 44 2 files changed, 44 insertions(+) diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c -index db3675ae86..f639c093a2 100644 +index d497a343d3..0eb88e50ff 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c @@ -19,6 +19,7 @@ 
@@ -36,7 +36,7 @@ index db3675ae86..f639c093a2 100644 #include +#include #include - #include + #include #include @@ -28,6 +29,10 @@ // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h diff --git a/SOURCES/0027-recreate-import-.distro-directory.patch b/SOURCES/0027-recreate-import-.distro-directory.patch deleted file mode 100644 index ae5c67e..0000000 --- a/SOURCES/0027-recreate-import-.distro-directory.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 771ce5bae1eb03240b04dde05a7a40dcec3c8a10 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Wed, 11 Jun 2014 20:45:26 +0200 -Subject: [PATCH] recreate / import ".distro/" directory - -This patch now unites the following downstream commits: - -- 18bd1193e7 .distro: simplify WORKSPACE setup -- b00f3398c8 fix tpm build options -- e032ab1675 spec: Centralize non-firmware %install files at the top -- 8501863acc spec: Don't put build output in the top directory -- e6ec0363d3 spec: Factor out OVMF_FLAGS and OVMF_SB_FLAGS -- 596f34c8b6 spec: Use %make_build macro -- 55169e466d spec: Replace RPM_BUILD_ROOT with %{buildroot} -- 69c4c60920 spec: Split out build_iso() function -- ed67da8c85 spec: Add %{qosb_testing} macro -- 44519f5b94 spec: Move %check to between %install and %files -- b37b334dc7 spec: Remove extra 'true' at end of %check -- dd11149c3a spec: Add %{qemu_package} and %{qemu_binary} -- 0f5d4ae0d5 spec: Move -D TPM_ENABLE to common CC_FLAGS -- 84b3fd93f9 spec: Replace ifarch+else conditionals with build_XXX variables -- e97f79e744 spec: Use %autosetup with our required git config options -- 45a347a759 spec: don't conditionalize %package definitions -- acfcfaea1e spec: Add BuildRequires: make -- d917a93f6f spec: remove Group: and %defattr -- f2d3be3ae3 redhat: build UefiShell.iso with xorriso rather than genisoimage -- 3fb4a20f30 redhat: narrow the "qemu-kvm" BuildRequires down to "qemu-kvm-core" -- bfb89c4ae5 redhat: drop Split tool from the edk2-tools subpackage -- ac8be2e0ef redhat: refresh "Makefile.common" for the 8.5 rebase -- 2bd2d18864 redhat: filter out jansson submodule removal hunks -- f13d7899ed recreate / import "redhat/" directory - -Merged patches (edk2-stable202202): -- 1a7b1c3b72 spec: adapt specfile to build option changes, disable tpm1 -- 96eb388be3 spec: build amdsev variant -- ea34352d41 redhat: bump OpenSSL dist-git submodule to a75722161d20 / RHEL-8.5 - -Merged patches (edk2-stable202208): -- a60bf3fd10 Adding support 
for CentOS 9 build -- d3f25d438c OvmfPkg: Update target machines config -- d63f783930 openssl: jump to 8.7.0 branch (2022-07-22) -- 39882ce96d qemu-ovmf-secureboot: Do not use submodule -- 283ef4a67d ovmf-vars-generator: Use max cpu -- b6887ef7e1 Update build target to RHEL 9.2.0 - -Signed-off-by: Miroslav Rezanina - -Merged patches (edk2-stable202305): -- 5eef16bd65 remove amd-sev feature flag from secure boot builds (rh only) -- cc9e1b6eaa build script update -- 046c1f08e6 PcdDxeNxMemoryProtectionPolicy update -- b9dc1b5365 add aarch64 qcow2 images -- f4e2d6bf41 update json files -- be03b42128 add libvirt version conflict -- dce699b61d add dbx update blob (rh only) -- d8b2407343 spec: apply dbx update (rh only) -- a8a5ef95b5 dbx update, 2023-05-09, black lotus edition -- 310e179053 json descriptors: explicitly set mode = split -- additionally - - update frh.py, add new upstream submodules - - replace egrep with grep -E and fgrep with grep -F in downstream - scripts - - remove git commit sha from package version string - -Signed-off-by: Oliver Steffen - -Rebase to edk2-stable202311: squash commits: - -- 5b833f0c8d Update TargetRelease to support 9.4.0 -- 20024b4cbe Use fixed length for short hash for Makefile -- 8618f7367e Updated TargetRelease content to support 9.4.0 only. - -Signed-off-by: Gerd Hoffmann ---- - sources | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 sources - -diff --git a/sources b/sources -new file mode 100644 -index 0000000000..ea8c8ad50b ---- /dev/null -+++ b/sources -@@ -0,0 +1 @@ -+SHA512 (edk2-ba91d0292e.tar.xz) = 3b21cc39671d28bfeb059da3683751cc5277c63a894b2a05bdfbd2bbe53545c34f04c229becf44f1563f89a738f37ae8f2333076d126a7e94d234bc4bb25454c 
diff --git a/SOURCES/0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch b/SOURCES/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch similarity index 92% rename from SOURCES/0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch rename to SOURCES/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch index 6dc5aba..8b0a962 100644 --- a/SOURCES/0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch +++ b/SOURCES/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch @@ -1,4 +1,4 @@ -From 192cc2b49dbccc59f5731e2abc120bed3e06cc32 Mon Sep 17 00:00:00 2001 +From 7a07b2f16eabf460891a21c05b30cd9c2f875a2a Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 28 Aug 2023 13:11:02 +0200 Subject: [PATCH] CryptoPkg/CrtLib: add stat.h include file. diff --git a/SOURCES/0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch b/SOURCES/0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch deleted file mode 100644 index 05681df..0000000 --- a/SOURCES/0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch +++ /dev/null @@ -1,27 +0,0 @@ -From c0347206c55c9d4d69b46725e9edbb21448f7494 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 28 Nov 2023 12:11:55 +0100 -Subject: [PATCH] distro: apply 'git diff c9s new_c9s' by mirek - -Bring .distro toi latest standards for more automatic support. ---- - CryptoPkg/.gitignore | 1 - - sources | 1 - - 2 files changed, 2 deletions(-) - delete mode 100644 CryptoPkg/.gitignore - delete mode 100644 sources - -diff --git a/CryptoPkg/.gitignore b/CryptoPkg/.gitignore -deleted file mode 100644 -index 68b83272b7..0000000000 ---- a/CryptoPkg/.gitignore -+++ /dev/null -@@ -1 +0,0 @@ --Library/OpensslLib/openssl*/ -diff --git a/sources b/sources -deleted file mode 100644 -index ea8c8ad50b..0000000000 ---- a/sources -+++ /dev/null -@@ -1 +0,0 @@ --SHA512 (edk2-ba91d0292e.tar.xz) = 3b21cc39671d28bfeb059da3683751cc5277c63a894b2a05bdfbd2bbe53545c34f04c229becf44f1563f89a738f37ae8f2333076d126a7e94d234bc4bb25454c 
diff --git a/SOURCES/0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch b/SOURCES/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch similarity index 93% rename from SOURCES/0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch rename to SOURCES/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch index ea93ae7..b32c5bd 100644 --- a/SOURCES/0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch +++ b/SOURCES/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch @@ -1,4 +1,4 @@ -From 09ccd0ffae512d7f0a7548cdfbc60e1482153796 Mon Sep 17 00:00:00 2001 +From 168cfe83b250d3166817549c1e96e6b1f02bcab4 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 28 Aug 2023 13:27:09 +0200 Subject: [PATCH] CryptoPkg/CrtLib: add access/open/read/write/close syscalls diff --git a/SOURCES/edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch b/SOURCES/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch similarity index 89% rename from SOURCES/edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch rename to SOURCES/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch index 4a44211..63facbb 100644 --- a/SOURCES/edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch +++ b/SOURCES/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch @@ -1,7 +1,7 @@ -From 7b1298045185749369115719317dc92f58af92d7 Mon Sep 17 00:00:00 2001 +From 4c49c1bcb2db128cc4d2ebb29b1ac53fe3ef6b18 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 30 Jan 2024 14:04:38 +0100 -Subject: [PATCH 6/9] OvmfPkg/Sec: Setup MTRR early in the boot process. +Subject: [PATCH] OvmfPkg/Sec: Setup MTRR early in the boot process. RH-Author: Gerd Hoffmann RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. 
@@ -40,6 +40,10 @@ Message-ID: <20240130130441.772484-2-kraxel@redhat.com> due to chinese holidays and rhel-9.4 deadlines are close. QE regression testing passed. So go with upstream posted series v3 ] + +patch_name: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch +present_in_specfile: true +location_in_specfile: 49 --- OvmfPkg/IntelTdx/Sec/SecMain.c | 32 +++++++++++++++++++++ OvmfPkg/Library/PlatformInitLib/MemDetect.c | 10 +++---- @@ -47,10 +51,10 @@ Message-ID: <20240130130441.772484-2-kraxel@redhat.com> 3 files changed, 69 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c -index 42a587adfa..0daddac0a0 100644 +index 4e750755bf..7094d86159 100644 --- a/OvmfPkg/IntelTdx/Sec/SecMain.c +++ b/OvmfPkg/IntelTdx/Sec/SecMain.c -@@ -27,6 +27,8 @@ +@@ -26,6 +26,8 @@ #include #include #include @@ -59,7 +63,7 @@ index 42a587adfa..0daddac0a0 100644 #define SEC_IDT_ENTRY_COUNT 34 -@@ -48,6 +50,31 @@ IA32_IDT_GATE_DESCRIPTOR mIdtEntryTemplate = { +@@ -47,6 +49,31 @@ IA32_IDT_GATE_DESCRIPTOR mIdtEntryTemplate = { } }; @@ -91,7 +95,7 @@ index 42a587adfa..0daddac0a0 100644 VOID EFIAPI SecCoreStartupWithStack ( -@@ -204,6 +231,11 @@ SecCoreStartupWithStack ( +@@ -203,6 +230,11 @@ SecCoreStartupWithStack ( InitializeApicTimer (0, MAX_UINT32, TRUE, 5); DisableApicTimerInterrupt (); @@ -104,10 +108,10 @@ index 42a587adfa..0daddac0a0 100644 ASSERT (FALSE); diff --git a/OvmfPkg/Library/PlatformInitLib/MemDetect.c b/OvmfPkg/Library/PlatformInitLib/MemDetect.c -index 662e7e85bb..f8d7f5bf1c 100644 +index e64c0ee324..b6ba63ef95 100644 --- a/OvmfPkg/Library/PlatformInitLib/MemDetect.c +++ b/OvmfPkg/Library/PlatformInitLib/MemDetect.c -@@ -1035,18 +1035,18 @@ PlatformQemuInitializeRam ( +@@ -1164,18 +1164,18 @@ PlatformQemuInitializeRam ( MtrrGetAllMtrrs (&MtrrSettings); // @@ -132,10 +136,10 @@ index 662e7e85bb..f8d7f5bf1c 100644 // 
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c -index 31da5d0ace..3b7dc7205d 100644 +index 60dfa61842..725b57e2fa 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c -@@ -30,6 +30,8 @@ +@@ -29,6 +29,8 @@ #include #include #include @@ -144,7 +148,7 @@ index 31da5d0ace..3b7dc7205d 100644 #include "AmdSev.h" #define SEC_IDT_ENTRY_COUNT 34 -@@ -744,6 +746,31 @@ FindAndReportEntryPoints ( +@@ -743,6 +745,31 @@ FindAndReportEntryPoints ( return; } @@ -188,6 +192,3 @@ index 31da5d0ace..3b7dc7205d 100644 // // Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready. // --- -2.39.3 - diff --git a/SOURCES/0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch b/SOURCES/0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch deleted file mode 100644 index a5d2820..0000000 --- a/SOURCES/0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From 0120fb7b5877ab40537fd17e64772f53bc89cd07 Mon Sep 17 00:00:00 2001 -From: Ard Biesheuvel -Date: Mon, 4 Dec 2023 10:41:08 +0100 -Subject: [PATCH] ArmVirtQemu: Allow EFI memory attributes protocol to be - disabled - -Shim's PE loader uses the EFI memory attributes protocol in a way that -results in an immediate crash when invoking the loaded image, unless the -base and size of its executable segment are both aligned to 4k. - -If this is not the case, it will strip the memory allocation of its -executable permissions, but fail to add them back for the executable -region, resulting in non-executable code. Unfortunately, the PE loader -does not even bother invoking the protocol in this case (as it notices -the misalignment), making it very hard for system firmware to work -around this by attempting to infer the intent of the caller. - -So let's introduce a QEMU command line option to indicate that the -protocol should not be exposed at all, and a PCD to set the default for -this option when it is omitted. - -Reviewed-by: Laszlo Ersek -Tested-by: Gerd Hoffmann -Reviewed-by: Gerd Hoffmann -Link: https://gitlab.com/qemu-project/qemu/-/issues/1990 -Signed-off-by: Ard Biesheuvel -(cherry picked from commit cee7ba349c0c1ce489001a338a4e28555728b573) ---- - ArmVirtPkg/ArmVirtPkg.dec | 6 ++ - .../PlatformBootManagerLib/PlatformBm.c | 64 +++++++++++++++++++ - .../PlatformBootManagerLib.inf | 3 + - 3 files changed, 73 insertions(+) - -diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec -index 0f2d787327..313aebda90 100644 ---- a/ArmVirtPkg/ArmVirtPkg.dec -+++ b/ArmVirtPkg/ArmVirtPkg.dec -@@ -68,3 +68,9 @@ - # Cloud Hypervisor has no other way to pass Rsdp address to the guest except use a PCD. - # - gArmVirtTokenSpaceGuid.PcdCloudHvAcpiRsdpBaseAddress|0x0|UINT64|0x00000005 -+ -+ ## -+ # Whether the EFI memory attributes protocol should be uninstalled before -+ # invoking the OS loader. 
This may be needed to work around problematic -+ # builds of shim that use the protocol incorrectly. -+ gArmVirtTokenSpaceGuid.PcdUninstallMemAttrProtocol|FALSE|BOOLEAN|0x00000006 -diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c -index 85c01351b0..8e93f3cfed 100644 ---- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c -+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1111,6 +1112,49 @@ PlatformBootManagerBeforeConsole ( - FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial); - } - -+/** -+ Uninstall the EFI memory attribute protocol if it exists. -+**/ -+STATIC -+VOID -+UninstallEfiMemoryAttributesProtocol ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ EFI_HANDLE Handle; -+ UINTN Size; -+ VOID *MemoryAttributeProtocol; -+ -+ Size = sizeof (Handle); -+ Status = gBS->LocateHandle ( -+ ByProtocol, -+ &gEfiMemoryAttributeProtocolGuid, -+ NULL, -+ &Size, -+ &Handle -+ ); -+ -+ if (EFI_ERROR (Status)) { -+ ASSERT (Status == EFI_NOT_FOUND); -+ return; -+ } -+ -+ Status = gBS->HandleProtocol ( -+ Handle, -+ &gEfiMemoryAttributeProtocolGuid, -+ &MemoryAttributeProtocol -+ ); -+ ASSERT_EFI_ERROR (Status); -+ -+ Status = gBS->UninstallProtocolInterface ( -+ Handle, -+ &gEfiMemoryAttributeProtocolGuid, -+ MemoryAttributeProtocol -+ ); -+ ASSERT_EFI_ERROR (Status); -+} -+ - /** - Do the platform specific action after the console is ready - Possible things that can be done in PlatformBootManagerAfterConsole: -@@ -1129,12 +1173,32 @@ PlatformBootManagerAfterConsole ( - ) - { - RETURN_STATUS Status; -+ BOOLEAN Uninstall; - - // - // Show the splash screen. - // - BootLogoEnableLogo (); - -+ // -+ // Work around shim's terminally broken use of the EFI memory attributes -+ // protocol, by uninstalling it if requested on the QEMU command line. 
-+ // -+ // E.g., -+ // -fw_cfg opt/org.tianocore/UninstallMemAttrProtocol,string=y -+ // -+ Uninstall = FixedPcdGetBool (PcdUninstallMemAttrProtocol); -+ QemuFwCfgParseBool ("opt/org.tianocore/UninstallMemAttrProtocol", &Uninstall); -+ DEBUG (( -+ DEBUG_WARN, -+ "%a: %auninstalling EFI memory protocol\n", -+ __func__, -+ Uninstall ? "" : "not " -+ )); -+ if (Uninstall) { -+ UninstallEfiMemoryAttributesProtocol (); -+ } -+ - // - // Process QEMU's -kernel command line option. The kernel booted this way - // will receive ACPI tables: in PlatformBootManagerBeforeConsole(), we -diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf -index 997eb1a442..70e4ebf94a 100644 ---- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf -+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf -@@ -46,6 +46,7 @@ - PcdLib - PlatformBmPrintScLib - QemuBootOrderLib -+ QemuFwCfgSimpleParserLib - QemuLoadImageLib - ReportStatusCodeLib - TpmPlatformHierarchyLib -@@ -55,6 +56,7 @@ - UefiRuntimeServicesTableLib - - [FixedPcd] -+ gArmVirtTokenSpaceGuid.PcdUninstallMemAttrProtocol - gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate - gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits - gEfiMdePkgTokenSpaceGuid.PcdUartDefaultParity -@@ -73,5 +75,6 @@ - [Protocols] - gEfiFirmwareVolume2ProtocolGuid - gEfiGraphicsOutputProtocolGuid -+ gEfiMemoryAttributeProtocolGuid - gEfiPciRootBridgeIoProtocolGuid - gVirtioDeviceProtocolGuid diff --git a/SOURCES/edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch b/SOURCES/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch similarity index 83% rename from SOURCES/edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch rename to SOURCES/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch index 7d8f107..1b439a4 100644 
--- a/SOURCES/edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch +++ b/SOURCES/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch @@ -1,8 +1,7 @@ -From 08fc72d06946ef3adebf110c097ed869ab0ed416 Mon Sep 17 00:00:00 2001 +From 3124da27dc460926f40477d247e021ceeabe0be3 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 30 Jan 2024 14:04:39 +0100 -Subject: [PATCH 7/9] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache - types +Subject: [PATCH] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache types RH-Author: Gerd Hoffmann RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. @@ -14,6 +13,10 @@ Reviewed-by: Michael D Kinney Reviewed-by: Laszlo Ersek Signed-off-by: Gerd Hoffmann Message-ID: <20240130130441.772484-3-kraxel@redhat.com> + +patch_name: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch +present_in_specfile: true +location_in_specfile: 50 --- MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 7 +++++++ 1 file changed, 7 insertions(+) @@ -36,6 +39,3 @@ index 756e7c86ec..08ba949cf7 100644 /** MSR information returned for MSR indexes #MSR_IA32_MTRR_PHYSBASE0 to #MSR_IA32_MTRR_PHYSBASE9 --- -2.39.3 - diff --git a/SOURCES/edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch b/SOURCES/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch similarity index 89% rename from SOURCES/edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch rename to SOURCES/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch index 21649cf..89772d7 100644 --- a/SOURCES/edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch +++ b/SOURCES/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch @@ -1,7 +1,7 @@ -From 4d3ac0527ceb615a49214b0f7249d9198ddeb53a Mon Sep 17 00:00:00 2001 +From f015a541308b2d752c399b9ef9597c4585218032 Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann Date: Tue, 30 Jan 2024 14:04:40 +0100 -Subject: [PATCH 8/9] UefiCpuPkg/MtrrLib.h: use cache type #defines from +Subject: [PATCH] UefiCpuPkg/MtrrLib.h: use cache type #defines from ArchitecturalMsr.h RH-Author: Gerd Hoffmann @@ -14,6 +14,10 @@ Reviewed-by: Michael D Kinney Reviewed-by: Laszlo Ersek Signed-off-by: Gerd Hoffmann Message-ID: <20240130130441.772484-4-kraxel@redhat.com> + +patch_name: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch +present_in_specfile: true +location_in_specfile: 51 --- UefiCpuPkg/Include/Library/MtrrLib.h | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) @@ -64,6 +68,3 @@ index 86cc1aab3b..287d249a99 100644 typedef struct { UINT64 BaseAddress; --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch b/SOURCES/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch similarity index 77% rename from SOURCES/edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch rename to SOURCES/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch index b36b4a0..4b65bd4 100644 --- a/SOURCES/edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch +++ b/SOURCES/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch @@ -1,8 +1,7 @@ -From 0e2a3df10d784fd38ceee2f6a733032d1333281f Mon Sep 17 00:00:00 2001 +From dd543686c34fc3c6ddfafc0104066889ad9d1813 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 30 Jan 2024 14:04:41 +0100 -Subject: [PATCH 9/9] OvmfPkg/Sec: use cache type #defines from - ArchitecturalMsr.h +Subject: [PATCH] OvmfPkg/Sec: use cache type #defines from ArchitecturalMsr.h RH-Author: Gerd Hoffmann RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. @@ -13,16 +12,20 @@ RH-Commit: [4/4] 55f00e3e153ca945ca458e7abc26780a8d83ac85 (kraxel.rh/centos-src- Reviewed-by: Laszlo Ersek 
Signed-off-by: Gerd Hoffmann Message-ID: <20240130130441.772484-5-kraxel@redhat.com> + +patch_name: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch +present_in_specfile: true +location_in_specfile: 52 --- OvmfPkg/IntelTdx/Sec/SecMain.c | 2 +- OvmfPkg/Sec/SecMain.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c -index 0daddac0a0..c00b852f0e 100644 +index 7094d86159..1a19f26178 100644 --- a/OvmfPkg/IntelTdx/Sec/SecMain.c +++ b/OvmfPkg/IntelTdx/Sec/SecMain.c -@@ -70,7 +70,7 @@ SecMtrrSetup ( +@@ -69,7 +69,7 @@ SecMtrrSetup ( } DefType.Uint64 = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); @@ -32,10 +35,10 @@ index 0daddac0a0..c00b852f0e 100644 AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); } diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c -index 3b7dc7205d..aa0fa1b1ec 100644 +index 725b57e2fa..26963b924d 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c -@@ -766,7 +766,7 @@ SecMtrrSetup ( +@@ -765,7 +765,7 @@ SecMtrrSetup ( } DefType.Uint64 = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); @@ -44,6 +47,3 @@ index 3b7dc7205d..aa0fa1b1ec 100644 DefType.Bits.E = 1; /* enable */ AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); } --- -2.39.3 - diff --git a/SOURCES/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch b/SOURCES/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch new file mode 100644 index 0000000..557b11d --- /dev/null +++ b/SOURCES/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch 
@@ -0,0 +1,54 @@ +From bbd537bc6560494b0b08886364c38406b1e8107a Mon Sep 17 00:00:00 2001 +From: Sam +Date: Wed, 29 May 2024 07:46:03 +0800 +Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in + iPXE environment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH" +REF: 1904a64 + +Issue Description: +An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was: + +NetworkPkg\TcpDxe\TcpDriver.c +Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle); + +Root Cause Analysis: +The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle. + +Implemented Solution: +To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly: + +NetworkPkg\TcpDxe\TcpDriver.c +Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle); + +This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error. + +Verification: +Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment. 
+ +Cc: Doug Flick [MSFT] + +Signed-off-by: Sam Tsai [Wiwynn] +Reviewed-by: Saloni Kasbekar +(cherry picked from commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3) +--- + NetworkPkg/TcpDxe/TcpDriver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c +index 40bba4080c..c6e7c0df54 100644 +--- a/NetworkPkg/TcpDxe/TcpDriver.c ++++ b/NetworkPkg/TcpDxe/TcpDriver.c +@@ -509,7 +509,7 @@ TcpDestroyService ( + // + // Destroy the instance of the hashing protocol for this controller. + // +- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle); ++ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle); + if (EFI_ERROR (Status)) { + return EFI_UNSUPPORTED; + } diff --git a/SOURCES/0035-OvmfPkg-add-morlock-support.patch b/SOURCES/0035-OvmfPkg-add-morlock-support.patch new file mode 100644 index 0000000..1ad1a30 --- /dev/null +++ b/SOURCES/0035-OvmfPkg-add-morlock-support.patch 
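Review bot: The failure branch right after the corrected `DestroyChild` call in `TcpDestroyService` still discards `Status` and returns `EFI_UNSUPPORTED`, so a failure here leaves no trace of its real cause. Because `EFI_HANDLE` is a pointer to void, the earlier `&mHash2ServiceHandle` argument compiled without a diagnostic, and a regression of the same kind would again be silent. Logging the status before the return would make it visible, e.g. `DEBUG ((DEBUG_ERROR, "%a: Hash2 DestroyChild: %r\n", __func__, Status));`. The commit message says this corrects the earlier "NetworkPkg TcpDxe: SECURITY PATCH" change, so it is worth confirming the two are always shipped together. The body of `TcpDestroyService` continues outside the hunk, so whether `mHash2ServiceHandle` is cleared after a successful destroy cannot be checked from here.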
@@ -0,0 +1,127 @@ +From 3f8eab199430de18c1c6a98d1d0772499b17cc86 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 8 May 2024 13:14:26 +0200 +Subject: [PATCH] OvmfPkg: add morlock support + +Add dsc + fdf include files to add the MorLock drivers to the build. +Add the include files to OVMF build configurations. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit b45aff0dc9cb87f316eb17a11e5d4438175d9cca) +--- + OvmfPkg/Include/Dsc/MorLock.dsc.inc | 10 ++++++++++ + OvmfPkg/Include/Fdf/MorLock.fdf.inc | 10 ++++++++++ + OvmfPkg/OvmfPkgIa32.dsc | 1 + + OvmfPkg/OvmfPkgIa32.fdf | 1 + + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + + OvmfPkg/OvmfPkgIa32X64.fdf | 1 + + OvmfPkg/OvmfPkgX64.dsc | 1 + + OvmfPkg/OvmfPkgX64.fdf | 1 + + 8 files changed, 26 insertions(+) + create mode 100644 OvmfPkg/Include/Dsc/MorLock.dsc.inc + create mode 100644 OvmfPkg/Include/Fdf/MorLock.fdf.inc + +diff --git a/OvmfPkg/Include/Dsc/MorLock.dsc.inc b/OvmfPkg/Include/Dsc/MorLock.dsc.inc +new file mode 100644 +index 0000000000..a8c5fb24b8 +--- /dev/null ++++ b/OvmfPkg/Include/Dsc/MorLock.dsc.inc +@@ -0,0 +1,10 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++# MorLock support ++## ++ ++ SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf ++!if $(SMM_REQUIRE) == TRUE ++ SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf ++!endif +diff --git a/OvmfPkg/Include/Fdf/MorLock.fdf.inc b/OvmfPkg/Include/Fdf/MorLock.fdf.inc +new file mode 100644 +index 0000000000..20b7d6619a +--- /dev/null ++++ b/OvmfPkg/Include/Fdf/MorLock.fdf.inc +@@ -0,0 +1,10 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++# MorLock support ++## ++ ++INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf ++!if $(SMM_REQUIRE) == TRUE ++INF SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf ++!endif +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index d8ae542686..65a866ae0c 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -887,6 +887,7 
@@ + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc + + !if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 0ffa3be750..10eb6fe72b 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -355,6 +355,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc + + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE + INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 52ac2c96fc..679e25501b 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -901,6 +901,7 @@ + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc + + !if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index c4f3ec0735..ff06bbfc6f 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -362,6 +362,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc + + ################################################################################ + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index f76d0ef7bc..d294fd4625 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -969,6 +969,7 @@ + 
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc + + !if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index bedd85ef7a..f3b787201f 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -402,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc + + ################################################################################ + diff --git a/SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch b/SOURCES/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch similarity index 65% rename from SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch rename to SOURCES/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch index 31c78e0..653b277 100644 --- a/SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch +++ b/SOURCES/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch 
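Review bot: The new `MorLock.dsc.inc` and `MorLock.fdf.inc` pull in `TcgMorLockSmm.inf` only under `!if $(SMM_REQUIRE) == TRUE`, and their header comment (`MorLock support`) does not say what a build without SMM ends up with. As far as these include files show, such a build gets `TcgMor.inf` alone, so the memory-overwrite request would be present without the lock driver added here. If that is intended, state it in the header, e.g. `# TcgMorLockSmm is built only with SMM_REQUIRE; other builds get TcgMor without this lock driver.` The diffstat lists only the OvmfPkgIa32, OvmfPkgIa32X64 and OvmfPkgX64 platform files, so it is also worth confirming that no other OVMF platform description was meant to include them.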
@@ -1,54 +1,36 @@ -From a0f61781d9d7d816363704823688ba251fe7e0ba Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 20 Jun 2024 10:32:29 -0400 -Subject: [PATCH 4/8] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check - CPUID +From 3899f089b8197f52ca63fe1561f8e5e1341f8198 Mon Sep 17 00:00:00 2001 +From: Pedro Falcato +Date: Tue, 22 Nov 2022 22:31:03 +0000 +Subject: [PATCH] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [4/8] 4fe23181254479e4a0f1abd31cedabacaec22944 +RDRAND has notoriously been broken many times over its lifespan. +Add a smoketest to RDRAND, in order to better sniff out potential +security concerns. -JIRA: https://issues.redhat.com/browse/RHEL-40270 -Upstream: Merged -CVE: CVE-2023-45237 +Also add a proper CPUID test in order to support older CPUs which may +not have it; it was previously being tested but then promptly ignored. -commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a -Author: Pedro Falcato -Date: Tue Nov 22 22:31:03 2022 +0000 +Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c +:x86_init_rdrand() per commit 049f9ae9.. - MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID +Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection +code to MIT and the public domain. - RDRAND has notoriously been broken many times over its lifespan. - Add a smoketest to RDRAND, in order to better sniff out potential - security concerns. +>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld wrote: + <..> +> I (re)wrote that function in Linux. I hereby relicense it as MIT, and +> also place it into public domain. Do with it what you will now. +> +> Jason - Also add a proper CPUID test in order to support older CPUs which may - not have it; it was previously being tested but then promptly ignored. 
+BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163 - Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c - :x86_init_rdrand() per commit 049f9ae9.. - - Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection - code to MIT and the public domain. - - >On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld wrote: - <..> - > I (re)wrote that function in Linux. I hereby relicense it as MIT, and - > also place it into public domain. Do with it what you will now. - > - > Jason - - BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163 - - Signed-off-by: Pedro Falcato - Cc: Michael D Kinney - Cc: Liming Gao - Cc: Zhiguang Liu - Cc: Jason A. Donenfeld - -Signed-off-by: Jon Maloy +Signed-off-by: Pedro Falcato +Cc: Michael D Kinney +Cc: Liming Gao +Cc: Zhiguang Liu +Cc: Jason A. Donenfeld +(cherry picked from commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a) --- MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 8 deletions(-) @@ -208,6 +190,3 @@ index 9bd68352f9..06d2a6f12d 100644 } /** --- -2.39.3 - diff --git a/SOURCES/0037-SecurityPkg-RngDxe-add-rng-test.patch b/SOURCES/0037-SecurityPkg-RngDxe-add-rng-test.patch new file mode 100644 index 0000000..b894821 --- /dev/null +++ b/SOURCES/0037-SecurityPkg-RngDxe-add-rng-test.patch 
@@ -0,0 +1,43 @@ +From 4947d363211159647e9266fa20ad9d4c8bc52f71 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 31 May 2024 09:49:13 +0200 +Subject: [PATCH] SecurityPkg/RngDxe: add rng test + +Check whenever RngLib actually returns random numbers, only return +a non-zero number of Algorithms if that is the case. + +This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL +only in case it can actually deliver random numbers. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit a61bc0accb8a76edba4f073fdc7bafc908df045d) +--- + SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +index 5723ed6957..8b0742bab6 100644 +--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c ++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +@@ -23,6 +23,7 @@ + + #include + #include ++#include + + #include "RngDxeInternals.h" + +@@ -43,7 +44,12 @@ GetAvailableAlgorithms ( + VOID + ) + { +- mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT; ++ UINT64 RngTest; ++ ++ if (GetRandomNumber64 (&RngTest)) { ++ mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT; ++ } ++ + return EFI_SUCCESS; + } + diff --git a/SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch b/SOURCES/0038-OvmfPkg-wire-up-RngDxe.patch similarity index 66% rename from SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch rename to SOURCES/0038-OvmfPkg-wire-up-RngDxe.patch index d767dad..71d66be 100644 --- a/SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch +++ b/SOURCES/0038-OvmfPkg-wire-up-RngDxe.patch 
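Review bot: In the new `GetAvailableAlgorithms` body, a failing `GetRandomNumber64 (&RngTest)` leaves `mAvailableAlgoArrayCount` untouched and the function still returns `EFI_SUCCESS` with no trace, so the outcome depends on the variable's initial value, which is declared outside the hunk. Because the effect is that EFI_RNG_PROTOCOL is not installed, I would make the failure path explicit: `} else { mAvailableAlgoArrayCount = 0; DEBUG ((DEBUG_WARN, "RngDxe: RngLib test failed, no algorithms offered\n")); }` (assuming DebugLib is already available in this file). One successful draw only shows that the library returned a value, not that the output is good, so a short comment calling this an availability check would keep readers from over-reading it.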
@@ -1,62 +1,42 @@ -From e22e11cc37c3bf3530ea8db1d18371c47c9e4440 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 20 Jun 2024 10:34:22 -0400 -Subject: [PATCH 6/8] OvmfPkg: wire up RngDxe +From 0aa96c512c689426838ec1cf4aa78ff088c03a1e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 24 May 2024 12:51:17 +0200 +Subject: [PATCH] OvmfPkg: wire up RngDxe -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [6/8] 4adf88888386923ee824469cf836b4f63117807d +Add OvmfRng include snippets with the random number generator +configuration for OVMF. Include RngDxe, build with BaseRngLib, +so the rdrand instruction is used (if available). -JIRA: https://issues.redhat.com/browse/RHEL-40270 -Upstream: Merged -CVE: CVE-2023-45237 -Conflicts: Cherry pick wanted to add include files from the - missing 'add ShellComponents' (commit 2cb466cc2cbf...) - series. This had to be handled manually. +Also move VirtioRng to the include snippets. -commit 712797cf19acd292bf203522a79e40e7e13d268b -Author: Gerd Hoffmann -Date: Fri May 24 12:51:17 2024 +0200 +Use the new include snippets for OVMF builds. - OvmfPkg: wire up RngDxe - - Add OvmfRng include snippets with the random number generator - configuration for OVMF. Include RngDxe, build with BaseRngLib, - so the rdrand instruction is used (if available). - - Also move VirtioRng to the include snippets. - - Use the new include snippets for OVMF builds. - - 
Signed-off-by: Gerd Hoffmann - -Signed-off-by: Jon Maloy +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 712797cf19acd292bf203522a79e40e7e13d268b) --- OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- - OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++- + OvmfPkg/AmdSev/AmdSevX64.fdf | 2 +- OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++ OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc | 6 ++++++ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +- - OvmfPkg/IntelTdx/IntelTdxX64.fdf | 3 ++- + OvmfPkg/IntelTdx/IntelTdxX64.fdf | 2 +- OvmfPkg/Microvm/MicrovmX64.dsc | 2 +- - OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++- + OvmfPkg/Microvm/MicrovmX64.fdf | 2 +- OvmfPkg/OvmfPkgIa32.dsc | 2 +- - OvmfPkg/OvmfPkgIa32.fdf | 3 ++- + OvmfPkg/OvmfPkgIa32.fdf | 2 +- OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- - OvmfPkg/OvmfPkgIa32X64.fdf | 3 ++- + OvmfPkg/OvmfPkgIa32X64.fdf | 2 +- OvmfPkg/OvmfPkgX64.dsc | 2 +- - OvmfPkg/OvmfPkgX64.fdf | 3 ++- - 14 files changed, 33 insertions(+), 12 deletions(-) + OvmfPkg/OvmfPkgX64.fdf | 2 +- + 14 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc -index 7bb6ffb3f0..5d50e77002 100644 +index cf1ad83e09..4edc2a9069 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc -@@ -651,7 +651,6 @@ +@@ -649,7 +649,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -64,19 +44,19 @@ index 7bb6ffb3f0..5d50e77002 100644 !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif -@@ -763,6 +762,7 @@ - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } - !endif +@@ -740,6 +739,7 @@ + OvmfPkg/AmdSev/Grub/Grub.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/AmdSevDxe/AmdSevDxe.inf { 
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf -index 0e3d7bea2b..c94f2d34ee 100644 +index c56c98dc85..480837b0fa 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf -@@ -220,7 +220,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf +@@ -227,7 +227,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -84,15 +64,14 @@ index 0e3d7bea2b..c94f2d34ee 100644 !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif -@@ -316,6 +315,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf - # +@@ -318,6 +317,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + ################################################################################ - [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc new file mode 100644 index 0000000000..68839a0caa @@ -121,10 +100,10 @@ index 0000000000..99cb4a32b1 +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +INF OvmfPkg/VirtioRngDxe/VirtioRng.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc -index fd6722499a..d38fed2171 100644 +index 9f49b60ff0..4b7e1596fc 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc -@@ -641,7 +641,6 @@ +@@ -636,7 +636,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf 
@@ -132,16 +111,16 @@ index fd6722499a..d38fed2171 100644 !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif -@@ -752,6 +751,7 @@ - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } - !endif +@@ -719,6 +718,7 @@ + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf -index 69ed7a9bc6..077a5c8637 100644 +index ce5d542048..88d0f75ae2 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf +++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf @@ -285,7 +285,6 @@ READ_LOCK_STATUS = TRUE @@ -152,20 +131,19 @@ index 69ed7a9bc6..077a5c8637 100644 !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif -@@ -333,6 +332,8 @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf - INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf +@@ -326,6 +325,7 @@ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + ################################################################################ - [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc -index 79f14b5c05..ca6902971f 100644 +index fb73f2e089..9206f01816 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc -@@ -754,7 +754,6 @@ +@@ -760,7 +760,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf 
@@ -173,19 +151,19 @@ index 79f14b5c05..ca6902971f 100644 OvmfPkg/VirtioSerialDxe/VirtioSerial.inf MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf -@@ -880,6 +879,7 @@ - gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } +@@ -846,6 +845,7 @@ + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf -index eda24a3ec9..767ee4b338 100644 +index 055e659a35..c8268d7e8c 100644 --- a/OvmfPkg/Microvm/MicrovmX64.fdf +++ b/OvmfPkg/Microvm/MicrovmX64.fdf -@@ -204,7 +204,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf +@@ -207,7 +207,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -193,20 +171,19 @@ index eda24a3ec9..767ee4b338 100644 INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(SECURE_BOOT_ENABLE) == TRUE -@@ -303,6 +302,8 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +@@ -299,6 +298,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + ################################################################################ - [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 83adecc374..4074aa382d 100644 +index 65a866ae0c..b64c215585 100644 
--- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -804,7 +804,6 @@ +@@ -784,7 +784,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -214,19 +191,19 @@ index 83adecc374..4074aa382d 100644 OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -942,6 +941,7 @@ - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } - !endif +@@ -888,6 +887,7 @@ + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 88c57ff5ff..20cfd2788e 100644 +index 10eb6fe72b..c31276e4a3 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -236,7 +236,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf +@@ -231,7 +231,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -234,20 +211,19 @@ index 88c57ff5ff..20cfd2788e 100644 INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -367,6 +366,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf - # - !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +@@ -356,6 +355,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf - !endif 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index b47cdf63e7..75ef19bc85 100644 +index 679e25501b..ececac3757 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -822,7 +822,6 @@ +@@ -798,7 +798,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -255,19 +231,19 @@ index b47cdf63e7..75ef19bc85 100644 OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -960,6 +959,7 @@ - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } - !endif +@@ -902,6 +901,7 @@ + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index ab5a9bc306..8517c79ba2 100644 +index ff06bbfc6f..a7b4aeac08 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -237,7 +237,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf +@@ -232,7 +232,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf 
@@ -275,20 +251,19 @@ index ab5a9bc306..8517c79ba2 100644 INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -374,6 +373,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf - # - !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +@@ -363,6 +362,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + ################################################################################ - [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index be3824ec1e..631ff0c788 100644 +index d294fd4625..0ab4d3df06 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -890,7 +890,6 @@ +@@ -866,7 +866,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -296,19 +271,19 @@ index be3824ec1e..631ff0c788 100644 OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -1028,6 +1027,7 @@ - gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 - } - !endif +@@ -970,6 +969,7 @@ + + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 851399888f..7ecde357ce 100644 +index f3b787201f..ae08ac4fe9 100644 --- a/OvmfPkg/OvmfPkgX64.fdf 
+++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -262,7 +262,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf +@@ -263,7 +263,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf @@ -316,15 +291,11 @@ index 851399888f..7ecde357ce 100644 INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf -@@ -408,6 +407,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf - # - !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +@@ -403,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc -+ + ################################################################################ - [FV.FVMAIN_COMPACT] --- -2.39.3 - diff --git a/SOURCES/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch b/SOURCES/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch new file mode 100644 index 0000000..0194b84 --- /dev/null +++ b/SOURCES/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch 
@@ -0,0 +1,37 @@ +From d5d19043e62a268a492f9a1ef6a11380d8f7e784 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 14 Jun 2024 11:45:49 +0200 +Subject: [PATCH] CryptoPkg/Test: call ProcessLibraryConstructorList + +Needed to properly initialize BaseRngLib. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 94961b8817eec6f8d0434555ac50a7aa51c22201) +--- + .../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c +index d0c1c7a4f7..48d463b8ad 100644 +--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c ++++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c +@@ -8,6 +8,12 @@ + **/ + #include "TestBaseCryptLib.h" + ++VOID ++EFIAPI ++ProcessLibraryConstructorList ( ++ VOID ++ ); ++ + /** + Initialize the unit test framework, suite, and unit tests for the + sample unit tests and run the unit tests. +@@ -76,5 +82,6 @@ main ( + char *argv[] + ) + { ++ ProcessLibraryConstructorList (); + return UefiTestMain (); + } diff --git a/SOURCES/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch b/SOURCES/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch new file mode 100644 index 0000000..d32e748 --- /dev/null +++ b/SOURCES/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch 
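Review bot: The `ProcessLibraryConstructorList ();` call added at the top of `main`, and the hand-written prototype above it, carry no comment, so the reason for them lives only in the commit message. I would put `// Run the library constructors first; BaseRngLib must be initialized before the tests use it.` above the call. The prototype deserves a one-line note that the function is provided by the build (presumably the generated AutoGen code) rather than by a header, which is why it is declared locally. `main` starts outside the hunk.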
@@ -0,0 +1,43 @@ +From 320207a3df995771af36639c7bdf89c4203cf1c2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 14 Jun 2024 11:45:53 +0200 +Subject: [PATCH] MdePkg/X86UnitTestHost: set rdrand cpuid bit + +Set the rdrand feature bit when faking cpuid for host test cases. +Needed to make the CryptoPkg test cases work. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 5e776299a2604b336a947e68593012ab2cc16eb4) +--- + MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c +index 8ba4f54a38..7f7276f7f4 100644 +--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c ++++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c +@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid ( + OUT UINT32 *Edx OPTIONAL + ) + { ++ UINT32 RetEcx; ++ ++ RetEcx = 0; ++ switch (Index) { ++ case 1: ++ RetEcx |= BIT30; /* RdRand */ ++ break; ++ } ++ + if (Eax != NULL) { + *Eax = 0; + } +@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid ( + } + + if (Ecx != NULL) { +- *Ecx = 0; ++ *Ecx = RetEcx; + } + + if (Edx != NULL) { diff --git a/SOURCES/edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch b/SOURCES/edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch new file mode 100644 index 0000000..8656838 --- /dev/null +++ b/SOURCES/edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch 
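Review bot: The new `switch (Index)` in `UnitTestHostBaseLibAsmCpuid` has a single `case 1:` and no `default`, which is heavier than the logic needs and leaves the switch open-ended. Either close it with `default: break;` or reduce it to `if (Index == 1) { RetEcx = BIT30; }`. The fake now reports RDRAND for leaf 1 on every host regardless of the real CPU, so the comment should say this is a host-test stub value, e.g. `// CPUID.01H:ECX bit 30 = RDRAND, reported unconditionally by this host-test fake`. The function's signature begins above the hunk.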
@@ -0,0 +1,63 @@ +From 481310a21104aba17bc0cddd236ecdf69d4ba662 Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 26 Aug 2024 19:25:52 +0200 +Subject: [PATCH] AmdSevDxe: Fix the shim fallback reboot workaround for SNP + +RH-Author: Oliver Steffen +RH-MergeRequest: 68: AmdSevDxe: Fix the shim fallback reboot workaround for SNP +RH-Jira: RHEL-56081 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] ab8678b61d171f9c19459e034483437b29037b4b (osteffen/edk2) + +The shim fallback reboot workaround (introduced for SEV-ES) does +not always work for SEV-SNP, due to a conditional early return. + +Let's just register the workaround earlier in this function to +fix that. + +Signed-off-by: Oliver Steffen +--- + OvmfPkg/AmdSevDxe/AmdSevDxe.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +index 0eb88e50ff..ca345e95da 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +@@ -243,6 +243,17 @@ AmdSevDxeEntryPoint ( + return EFI_UNSUPPORTED; + } + ++ // Shim fallback reboot workaround ++ Status = gBS->CreateEventEx ( ++ EVT_NOTIFY_SIGNAL, ++ TPL_CALLBACK, ++ PopulateVarstore, ++ SystemTable, ++ &gEfiEndOfDxeEventGroupGuid, ++ &PopulateVarstoreEvent ++ ); ++ ASSERT_EFI_ERROR (Status); ++ + // + // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent + // memory space. The NonExistent memory space will be used for mapping the +@@ -393,15 +404,5 @@ AmdSevDxeEntryPoint ( + ); + } + +- Status = gBS->CreateEventEx ( +- EVT_NOTIFY_SIGNAL, +- TPL_CALLBACK, +- PopulateVarstore, +- SystemTable, +- &gEfiEndOfDxeEventGroupGuid, +- &PopulateVarstoreEvent +- ); +- ASSERT_EFI_ERROR (Status); +- + return EFI_SUCCESS; + } +-- +2.39.3 + diff --git a/SOURCES/edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch b/SOURCES/edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch deleted file mode 100644 index c8e790e..0000000 
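Review bot: The relocated `gBS->CreateEventEx (...)` block is introduced only by `// Shim fallback reboot workaround`, which does not say why the registration has to sit at this point. The commit message gives the reason, a conditional early return further down that skipped it on SEV-SNP, but that return is outside the hunks and nothing in the code ties the two together. I would extend the comment to `// Shim fallback reboot workaround: register before the early-return paths below so it is also armed on SEV-SNP.`, so that a later cleanup does not move the block back to the end of `AmdSevDxeEntryPoint`. The function begins and ends outside the hunks.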
--- a/SOURCES/edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b8793ffc6a7e7cfe3ecd9bd0da566ffd913a4544 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 20 Jun 2024 10:34:52 -0400 -Subject: [PATCH 7/8] CryptoPkg/Test: call ProcessLibraryConstructorList - -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [7/8] 7b09b94bfb56f5b81df2ccf1e6dbe21a7354a723 - -JIRA: https://issues.redhat.com/browse/RHEL-40270 -Upstream: Merged -CVE: CVE-2023-45237 - -commit 94961b8817eec6f8d0434555ac50a7aa51c22201 -Author: Gerd Hoffmann -Date: Fri Jun 14 11:45:49 2024 +0200 - - CryptoPkg/Test: call ProcessLibraryConstructorList - - Needed to properly initialize BaseRngLib. - - Signed-off-by: Gerd Hoffmann - -Signed-off-by: Jon Maloy ---- - .../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c -index d0c1c7a4f7..48d463b8ad 100644 ---- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c -+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c -@@ -8,6 +8,12 @@ - **/ - #include "TestBaseCryptLib.h" - -+VOID -+EFIAPI -+ProcessLibraryConstructorList ( -+ VOID -+ ); -+ - /** - Initialize the unit test framework, suite, and unit tests for the - sample unit tests and run the unit tests. -@@ -76,5 +82,6 @@ main ( - char *argv[] - ) - { -+ ProcessLibraryConstructorList (); - return UefiTestMain (); - } --- -2.39.3 - diff --git a/SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch b/SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch deleted file mode 100644 index 270815c..0000000 --- a/SOURCES/edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From f01b34eaeff2ccdd0ee7f2cf6371542efc0b13f5 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Sat, 6 Apr 2024 11:00:29 -0400 -Subject: [PATCH 1/2] EmbeddedPkg/Hob: Integer Overflow in CreateHob() - -RH-Author: Jon Maloy -RH-MergeRequest: 69: EmbeddedPkg/Hob: Integer Overflow in CreateHob() -RH-Jira: RHEL-30156 -RH-Acked-by: Oliver Steffen -RH-Acked-by: Gerd Hoffmann -RH-Commit: [1/2] 1b851d3ecf23092f7961cd0320221dc56b69adc4 - -JIRA: https://issues.redhat.com/browse/RHEL-30156 -CVE: CVE-2022-36765 -Upstream: Merged - -commit aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 -Author: Gua Guo -Date: Thu Jan 11 13:07:50 2024 +0800 - - EmbeddedPkg/Hob: Integer Overflow in CreateHob() - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 - - Fix integer overflow in various CreateHob instances. - Fixes: CVE-2022-36765 - - The CreateHob() function aligns the requested size to 8 - performing the following operation: - ``` - HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); - ``` - - No checks are performed to ensure this value doesn't - overflow, and could lead to CreateHob() returning a smaller - HOB than requested, which could lead to OOB HOB accesses. - - Reported-by: Marc Beatove - Cc: Leif Lindholm - Reviewed-by: Ard Biesheuvel - Cc: Abner Chang - Cc: John Mathew - Authored-by: Gerd Hoffmann - 
Signed-off-by: Gua Guo - -Signed-off-by: Jon Maloy ---- - EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++ - 1 file changed, 43 insertions(+) - -diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c -index 8eb175aa96..cbc35152cc 100644 ---- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c -+++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c -@@ -110,6 +110,13 @@ CreateHob ( - - HandOffHob = GetHobList (); - -+ // -+ // Check Length to avoid data overflow. -+ // -+ if (HobLength > MAX_UINT16 - 0x7) { -+ return NULL; -+ } -+ - HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); - - FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; -@@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( - - Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); - ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->ResourceType = ResourceType; - Hob->ResourceAttribute = ResourceAttribute; -@@ -401,6 +411,10 @@ BuildModuleHob ( - ); - - Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); - Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; -@@ -449,6 +463,11 @@ BuildGuidHob ( - ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); - - Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return NULL; -+ } -+ - CopyGuid (&Hob->Name, Guid); - return Hob + 1; - } -@@ -512,6 +531,10 @@ BuildFvHob ( - EFI_HOB_FIRMWARE_VOLUME *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->BaseAddress = BaseAddress; - Hob->Length = Length; -@@ -543,6 +566,10 @@ BuildFv2Hob ( - 
EFI_HOB_FIRMWARE_VOLUME2 *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->BaseAddress = BaseAddress; - Hob->Length = Length; -@@ -584,6 +611,10 @@ BuildFv3Hob ( - EFI_HOB_FIRMWARE_VOLUME3 *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->BaseAddress = BaseAddress; - Hob->Length = Length; -@@ -639,6 +670,10 @@ BuildCpuHob ( - EFI_HOB_CPU *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->SizeOfMemorySpace = SizeOfMemorySpace; - Hob->SizeOfIoSpace = SizeOfIoSpace; -@@ -676,6 +711,10 @@ BuildStackHob ( - ); - - Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); - Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; -@@ -756,6 +795,10 @@ BuildMemoryAllocationHob ( - ); - - Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); - Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; --- -2.39.3 - diff --git a/SOURCES/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch b/SOURCES/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch new file mode 100644 index 0000000..2198b6f --- /dev/null +++ b/SOURCES/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch 
@@ -0,0 +1,43 @@ +From 880c1ca7420b873c5f81563b122d7bd1ebad72cb Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 4 Mar 2024 15:32:58 +0100 +Subject: [PATCH] MdeModulePkg: Warn if out of flash space when writing + variables + +RH-Author: Oliver Steffen +RH-MergeRequest: 64: MdeModulePkg: Warn if out of flash space when writing variables +RH-Jira: RHEL-43442 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] b65130800090192f47f13d67ff14f902a4f5bfb5 (osteffen/edk2) + +Emit a DEBUG_WARN message if there is not enough flash space left to +write/update a variable. This condition is currently not logged +appropriately in all cases, given that full variable store can easily +render the system unbootable. +This new message helps identifying this condition. + +Signed-off-by: Oliver Steffen +Reviewed-by: Laszlo Ersek +Reviewed-by: Gerd Hoffmann +(cherry picked from commit 80b59ff8320d1bd134bf689fe9c0ddf4e0473b88) +Signed-off-by: Oliver Steffen +--- + MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +index d394d237a5..1c7659031d 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +@@ -2364,6 +2364,8 @@ Done: + ); + ASSERT_EFI_ERROR (Status); + } ++ } else if (Status == EFI_OUT_OF_RESOURCES) { ++ DEBUG ((DEBUG_WARN, "UpdateVariable failed: Out of flash space\n")); + } + + return Status; +-- +2.39.3 + diff --git a/SOURCES/edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch b/SOURCES/edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch deleted file mode 100644 index 3c58fff..0000000 --- a/SOURCES/edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch +++ /dev/null 
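Review bot: The added `else if (Status == EFI_OUT_OF_RESOURCES)` branch logs `"UpdateVariable failed: Out of flash space\n"` without naming the variable being written, which is the first thing needed when diagnosing a full variable store. If the variable name and vendor GUID are in scope at `Done:` (the function starts outside the hunk, so this needs confirming), I would log them: `DEBUG ((DEBUG_WARN, "UpdateVariable failed: Out of flash space (%s, %g)\n", VariableName, VendorGuid));`. The message also attributes every `EFI_OUT_OF_RESOURCES` that reaches this point to flash space; if other paths in the function can return that status, a wording such as "out of resources (variable store full?)" would be more accurate.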
@@ -1,63 +0,0 @@
-From 90461020e9b7534dc03baeea7b485045ed5962e9 Mon Sep 17 00:00:00 2001
-From: Jon Maloy
-Date: Thu, 20 Jun 2024 10:35:27 -0400
-Subject: [PATCH 8/8] MdePkg/X86UnitTestHost: set rdrand cpuid bit
-
-RH-Author: Jon Maloy
-RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
-RH-Jira: RHEL-40270 RHEL-40272
-RH-Acked-by: Gerd Hoffmann
-RH-Commit: [8/8] 5bacbf3cf6fadd3362dfd6f31743707e65b4f119
-
-JIRA: https://issues.redhat.com/browse/RHEL-40270
-Upstream: Merged
-CVE: CVE-2023-45237
-
-commit 5e776299a2604b336a947e68593012ab2cc16eb4
-Author: Gerd Hoffmann
-Date: Fri Jun 14 11:45:53 2024 +0200
-
- MdePkg/X86UnitTestHost: set rdrand cpuid bit
-
- Set the rdrand feature bit when faking cpuid for host test cases.
- Needed to make the CryptoPkg test cases work.
-
- Signed-off-by: Gerd Hoffmann
-
-Signed-off-by: Jon Maloy
----
- MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
-index 8ba4f54a38..7f7276f7f4 100644
---- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
-+++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
-@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
- OUT UINT32 *Edx OPTIONAL
- )
- {
-+ UINT32 RetEcx;
-+
-+ RetEcx = 0;
-+ switch (Index) {
-+ case 1:
-+ RetEcx |= BIT30; /* RdRand */
-+ break;
-+ }
-+
- if (Eax != NULL) {
- *Eax = 0;
- }
-@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid (
- }
-
- if (Ecx != NULL) {
-- *Ecx = 0;
-+ *Ecx = RetEcx;
- }
-
- if (Edx != NULL) {
---
-2.39.3
-
diff --git a/SOURCES/edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch b/SOURCES/edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
deleted file mode 100644
index e6e6dbc..0000000
--- a/SOURCES/edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From 0d85ac65b3e469e879f687150d0a25e6dbd6cac1 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 8 Feb 2024 10:35:14 -0500 -Subject: [PATCH 02/18] NetworkPkg: : Add Unit tests to CI and create Host Test - DSC - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [2/18] 331bea0d7e46de0e35e595ad08c94eec99c80cd8 - -JIRA: https://issues.redhat.com/browse/RHEL-21843 -CVE: CVE-2023-45230 -Upstream: Merged - -commit 8014ac2d7bbbc503f5562b51af46bb20ae3d22ff -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:44 2024 +0800 - - NetworkPkg: : Add Unit tests to CI and create Host Test DSC - - Adds Host Based testing to the NetworkPkg - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/NetworkPkg.ci.yaml | 7 +- - NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++++++++++++++++++++++++++ - 2 files changed, 104 insertions(+), 1 deletion(-) - create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc - -diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml -index 07dc7abd69..076424eb60 100644 ---- a/NetworkPkg/NetworkPkg.ci.yaml -+++ b/NetworkPkg/NetworkPkg.ci.yaml -@@ -24,6 +24,9 @@ - "CompilerPlugin": { - "DscPath": "NetworkPkg.dsc" - }, -+ "HostUnitTestCompilerPlugin": { -+ "DscPath": "Test/NetworkPkgHostTest.dsc" -+ }, - "CharEncodingCheck": { - "IgnoreFiles": [] - }, -@@ -35,7 +38,9 @@ - "CryptoPkg/CryptoPkg.dec" - ], - # For host based unit tests -- "AcceptableDependencies-HOST_APPLICATION":[], -+ "AcceptableDependencies-HOST_APPLICATION":[ -+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec -+ ], - # For UEFI shell based apps - "AcceptableDependencies-UEFI_APPLICATION":[ - "ShellPkg/ShellPkg.dec" -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -new file mode 100644 -index 0000000000..1aeca5c5b3 ---- /dev/null -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -0,0 +1,98 @@ -+## @file -+# NetworkPkgHostTest DSC file used to build host-based unit tests. -+# -+# Copyright (c) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+# -+## -+[Defines] -+ PLATFORM_NAME = NetworkPkgHostTest -+ PLATFORM_GUID = 3b68324e-fc07-4d49-9520-9347ede65879 -+ PLATFORM_VERSION = 0.1 -+ DSC_SPECIFICATION = 0x00010005 -+ OUTPUT_DIRECTORY = Build/NetworkPkg/HostTest -+ SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64 -+ BUILD_TARGETS = NOOPT -+ SKUID_IDENTIFIER = DEFAULT -+ -+!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc -+[Packages] -+ MdePkg/MdePkg.dec -+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec -+ -+[Components] -+ # -+ # Build HOST_APPLICATION that tests NetworkPkg -+ # -+ -+# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests. -+[LibraryClasses] -+ NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf -+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf -+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf -+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf -+ HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf -+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf -+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf -+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf -+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf -+ UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf -+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf -+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf -+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf -+ UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf -+ UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf -+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf -+ 
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf -+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf -+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf -+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf -+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf -+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf -+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf -+!ifdef CONTINUOUS_INTEGRATION -+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf -+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf -+!else -+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf -+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf -+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf -+!endif -+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf -+ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf -+ FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf -+ SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf -+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf -+ -+!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022 -+[LibraryClasses.X64] -+ # Provide StackCookie support lib so that we can link to /GS exports for VS builds -+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf -+!endif -+ -+[LibraryClasses.common.UEFI_DRIVER] -+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf -+ ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf -+ DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf -+[LibraryClasses.common.UEFI_APPLICATION] -+ DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf -+ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf -+[LibraryClasses.ARM, LibraryClasses.AARCH64] -+ # -+ # It is not possible to 
prevent ARM compiler calls to generic intrinsic functions. -+ # This library provides the instrinsic functions generated by a given compiler. -+ # [LibraryClasses.ARM] and NULL mean link this library into all ARM images. -+ # -+!if $(TOOL_CHAIN_TAG) != VS2017 and $(TOOL_CHAIN_TAG) != VS2015 and $(TOOL_CHAIN_TAG) != VS2019 -+ NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf -+!endif -+ NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf -+[LibraryClasses.ARM] -+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf -+[LibraryClasses.RISCV64] -+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf -+ -+[PcdsFixedAtBuild] -+ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2 -+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4 --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch b/SOURCES/edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch deleted file mode 100644 index 217f755..0000000 --- a/SOURCES/edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From 3c1cf95b979cea6b0dee6e107756558a7a71d4ac Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 14/18] NetworkPkg: : Adds a SecurityFix.yaml file - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [14/18] dddbcbe14e38dc1bb03acf4622d6285090c4bb02 - -JIRA: https://issues.redhat.com/browse/RHEL-21853 -CVE: CVE-2022-45235 -Upstream: Merged - -commit 1d0b95f6457d225c5108302a9da74b4ed7aa5a38 -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:57 2024 +0800 - - NetworkPkg: : Adds a SecurityFix.yaml file - - This creates / adds a security file that tracks the security fixes - found in this package and can be used to find the fixes that were - applied. - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++ - 1 file changed, 123 insertions(+) - create mode 100644 NetworkPkg/SecurityFixes.yaml - -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -new file mode 100644 -index 0000000000..7e900483fe ---- /dev/null -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -0,0 +1,123 @@ -+## @file -+# Security Fixes for SecurityPkg -+# -+# Copyright (c) Microsoft Corporation -+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+CVE_2023_45229: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests" -+ cve: CVE-2023-45229 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" -+ note: -+ files_impacted: -+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c -+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4534 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45229 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45230: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests" -+ cve: CVE-2023-45230 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option" -+ note: -+ files_impacted: -+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c -+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4535 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45230 -+ 
- http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45231: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests" -+ cve: CVE-2023-45231 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options" -+ note: -+ files_impacted: -+ - NetworkPkg/Ip6Dxe/Ip6Option.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4536 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45231 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45232: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" -+ cve: CVE-2023-45232 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header" -+ note: -+ files_impacted: -+ - NetworkPkg/Ip6Dxe/Ip6Option.c -+ - NetworkPkg/Ip6Dxe/Ip6Option.h -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4537 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45232 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45233: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY 
PATCH CVE-2023-45232 Unit Tests" -+ cve: CVE-2023-45233 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header " -+ note: This was fixed along with CVE-2023-45233 -+ files_impacted: -+ - NetworkPkg/Ip6Dxe/Ip6Option.c -+ - NetworkPkg/Ip6Dxe/Ip6Option.h -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4538 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45233 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45234: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests" -+ cve: CVE-2023-45234 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message" -+ note: -+ files_impacted: -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4539 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45234 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45235: -+ commit_titles: -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests" -+ cve: CVE-2023-45235 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message" -+ note: -+ files_impacted: -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h 
-+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4540 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45235 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch deleted file mode 100644 index 8a7951c..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 3ab0e3be00cc74b39db482e33bfe923f70768ae4 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 17/18] NetworkPkg: Dhcp6Dxe: Packet-Length is not updated - before appending - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [17/18] c13c96534ecea4c43ca98cecf0789b07680958ca - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit 75deaf5c3c0d164c61653258c331151241bb69d8 -Author: Doug Flick -Date: Tue Feb 13 10:46:02 2024 -0800 - - NetworkPkg: Dhcp6Dxe: Packet-Length is not updated before appending - - In order for Dhcp6AppendIaAddrOption (..) to safely append the IA - Address option, the Packet-Length field must be updated before appending - the option. - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - Reviewed-by: Leif Lindholm - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -index e4e0725622..f38e3ee3fe 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -@@ -924,6 +924,11 @@ Dhcp6AppendIaOption ( - *PacketCursor += sizeof (T2); - } - -+ // -+ // Update the packet length -+ // -+ Packet->Length += BytesNeeded; -+ - // - // Fill all the addresses belong to the Ia - // -@@ -935,11 +940,6 @@ Dhcp6AppendIaOption ( - } - } - -- // -- // Update the packet length -- // -- Packet->Length += BytesNeeded; -- - // - // Fill the value of Ia option length - // --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch deleted file mode 100644 index 822d4b0..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From bb9d1831fd53d43889112a2e30a52b2c4504fdae Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 16/18] NetworkPkg: Dhcp6Dxe: Removes duplicate check and - replaces with macro - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [16/18] 61914482aa965883b1ec3f29cf6143b67e88742a - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit af3fad99d6088881562e50149f414f76a5be0140 -Author: Doug Flick -Date: Tue Feb 13 10:46:01 2024 -0800 - - NetworkPkg: Dhcp6Dxe: Removes duplicate check and replaces with macro - - Removes duplicate check after merge - - > - > // - > // Verify the PacketCursor is within the packet - > // - > if ( (*PacketCursor < Packet->Dhcp6.Option) - > || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - - sizeof (EFI_DHCP6_HEADER)))) - > { - > return EFI_INVALID_PARAMETER; - > } - > - - Converts the check to a macro and replaces all instances of the check - with the macro - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - Reviewed-by: Leif Lindholm - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 44 +++++++++++++----------------- - 1 file changed, 19 insertions(+), 25 deletions(-) - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -index 705c665c51..e4e0725622 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -@@ -10,6 +10,16 @@ - - #include "Dhcp6Impl.h" - -+// -+// Verifies the packet cursor is within the packet -+// otherwise it is invalid -+// -+#define IS_INVALID_PACKET_CURSOR(PacketCursor, Packet) \ -+ (((*PacketCursor) < (Packet)->Dhcp6.Option) || \ -+ ((*PacketCursor) >= (Packet)->Dhcp6.Option + ((Packet)->Size - sizeof(EFI_DHCP6_HEADER))) \ -+ ) \ -+ -+ - /** - Generate client Duid in the format of Duid-llt. - -@@ -638,9 +648,7 @@ Dhcp6AppendOption ( - // - // Verify the PacketCursor is within the packet - // -- if ( (*PacketCursor < Packet->Dhcp6.Option) -- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -- { -+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) { - return EFI_INVALID_PARAMETER; - } - -@@ -657,15 +665,6 @@ Dhcp6AppendOption ( - return EFI_BUFFER_TOO_SMALL; - } - -- // -- // Verify the PacketCursor is within the packet -- // -- if ( (*PacketCursor < Packet->Dhcp6.Option) -- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -- { -- return EFI_INVALID_PARAMETER; -- } -- - WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType); - *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen); -@@ -744,9 +743,7 @@ Dhcp6AppendIaAddrOption ( - // - // Verify the PacketCursor is within the packet - // -- if ( (*PacketCursor < Packet->Dhcp6.Option) -- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -- { -+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, 
Packet)) { - return EFI_INVALID_PARAMETER; - } - -@@ -877,9 +874,7 @@ Dhcp6AppendIaOption ( - // - // Verify the PacketCursor is within the packet - // -- if ( (*PacketCursor < Packet->Dhcp6.Option) -- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -- { -+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) { - return EFI_INVALID_PARAMETER; - } - -@@ -941,14 +936,14 @@ Dhcp6AppendIaOption ( - } - - // -- // Fill the value of Ia option length -+ // Update the packet length - // -- *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); -+ Packet->Length += BytesNeeded; - - // -- // Update the packet length -+ // Fill the value of Ia option length - // -- Packet->Length += BytesNeeded; -+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); - - return EFI_SUCCESS; - } -@@ -957,6 +952,7 @@ Dhcp6AppendIaOption ( - Append the appointed Elapsed time option to Buf, and move Buf to the end. - - @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. - @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor - will be moved to the end of the option. - @param[in] Instance The pointer to the Dhcp6 instance. -@@ -1012,9 +1008,7 @@ Dhcp6AppendETOption ( - // - // Verify the PacketCursor is within the packet - // -- if ( (*PacketCursor < Packet->Dhcp6.Option) -- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -- { -+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) { - return EFI_INVALID_PARAMETER; - } - --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch deleted file mode 100644 index 0e4a60a..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch +++ /dev/null 
@@ -1,618 +0,0 @@ -From c1700b34913109cd9600f58f1fa6b82b08ce3795 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 9 Feb 2024 17:57:07 -0500 -Subject: [PATCH 04/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 - Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [4/18] 23b6841dbb01249055b8040d85995c366bd94252 - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0 -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:46 2024 +0800 - - NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 - - Bug Details: - PixieFail Bug #1 - CVE-2023-45229 - CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - CWE-125 Out-of-bounds Read - - Change Overview: - - Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking - the Inner Option from a DHCP6 Option. - - > - > EFI_STATUS - > Dhcp6SeekInnerOptionSafe ( - > IN UINT16 IaType, - > IN UINT8 *Option, - > IN UINT32 OptionLen, - > OUT UINT8 **IaInnerOpt, - > OUT UINT16 *IaInnerLen - > ); - > - - Lots of code cleanup to improve code readability. - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++--- - NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 +++++++++++++++++++++----------- - 2 files changed, 256 insertions(+), 85 deletions(-) - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -index f2422c2f28..220e7c68f1 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; - #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') - #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') - -+#define DHCP6_PACKET_ALL 0 -+#define DHCP6_PACKET_STATEFUL 1 -+#define DHCP6_PACKET_STATELESS 2 -+ -+#define DHCP6_BASE_PACKET_SIZE 1024 -+ -+#define DHCP6_PORT_CLIENT 546 -+#define DHCP6_PORT_SERVER 547 -+ -+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) -+ -+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE) -+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE) -+ - // - // For more information on DHCP options see RFC 8415, Section 21.1 - // -@@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; - // | (option-len octets) | - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // --#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) --#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) -+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode)) -+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen)) - --// - // Combined size of Code and Length --// - #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ - DHCP6_SIZE_OF_OPT_LEN) - -@@ -73,34 +85,122 @@ STATIC_ASSERT ( - "Combined size of Code and Length must be 4 per RFC 8415" - ); - --// - // Offset to the length 
is just past the code --// --#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) -+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE) - STATIC_ASSERT ( -- DHCP6_OPT_LEN_OFFSET (0) == 2, -+ DHCP6_OFFSET_OF_OPT_LEN (0) == 2, - "Offset of length is + 2 past start of option" - ); - --#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) -+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) - STATIC_ASSERT ( -- DHCP6_OPT_DATA_OFFSET (0) == 4, -+ DHCP6_OFFSET_OF_OPT_DATA (0) == 4, - "Offset to option data should be +4 from start of option" - ); -+// -+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association)) -+// are defined in RFC 8415 and are a deriviation of a TLV stucture -+// For more information on IA_NA see Section 21.4 -+// For more information on IA_TA see Section 21.5 -+// -+// -+// The format of IA_NA and IA_TA option: -+// -+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | OPTION_IA_NA | option-len | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | IAID (4 octets) | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | T1 (only for IA_NA) | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | T2 (only for IA_NA) | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | | -+// . IA_NA-options/IA_TA-options . -+// . . 
-+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// -+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32)) -+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32)) - --#define DHCP6_PACKET_ALL 0 --#define DHCP6_PACKET_STATEFUL 1 --#define DHCP6_PACKET_STATELESS 2 -+// Combined size of IAID, T1, and T2 -+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \ -+ DHCP6_SIZE_OF_TIME_INTERVAL + \ -+ DHCP6_SIZE_OF_TIME_INTERVAL) -+STATIC_ASSERT ( -+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12, -+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415" -+ ); - --#define DHCP6_BASE_PACKET_SIZE 1024 -+// This is the size of IA_TA without options -+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ -+ DHCP6_SIZE_OF_IAID) -+STATIC_ASSERT ( -+ DHCP6_MIN_SIZE_OF_IA_TA == 8, -+ "Minimum combined size of IA_TA per RFC 8415" -+ ); - --#define DHCP6_PORT_CLIENT 546 --#define DHCP6_PORT_SERVER 547 -+// Offset to a IA_TA inner option -+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA) -+STATIC_ASSERT ( -+ DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8, -+ "Offset of IA_TA Inner option is + 8 past start of option" -+ ); - --#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20) -+// This is the size of IA_NA without options (16) -+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ -+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 -+STATIC_ASSERT ( -+ DHCP6_MIN_SIZE_OF_IA_NA == 16, -+ "Minimum combined size of IA_TA per RFC 8415" -+ ); - --#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE) --#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE) -+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA) -+STATIC_ASSERT ( -+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16, -+ "Offset of IA_NA Inner option is + 16 past start of option" -+ ); -+ -+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \ 
-+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \ -+ DHCP6_SIZE_OF_IAID) -+STATIC_ASSERT ( -+ DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8, -+ "Offset of IA_NA Inner option is + 8 past start of option" -+ ); -+ -+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \ -+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\ -+ DHCP6_SIZE_OF_IAID + \ -+ DHCP6_SIZE_OF_TIME_INTERVAL) -+STATIC_ASSERT ( -+ DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12, -+ "Offset of IA_NA Inner option is + 12 past start of option" -+ ); -+ -+// -+// For more information see RFC 8415 Section 21.13 -+// -+// The format of the Status Code Option: -+// -+// 0 1 2 3 -+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | OPTION_STATUS_CODE | option-len | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | status-code | | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | -+// . . -+// . status-message . -+// . . -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// -+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) -+STATIC_ASSERT ( -+ DHCP6_OFFSET_OF_STATUS_CODE (0) == 4, -+ "Offset of status is + 4 past start of option" -+ ); - - extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress; - extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate; -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -index bf5aa7a769..89d16484a5 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -@@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo ( - // The inner options still start with 2 bytes option-code and 2 bytes option-len. 
- // - if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { -- T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8))); -- T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12))); -+ T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); -+ T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); - // - // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2, - // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes -@@ -609,13 +609,14 @@ Dhcp6UpdateIaInfo ( - return EFI_DEVICE_ERROR; - } - -- IaInnerOpt = Option + 16; -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 12); -+ IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); -+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); - } else { -- T1 = 0; -- T2 = 0; -- IaInnerOpt = Option + 8; -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 4); -+ T1 = 0; -+ T2 = 0; -+ -+ IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); -+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); - } - - // -@@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo ( - Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); - - if (Option != NULL) { -- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); -+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); - if (StsCode != Dhcp6StsSuccess) { - return EFI_DEVICE_ERROR; - } -@@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo ( - return Status; - } - -+/** -+ Seeks the Inner Options from a DHCP6 Option -+ -+ @param[in] IaType The type of the IA option. -+ @param[in] Option The pointer to the DHCP6 Option. -+ @param[in] OptionLen The length of the DHCP6 Option. -+ @param[out] IaInnerOpt The pointer to the IA inner option. 
-+ @param[out] IaInnerLen The length of the IA inner option. -+ -+ @retval EFI_SUCCESS Seek the inner option successfully. -+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error, -+ the pointers are not modified -+**/ -+EFI_STATUS -+Dhcp6SeekInnerOptionSafe ( -+ IN UINT16 IaType, -+ IN UINT8 *Option, -+ IN UINT32 OptionLen, -+ OUT UINT8 **IaInnerOpt, -+ OUT UINT16 *IaInnerLen -+ ) -+{ -+ UINT16 IaInnerLenTmp; -+ UINT8 *IaInnerOptTmp; -+ -+ if (Option == NULL) { -+ ASSERT (Option != NULL); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ if (IaInnerOpt == NULL) { -+ ASSERT (IaInnerOpt != NULL); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ if (IaInnerLen == NULL) { -+ ASSERT (IaInnerLen != NULL); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ if (IaType == Dhcp6OptIana) { -+ // Verify we have a fully formed IA_NA -+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); -+ -+ // Verify the IaInnerLen is valid. -+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option))); -+ if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { -+ return EFI_DEVICE_ERROR; -+ } -+ -+ IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; -+ } else if (IaType == Dhcp6OptIata) { -+ // Verify the OptionLen is valid. -+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { -+ return EFI_DEVICE_ERROR; -+ } -+ -+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); -+ -+ // Verify the IaInnerLen is valid. -+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); -+ if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { -+ return EFI_DEVICE_ERROR; -+ } -+ -+ IaInnerLenTmp -= DHCP6_SIZE_OF_IAID; -+ } else { -+ return EFI_DEVICE_ERROR; -+ } -+ -+ *IaInnerOpt = IaInnerOptTmp; -+ *IaInnerLen = IaInnerLenTmp; -+ -+ return EFI_SUCCESS; -+} -+ - /** - Seek StatusCode Option in package. 
A Status Code option may appear in the - options field of a DHCP message and/or in the options field of another option. -@@ -684,6 +766,12 @@ Dhcp6SeekStsOption ( - UINT8 *IaInnerOpt; - UINT16 IaInnerLen; - UINT16 StsCode; -+ UINT32 OptionLen; -+ -+ // OptionLen is the length of the Options excluding the DHCP header. -+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last -+ // byte of the Option[] field. -+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header); - - // - // Seek StatusCode option directly in DHCP message body. That is, search in -@@ -691,12 +779,12 @@ Dhcp6SeekStsOption ( - // - *Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ OptionLen, - Dhcp6OptStatusCode - ); - - if (*Option != NULL) { -- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); -+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option)))); - if (StsCode != Dhcp6StsSuccess) { - return EFI_DEVICE_ERROR; - } -@@ -707,7 +795,7 @@ Dhcp6SeekStsOption ( - // - *Option = Dhcp6SeekIaOption ( - Packet->Dhcp6.Option, -- Packet->Length - sizeof (EFI_DHCP6_HEADER), -+ OptionLen, - &Instance->Config->IaDescriptor - ); - if (*Option == NULL) { -@@ -715,52 +803,35 @@ Dhcp6SeekStsOption ( - } - - // -- // The format of the IA_NA option is: -+ // Calculate the distance from Packet->Dhcp6.Option to the IA option. - // -- // 0 1 2 3 -- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | OPTION_IA_NA | option-len | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | IAID (4 octets) | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | T1 | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | T2 | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | | -- // . IA_NA-options . -- // . . 
-- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is -+ // the size of the whole packet, including the DHCP header, and Packet->Length -+ // is the length of the DHCP message body, excluding the DHCP header. - // -- // The format of the IA_TA option is: -+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of -+ // DHCP6 option area to the start of the IA option. - // -- // 0 1 2 3 -- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | OPTION_IA_TA | option-len | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | IAID (4 octets) | -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- // | | -- // . IA_TA-options . -- // . . -- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the -+ // IA option to the end of the DHCP6 option area, thus subtract the space -+ // up until this option - // -+ OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option); - - // -- // sizeof (option-code + option-len + IaId) = 8 -- // sizeof (option-code + option-len + IaId + T1) = 12 -- // sizeof (option-code + option-len + IaId + T1 + T2) = 16 -- // -- // The inner options still start with 2 bytes option-code and 2 bytes option-len. 
-+ // Seek the inner option - // -- if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { -- IaInnerOpt = *Option + 16; -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 12); -- } else { -- IaInnerOpt = *Option + 8; -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 4); -+ if (EFI_ERROR ( -+ Dhcp6SeekInnerOptionSafe ( -+ Instance->Config->IaDescriptor.Type, -+ *Option, -+ OptionLen, -+ &IaInnerOpt, -+ &IaInnerLen -+ ) -+ )) -+ { -+ return EFI_DEVICE_ERROR; - } - - // -@@ -784,7 +855,7 @@ Dhcp6SeekStsOption ( - // - *Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); - if (*Option != NULL) { -- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4))); -+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option))))); - if (StsCode != Dhcp6StsSuccess) { - return EFI_DEVICE_ERROR; - } -@@ -1105,7 +1176,7 @@ Dhcp6SendRequestMsg ( - // - Option = Dhcp6SeekOption ( - Instance->AdSelect->Dhcp6.Option, -- Instance->AdSelect->Length - 4, -+ Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerId - ); - if (Option == NULL) { -@@ -1289,7 +1360,7 @@ Dhcp6SendDeclineMsg ( - // - Option = Dhcp6SeekOption ( - LastReply->Dhcp6.Option, -- LastReply->Length - 4, -+ LastReply->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerId - ); - if (Option == NULL) { -@@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg ( - // - Option = Dhcp6SeekOption ( - LastReply->Dhcp6.Option, -- LastReply->Length - 4, -+ LastReply->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerId - ); - if (Option == NULL) { -@@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg ( - - Option = Dhcp6SeekOption ( - LastReply->Dhcp6.Option, -- LastReply->Length - 4, -+ LastReply->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerId - ); - if (Option == NULL) { -@@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg ( - // - Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ Packet->Length - sizeof 
(EFI_DHCP6_HEADER), - Dhcp6OptRapidCommit - ); - -@@ -2354,7 +2425,7 @@ Dhcp6HandleReplyMsg ( - // - // Any error status code option is found. - // -- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4))); -+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option))))); - switch (StsCode) { - case Dhcp6StsUnspecFail: - // -@@ -2487,7 +2558,7 @@ Dhcp6SelectAdvertiseMsg ( - // - Option = Dhcp6SeekOption ( - AdSelect->Dhcp6.Option, -- AdSelect->Length - 4, -+ AdSelect->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerUnicast - ); - -@@ -2498,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg ( - return EFI_OUT_OF_RESOURCES; - } - -- CopyMem (Instance->Unicast, Option + 4, sizeof (EFI_IPv6_ADDRESS)); -+ CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS)); - } - - // -@@ -2551,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg ( - // - Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ Packet->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptRapidCommit - ); - -@@ -2645,7 +2716,7 @@ Dhcp6HandleAdvertiseMsg ( - CopyMem (Instance->AdSelect, Packet, Packet->Size); - - if (Option != NULL) { -- Instance->AdPref = *(Option + 4); -+ Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option)); - } - } else { - // -@@ -2714,11 +2785,11 @@ Dhcp6HandleStateful ( - // - Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, - Dhcp6OptClientId - ); - -- if ((Option == NULL) || (CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0)) { -+ if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) { - goto ON_CONTINUE; - } - -@@ -2727,7 +2798,7 @@ Dhcp6HandleStateful ( - // - Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, - Dhcp6OptServerId - ); - -@@ -2832,7 +2903,7 @@ Dhcp6HandleStateless ( - // - 
Option = Dhcp6SeekOption ( - Packet->Dhcp6.Option, -- Packet->Length - 4, -+ Packet->Length - sizeof (EFI_DHCP6_HEADER), - Dhcp6OptServerId - ); - --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch deleted file mode 100644 index afb800a..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch +++ /dev/null 
@@ -1,257 +0,0 @@ -From dcfd5b6e28536e5b28fb4c47ec57f8d106b6b181 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 15/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 - Related Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [15/18] e2fe2033c2f90145249d9416a539d5b2fc52596a - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit 1c440a5eceedc64e892877eeac0f1a4938f5abbb -Author: Doug Flick -Date: Tue Feb 13 10:46:00 2024 -0800 - - NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673 - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 - - This was not part of the Quarkslab bugs however the same pattern - as CVE-2023-45229 exists in Dhcp6UpdateIaInfo. - - This patch replaces the code in question with the safe function - created to patch CVE-2023-45229 - - > - > if (EFI_ERROR ( - > Dhcp6SeekInnerOptionSafe ( - > Instance->Config->IaDescriptor.Type, - > Option, - > OptionLen, - > &IaInnerOpt, - > &IaInnerLen - > ) - > )) - > { - > return EFI_DEVICE_ERROR; - > } - > - - Additionally corrects incorrect usage of macro to read the status - - > - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN - (Option))); - > + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) - DHCP6_OFFSET_OF_STATUS_CODE (Option)); - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - Reviewed-by: Leif Lindholm - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 70 ++++++++++++++++++++++++++--------- - NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | 22 +++++++++++ - 2 files changed, 75 insertions(+), 17 deletions(-) - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -index 3b8feb4a20..a9bffae353 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -@@ -528,13 +528,23 @@ Dhcp6UpdateIaInfo ( - { - EFI_STATUS Status; - UINT8 *Option; -+ UINT32 OptionLen; - UINT8 *IaInnerOpt; - UINT16 IaInnerLen; - UINT16 StsCode; - UINT32 T1; - UINT32 T2; - -+ T1 = 0; -+ T2 = 0; -+ - ASSERT (Instance->Config != NULL); -+ -+ // OptionLen is the length of the Options excluding the DHCP header. -+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last -+ // byte of the Option[] field. -+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header); -+ - // - // If the reply was received in response to a solicit with rapid commit option, - // request, renew or rebind message, the client updates the information it has -@@ -549,13 +559,29 @@ Dhcp6UpdateIaInfo ( - // - Option = Dhcp6SeekIaOption ( - Packet->Dhcp6.Option, -- Packet->Length - sizeof (EFI_DHCP6_HEADER), -+ OptionLen, - &Instance->Config->IaDescriptor - ); - if (Option == NULL) { - return EFI_DEVICE_ERROR; - } - -+ // -+ // Calculate the distance from Packet->Dhcp6.Option to the IA option. -+ // -+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is -+ // the size of the whole packet, including the DHCP header, and Packet->Length -+ // is the length of the DHCP message body, excluding the DHCP header. -+ // -+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of -+ // DHCP6 option area to the start of the IA option. 
-+ // -+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the -+ // IA option to the end of the DHCP6 option area, thus subtract the space -+ // up until this option -+ // -+ OptionLen = OptionLen - (UINT32)(Option - Packet->Dhcp6.Option); -+ - // - // The format of the IA_NA option is: - // -@@ -591,32 +617,32 @@ Dhcp6UpdateIaInfo ( - // - - // -- // sizeof (option-code + option-len + IaId) = 8 -- // sizeof (option-code + option-len + IaId + T1) = 12 -- // sizeof (option-code + option-len + IaId + T1 + T2) = 16 -- // -- // The inner options still start with 2 bytes option-code and 2 bytes option-len. -+ // Seek the inner option - // -+ if (EFI_ERROR ( -+ Dhcp6SeekInnerOptionSafe ( -+ Instance->Config->IaDescriptor.Type, -+ Option, -+ OptionLen, -+ &IaInnerOpt, -+ &IaInnerLen -+ ) -+ )) -+ { -+ return EFI_DEVICE_ERROR; -+ } -+ - if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) { - T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); - T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); - // - // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2, - // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes -- // the remainder of the message as though the server had not included the invalid IA_NA option. -+ // the remainder of the message as though the server had not included the invalid IA_NA option. 
- // - if ((T1 > T2) && (T2 > 0)) { - return EFI_DEVICE_ERROR; - } -- -- IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); -- } else { -- T1 = 0; -- T2 = 0; -- -- IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); -- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); - } - - // -@@ -642,7 +668,7 @@ Dhcp6UpdateIaInfo ( - Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode); - - if (Option != NULL) { -- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); -+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option)))); - if (StsCode != Dhcp6StsSuccess) { - return EFI_DEVICE_ERROR; - } -@@ -703,15 +729,21 @@ Dhcp6SeekInnerOptionSafe ( - } - - if (IaType == Dhcp6OptIana) { -+ // - // Verify we have a fully formed IA_NA -+ // - if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { - return EFI_DEVICE_ERROR; - } - -+ // -+ // Get the IA Inner Option and Length - // - IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option); - -+ // - // Verify the IaInnerLen is valid. -+ // - IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option))); - if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { - return EFI_DEVICE_ERROR; -@@ -719,14 +751,18 @@ Dhcp6SeekInnerOptionSafe ( - - IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; - } else if (IaType == Dhcp6OptIata) { -+ // - // Verify the OptionLen is valid. -+ // - if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { - return EFI_DEVICE_ERROR; - } - - IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option); - -+ // - // Verify the IaInnerLen is valid. 
-+ // - IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))); - if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { - return EFI_DEVICE_ERROR; -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h -index 051a652f2b..ab0e1ac27f 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h -@@ -217,4 +217,26 @@ Dhcp6OnTimerTick ( - IN VOID *Context - ); - -+/** -+ Seeks the Inner Options from a DHCP6 Option -+ -+ @param[in] IaType The type of the IA option. -+ @param[in] Option The pointer to the DHCP6 Option. -+ @param[in] OptionLen The length of the DHCP6 Option. -+ @param[out] IaInnerOpt The pointer to the IA inner option. -+ @param[out] IaInnerLen The length of the IA inner option. -+ -+ @retval EFI_SUCCESS Seek the inner option successfully. -+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error, -+ the pointers are not modified -+**/ -+EFI_STATUS -+Dhcp6SeekInnerOptionSafe ( -+ IN UINT16 IaType, -+ IN UINT8 *Option, -+ IN UINT32 OptionLen, -+ OUT UINT8 **IaInnerOpt, -+ OUT UINT16 *IaInnerLen -+ ); -+ - #endif --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch deleted file mode 100644 index 7a477bc..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch +++ /dev/null 
@@ -1,565 +0,0 @@ -From 76930459d2e3f82e10968ec8904e45c8bac77fd8 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 9 Feb 2024 17:57:07 -0500 -Subject: [PATCH 05/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 - Unit Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [5/18] 7421b6f8d8e6bc3d8ea4aaf90f65608136b968b2 - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097 -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:47 2024 +0800 - - NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 - - These tests confirm that the report bug... - - "Out-of-bounds read when processing IA_NA/IA_TA options in a - DHCPv6 Advertise message" - - ..has been patched. - - The following functions are tested to confirm an out of bounds read is - patched and that the correct statuses are returned: - - Dhcp6SeekInnerOptionSafe - Dhcp6SeekStsOption - - TCBZ4534 - CVE-2023-45229 - CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - CWE-125 Out-of-bounds Read - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 +- - .../GoogleTest/Dhcp6DxeGoogleTest.inf | 1 + - .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++- - .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 +++ - NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + - 5 files changed, 424 insertions(+), 3 deletions(-) - create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -index 89d16484a5..3b8feb4a20 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -@@ -816,7 +816,7 @@ Dhcp6SeekStsOption ( - // IA option to the end of the DHCP6 option area, thus subtract the space - // up until this option - // -- OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option); -+ OptionLen = OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option); - - // - // Seek the inner option -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -index 8e9119a371..12532ed30c 100644 ---- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -@@ -18,6 +18,7 @@ - [Sources] - Dhcp6DxeGoogleTest.cpp - Dhcp6IoGoogleTest.cpp -+ Dhcp6IoGoogleTest.h - ../Dhcp6Io.c - ../Dhcp6Utility.c - -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp -index 7ee40e4af4..7db253a7b8 100644 ---- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp -@@ -13,6 +13,7 @@ extern "C" { - #include - #include "../Dhcp6Impl.h" - #include "../Dhcp6Utility.h" -+ #include "Dhcp6IoGoogleTest.h" - } - - //////////////////////////////////////////////////////////////////////// -@@ -21,7 +22,35 @@ extern "C" { - - #define DHCP6_PACKET_MAX_LEN 1500 - -+// This definition is 
used by this test but is also required to compile -+// by Dhcp6Io.c -+#define DHCPV6_OPTION_IA_NA 3 -+#define DHCPV6_OPTION_IA_TA 4 -+ -+#define SEARCH_PATTERN 0xDEADC0DE -+#define SEARCH_PATTERN_LEN sizeof(SEARCH_PATTERN) -+ - //////////////////////////////////////////////////////////////////////// -+// Test structures for IA_NA and IA_TA options -+//////////////////////////////////////////////////////////////////////// -+typedef struct { -+ UINT16 Code; -+ UINT16 Len; -+ UINT32 IAID; -+} DHCPv6_OPTION; -+ -+typedef struct { -+ DHCPv6_OPTION Header; -+ UINT32 T1; -+ UINT32 T2; -+ UINT8 InnerOptions[0]; -+} DHCPv6_OPTION_IA_NA; -+ -+typedef struct { -+ DHCPv6_OPTION Header; -+ UINT8 InnerOptions[0]; -+} DHCPv6_OPTION_IA_TA; -+ - //////////////////////////////////////////////////////////////////////// - // Symbol Definitions - // These functions are not directly under test - but required to compile -@@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) { - Status = Dhcp6AppendETOption ( - Dhcp6AppendETOptionTest::Packet, - &Cursor, -- &Instance, // Instance is not used in this function -+ &Instance, // Instance is not used in this function - &ElapsedTime - ); - -@@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) { - Status = Dhcp6AppendETOption ( - Dhcp6AppendETOptionTest::Packet, - &Cursor, -- &Instance, // Instance is not used in this function -+ &Instance, // Instance is not used in this function - &ElapsedTime - ); - -@@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) { - // verify that the status is EFI_SUCCESS - ASSERT_EQ (Status, EFI_SUCCESS); - } -+ -+//////////////////////////////////////////////////////////////////////// -+// Dhcp6SeekInnerOptionSafe Tests -+//////////////////////////////////////////////////////////////////////// -+ -+// Define a fixture for your tests if needed -+class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test { -+protected: -+ // Add any 
setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Initialize any resources or variables -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ } -+}; -+ -+// Test Description: -+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IANA option is found. -+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) { -+ EFI_STATUS Result; -+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 }; -+ UINT32 OptionLength = sizeof (Option); -+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ -+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT8 *InnerOptionPtr = NULL; -+ UINT16 InnerOptionLength = 0; -+ -+ OptionPtr->Header.Code = Dhcp6OptIana; -+ OptionPtr->Header.Len = HTONS (4 + 12); // Valid length has to be more than 12 -+ OptionPtr->Header.IAID = 0x12345678; -+ OptionPtr->T1 = 0x11111111; -+ OptionPtr->T2 = 0x22222222; -+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); -+ -+ Result = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIana, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Result, EFI_SUCCESS); -+ ASSERT_EQ (InnerOptionLength, 4); -+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0); -+} -+ -+// Test Description: -+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERROR when the IANA option size is invalid. 
-+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) { -+ // Lets add an inner option of bytes we expect to find -+ EFI_STATUS Status; -+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 }; -+ UINT32 OptionLength = sizeof (Option); -+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ -+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT8 *InnerOptionPtr = NULL; -+ UINT16 InnerOptionLength = 0; -+ -+ OptionPtr->Header.Code = Dhcp6OptIana; -+ OptionPtr->Header.Len = HTONS (4); // Set the length to lower than expected (12) -+ OptionPtr->Header.IAID = 0x12345678; -+ OptionPtr->T1 = 0x11111111; -+ OptionPtr->T2 = 0x22222222; -+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); -+ -+ // Set the InnerOptionLength to be less than the size of the option -+ Status = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIana, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Status, EFI_DEVICE_ERROR); -+ -+ // Now set the OptionLength to be less than the size of the option -+ OptionLength = sizeof (DHCPv6_OPTION_IA_NA) - 1; -+ Status = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIana, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Status, EFI_DEVICE_ERROR); -+} -+ -+// Test Description: -+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option is found -+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) { -+ // Lets add an inner option of bytes we expect to find -+ EFI_STATUS Status; -+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; -+ UINT32 OptionLength = sizeof (Option); -+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ -+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT8 *InnerOptionPtr = NULL; -+ UINT16 InnerOptionLength = 0; -+ -+ 
OptionPtr->Header.Code = Dhcp6OptIata; -+ OptionPtr->Header.Len = HTONS (4 + 4); // Valid length has to be more than 4 -+ OptionPtr->Header.IAID = 0x12345678; -+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); -+ -+ Status = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIata, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ ASSERT_EQ (InnerOptionLength, 4); -+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0); -+} -+ -+// Test Description: -+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid. -+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) { -+ // Lets add an inner option of bytes we expect to find -+ EFI_STATUS Status; -+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; -+ UINT32 OptionLength = sizeof (Option); -+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ -+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT8 *InnerOptionPtr = NULL; -+ UINT16 InnerOptionLength = 0; -+ -+ OptionPtr->Header.Code = Dhcp6OptIata; -+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4) -+ OptionPtr->Header.IAID = 0x12345678; -+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); -+ -+ Status = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIata, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Status, EFI_DEVICE_ERROR); -+ -+ // Now lets try modifying the OptionLength to be less than the size of the option -+ OptionLength = sizeof (DHCPv6_OPTION_IA_TA) - 1; -+ Status = Dhcp6SeekInnerOptionSafe ( -+ Dhcp6OptIata, -+ Option, -+ OptionLength, -+ &InnerOptionPtr, -+ &InnerOptionLength -+ ); -+ ASSERT_EQ (Status, EFI_DEVICE_ERROR); -+} -+ -+// Test Description: -+// This test verifies that any other Option Type fails -+TEST_F 
(Dhcp6SeekInnerOptionSafeTest, InvalidOption) { -+ // Lets add an inner option of bytes we expect to find -+ EFI_STATUS Result; -+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 }; -+ UINT32 OptionLength = sizeof (Option); -+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ -+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT8 *InnerOptionPtr = NULL; -+ UINT16 InnerOptionLength = 0; -+ -+ OptionPtr->Header.Code = 0xC0DE; -+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4) -+ OptionPtr->Header.IAID = 0x12345678; -+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength); -+ -+ Result = Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &InnerOptionPtr, &InnerOptionLength); -+ ASSERT_EQ (Result, EFI_DEVICE_ERROR); -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Dhcp6SeekStsOption Tests -+//////////////////////////////////////////////////////////////////////// -+ -+#define PACKET_SIZE (1500) -+ -+class Dhcp6SeekStsOptionTest : public ::testing::Test { -+public: -+ DHCP6_INSTANCE Instance = { 0 }; -+ EFI_DHCP6_PACKET *Packet = NULL; -+ EFI_DHCP6_CONFIG_DATA Config = { 0 }; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Allocate a packet -+ Packet = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); -+ ASSERT_NE (Packet, nullptr); -+ -+ // Initialize the packet -+ Packet->Size = PACKET_SIZE; -+ -+ Instance.Config = &Config; -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ FreePool (Packet); -+ } -+}; -+ -+// Test Description: -+// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR when the option is invalid -+// This verifies that the calling function is working as expected -+TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) { -+ EFI_STATUS 
Status; -+ UINT8 *Option = NULL; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN; -+ UINT16 *Len = NULL; -+ EFI_DHCP6_IA Ia = { 0 }; -+ -+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_TA; -+ Ia.IaAddressCount = 1; -+ Ia.IaAddress[0].PreferredLifetime = 0xDEADBEEF; -+ Ia.IaAddress[0].ValidLifetime = 0xDEADAAAA; -+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress; -+ -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ -+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; -+ -+ // Let's append the option to the packet -+ Status = Dhcp6AppendOption ( -+ Dhcp6SeekStsOptionTest::Packet, -+ &Option, -+ Dhcp6OptStatusCode, -+ SearchPatternLength, -+ (UINT8 *)&SearchPattern -+ ); -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ // Inner option length - this will be overwritten later -+ Len = (UINT16 *)(Option + 2); -+ -+ // Fill in the inner IA option -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6SeekStsOptionTest::Packet, -+ &Option, -+ &Ia, -+ 0x12345678, -+ 0x11111111, -+ 0x22222222 -+ ); -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ // overwrite the len of inner Ia option -+ *Len = HTONS (3); -+ -+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_TA; -+ -+ Option = NULL; -+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option); -+ -+ ASSERT_EQ (Status, EFI_DEVICE_ERROR); -+} -+ -+// Test Description: -+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid. 
-+TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) { -+ EFI_STATUS Status = EFI_NOT_FOUND; -+ UINT8 *Option = NULL; -+ UINT32 SearchPattern = SEARCH_PATTERN; -+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN; -+ EFI_DHCP6_IA Ia = { 0 }; -+ -+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_NA; -+ Ia.IaAddressCount = 1; -+ Ia.IaAddress[0].PreferredLifetime = 0x11111111; -+ Ia.IaAddress[0].ValidLifetime = 0x22222222; -+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress; -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ -+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option; -+ -+ Status = Dhcp6AppendOption ( -+ Dhcp6SeekStsOptionTest::Packet, -+ &Option, -+ Dhcp6OptStatusCode, -+ SearchPatternLength, -+ (UINT8 *)&SearchPattern -+ ); -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6SeekStsOptionTest::Packet, -+ &Option, -+ &Ia, -+ 0x12345678, -+ 0x11111111, -+ 0x22222222 -+ ); -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_NA; -+ -+ Option = NULL; -+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option); -+ -+ ASSERT_EQ (Status, EFI_SUCCESS); -+} -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h -new file mode 100644 -index 0000000000..aed3b89082 ---- /dev/null -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h -@@ -0,0 +1,58 @@ -+/** @file -+ Acts as header for private functions under test in Dhcp6Io.c -+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+ -+#ifndef DHCP6_IO_GOOGLE_TEST_H_ -+#define DHCP6_IO_GOOGLE_TEST_H_ -+ -+//////////////////////////////////////////////////////////////////////////////// -+// These are the functions that are being unit tested -+//////////////////////////////////////////////////////////////////////////////// -+ -+#include -+ -+/** -+ Seeks the 
Inner Options from a DHCP6 Option -+ -+ @param[in] IaType The type of the IA option. -+ @param[in] Option The pointer to the DHCP6 Option. -+ @param[in] OptionLen The length of the DHCP6 Option. -+ @param[out] IaInnerOpt The pointer to the IA inner option. -+ @param[out] IaInnerLen The length of the IA inner option. -+ -+ @retval EFI_SUCCESS Seek the inner option successfully. -+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. -+*/ -+EFI_STATUS -+Dhcp6SeekInnerOptionSafe ( -+ UINT16 IaType, -+ UINT8 *Option, -+ UINT32 OptionLen, -+ UINT8 **IaInnerOpt, -+ UINT16 *IaInnerLen -+ ); -+ -+/** -+ Seek StatusCode Option in package. A Status Code option may appear in the -+ options field of a DHCP message and/or in the options field of another option. -+ See details in section 22.13, RFC3315. -+ -+ @param[in] Instance The pointer to the Dhcp6 instance. -+ @param[in] Packet The pointer to reply messages. -+ @param[out] Option The pointer to status code option. -+ -+ @retval EFI_SUCCESS Seek status code option successfully. -+ @retval EFI_DEVICE_ERROR An unexpected error. -+ -+**/ -+EFI_STATUS -+Dhcp6SeekStsOption ( -+ IN DHCP6_INSTANCE *Instance, -+ IN EFI_DHCP6_PACKET *Packet, -+ OUT UINT8 **Option -+ ); -+ -+#endif // DHCP6_IO_GOOGLE_TEST_H -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -index 20bc90b172..24dee654df 100644 ---- a/NetworkPkg/Test/NetworkPkgHostTest.dsc -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -16,6 +16,7 @@ - SKUID_IDENTIFIER = DEFAULT - - !include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc -+ - [Packages] - MdePkg/MdePkg.dec - UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch deleted file mode 100644 index a5ba9c7..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch +++ /dev/null 
@@ -1,1631 +0,0 @@ -From ad79184c7d5d9f95af057b31036167627e92deba Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 8 Feb 2024 10:35:14 -0500 -Subject: [PATCH 01/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 - Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [1/18] 0c3dc6f4652f517fcfbe21a5faab4d1eea934f58 - -JIRA: https://issues.redhat.com/browse/RHEL-21843 -CVE: CVE-2023-45230 -Upstream: Merged - -commit f31453e8d6542461d92d835e0b79fec8b039174d -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:43 2024 +0800 - - NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 - - Bug Details: - PixieFail Bug #2 - CVE-2023-45230 - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H - CWE-119 Improper Restriction of Operations within the Bounds - of a Memory Buffer - - Changes Overview: - > -UINT8 * - > +EFI_STATUS - > Dhcp6AppendOption ( - > - IN OUT UINT8 *Buf, - > - IN UINT16 OptType, - > - IN UINT16 OptLen, - > - IN UINT8 *Data - > + IN OUT EFI_DHCP6_PACKET *Packet, - > + IN OUT UINT8 **PacketCursor, - > + IN UINT16 OptType, - > + IN UINT16 OptLen, - > + IN UINT8 *Data - > ); - - Dhcp6AppendOption() and variants can return errors now. All callsites - are adapted accordingly. - - It gets passed in EFI_DHCP6_PACKET as additional parameter ... - - > + // - > + // Verify the PacketCursor is within the packet - > + // - > + if ( (*PacketCursor < Packet->Dhcp6.Option) - > + || (*PacketCursor >= Packet->Dhcp6.Option + - (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) - > + { - > + return EFI_INVALID_PARAMETER; - > + } - - ... so it can look at Packet->Size when checking buffer space. - Also to allow Packet->Length updates. - - Lots of checks added. 
- - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++ - NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++---------- - NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++----- - NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 82 +++--- - 4 files changed, 668 insertions(+), 239 deletions(-) - -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -index 0eb9c669b5..f2422c2f28 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h -@@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; - #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') - #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') - -+// -+// For more information on DHCP options see RFC 8415, Section 21.1 -+// -+// The format of DHCP options is: -+// -+// 0 1 2 3 -+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | option-code | option-len | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | option-data | -+// | (option-len octets) | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// -+#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) -+#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) -+ -+// -+// Combined size of Code and Length -+// -+#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ -+ DHCP6_SIZE_OF_OPT_LEN) -+ -+STATIC_ASSERT ( -+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN == 4, -+ "Combined size of Code and Length must be 4 per RFC 8415" -+ ); -+ -+// -+// Offset to the length is just past the code -+// -+#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) -+STATIC_ASSERT ( -+ DHCP6_OPT_LEN_OFFSET (0) == 2, -+ "Offset of length is + 2 past start of option" -+ ); -+ -+#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) -+STATIC_ASSERT 
( -+ DHCP6_OPT_DATA_OFFSET (0) == 4, -+ "Offset to option data should be +4 from start of option" -+ ); -+ - #define DHCP6_PACKET_ALL 0 - #define DHCP6_PACKET_STATEFUL 1 - #define DHCP6_PACKET_STATELESS 2 -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -index dcd01e6268..bf5aa7a769 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c -@@ -3,9 +3,9 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation - - SPDX-License-Identifier: BSD-2-Clause-Patent -- - **/ - - #include "Dhcp6Impl.h" -@@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; -@@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption ( -- Cursor, -+ Status = Dhcp6AppendIaOption ( -+ Packet, -+ &Cursor, - Instance->IaCb.Ia, - Instance->IaCb.T1, - Instance->IaCb.T2, - Packet->Dhcp6.Header.MessageType - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - // - // Append user-defined when configurate Dhcp6 service. - // - for (Index = 0; Index < Instance->Config->OptionCount; Index++) { - UserOpt = Instance->Config->OptionList[Index]; -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - UserOpt->OpCode, - UserOpt->OpLen, - UserOpt->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // - // Callback to user with the packet to be sent and check the user's feedback. 
- // - Status = Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg ( - Instance->StartTime = 0; - - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg ( - Elapsed, - Instance->Config->SolicitRetransmission - ); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; -@@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptServerId), - ServerId->Length, - ServerId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption ( -- Cursor, -+ Status = Dhcp6AppendIaOption ( -+ Packet, -+ &Cursor, - Instance->IaCb.Ia, - Instance->IaCb.T1, - Instance->IaCb.T2, - Packet->Dhcp6.Header.MessageType - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - // - // Append user-defined when configurate Dhcp6 service. 
- // - for (Index = 0; Index < Instance->Config->OptionCount; Index++) { - UserOpt = Instance->Config->OptionList[Index]; -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - UserOpt->OpCode, - UserOpt->OpLen, - UserOpt->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // -@@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg ( - Status = Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); - - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg ( - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. - // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE; -@@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = 
Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptServerId), - ServerId->Length, - ServerId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Header.MessageType); -+ Status = Dhcp6AppendIaOption ( -+ Packet, -+ &Cursor, -+ DecIa, -+ 0, -+ 0, -+ Packet->Dhcp6.Header.MessageType -+ ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // - // Callback to user with the packet to be sent and check the user's feedback. - // - Status = Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg ( - Instance->StartTime = 0; - - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. - // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE; -@@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - // - // ServerId is extracted from packet, it's network order. 
- // -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptServerId), - ServerId->Length, - ServerId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Header.MessageType); -+ Status = Dhcp6AppendIaOption ( -+ Packet, -+ &Cursor, -+ RelIa, -+ 0, -+ 0, -+ Packet->Dhcp6.Header.MessageType -+ ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- // -- // Determine the size/length of packet -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // - // Callback to user with the packet to be sent and check the user's feedback. - // - Status = Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg ( - Instance->IaCb.Ia->State = Dhcp6Releasing; - - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. 
- // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; -@@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption ( -- Cursor, -+ Status = Dhcp6AppendIaOption ( -+ Packet, -+ &Cursor, - Instance->IaCb.Ia, - Instance->IaCb.T1, - Instance->IaCb.T2, - Packet->Dhcp6.Header.MessageType - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - if (!RebindRequest) { - // -@@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg ( - Dhcp6OptServerId - ); - if (Option == NULL) { -- FreePool (Packet); -- return EFI_DEVICE_ERROR; -+ Status = EFI_DEVICE_ERROR; -+ goto ON_ERROR; - } - - ServerId = (EFI_DHCP6_DUID *)(Option + 2); - -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptServerId), - ServerId->Length, - ServerId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - - // -@@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg ( - // - for (Index = 0; Index < Instance->Config->OptionCount; Index++) { - UserOpt = Instance->Config->OptionList[Index]; -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ 
&Cursor, - UserOpt->OpCode, - UserOpt->OpLen, - UserOpt->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // -@@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg ( - Event = (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; - - Status = Dhcp6CallbackUser (Instance, Event, &Packet); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg ( - Instance->StartTime = 0; - - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. - // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; -@@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg ( - - if (SendClientId) { - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - OptionRequest->OpCode, - OptionRequest->OpLen, - 
OptionRequest->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - // - // Append user-defined when configurate Dhcp6 service. - // - for (Index = 0; Index < OptionCount; Index++) { - UserOpt = OptionList[Index]; -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - UserOpt->OpCode, - UserOpt->OpLen, - UserOpt->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // -@@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg ( - // Send info-request packet with no state. - // - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. - // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -@@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg ( - // - Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); - if (Packet == NULL) { -- return EFI_OUT_OF_RESOURCES; -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; - } - - Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; -@@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg ( - Cursor = Packet->Dhcp6.Option; - - Length = HTONS (ClientId->Length); -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - HTONS (Dhcp6OptClientId), - Length, - ClientId->Duid - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendETOption ( -- Cursor, -+ Status = Dhcp6AppendETOption ( -+ Packet, -+ &Cursor, - Instance, - &Elapsed - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - -- Cursor = Dhcp6AppendIaOption ( -- Cursor, -+ Status = Dhcp6AppendIaOption ( -+ 
Packet, -+ &Cursor, - Instance->IaCb.Ia, - Instance->IaCb.T1, - Instance->IaCb.T2, - Packet->Dhcp6.Header.MessageType - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - - // - // Append user-defined when configurate Dhcp6 service. - // - for (Index = 0; Index < Instance->Config->OptionCount; Index++) { - UserOpt = Instance->Config->OptionList[Index]; -- Cursor = Dhcp6AppendOption ( -- Cursor, -+ Status = Dhcp6AppendOption ( -+ Packet, -+ &Cursor, - UserOpt->OpCode, - UserOpt->OpLen, - UserOpt->Data - ); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } - } - -- // -- // Determine the size/length of packet. -- // -- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); - ASSERT (Packet->Size > Packet->Length + 8); - - // - // Callback to user with the packet to be sent and check the user's feedback. - // - Status = Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // -@@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg ( - Instance->StartTime = 0; - - Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); -- - if (EFI_ERROR (Status)) { -- FreePool (Packet); -- return Status; -+ goto ON_ERROR; - } - - // - // Enqueue the sent packet for the retransmission in case reply timeout. - // - return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); -+ -+ON_ERROR: -+ -+ if (Packet) { -+ FreePool (Packet); -+ } -+ -+ return Status; - } - - /** -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -index e6368b5b1c..705c665c51 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c -@@ -577,24 +577,33 @@ Dhcp6OnTransmitted ( - } - - /** -- Append the option to Buf, and move Buf to the end. -+ Append the option to Buf, update the length of packet, and move Buf to the end. - -- @param[in, out] Buf The pointer to the buffer. -- @param[in] OptType The option type. 
-- @param[in] OptLen The length of option contents. -- @param[in] Data The pointer to the option content. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. -+ @param[in] OptType The option type. -+ @param[in] OptLen The length of option contents. -+ @param[in] Data The pointer to the option content. - -- @return Buf The position to append the next option. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. - - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendOption ( -- IN OUT UINT8 *Buf, -- IN UINT16 OptType, -- IN UINT16 OptLen, -- IN UINT8 *Data -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN UINT16 OptType, -+ IN UINT16 OptLen, -+ IN UINT8 *Data - ) - { -+ UINT32 Length; -+ UINT32 BytesNeeded; -+ - // - // The format of Dhcp6 option: - // -@@ -607,35 +616,95 @@ Dhcp6AppendOption ( - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - -- ASSERT (OptLen != 0); -+ // -+ // Verify the arguments are valid -+ // -+ if (Packet == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (Data == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (OptLen == 0) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Verify the PacketCursor is within the packet -+ // -+ if ( (*PacketCursor < Packet->Dhcp6.Option) -+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -+ { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Calculate the bytes needed for the option -+ // -+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen); -+ -+ // -+ // Space 
remaining in the packet -+ // -+ Length = Packet->Size - Packet->Length; -+ if (Length < BytesNeeded) { -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ -+ // -+ // Verify the PacketCursor is within the packet -+ // -+ if ( (*PacketCursor < Packet->Dhcp6.Option) -+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -+ { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; -+ CopyMem (*PacketCursor, Data, NTOHS (OptLen)); -+ *PacketCursor += NTOHS (OptLen); - -- WriteUnaligned16 ((UINT16 *)Buf, OptType); -- Buf += 2; -- WriteUnaligned16 ((UINT16 *)Buf, OptLen); -- Buf += 2; -- CopyMem (Buf, Data, NTOHS (OptLen)); -- Buf += NTOHS (OptLen); -+ // Update the packet length by the length of the option + 4 bytes -+ Packet->Length += BytesNeeded; - -- return Buf; -+ return EFI_SUCCESS; - } - - /** - Append the appointed IA Address option to Buf, and move Buf to the end. - -- @param[in, out] Buf The pointer to the position to append. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. - @param[in] IaAddr The pointer to the IA Address. - @param[in] MessageType Message type of DHCP6 package. - -- @return Buf The position to append the next option. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. 
- - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendIaAddrOption ( -- IN OUT UINT8 *Buf, -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, - IN EFI_DHCP6_IA_ADDRESS *IaAddr, - IN UINT32 MessageType - ) - { -+ UINT32 BytesNeeded; -+ UINT32 Length; -+ - // The format of the IA Address option is: - // - // 0 1 2 3 -@@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption ( - // . . - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -+ // -+ // Verify the arguments are valid -+ // -+ if (Packet == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (IaAddr == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Verify the PacketCursor is within the packet -+ // -+ if ( (*PacketCursor < Packet->Dhcp6.Option) -+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -+ { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; -+ BytesNeeded += sizeof (EFI_IPv6_ADDRESS); -+ // -+ // Even if the preferred-lifetime is 0, it still needs to store it. -+ // -+ BytesNeeded += sizeof (IaAddr->PreferredLifetime); -+ // -+ // Even if the valid-lifetime is 0, it still needs to store it. 
-+ // -+ BytesNeeded += sizeof (IaAddr->ValidLifetime); -+ -+ // -+ // Space remaining in the packet -+ // -+ Length = Packet->Size - Packet->Length; -+ if (Length < BytesNeeded) { -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ - // - // Fill the value of Ia Address option type - // -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr)); -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr)); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; - -- CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); -- Buf += sizeof (EFI_IPv6_ADDRESS); -+ CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); -+ *PacketCursor += sizeof (EFI_IPv6_ADDRESS); - - // - // Fill the value of preferred-lifetime and valid-lifetime. -@@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption ( - // should set to 0 when initiate a Confirm message. - // - if (MessageType != Dhcp6MsgConfirm) { -- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime)); -+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime)); - } - -- Buf += 4; -+ *PacketCursor += sizeof (IaAddr->PreferredLifetime); - - if (MessageType != Dhcp6MsgConfirm) { -- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime)); -+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime)); - } - -- Buf += 4; -+ *PacketCursor += sizeof (IaAddr->ValidLifetime); -+ -+ // -+ // Update the packet length -+ // -+ Packet->Length += BytesNeeded; - -- return Buf; -+ return EFI_SUCCESS; - } - - /** - Append the appointed Ia option to Buf, and move Buf to the end. - -- @param[in, out] Buf The pointer to the position to append. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. 
-+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. - @param[in] Ia The pointer to the Ia. - @param[in] T1 The time of T1. - @param[in] T2 The time of T2. - @param[in] MessageType Message type of DHCP6 package. - -- @return Buf The position to append the next Ia option. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. - - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendIaOption ( -- IN OUT UINT8 *Buf, -- IN EFI_DHCP6_IA *Ia, -- IN UINT32 T1, -- IN UINT32 T2, -- IN UINT32 MessageType -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN EFI_DHCP6_IA *Ia, -+ IN UINT32 T1, -+ IN UINT32 T2, -+ IN UINT32 MessageType - ) - { -- UINT8 *AddrOpt; -- UINT16 *Len; -- UINTN Index; -+ UINT8 *AddrOpt; -+ UINT16 *Len; -+ UINTN Index; -+ UINT32 BytesNeeded; -+ UINT32 Length; -+ EFI_STATUS Status; - - // - // The format of IA_NA and IA_TA option: -@@ -733,32 +859,74 @@ Dhcp6AppendIaOption ( - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - -+ // -+ // Verify the arguments are valid -+ // -+ if (Packet == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (Ia == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Verify the PacketCursor is within the packet -+ // -+ if ( (*PacketCursor < Packet->Dhcp6.Option) -+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -+ { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; -+ BytesNeeded += sizeof (Ia->Descriptor.IaId); -+ // -+ // + N for the IA_NA-options/IA_TA-options -+ // Dhcp6AppendIaAddrOption will need to check the length for each address -+ // -+ if 
(Ia->Descriptor.Type == Dhcp6OptIana) { -+ BytesNeeded += sizeof (T1) + sizeof (T2); -+ } -+ -+ // -+ // Space remaining in the packet -+ // -+ Length = (UINT16)(Packet->Size - Packet->Length); -+ if (Length < BytesNeeded) { -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ - // - // Fill the value of Ia option type - // -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type)); -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type)); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - - // - // Fill the len of Ia option later, keep the pointer first - // -- Len = (UINT16 *)Buf; -- Buf += 2; -+ Len = (UINT16 *)*PacketCursor; -+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; - - // - // Fill the value of iaid - // -- WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId)); -- Buf += 4; -+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId)); -+ *PacketCursor += sizeof (Ia->Descriptor.IaId); - - // - // Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specified. - // - if (Ia->Descriptor.Type == Dhcp6OptIana) { -- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 != 0) ? T1 : 0xffffffff)); -- Buf += 4; -- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 != 0) ? T2 : 0xffffffff)); -- Buf += 4; -+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff)); -+ *PacketCursor += sizeof (T1); -+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? 
T2 : 0xffffffff)); -+ *PacketCursor += sizeof (T2); - } - - // -@@ -766,35 +934,51 @@ Dhcp6AppendIaOption ( - // - for (Index = 0; Index < Ia->IaAddressCount; Index++) { - AddrOpt = (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS); -- Buf = Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType); -+ Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } - } - - // - // Fill the value of Ia option length - // -- *Len = HTONS ((UINT16)(Buf - (UINT8 *)Len - 2)); -+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); - -- return Buf; -+ // -+ // Update the packet length -+ // -+ Packet->Length += BytesNeeded; -+ -+ return EFI_SUCCESS; - } - - /** - Append the appointed Elapsed time option to Buf, and move Buf to the end. - -- @param[in, out] Buf The pointer to the position to append. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. - @param[in] Instance The pointer to the Dhcp6 instance. - @param[out] Elapsed The pointer to the elapsed time value in -- the generated packet. -+ the generated packet. - -- @return Buf The position to append the next Ia option. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. 
- - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendETOption ( -- IN OUT UINT8 *Buf, -- IN DHCP6_INSTANCE *Instance, -- OUT UINT16 **Elapsed -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN DHCP6_INSTANCE *Instance, -+ OUT UINT16 **Elapsed - ) - { -+ UINT32 BytesNeeded; -+ UINT32 Length; -+ - // - // The format of elapsed time option: - // -@@ -806,27 +990,70 @@ Dhcp6AppendETOption ( - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - -+ // -+ // Verify the arguments are valid -+ // -+ if (Packet == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (Instance == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((Elapsed == NULL)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Verify the PacketCursor is within the packet -+ // -+ if ( (*PacketCursor < Packet->Dhcp6.Option) -+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) -+ { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; -+ // -+ // + 2 for elapsed-time -+ // -+ BytesNeeded += sizeof (UINT16); -+ // -+ // Space remaining in the packet -+ // -+ Length = Packet->Size - Packet->Length; -+ if (Length < BytesNeeded) { -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ - // - // Fill the value of elapsed-time option type. - // -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime)); -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime)); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - - // - // Fill the len of elapsed-time option, which is fixed. - // -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (2)); -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2)); -+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; - - // - // Fill in elapsed time value with 0 value for now. The actual value is - // filled in later just before the packet is transmitted. 
- // -- WriteUnaligned16 ((UINT16 *)Buf, HTONS (0)); -- *Elapsed = (UINT16 *)Buf; -- Buf += 2; -+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0)); -+ *Elapsed = (UINT16 *)*PacketCursor; -+ *PacketCursor += sizeof (UINT16); - -- return Buf; -+ Packet->Length += BytesNeeded; -+ -+ return EFI_SUCCESS; - } - - /** -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h -index 046454ff4a..06947f6c1f 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h -@@ -160,69 +160,85 @@ Dhcp6OnTransmitted ( - ); - - /** -- Append the appointed option to the buf, and move the buf to the end. -- -- @param[in, out] Buf The pointer to buffer. -- @param[in] OptType The option type. -- @param[in] OptLen The length of option content.s -- @param[in] Data The pointer to the option content. -- -- @return Buf The position to append the next option. -- -+ Append the option to Buf, update the length of packet, and move Buf to the end. -+ -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. -+ @param[in] OptType The option type. -+ @param[in] OptLen The length of option contents. -+ @param[in] Data The pointer to the option content. -+ -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendOption ( -- IN OUT UINT8 *Buf, -- IN UINT16 OptType, -- IN UINT16 OptLen, -- IN UINT8 *Data -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN UINT16 OptType, -+ IN UINT16 OptLen, -+ IN UINT8 *Data - ); - - /** -- Append the Ia option to Buf, and move Buf to the end. -- -- @param[in, out] Buf The pointer to the position to append. 
-+ Append the appointed Ia option to Buf, update the Ia option length, and move Buf -+ to the end of the option. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ will be updated. -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. - @param[in] Ia The pointer to the Ia. - @param[in] T1 The time of T1. - @param[in] T2 The time of T2. - @param[in] MessageType Message type of DHCP6 package. - -- @return Buf The position to append the next Ia option. -- -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendIaOption ( -- IN OUT UINT8 *Buf, -- IN EFI_DHCP6_IA *Ia, -- IN UINT32 T1, -- IN UINT32 T2, -- IN UINT32 MessageType -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN EFI_DHCP6_IA *Ia, -+ IN UINT32 T1, -+ IN UINT32 T2, -+ IN UINT32 MessageType - ); - - /** - Append the appointed Elapsed time option to Buf, and move Buf to the end. - -- @param[in, out] Buf The pointer to the position to append. -+ @param[in, out] Packet A pointer to the packet, on success Packet->Length -+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor -+ will be moved to the end of the option. - @param[in] Instance The pointer to the Dhcp6 instance. - @param[out] Elapsed The pointer to the elapsed time value in - the generated packet. - -- @return Buf The position to append the next Ia option. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. 
- - **/ --UINT8 * -+EFI_STATUS - Dhcp6AppendETOption ( -- IN OUT UINT8 *Buf, -- IN DHCP6_INSTANCE *Instance, -- OUT UINT16 **Elapsed -+ IN OUT EFI_DHCP6_PACKET *Packet, -+ IN OUT UINT8 **PacketCursor, -+ IN DHCP6_INSTANCE *Instance, -+ OUT UINT16 **Elapsed - ); - - /** - Set the elapsed time based on the given instance and the pointer to the - elapsed time option. - -- @param[in] Elapsed The pointer to the position to append. -- @param[in] Instance The pointer to the Dhcp6 instance. -+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid -+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. -+ @retval EFI_SUCCESS The option is appended successfully. - **/ - VOID - SetElapsedTime ( --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch b/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch deleted file mode 100644 index f4d0419..0000000 --- a/SOURCES/edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch +++ /dev/null 
@@ -1,630 +0,0 @@ -From c4b0517aaa38857640b4b08b55803ae8a833c1e7 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 8 Feb 2024 10:35:14 -0500 -Subject: [PATCH 03/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 - Unit Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [3/18] 0fe85bcd3683b2424bcd91ad1495d1b79eb07405 - -JIRA: https://issues.redhat.com/browse/RHEL-21843 -CVE: CVE-2023-45230 -Upstream: Merged - -commit 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc -Author: Doug Flick via groups.io -Date: Fri Jan 26 05:54:45 2024 +0800 - - NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535 - - Confirms that reported issue... - - "Buffer overflow in the DHCPv6 client via a long Server ID option" - - ..has been corrected by the provided patch. - - Tests the following functions to ensure they appropriately handle - untrusted data (either too long or too small) to prevent a buffer - overflow: - - Dhcp6AppendOption - Dhcp6AppendETOption - Dhcp6AppendIaOption - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - .../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 + - .../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++ - .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++ - NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + - 4 files changed, 542 insertions(+) - create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp - create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf - create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp - -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp -new file mode 100644 -index 0000000000..9aeced2f91 ---- /dev/null -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp -@@ -0,0 +1,20 @@ -+/** @file -+ Acts as the main entry point for the tests for the Dhcp6Dxe module. -+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+//////////////////////////////////////////////////////////////////////////////// -+// Run the tests -+//////////////////////////////////////////////////////////////////////////////// -+int -+main ( -+ int argc, -+ char *argv[] -+ ) -+{ -+ testing::InitGoogleTest (&argc, argv); -+ return RUN_ALL_TESTS (); -+} -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -new file mode 100644 -index 0000000000..8e9119a371 ---- /dev/null -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -@@ -0,0 +1,43 @@ -+## @file -+# Unit test suite for the Dhcp6Dxe using Google Test -+# -+# Copyright (c) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+[Defines] -+ INF_VERSION = 0x00010017 -+ BASE_NAME = Dhcp6DxeGoogleTest -+ FILE_GUID = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9 -+ VERSION_STRING = 1.0 -+ MODULE_TYPE = HOST_APPLICATION -+# -+# The following information is for reference only and not required by the build tools. -+# -+# VALID_ARCHITECTURES = IA32 X64 AARCH64 -+# -+[Sources] -+ Dhcp6DxeGoogleTest.cpp -+ Dhcp6IoGoogleTest.cpp -+ ../Dhcp6Io.c -+ ../Dhcp6Utility.c -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ MdeModulePkg/MdeModulePkg.dec -+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec -+ NetworkPkg/NetworkPkg.dec -+ -+[LibraryClasses] -+ GoogleTestLib -+ DebugLib -+ NetLib -+ PcdLib -+ -+[Protocols] -+ gEfiDhcp6ServiceBindingProtocolGuid -+ -+[Pcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType -+ -+[Guids] -+ gZeroGuid -diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp -new file mode 100644 -index 0000000000..7ee40e4af4 ---- /dev/null -+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp -@@ -0,0 +1,478 @@ -+/** @file -+ Tests for Dhcp6Io.c. 
-+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+extern "C" { -+ #include -+ #include -+ #include -+ #include -+ #include "../Dhcp6Impl.h" -+ #include "../Dhcp6Utility.h" -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Defines -+//////////////////////////////////////////////////////////////////////// -+ -+#define DHCP6_PACKET_MAX_LEN 1500 -+ -+//////////////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////////////// -+// Symbol Definitions -+// These functions are not directly under test - but required to compile -+//////////////////////////////////////////////////////////////////////// -+ -+// This definition is used by this test but is also required to compile -+// by Dhcp6Io.c -+EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress = { -+ { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 } -+}; -+ -+EFI_STATUS -+EFIAPI -+UdpIoSendDatagram ( -+ IN UDP_IO *UdpIo, -+ IN NET_BUF *Packet, -+ IN UDP_END_POINT *EndPoint OPTIONAL, -+ IN EFI_IP_ADDRESS *Gateway OPTIONAL, -+ IN UDP_IO_CALLBACK CallBack, -+ IN VOID *Context -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+EFI_STATUS -+EFIAPI -+UdpIoRecvDatagram ( -+ IN UDP_IO *UdpIo, -+ IN UDP_IO_CALLBACK CallBack, -+ IN VOID *Context, -+ IN UINT32 HeadLen -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Dhcp6AppendOptionTest Tests -+//////////////////////////////////////////////////////////////////////// -+ -+class Dhcp6AppendOptionTest : public ::testing::Test { -+public: -+ UINT8 *Buffer = NULL; -+ EFI_DHCP6_PACKET *Packet; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Initialize any resources or variables -+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); -+ ASSERT_NE (Buffer, (UINT8 *)NULL); -+ -+ Packet = (EFI_DHCP6_PACKET 
*)Buffer; -+ Packet->Size = DHCP6_PACKET_MAX_LEN; -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ if (Buffer != NULL) { -+ FreePool (Buffer); -+ } -+ } -+}; -+ -+// Test Description: -+// Attempt to append an option to a packet that is too small by a duid that is too large -+TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) { -+ UINT8 *Cursor; -+ EFI_DHCP6_DUID *UntrustedDuid; -+ EFI_STATUS Status; -+ -+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID)); -+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL); -+ -+ UntrustedDuid->Length = NTOHS (0xFFFF); -+ -+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option; -+ -+ Status = Dhcp6AppendOption ( -+ Dhcp6AppendOptionTest::Packet, -+ &Cursor, -+ HTONS (Dhcp6OptServerId), -+ UntrustedDuid->Length, -+ UntrustedDuid->Duid -+ ); -+ -+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); -+} -+ -+// Test Description: -+// Attempt to append an option to a packet that is large enough -+TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) { -+ UINT8 *Cursor; -+ EFI_DHCP6_DUID *UntrustedDuid; -+ EFI_STATUS Status; -+ UINTN OriginalLength; -+ -+ UINT8 Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 }; -+ -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ OriginalLength = Packet->Length; -+ -+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID)); -+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL); -+ -+ UntrustedDuid->Length = NTOHS (sizeof (Duid)); -+ CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid)); -+ -+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option; -+ -+ Status = Dhcp6AppendOption ( -+ Dhcp6AppendOptionTest::Packet, -+ &Cursor, -+ HTONS (Dhcp6OptServerId), -+ UntrustedDuid->Length, -+ UntrustedDuid->Duid -+ ); -+ -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ // verify that the pointer to cursor moved by the expected amount -+ ASSERT_EQ (Cursor, (UINT8 
*)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4); -+ -+ // verify that the length of the packet is now the expected amount -+ ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4); -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Dhcp6AppendETOption Tests -+//////////////////////////////////////////////////////////////////////// -+ -+class Dhcp6AppendETOptionTest : public ::testing::Test { -+public: -+ UINT8 *Buffer = NULL; -+ EFI_DHCP6_PACKET *Packet; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Initialize any resources or variables -+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); -+ ASSERT_NE (Buffer, (UINT8 *)NULL); -+ -+ Packet = (EFI_DHCP6_PACKET *)Buffer; -+ Packet->Size = DHCP6_PACKET_MAX_LEN; -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ if (Buffer != NULL) { -+ FreePool (Buffer); -+ } -+ } -+}; -+ -+// Test Description: -+// Attempt to append an option to a packet that is too small by a duid that is too large -+TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ DHCP6_INSTANCE Instance; -+ UINT16 ElapsedTimeVal; -+ UINT16 *ElapsedTime; -+ -+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option; -+ ElapsedTime = &ElapsedTimeVal; -+ -+ Packet->Length = Packet->Size - 2; -+ -+ Status = Dhcp6AppendETOption ( -+ Dhcp6AppendETOptionTest::Packet, -+ &Cursor, -+ &Instance, // Instance is not used in this function -+ &ElapsedTime -+ ); -+ -+ // verify that we error out because the packet is too small for the option header -+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); -+ -+ // reset the length -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+} -+ -+// Test Description: -+// Attempt to append an option to a packet that is large 
enough -+TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ DHCP6_INSTANCE Instance; -+ UINT16 ElapsedTimeVal; -+ UINT16 *ElapsedTime; -+ UINTN ExpectedSize; -+ UINTN OriginalLength; -+ -+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option; -+ ElapsedTime = &ElapsedTimeVal; -+ ExpectedSize = 6; -+ OriginalLength = Packet->Length; -+ -+ Status = Dhcp6AppendETOption ( -+ Dhcp6AppendETOptionTest::Packet, -+ &Cursor, -+ &Instance, // Instance is not used in this function -+ &ElapsedTime -+ ); -+ -+ // verify that the status is EFI_SUCCESS -+ ASSERT_EQ (Status, EFI_SUCCESS); -+ -+ // verify that the pointer to cursor moved by the expected amount -+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize); -+ -+ // verify that the length of the packet is now the expected amount -+ ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize); -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Dhcp6AppendIaOption Tests -+//////////////////////////////////////////////////////////////////////// -+ -+class Dhcp6AppendIaOptionTest : public ::testing::Test { -+public: -+ UINT8 *Buffer = NULL; -+ EFI_DHCP6_PACKET *Packet; -+ EFI_DHCP6_IA *Ia; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Initialize any resources or variables -+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN); -+ ASSERT_NE (Buffer, (UINT8 *)NULL); -+ -+ Packet = (EFI_DHCP6_PACKET *)Buffer; -+ Packet->Size = DHCP6_PACKET_MAX_LEN; -+ -+ Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2); -+ ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL); -+ -+ CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS)); -+ CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS)); -+ -+ Ia->IaAddressCount = 2; -+ } -+ -+ // Add any 
cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ if (Buffer != NULL) { -+ FreePool (Buffer); -+ } -+ -+ if (Ia != NULL) { -+ FreePool (Ia); -+ } -+ } -+}; -+ -+// Test Description: -+// Attempt to append an option to a packet that doesn't have enough space -+// for the option header -+TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ -+ Packet->Length = Packet->Size - 2; -+ -+ Ia->Descriptor.Type = Dhcp6OptIana; -+ Ia->Descriptor.IaId = 0x12345678; -+ -+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; -+ -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6AppendIaOptionTest::Packet, -+ &Cursor, -+ Ia, -+ 0x12345678, -+ 0x11111111, -+ Dhcp6OptIana -+ ); -+ -+ // verify that we error out because the packet is too small for the option header -+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); -+ -+ // reset the length -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+} -+ -+// Test Description: -+// Attempt to append an option to a packet that doesn't have enough space -+// for the option header -+TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ -+ // Use up nearly all the space in the packet -+ Packet->Length = Packet->Size - 2; -+ -+ Ia->Descriptor.Type = Dhcp6OptIata; -+ Ia->Descriptor.IaId = 0x12345678; -+ -+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; -+ -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6AppendIaOptionTest::Packet, -+ &Cursor, -+ Ia, -+ 0, -+ 0, -+ Dhcp6OptIata -+ ); -+ -+ // verify that we error out because the packet is too small for the option header -+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL); -+ -+ // reset the length -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+} -+ -+TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ UINTN ExpectedSize; -+ UINTN OriginalLength; -+ -+ // -+ // 2 bytes for the option 
header type -+ // -+ ExpectedSize = 2; -+ // -+ // 2 bytes for the option header length -+ // -+ ExpectedSize += 2; -+ // -+ // 4 bytes for the IAID -+ // -+ ExpectedSize += 4; -+ // -+ // + 4 bytes for the T1 -+ // -+ ExpectedSize += 4; -+ // -+ // + 4 bytes for the T2 -+ // -+ ExpectedSize += 4; -+ // -+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; -+ // + 2 bytes for the option header type -+ // + 2 bytes for the option header length -+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address -+ // -+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; -+ -+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; -+ -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ OriginalLength = Packet->Length; -+ -+ Ia->Descriptor.Type = Dhcp6OptIana; -+ Ia->Descriptor.IaId = 0x12345678; -+ -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6AppendIaOptionTest::Packet, -+ &Cursor, -+ Ia, -+ 0x12345678, -+ 0x12345678, -+ Dhcp6OptIana -+ ); -+ -+ // verify that the pointer to cursor moved by the expected amount -+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize); -+ -+ // verify that the length of the packet is now the expected amount -+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize); -+ -+ // verify that the status is EFI_SUCCESS -+ ASSERT_EQ (Status, EFI_SUCCESS); -+} -+ -+TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) { -+ UINT8 *Cursor; -+ EFI_STATUS Status; -+ UINTN ExpectedSize; -+ UINTN OriginalLength; -+ -+ // -+ // 2 bytes for the option header type -+ // -+ ExpectedSize = 2; -+ // -+ // 2 bytes for the option header length -+ // -+ ExpectedSize += 2; -+ // -+ // 4 bytes for the IAID -+ // -+ ExpectedSize += 4; -+ // -+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; -+ // + 2 bytes for the option header type -+ // + 2 bytes for the option header length -+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address -+ // -+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2; -+ -+ Cursor 
= Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option; -+ -+ Packet->Length = sizeof (EFI_DHCP6_HEADER); -+ OriginalLength = Packet->Length; -+ -+ Ia->Descriptor.Type = Dhcp6OptIata; -+ Ia->Descriptor.IaId = 0x12345678; -+ -+ Status = Dhcp6AppendIaOption ( -+ Dhcp6AppendIaOptionTest::Packet, -+ &Cursor, -+ Ia, -+ 0, -+ 0, -+ Dhcp6OptIata -+ ); -+ -+ // verify that the pointer to cursor moved by the expected amount -+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize); -+ -+ // verify that the length of the packet is now the expected amount -+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize); -+ -+ // verify that the status is EFI_SUCCESS -+ ASSERT_EQ (Status, EFI_SUCCESS); -+} -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -index 1aeca5c5b3..20bc90b172 100644 ---- a/NetworkPkg/Test/NetworkPkgHostTest.dsc -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -24,6 +24,7 @@ - # - # Build HOST_APPLICATION that tests NetworkPkg - # -+ NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf - - # Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests. - [LibraryClasses] --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch b/SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch index d94f7ca..415a914 100644 --- a/SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch +++ b/SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch @@ -1,12 +1,12 @@ -From 07d8292cce31630859b9e3138078d8cc8412a72f Mon Sep 17 00:00:00 2001 +From c5f142e26ea5e892a63ed35ca952c8b583a9f8c1 Mon Sep 17 00:00:00 2001 
From: Oliver Steffen Date: Wed, 14 Aug 2024 09:53:49 +0200 -Subject: [PATCH 3/3] NetworkPkg/DxeNetLib: Reword PseudoRandom error logging +Subject: [PATCH 2/2] NetworkPkg/DxeNetLib: Reword PseudoRandom error logging RH-Author: Oliver Steffen -RH-MergeRequest: 82: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging -RH-Jira: RHEL-54188 -RH-Commit: [2/2] acea6a5fd931cdb6854c69a4e3c6e49caed83e68 +RH-MergeRequest: 67: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging +RH-Jira: RHEL-45899 +RH-Commit: [2/2] 0d465ca0ea00598e6826446cd08e890c2ae4bea7 (osteffen/edk2) The word "Failed" is used when logging tired Rng algorithms. These mostly non-critical messages confused some users. diff --git a/SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch b/SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch index 3921ae6..18fb2ab 100644 --- a/SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch +++ b/SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch @@ -1,12 +1,12 @@ -From 537128fa22e410dac59b149ed11264731f09765b Mon Sep 17 00:00:00 2001 +From 7cbd00792445ad50e861e4835cdb5ba60466aae3 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 19 Jun 2024 09:07:56 +0200 -Subject: [PATCH 2/3] NetworkPkg/DxeNetLib: adjust PseudoRandom error logging +Subject: [PATCH 1/2] NetworkPkg/DxeNetLib: adjust PseudoRandom error logging RH-Author: Oliver Steffen -RH-MergeRequest: 82: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging -RH-Jira: RHEL-54188 -RH-Commit: [1/2] 5c4699fd88b0ebcf7fe8b7e3a3895bf772aebdb3 +RH-MergeRequest: 67: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging +RH-Jira: RHEL-45899 +RH-Commit: [1/2] 15135d672cef4310cb29f8a55146f36b2ee1f15d (osteffen/edk2) There is a list of allowed rng algorithms, if /one/ of them is not supported this is not a problem, only /all/ of them failing is an 
diff --git a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch b/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch deleted file mode 100644 index bbda006..0000000 --- a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch +++ /dev/null @@ -1,78 +0,0 @@ -From d51f47c8654f44a787d70b675830ebc7a4ea74f6 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 15 Feb 2024 11:51:09 -0500 -Subject: [PATCH 06/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [6/18] 58ad218f1216ac1ea34ca01ef8cc21e207e2eaf2 - -JIRA: https://issues.redhat.com/browse/RHEL-21845 -CVE: CVE-2022-45231 -Upstream: Merged - -commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd -Author: Doug Flick -Date: Fri Jan 26 05:54:48 2024 +0800 - - NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 - - Bug Overview: - PixieFail Bug #3 - CVE-2023-45231 - CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - CWE-125 Out-of-bounds Read - - Out-of-bounds read when handling a ND Redirect message with truncated - options - - Change Overview: - - Adds a check to prevent truncated options from being parsed - + // - + // Cannot process truncated options. - + // Cannot process options with a length of 0 as there is no Type - field. - + // - + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { - + return FALSE; - + } - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c -index 199eea124d..8718d5d875 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Option.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c -@@ -137,6 +137,14 @@ Ip6IsNDOptionValid ( - return FALSE; - } - -+ // -+ // Cannot process truncated options. -+ // Cannot process options with a length of 0 as there is no Type field. -+ // -+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) { -+ return FALSE; -+ } -+ - Offset = 0; - - // --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch b/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch deleted file mode 100644 index 307d160..0000000 --- a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch +++ /dev/null 
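Review bot: Removing this backport leaves the `OptionLen < sizeof (IP6_OPTION_HEADER)` guard in `Ip6IsNDOptionValid` dependent on the rebased edk2 source already carrying it, and nothing in this part of the diff records that it does. The deleted patch names upstream commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd as its origin, so the commit message or package changelog should say so, for example `- drop CVE-2023-45231 backport, included in rebase (upstream bbfee34f4188)`. The same applies to the CVE-2023-45232 / CVE-2023-45233 patch deleted further down (upstream 4df0229ef992d4f2721a8508787ebf9dc81fbd6e) and to the unit-test patches that go with both. Presumably the drop accompanies a source rebase; checking that `NetworkPkg/Ip6Dxe/Ip6Option.c` in the new tree still has the guard before merging would confirm it.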
@@ -1,277 +0,0 @@ -From a5757e84bd77ad98580c50ba81da2d1daf0f147a Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 14 Feb 2024 12:24:44 -0500 -Subject: [PATCH 07/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit - Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [7/18] 57d08b408b30ea98de1e5dfd74f8892b66c0867c - -JIRA: https://issues.redhat.com/browse/RHEL-21845 -CVE: CVE-2022-45231 -Upstream: Merged - -commit 6f77463d72807ec7f4ed6518c3dac29a1040df9f -Author: Doug Flick -Date: Fri Jan 26 05:54:49 2024 +0800 - - NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 - - Validates that the patch for... - - Out-of-bounds read when handling a ND Redirect message with truncated - options - - .. has been fixed - - Tests the following function to ensure that an out of bounds read does - not occur - Ip6OptionValidation - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp | 20 +++ - .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 42 ++++++ - .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++ - NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + - 4 files changed, 192 insertions(+) - create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp - create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf - create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp - -diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp -new file mode 100644 -index 0000000000..6ebfd5fdfb ---- /dev/null -+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp -@@ -0,0 +1,20 @@ -+/** @file -+ Acts as the main entry point for the tests for the Ip6Dxe module. -+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+//////////////////////////////////////////////////////////////////////////////// -+// Run the tests -+//////////////////////////////////////////////////////////////////////////////// -+int -+main ( -+ int argc, -+ char *argv[] -+ ) -+{ -+ testing::InitGoogleTest (&argc, argv); -+ return RUN_ALL_TESTS (); -+} -diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -new file mode 100644 -index 0000000000..6e4de0745f ---- /dev/null -+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -@@ -0,0 +1,42 @@ -+## @file -+# Unit test suite for the Ip6Dxe using Google Test -+# -+# Copyright (c) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+[Defines] -+ INF_VERSION = 0x00010017 -+ BASE_NAME = Ip6DxeUnitTest -+ FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A -+ VERSION_STRING = 1.0 -+ MODULE_TYPE = HOST_APPLICATION -+# -+# The following information is for reference only and not required by the build tools. -+# -+# VALID_ARCHITECTURES = IA32 X64 AARCH64 -+# -+[Sources] -+ Ip6DxeGoogleTest.cpp -+ Ip6OptionGoogleTest.cpp -+ ../Ip6Option.c -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ MdeModulePkg/MdeModulePkg.dec -+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec -+ NetworkPkg/NetworkPkg.dec -+ -+[LibraryClasses] -+ GoogleTestLib -+ DebugLib -+ NetLib -+ PcdLib -+ -+[Protocols] -+ gEfiDhcp6ServiceBindingProtocolGuid -+ -+[Pcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType -+ -+[Guids] -+ gZeroGuid -diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp -new file mode 100644 -index 0000000000..f2cd90e1a9 ---- /dev/null -+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp -@@ -0,0 +1,129 @@ -+/** @file -+ Tests for Ip6Option.c. 
-+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+extern "C" { -+ #include -+ #include -+ #include -+ #include "../Ip6Impl.h" -+ #include "../Ip6Option.h" -+} -+ -+///////////////////////////////////////////////////////////////////////// -+// Defines -+/////////////////////////////////////////////////////////////////////// -+ -+#define IP6_PREFIX_INFO_OPTION_DATA_LEN 32 -+#define OPTION_HEADER_IP6_PREFIX_DATA_LEN (sizeof (IP6_OPTION_HEADER) + IP6_PREFIX_INFO_OPTION_DATA_LEN) -+ -+//////////////////////////////////////////////////////////////////////// -+// Symbol Definitions -+// These functions are not directly under test - but required to compile -+//////////////////////////////////////////////////////////////////////// -+UINT32 mIp6Id; -+ -+EFI_STATUS -+Ip6SendIcmpError ( -+ IN IP6_SERVICE *IpSb, -+ IN NET_BUF *Packet, -+ IN EFI_IPv6_ADDRESS *SourceAddress OPTIONAL, -+ IN EFI_IPv6_ADDRESS *DestinationAddress, -+ IN UINT8 Type, -+ IN UINT8 Code, -+ IN UINT32 *Pointer OPTIONAL -+ ) -+{ -+ // .. 
-+ return EFI_SUCCESS; -+} -+ -+//////////////////////////////////////////////////////////////////////// -+// Ip6OptionValidation Tests -+//////////////////////////////////////////////////////////////////////// -+ -+// Define a fixture for your tests if needed -+class Ip6OptionValidationTest : public ::testing::Test { -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ // Initialize any resources or variables -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ // Clean up any resources or variables -+ } -+}; -+ -+// Test Description: -+// Null option should return false -+TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) { -+ UINT8 *option = nullptr; -+ UINT16 optionLen = 10; // Provide a suitable length -+ -+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); -+} -+ -+// Test Description: -+// Truncated option should return false -+TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) { -+ UINT8 option[] = { 0x01 }; // Provide a truncated option -+ UINT16 optionLen = 1; -+ -+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); -+} -+ -+// Test Description: -+// Ip6OptionPrefixInfo Option with zero length should return false -+TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) { -+ IP6_OPTION_HEADER optionHeader; -+ -+ optionHeader.Type = Ip6OptionPrefixInfo; -+ optionHeader.Length = 0; -+ UINT8 option[sizeof (IP6_OPTION_HEADER)]; -+ -+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); -+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER); -+ -+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); -+} -+ -+// Test Description: -+// Ip6OptionPrefixInfo Option with valid length should return true -+TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) { -+ IP6_OPTION_HEADER optionHeader; -+ -+ optionHeader.Type = Ip6OptionPrefixInfo; -+ optionHeader.Length = 4; // Length 4 * 8 = 32 -+ UINT8 
option[OPTION_HEADER_IP6_PREFIX_DATA_LEN]; -+ -+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); -+ -+ EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN)); -+} -+ -+// Test Description: -+// Ip6OptionPrefixInfo Option with invalid length should return false -+TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse) { -+ IP6_OPTION_HEADER optionHeader; -+ -+ optionHeader.Type = Ip6OptionPrefixInfo; -+ optionHeader.Length = 3; // Length 3 * 8 = 24 (Invalid) -+ UINT8 option[sizeof (IP6_OPTION_HEADER)]; -+ -+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER)); -+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER); -+ -+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen)); -+} -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -index 24dee654df..7fa7b0f9d5 100644 ---- a/NetworkPkg/Test/NetworkPkgHostTest.dsc -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -26,6 +26,7 @@ - # Build HOST_APPLICATION that tests NetworkPkg - # - NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf -+ NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf - - # Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests. - [LibraryClasses] --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch b/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch deleted file mode 100644 index d70602f..0000000 --- a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch +++ /dev/null 
@@ -1,377 +0,0 @@ -From ff4f1d8227c6c4c89060e24df37defec6d7a07e2 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 15 Feb 2024 11:51:09 -0500 -Subject: [PATCH 08/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [8/18] c7bf831954da5b678450f1ba8e34371645959c81 - -JIRA: https://issues.redhat.com/browse/RHEL-21847 -CVE: CVE-2022-45232 -Upstream: Merged - -JIRA: https://issues.redhat.com/browse/RHEL-21849 -CVE: CVE-2022-45233 -Upstream: Merged - -commit 4df0229ef992d4f2721a8508787ebf9dc81fbd6e -Author: Doug Flick -Date: Fri Jan 26 05:54:50 2024 +0800 - - NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 - - Bug Details: - PixieFail Bug #4 - CVE-2023-45232 - CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') - - Infinite loop when parsing unknown options in the Destination Options - header - - PixieFail Bug #5 - CVE-2023-45233 - CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') - - Infinite loop when parsing a PadN option in the Destination Options - header - - Change Overview: - - Most importantly this change corrects the following incorrect math - and cleans up the code. 
- - > // It is a PadN option - > // - > - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2); - > + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; - > + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); - - > case Ip6OptionSkip: - > - Offset = (UINT8)(Offset + *(Option + Offset + 1)); - > OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; - > Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); - - Additionally, this change also corrects incorrect math where the calling - function was calculating the HDR EXT optionLen as a uint8 instead of a - uint16 - - > - OptionLen = (UINT8)((*Option + 1) * 8 - 2); - > + OptionLen = IP6_HDR_EXT_LEN (*Option) - - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN; - - Additionally this check adds additional logic to santize the incoming - data - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Ip6Dxe/Ip6Nd.h | 35 ++++++++++++++++ - NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++++++++++++++++++++++++++++++----- - NetworkPkg/Ip6Dxe/Ip6Option.h | 71 ++++++++++++++++++++++++++++++++ - 3 files changed, 171 insertions(+), 11 deletions(-) - -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h -index 860934a167..bf64e9114e 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h -@@ -56,13 +56,48 @@ VOID - VOID *Context - ); - -+// -+// Per RFC8200 Section 4.2 -+// -+// Two of the currently-defined extension headers -- the Hop-by-Hop -+// Options header and the Destination Options header -- carry a variable -+// number of type-length-value (TLV) encoded "options", of the following -+// format: -+// -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - -+// | Option Type | Opt Data Len | Option Data -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - -+// -+// Option Type 8-bit identifier of the type of option. -+// -+// Opt Data Len 8-bit unsigned integer. Length of the Option -+// Data field of this option, in octets. -+// -+// Option Data Variable-length field. Option-Type-specific -+// data. -+// - typedef struct _IP6_OPTION_HEADER { -+ /// -+ /// identifier of the type of option. -+ /// - UINT8 Type; -+ /// -+ /// Length of the Option Data field of this option, in octets. -+ /// - UINT8 Length; -+ /// -+ /// Option-Type-specific data. 
-+ /// - } IP6_OPTION_HEADER; - - STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long."); - -+#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + sizeof(IP6_OPTION_HEADER) + length) -+STATIC_ASSERT ( -+ IP6_NEXT_OPTION_OFFSET (0, 0) == 2, -+ "The next option is minimally the combined size of the option tag and length" -+ ); -+ - typedef struct _IP6_ETHE_ADDR_OPTION { - UINT8 Type; - UINT8 Length; -diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c -index 8718d5d875..fd97ce116f 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Option.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c -@@ -17,7 +17,8 @@ - @param[in] IpSb The IP6 service data. - @param[in] Packet The to be validated packet. - @param[in] Option The first byte of the option. -- @param[in] OptionLen The length of the whole option. -+ @param[in] OptionLen The length of all options, expressed in byte length of octets. -+ Maximum length is 2046 bytes or ((n + 1) * 8) - 2 where n is 255. - @param[in] Pointer Identifies the octet offset within - the invoking packet where the error was detected. 
- -@@ -31,12 +32,33 @@ Ip6IsOptionValid ( - IN IP6_SERVICE *IpSb, - IN NET_BUF *Packet, - IN UINT8 *Option, -- IN UINT8 OptionLen, -+ IN UINT16 OptionLen, - IN UINT32 Pointer - ) - { -- UINT8 Offset; -- UINT8 OptionType; -+ UINT16 Offset; -+ UINT8 OptionType; -+ UINT8 OptDataLen; -+ -+ if (Option == NULL) { -+ ASSERT (Option != NULL); -+ return FALSE; -+ } -+ -+ if ((OptionLen <= 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) { -+ ASSERT (OptionLen > 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH); -+ return FALSE; -+ } -+ -+ if (Packet == NULL) { -+ ASSERT (Packet != NULL); -+ return FALSE; -+ } -+ -+ if (IpSb == NULL) { -+ ASSERT (IpSb != NULL); -+ return FALSE; -+ } - - Offset = 0; - -@@ -54,7 +76,8 @@ Ip6IsOptionValid ( - // - // It is a PadN option - // -- Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2); -+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length; -+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); - break; - case Ip6OptionRouterAlert: - // -@@ -69,7 +92,8 @@ Ip6IsOptionValid ( - // - switch (OptionType & Ip6OptionMask) { - case Ip6OptionSkip: -- Offset = (UINT8)(Offset + *(Option + Offset + 1)); -+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length; -+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); - break; - case Ip6OptionDiscard: - return FALSE; -@@ -308,7 +332,7 @@ Ip6IsExtsValid ( - UINT32 Pointer; - UINT32 Offset; - UINT8 *Option; -- UINT8 OptionLen; -+ UINT16 OptionLen; - BOOLEAN Flag; - UINT8 CountD; - UINT8 CountA; -@@ -385,6 +409,36 @@ Ip6IsExtsValid ( - // Fall through - // - case IP6_DESTINATION: -+ // -+ // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23 -+ // -+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ // | Next Header | Hdr Ext Len | | -+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + -+ // | | -+ // . . -+ // . Options . -+ // . . -+ // | | -+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ // -+ // -+ // Next Header 8-bit selector. 
Identifies the type of header -+ // immediately following the Destination Options -+ // header. Uses the same values as the IPv4 -+ // Protocol field [RFC-1700 et seq.]. -+ // -+ // Hdr Ext Len 8-bit unsigned integer. Length of the -+ // Destination Options header in 8-octet units, not -+ // including the first 8 octets. -+ // -+ // Options Variable-length field, of length such that the -+ // complete Destination Options header is an -+ // integer multiple of 8 octets long. Contains one -+ // or more TLV-encoded options, as described in -+ // section 4.2. -+ // -+ - if (*NextHeader == IP6_DESTINATION) { - CountD++; - } -@@ -398,7 +452,7 @@ Ip6IsExtsValid ( - - Offset++; - Option = ExtHdrs + Offset; -- OptionLen = (UINT8)((*Option + 1) * 8 - 2); -+ OptionLen = IP6_HDR_EXT_LEN (*Option) - sizeof (IP6_EXT_HDR); - Option++; - Offset++; - -@@ -430,7 +484,7 @@ Ip6IsExtsValid ( - // - // Ignore the routing header and proceed to process the next header. - // -- Offset = Offset + (RoutingHead->HeaderLen + 1) * 8; -+ Offset = Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen); - - if (UnFragmentLen != NULL) { - *UnFragmentLen = Offset; -@@ -441,7 +495,7 @@ Ip6IsExtsValid ( - // to the packet's source address, pointing to the unrecognized routing - // type. - // -- Pointer = Offset + 2 + sizeof (EFI_IP6_HEADER); -+ Pointer = Offset + sizeof (IP6_EXT_HDR) + sizeof (EFI_IP6_HEADER); - if ((IpSb != NULL) && (Packet != NULL) && - !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress)) - { -@@ -527,7 +581,7 @@ Ip6IsExtsValid ( - // - // RFC2402, Payload length is specified in 32-bit words, minus "2". 
- // -- OptionLen = (UINT8)((*Option + 2) * 4); -+ OptionLen = ((UINT16)(*Option + 2) * 4); - Offset = Offset + OptionLen; - break; - -diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h -index bd8e223c8a..fb07c28f5a 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Option.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Option.h -@@ -12,6 +12,77 @@ - - #define IP6_FRAGMENT_OFFSET_MASK (~0x3) - -+// -+// For more information see RFC 8200, Section 4.3, 4.4, and 4.6 -+// -+// This example format is from section 4.6 -+// This does not apply to fragment headers -+// -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// | Next Header | Hdr Ext Len | | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + -+// | | -+// . . -+// . Header-Specific Data . -+// . . -+// | | -+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+// -+// Next Header 8-bit selector. Identifies the type of -+// header immediately following the extension -+// header. Uses the same values as the IPv4 -+// Protocol field [IANA-PN]. -+// -+// Hdr Ext Len 8-bit unsigned integer. Length of the -+// Destination Options header in 8-octet units, -+// not including the first 8 octets. -+ -+// -+// These defines apply to the following: -+// 1. Hop by Hop -+// 2. Routing -+// 3. Destination -+// -+typedef struct _IP6_EXT_HDR { -+ /// -+ /// The Next Header field identifies the type of header immediately -+ /// -+ UINT8 NextHeader; -+ /// -+ /// The Hdr Ext Len field specifies the length of the Hop-by-Hop Options -+ /// -+ UINT8 HdrExtLen; -+ /// -+ /// Header-Specific Data -+ /// -+} IP6_EXT_HDR; -+ -+STATIC_ASSERT ( -+ sizeof (IP6_EXT_HDR) == 2, -+ "The combined size of Next Header and Len is two 8 bit fields" -+ ); -+ -+// -+// IPv6 extension headers contain an 8-bit length field which describes the size of -+// the header. However, the length field only includes the size of the extension -+// header options, not the size of the first 8 bytes of the header. 
Therefore, in -+// order to calculate the full size of the extension header, we add 1 (to account -+// for the first 8 bytes omitted by the length field reporting) and then multiply -+// by 8 (since the size is represented in 8-byte units). -+// -+// a is the length field of the extension header (UINT8) -+// The result may be up to 2046 octets (UINT16) -+// -+#define IP6_HDR_EXT_LEN(a) (((UINT16)((UINT8)(a)) + 1) * 8) -+ -+// This is the maxmimum length permissible by a extension header -+// Length is UINT8 of 8 octets not including the first 8 octets -+#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - sizeof(IP6_EXT_HDR)) -+STATIC_ASSERT ( -+ IP6_MAX_EXT_DATA_LENGTH == 2046, -+ "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2" -+ ); -+ - typedef struct _IP6_FRAGMENT_HEADER { - UINT8 NextHeader; - UINT8 Reserved; --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch b/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch deleted file mode 100644 index 6d2cd51..0000000 --- a/SOURCES/edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch +++ /dev/null 
@@ -1,430 +0,0 @@ -From dab03ad5334af1c93797119f2eeda6ce757461f8 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 14 Feb 2024 20:25:29 -0500 -Subject: [PATCH 09/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit - Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [9/18] f68829a7f34f5a09a02d28cc5cfd109f90c442da - -JIRA: https://issues.redhat.com/browse/RHEL-21847 -CVE: CVE-2022-45232 -Upstream: Merged - -commit c9c87f08dd6ace36fa843424522c3558a8374cac -Author: Doug Flick -Date: Fri Jan 26 05:54:51 2024 +0800 - - NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 - - Unit tests to confirm that.. - Infinite loop when parsing unknown options in the Destination Options - header - - and - - Infinite loop when parsing a PadN option in the Destination Options - header - - ... have been patched - - This patch tests the following functions: - Ip6IsOptionValid - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 10 +- - .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 278 ++++++++++++++++++ - .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h | 40 +++ - 3 files changed, 324 insertions(+), 4 deletions(-) - create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h - -diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -index 6e4de0745f..ba29dbabad 100644 ---- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -@@ -1,13 +1,13 @@ - ## @file --# Unit test suite for the Ip6Dxe using Google Test -+# Unit test suite for the Ip6DxeGoogleTest using Google Test - # - # Copyright (c) Microsoft Corporation.
- # SPDX-License-Identifier: BSD-2-Clause-Patent
- ##
- [Defines]
- INF_VERSION = 0x00010017
-- BASE_NAME = Ip6DxeUnitTest
-- FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
-+ BASE_NAME = Ip6DxeGoogleTest
-+ FILE_GUID = AE39981C-B7FE-41A8-A9C2-F41910477CA3
- VERSION_STRING = 1.0
- MODULE_TYPE = HOST_APPLICATION
- #
-@@ -16,9 +16,11 @@
- # VALID_ARCHITECTURES = IA32 X64 AARCH64
- #
- [Sources]
-+ ../Ip6Option.c
-+ Ip6OptionGoogleTest.h
- Ip6DxeGoogleTest.cpp
- Ip6OptionGoogleTest.cpp
-- ../Ip6Option.c
-+ Ip6OptionGoogleTest.h
-
- [Packages]
- MdePkg/MdePkg.dec
-diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
-index f2cd90e1a9..29f8a4a96e 100644
---- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
-+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
-@@ -12,6 +12,7 @@ extern "C" {
- #include
- #include "../Ip6Impl.h"
- #include "../Ip6Option.h"
-+ #include "Ip6OptionGoogleTest.h"
- }
-
- /////////////////////////////////////////////////////////////////////////
-@@ -127,3 +128,280 @@ TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse)
-
- EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
- }
-+
-+////////////////////////////////////////////////////////////////////////
-+// Ip6IsOptionValid Tests
-+////////////////////////////////////////////////////////////////////////
-+
-+// Define a fixture for your tests if needed
-+class Ip6IsOptionValidTest : public ::testing::Test {
-+protected:
-+ // Add any setup code if needed
-+ virtual void
-+ SetUp (
-+ )
-+ {
-+ // Initialize any resources or variables
-+ }
-+
-+ // Add any cleanup code if needed
-+ virtual void
-+ TearDown (
-+ )
-+ {
-+ // Clean up any resources or variables
-+ }
-+};
-+
-+// Test Description
-+// Verify that a NULL option is Invalid
-+TEST_F (Ip6IsOptionValidTest, NullOptionShouldReturnTrue) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ IP6_SERVICE *IpSb = NULL;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ EXPECT_FALSE (Ip6IsOptionValid (IpSb, &Packet, NULL, 0, 0));
-+}
-+
-+// Test Description
-+// Verify that an unknown option with a length of 0 and type of does not cause an infinite loop
-+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength0) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = 23; // Unknown Option
-+ optionHeader.Length = 0; // This will cause an infinite loop if the function is not working correctly
-+
-+ // This should be a valid option even though the length is 0
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify that an unknown option with a length of 1 and type of does not cause an infinite loop
-+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength1) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = 23; // Unknown Option
-+ optionHeader.Length = 1; // This will cause an infinite loop if the function is not working correctly
-+
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify that an unknown option with a length of 2 and type of does not cause an infinite loop
-+TEST_F (Ip6IsOptionValidTest, VerifyIpSkipUnknownOption) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = 23; // Unknown Option
-+ optionHeader.Length = 2; // Valid length for an unknown option
-+
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify that Ip6OptionPad1 is valid with a length of 0
-+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPad1) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = Ip6OptionPad1;
-+ optionHeader.Length = 0;
-+
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify that Ip6OptionPadN doesn't overflow with various lengths
-+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPadN) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = Ip6OptionPadN;
-+ optionHeader.Length = 0xFF;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFE;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFD;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFC;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify an unknown option doesn't cause an infinite loop with various lengths
-+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLengthAttemptOverflow) {
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ IP6_OPTION_HEADER optionHeader;
-+
-+ optionHeader.Type = 23; // Unknown Option
-+ optionHeader.Length = 0xFF;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFE;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFD;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+
-+ optionHeader.Length = 0xFC;
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
-+}
-+
-+// Test Description
-+// Verify that the function supports multiple options
-+TEST_F (Ip6IsOptionValidTest, MultiOptionSupport) {
-+ UINT16 HdrLen;
-+ NET_BUF Packet = { 0 };
-+ // we need to define enough of the packet to make the function work
-+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
-+ UINT32 DeadCode = 0xDeadC0de;
-+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
-+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
-+
-+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
-+ EFI_IP6_HEADER Ip6Header = { 0 };
-+
-+ Ip6Header.SourceAddress = SourceAddress;
-+ Ip6Header.DestinationAddress = DestinationAddress;
-+ Packet.Ip.Ip6 = &Ip6Header;
-+
-+ UINT8 ExtHdr[1024] = { 0 };
-+ UINT8 *Cursor = ExtHdr;
-+ IP6_OPTION_HEADER *Option = (IP6_OPTION_HEADER *)ExtHdr;
-+
-+ // Let's start chaining options
-+
-+ Option->Type = 23; // Unknown Option
-+ Option->Length = 0xFC;
-+
-+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
-+
-+ Option = (IP6_OPTION_HEADER *)Cursor;
-+ Option->Type = Ip6OptionPad1;
-+
-+ Cursor += sizeof (1);
-+
-+ // Type and length aren't processed, instead it just moves the pointer forward by 4 bytes
-+ Option = (IP6_OPTION_HEADER *)Cursor;
-+ Option->Type = Ip6OptionRouterAlert;
-+ Option->Length = 4;
-+
-+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
-+
-+ Option = (IP6_OPTION_HEADER *)Cursor;
-+ Option->Type = Ip6OptionPadN;
-+ Option->Length = 0xFC;
-+
-+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
-+
-+ Option = (IP6_OPTION_HEADER *)Cursor;
-+ Option->Type = Ip6OptionRouterAlert;
-+ Option->Length = 4;
-+
-+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
-+
-+ // Total 524
-+
-+ HdrLen = (UINT16)(Cursor - ExtHdr);
-+
-+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, ExtHdr, HdrLen, 0));
-+}
-diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
-new file mode 100644
-index 0000000000..0509b6ae30
---- /dev/null
-+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
-@@ -0,0 +1,40 @@
-+/** @file
-+ Exposes the functions needed to test the Ip6Option module.
-+
-+ Copyright (c) Microsoft Corporation
-+ SPDX-License-Identifier: BSD-2-Clause-Patent
-+**/
-+
-+#ifndef IP6_OPTION_HEADER_GOOGLE_TEST_H_
-+#define IP6_OPTION_HEADER_GOOGLE_TEST_H_
-+
-+#include
-+#include "../Ip6Impl.h"
-+
-+/**
-+ Validate the IP6 option format for both the packets we received
-+ and that we will transmit. It will compute the ICMPv6 error message fields
-+ if the option is malformatted.
-+
-+ @param[in] IpSb The IP6 service data.
-+ @param[in] Packet The to be validated packet.
-+ @param[in] Option The first byte of the option.
-+ @param[in] OptionLen The length of the whole option.
-+ @param[in] Pointer Identifies the octet offset within
-+ the invoking packet where the error was detected.
-+
-+
-+ @retval TRUE The option is properly formatted.
-+ @retval FALSE The option is malformatted.
-+
-+**/
-+BOOLEAN
-+Ip6IsOptionValid (
-+ IN IP6_SERVICE *IpSb,
-+ IN NET_BUF *Packet,
-+ IN UINT8 *Option,
-+ IN UINT16 OptionLen,
-+ IN UINT32 Pointer
-+ );
-+
-+#endif // __IP6_OPTION_HEADER_GOOGLE_TEST_H__
---
-2.39.3
-
diff --git a/SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch b/SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
deleted file mode 100644
index ecd2133..0000000
--- a/SOURCES/edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
+++ /dev/null
@@ -1,1299 +0,0 @@
-From 87165171b47990d6c3a9aea4d7794702df5dd0ea Mon Sep 17 00:00:00 2001
-From: Jon Maloy
-Date: Tue, 11 Jun 2024 15:19:39 -0400
-Subject: [PATCH 1/8] NetworkPkg: SECURITY PATCH CVE-2023-45237
-
-RH-Author: Jon Maloy
-RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237
-RH-Jira: RHEL-40270 RHEL-40272
-RH-Acked-by: Gerd Hoffmann
-RH-Commit: [1/8] 9ec136cf9042d3b41d01b9caeb66406cee9f23d9
-
-JIRA: https://issues.redhat.com/browse/RHEL-40270
-Upstream: Merged
-CVE: CVE-2023-45237
-
-commit 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345
-Author: Doug Flick
-Date: Wed May 8 22:56:28 2024 -0700
-
- NetworkPkg: SECURITY PATCH CVE-2023-45237
-
- REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542
-
- Bug Overview:
- PixieFail Bug #9
- CVE-2023-45237
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-
- Use of a Weak PseudoRandom Number Generator
-
- Change Overview:
-
- Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either
-
- >
- > EFI_STATUS
- > EFIAPI
- > PseudoRandomU32 (
- > OUT UINT32 *Output
- > );
- >
-
- or (depending on the use case)
-
- >
- > EFI_STATUS
- > EFIAPI
- > PseudoRandom (
- > OUT VOID *Output,
- > IN UINTN OutputLength
- > );
- >
-
- This is because the use of
-
- Example:
-
- The following code snippet PseudoRandomU32 () function is used:
-
- >
- > UINT32 Random;
- >
- > Status = PseudoRandomU32 (&Random);
- > if (EFI_ERROR (Status)) {
- > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n",
- __func__, Status));
- > return Status;
- > }
- >
- This also introduces a new PCD to enable/disable the use of the
- secure implementation of algorithms for PseudoRandom () and
- instead depend on the default implementation. This may be required for
- some platforms where the UEFI Spec defined algorithms are not available.
-
- >
- > PcdEnforceSecureRngAlgorithms
- >
-
- If the platform does not have any one of the UEFI defined
- secure RNG algorithms then the driver will assert.
-
- Cc: Saloni Kasbekar
- Cc: Zachary Clark-williams
-
- Signed-off-by: Doug Flick [MSFT]
- Reviewed-by: Saloni Kasbekar
-
-Signed-off-by: Jon Maloy
----
- NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +-
- NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +-
- NetworkPkg/DnsDxe/DnsDhcp.c | 10 +-
- NetworkPkg/DnsDxe/DnsImpl.c | 11 +-
- NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +-
- NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++-
- NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +--
- NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +-
- NetworkPkg/Include/Library/NetLib.h | 40 +++++--
- NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +-
- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +-
- NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++-
- NetworkPkg/Ip6Dxe/Ip6If.c | 12 +-
- NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +-
- NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 +++++-
- NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +-
- NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 ++++++++++++++++++---
- NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++-
- NetworkPkg/NetworkPkg.dec | 7 ++
- NetworkPkg/SecurityFixes.yaml | 39 +++++++
- NetworkPkg/TcpDxe/TcpDriver.c | 15 ++-
- NetworkPkg/TcpDxe/TcpDxe.inf | 3 +
- NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +-
- NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +-
- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +-
- 27 files changed, 410 insertions(+), 83 deletions(-)
-
-diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-index 8c37e93be3..892caee368 100644
---- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
-@@ -1,6 +1,7 @@
- /** @file
-
- Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -189,6 +190,13 @@ Dhcp4CreateService (
- {
- DHCP_SERVICE *DhcpSb;
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- *Service = NULL;
- DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE));
-@@ -203,7 +211,7 @@ Dhcp4CreateService (
- DhcpSb->Image = ImageHandle;
- InitializeListHead (&DhcpSb->Children);
- DhcpSb->DhcpState = Dhcp4Stopped;
-- DhcpSb->Xid = NET_RANDOM (NetRandomInitSeed ());
-+ DhcpSb->Xid = Random;
- CopyMem (
- &DhcpSb->ServiceBinding,
- &mDhcp4ServiceBindingTemplate,
-diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-index b591a4605b..e7f2787a98 100644
---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
-@@ -3,7 +3,7 @@
- implementation for Dhcp6 Driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -123,6 +123,13 @@ Dhcp6CreateService (
- {
- DHCP6_SERVICE *Dhcp6Srv;
- EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- *Service = NULL;
- Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE));
-@@ -147,7 +154,7 @@ Dhcp6CreateService (
- Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE;
- Dhcp6Srv->Controller = Controller;
- Dhcp6Srv->Image = ImageHandle;
-- Dhcp6Srv->Xid = (0xffffff & NET_RANDOM (NetRandomInitSeed ()));
-+ Dhcp6Srv->Xid = (0xffffff & Random);
-
- CopyMem (
- &Dhcp6Srv->ServiceBinding,
-diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c
-index 933565a32d..9eb3c1d2d8 100644
---- a/NetworkPkg/DnsDxe/DnsDhcp.c
-+++ b/NetworkPkg/DnsDxe/DnsDhcp.c
-@@ -2,6 +2,7 @@
- Functions implementation related with DHCPv4/v6 for DNS driver.
-
- Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 (
- EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token;
- BOOLEAN IsDone;
- UINTN Index;
-+ UINT32 Random;
-
- Image = Instance->Service->ImageHandle;
- Controller = Instance->Service->ControllerHandle;
-@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 (
- Data = NULL;
- InterfaceInfo = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- ZeroMem ((UINT8 *)ParaList, sizeof (ParaList));
-
- ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA));
-@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 (
-
- Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet);
-
-- Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ()));
-+ Token.Packet->Dhcp4.Header.Xid = Random;
-
- Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000);
-
-diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
-index d311812800..c2629bb8df 100644
---- a/NetworkPkg/DnsDxe/DnsImpl.c
-+++ b/NetworkPkg/DnsDxe/DnsImpl.c
-@@ -2,6 +2,7 @@
- DnsDxe support functions implementation.
-
- Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -1963,6 +1964,14 @@ ConstructDNSQuery (
- NET_FRAGMENT Frag;
- DNS_HEADER *DnsHeader;
- DNS_QUERY_SECTION *DnsQuery;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // Messages carried by UDP are restricted to 512 bytes (not counting the IP
-@@ -1977,7 +1986,7 @@ ConstructDNSQuery (
- // Fill header
- //
- DnsHeader = (DNS_HEADER *)Frag.Bulk;
-- DnsHeader->Identification = (UINT16)NET_RANDOM (NetRandomInitSeed ());
-+ DnsHeader->Identification = (UINT16)Random;
- DnsHeader->Flags.Uint16 = 0x0000;
- DnsHeader->Flags.Bits.RD = 1;
- DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD;
-diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-index b22cef4ff5..f964515b0f 100644
---- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
-@@ -2,6 +2,7 @@
- Functions implementation related with DHCPv6 for HTTP boot driver.
-
- Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr (
- UINT32 OptCount;
- UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE];
- EFI_STATUS Status;
-+ UINT32 Random;
-
- Dhcp6 = Private->Dhcp6;
- ASSERT (Dhcp6 != NULL);
-@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr (
- OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer);
- ASSERT (OptCount > 0);
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION));
- if (Retransmit == NULL) {
- return EFI_OUT_OF_RESOURCES;
-@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr (
- Config.IaInfoEvent = NULL;
- Config.RapidCommit = FALSE;
- Config.ReconfigureAccept = FALSE;
-- Config.IaDescriptor.IaId = NET_RANDOM (NetRandomInitSeed ());
-+ Config.IaDescriptor.IaId = Random;
- Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA;
- Config.SolicitRetransmission = Retransmit;
- Retransmit->Irt = 4;
-diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
-index b507f11cd4..bebb1ac29b 100644
---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
-+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
-@@ -3,6 +3,7 @@
- Configuration.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -576,16 +577,24 @@ IScsiCHAPToSendReq (
- //
- // CHAP_I=
- //
-- IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
-+ Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
-+ if (EFI_ERROR (Status)) {
-+ break;
-+ }
-+
- AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);
- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);
- //
- // CHAP_C=
- //
-- IScsiGenRandom (
-- (UINT8 *)AuthData->OutChallenge,
-- AuthData->Hash->DigestSize
-- );
-+ Status = IScsiGenRandom (
-+ (UINT8 *)AuthData->OutChallenge,
-+ AuthData->Hash->DigestSize
-+ );
-+ if (EFI_ERROR (Status)) {
-+ break;
-+ }
-+
- BinToHexStatus = IScsiBinToHex (
- (UINT8 *)AuthData->OutChallenge,
- AuthData->Hash->DigestSize,
-diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
-index 78dc5c73d3..2159b84949 100644
---- a/NetworkPkg/IScsiDxe/IScsiMisc.c
-+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
-@@ -2,6 +2,7 @@
- Miscellaneous routines for iSCSI driver.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -474,20 +475,17 @@ IScsiNetNtoi (
- @param[in, out] Rand The buffer to contain random numbers.
- @param[in] RandLength The length of the Rand buffer.
-
-+ @retval EFI_SUCCESS on success
-+ @retval others on error
-+
- **/
--VOID
-+EFI_STATUS
- IScsiGenRandom (
- IN OUT UINT8 *Rand,
- IN UINTN RandLength
- )
- {
-- UINT32 Random;
--
-- while (RandLength > 0) {
-- Random = NET_RANDOM (NetRandomInitSeed ());
-- *Rand++ = (UINT8)(Random);
-- RandLength--;
-- }
-+ return PseudoRandom (Rand, RandLength);
- }
-
- /**
-diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
-index a951eee70e..91b2cd2261 100644
---- a/NetworkPkg/IScsiDxe/IScsiMisc.h
-+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
-@@ -2,6 +2,7 @@
- Miscellaneous definitions for iSCSI driver.
-
- Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -202,8 +203,11 @@ IScsiNetNtoi (
- @param[in, out] Rand The buffer to contain random numbers.
- @param[in] RandLength The length of the Rand buffer.
-
-+ @retval EFI_SUCCESS on success
-+ @retval others on error
-+
- **/
--VOID
-+EFI_STATUS
- IScsiGenRandom (
- IN OUT UINT8 *Rand,
- IN UINTN RandLength
-diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h
-index 8c0e62b388..e8108b79db 100644
---- a/NetworkPkg/Include/Library/NetLib.h
-+++ b/NetworkPkg/Include/Library/NetLib.h
-@@ -3,6 +3,7 @@
- It provides basic functions for the UEFI network stack.
-
- Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr;
- #define TICKS_PER_MS 10000U
- #define TICKS_PER_SECOND 10000000U
-
--#define NET_RANDOM(Seed) ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL)
--
- /**
- Extract a UINT32 from a byte stream.
-
-@@ -580,19 +579,40 @@ NetPutUint32 (
- );
-
- /**
-- Initialize a random seed using current time and monotonic count.
-+ Generate a Random output data given a length.
-
-- Get current time and monotonic count first. Then initialize a random seed
-- based on some basic mathematics operation on the hour, day, minute, second,
-- nanosecond and year of the current time and the monotonic count value.
-+ @param[out] Output - The buffer to store the generated random data.
-+ @param[in] OutputLength - The length of the output buffer.
-
-- @return The random seed initialized with current time.
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-
-+ @return Status code
- **/
--UINT32
-+EFI_STATUS
- EFIAPI
--NetRandomInitSeed (
-- VOID
-+PseudoRandom (
-+ OUT VOID *Output,
-+ IN UINTN OutputLength
-+ );
-+
-+/**
-+ Generate a 32-bit pseudo-random number.
-+
-+ @param[out] Output - The buffer to store the generated random number.
-+
-+ @retval EFI_SUCCESS On Success
-+ @retval EFI_NOT_FOUND RNG protocol not found
-+ @retval Others Error from RngProtocol->GetRNG()
-+
-+ @return Status code
-+**/
-+EFI_STATUS
-+EFIAPI
-+PseudoRandomU32 (
-+ OUT UINT32 *Output
- );
-
- #define NET_LIST_USER_STRUCT(Entry, Type, Field) \
-diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c
-index ec483ff01f..683423f38d 100644
---- a/NetworkPkg/Ip4Dxe/Ip4Driver.c
-+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c
-@@ -2,6 +2,7 @@
- The driver binding and service binding protocol for IP4 driver.
-
- Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-@@ -549,11 +550,18 @@ Ip4DriverBindingStart (
- EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;
- UINTN Index;
- IP4_CONFIG2_DATA_ITEM *DataItem;
-+ UINT32 Random;
-
- IpSb = NULL;
- Ip4Cfg2 = NULL;
- DataItem = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- //
- // Test for the Ip4 service binding protocol
- //
-@@ -653,7 +661,7 @@ Ip4DriverBindingStart (
- //
- // Initialize the IP4 ID
- //
-- mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ());
-+ mIp4Id = (UINT16)Random;
-
- return Status;
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-index 70e232ce6c..4c1354d26c 100644
---- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
-@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance (
- UINTN Index;
- UINT16 IfIndex;
- IP6_CONFIG_DATA_ITEM *DataItem;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance);
-
-@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance (
- // The NV variable is not set, so generate a random IAID, and write down the
- // fresh new configuration as the NV variable now.
- //
-- Instance->IaId = NET_RANDOM (NetRandomInitSeed ());
-+ Instance->IaId = Random;
-
- for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) {
- Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31));
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c
-index b483a7d136..cbe011dad4 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Driver.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c
-@@ -3,7 +3,7 @@
-
- Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -316,7 +316,11 @@ Ip6CreateService (
- IpSb->CurHopLimit = IP6_HOP_LIMIT;
- IpSb->LinkMTU = IP6_MIN_LINK_MTU;
- IpSb->BaseReachableTime = IP6_REACHABLE_TIME;
-- Ip6UpdateReachableTime (IpSb);
-+ Status = Ip6UpdateReachableTime (IpSb);
-+ if (EFI_ERROR (Status)) {
-+ goto ON_ERROR;
-+ }
-+
- //
- // RFC4861 RETRANS_TIMER: 1,000 milliseconds
- //
-@@ -516,11 +520,18 @@ Ip6DriverBindingStart (
- EFI_STATUS Status;
- EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg;
- IP6_CONFIG_DATA_ITEM *DataItem;
-+ UINT32 Random;
-
- IpSb = NULL;
- Ip6Cfg = NULL;
- DataItem = NULL;
-
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-+
- //
- // Test for the Ip6 service binding protocol
- //
-@@ -656,7 +667,7 @@ Ip6DriverBindingStart (
- //
- // Initialize the IP6 ID
- //
-- mIp6Id = NET_RANDOM (NetRandomInitSeed ());
-+ mIp6Id = Random;
-
- return EFI_SUCCESS;
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c
-index 4629c05f25..f3d11c4d21 100644
---- a/NetworkPkg/Ip6Dxe/Ip6If.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6If.c
-@@ -2,7 +2,7 @@
- Implement IP6 pseudo interface.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -89,6 +89,14 @@ Ip6SetAddress (
- IP6_PREFIX_LIST_ENTRY *PrefixEntry;
- UINT64 Delay;
- IP6_DELAY_JOIN_LIST *DelayNode;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE);
-
-@@ -164,7 +172,7 @@ Ip6SetAddress (
- // Thus queue the address to be processed in Duplicate Address Detection module
- // after the delay time (in milliseconds).
- //
-- Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ());
-+ Delay = (UINT64)Random;
- Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS);
- Delay = RShiftU64 (Delay, 32);
-
-diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c
-index e6b2b653e2..498a118543 100644
---- a/NetworkPkg/Ip6Dxe/Ip6Mld.c
-+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c
-@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer (
- IN OUT IP6_MLD_GROUP *Group
- )
- {
-- UINT32 Delay;
-+ UINT32 Delay;
-+ EFI_STATUS Status;
-+ UINT32 Random;
-+
-+ Status = PseudoRandomU32 (&Random);
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+ return Status;
-+ }
-
- //
- // If the Query packet specifies a Maximum Response Delay of zero, perform timer
-@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer (
- // is less than the remaining value of the running timer.
- // - if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) { -- Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ()); -+ Group->DelayTimer = Delay / 4294967295UL * Random; - } - - return EFI_SUCCESS; -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c -index c10c7017f8..72aa45c10f 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c -@@ -2,7 +2,7 @@ - Implementation of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; - - @param[in, out] IpSb Points to the IP6_SERVICE. - -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ) - { -- UINT32 Random; -+ UINT32 Random; -+ EFI_STATUS Status; - -- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; - Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED; - IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE; -+ -+ return EFI_SUCCESS; - } - - /** -@@ -972,10 +983,17 @@ Ip6InitDADProcess ( - IP6_SERVICE *IpSb; - EFI_STATUS Status; - UINT32 MaxDelayTick; -+ UINT32 Random; - - NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE); - ASSERT (AddressInfo != NULL); - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Do nothing if we have already started DAD on the address. - // -@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( - Entry->Transmit = 0; - Entry->Receive = 0; - MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS; -- Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5; -+ Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5; - Entry->AddressInfo = AddressInfo; - Entry->Callback = Callback; - Entry->Context = Context; -@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( - // in BaseReachableTime and recompute a ReachableTime. 
- // - IpSb->BaseReachableTime = ReachableTime; -- Ip6UpdateReachableTime (IpSb); -+ Status = Ip6UpdateReachableTime (IpSb); -+ if (EFI_ERROR (Status)) { -+ goto Exit; -+ } - } - - if (RetransTimer != 0) { -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h -index bf64e9114e..5795e23c7d 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h -@@ -2,7 +2,7 @@ - Definition of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -780,10 +780,10 @@ Ip6OnArpResolved ( - /** - Update the ReachableTime in IP6 service binding instance data, in milliseconds. - -- @param[in, out] IpSb Points to the IP6_SERVICE. -- -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ); -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -index fd4a9e15a8..01c13c08d2 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -@@ -3,6 +3,7 @@ - - Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - -@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - #include -+#include - - #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) - #define DEFAULT_ZERO_START ((UINTN) ~0) -@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { - 0 - }; - -+// -+// These represent UEFI SPEC defined algorithms that should be supported by -+// the RNG protocol and are generally considered secure. -+// -+// The order of the algorithms in this array is important. This order is the order -+// in which the algorithms will be tried by the RNG protocol. -+// If your platform needs to use a specific algorithm for the random number generator, -+// then you should place that algorithm first in the array. -+// -+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = { -+ &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256 -+ &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256 -+ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256 -+ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register -+ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG) -+}; -+ -+#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) -+ - /** - Locate the handles that support SNP, then open one of them - to send the syslog packets. The caller isn't required to close -@@ -884,34 +905,107 @@ Ip6Swap128 ( - } - - /** -- Initialize a random seed using current time and monotonic count. -+ Generate a Random output data given a length. - -- Get current time and monotonic count first. 
Then initialize a random seed -- based on some basic mathematics operation on the hour, day, minute, second, -- nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random data. -+ @param[in] OutputLength - The length of the output buffer. - -- @return The random seed initialized with current time. -+ @retval EFI_SUCCESS On Success -+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() - -+ @return Status code - **/ --UINT32 -+EFI_STATUS - EFIAPI --NetRandomInitSeed ( -- VOID -+PseudoRandom ( -+ OUT VOID *Output, -+ IN UINTN OutputLength - ) - { -- EFI_TIME Time; -- UINT32 Seed; -- UINT64 MonotonicCount; -+ EFI_RNG_PROTOCOL *RngProtocol; -+ EFI_STATUS Status; -+ UINTN AlgorithmIndex; -+ -+ if ((Output == NULL) || (OutputLength == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) { -+ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) { -+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output); -+ if (!EFI_ERROR (Status)) { -+ // -+ // Secure Algorithm was supported on this platform -+ // -+ return EFI_SUCCESS; -+ } else if (Status == EFI_UNSUPPORTED) { -+ // -+ // Secure Algorithm was not supported on this platform -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ -+ // -+ // Try the next secure algorithm -+ // -+ continue; -+ } else { -+ // -+ // Some other error occurred -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate 
random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ } -+ -+ // -+ // If we get here, we failed to generate random data using any secure algorithm -+ // Platform owner should ensure that at least one secure algorithm is supported -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Lets try using the default algorithm (which may not be secure) -+ // -+ Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } - -- gRT->GetTime (&Time, NULL); -- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second); -- Seed ^= Time.Nanosecond; -- Seed ^= Time.Year << 7; -+ return EFI_SUCCESS; -+} -+ -+/** -+ Generate a 32-bit pseudo-random number. - -- gBS->GetNextMonotonicCount (&MonotonicCount); -- Seed += (UINT32)MonotonicCount; -+ @param[out] Output - The buffer to store the generated random number. - -- return Seed; -+ @retval EFI_SUCCESS On Success -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() -+ -+ @return Status code -+**/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output -+ ) -+{ -+ return PseudoRandom (Output, sizeof (*Output)); - } - - /** -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -index 8145d256ec..a8f534a293 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -@@ -3,6 +3,7 @@ - # - # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
- # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -49,7 +50,11 @@ - gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES -- -+ gEfiRngAlgorithmRaw ## CONSUMES -+ gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES -+ gEfiRngAlgorithmArmRndr ## CONSUMES - - [Protocols] - gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES -@@ -59,3 +64,10 @@ - gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES - gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES - gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES -+ gEfiRngProtocolGuid ## CONSUMES -+ -+[FixedPcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES -+ -+[Depex] -+ gEfiRngProtocolGuid -diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec -index e06f35e774..7c4289b77b 100644 ---- a/NetworkPkg/NetworkPkg.dec -+++ b/NetworkPkg/NetworkPkg.dec -@@ -5,6 +5,7 @@ - # - # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
- # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -130,6 +131,12 @@ - # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. - gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C - -+ ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections. -+ # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. -+ # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider. -+ # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D -+ - [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] - ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). - # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index fa42025e0d..20a4555019 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -122,3 +122,42 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45237: -+ commit_titles: -+ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -+ cve: CVE-2023-45237 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator" -+ note: -+ files_impacted: -+ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+ - NetworkPkg/DnsDxe/DnsDhcp.c -+ - NetworkPkg/DnsDxe/DnsImpl.c -+ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+ - NetworkPkg/IScsiDxe/IScsiCHAP.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.h -+ - 
NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/Ip4Dxe/Ip4Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+ - NetworkPkg/Ip6Dxe/Ip6Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6If.c -+ - NetworkPkg/Ip6Dxe/Ip6Mld.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.h -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+ - NetworkPkg/NetworkPkg.dec -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/Udp4Dxe/Udp4Driver.c -+ - NetworkPkg/Udp6Dxe/Udp6Driver.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 98a90e0210..8fe6badd68 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -2,7 +2,7 @@ - The driver binding and service binding protocol for the TCP driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( - ) - { - EFI_STATUS Status; -- UINT32 Seed; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the TCP Driver Binding Protocol -@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( - // - // Initialize ISS and random port. - // -- Seed = NetRandomInitSeed (); -- mTcpGlobalIss = NET_RANDOM (Seed) % mTcpGlobalIss; -- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN)); -+ mTcpGlobalIss = Random % mTcpGlobalIss; -+ mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - - return EFI_SUCCESS; -diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf -index c0acbdca57..cf5423f4c5 100644 ---- a/NetworkPkg/TcpDxe/TcpDxe.inf -+++ b/NetworkPkg/TcpDxe/TcpDxe.inf -@@ -82,5 +82,8 @@ - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START - -+[Depex] -+ gEfiHash2ServiceBindingProtocolGuid -+ - [UserExtensions.TianoCore."ExtraFiles"] - TcpDxeExtra.uni -diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c -index cb917fcfc9..c7ea16f4cd 100644 ---- a/NetworkPkg/Udp4Dxe/Udp4Driver.c -+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c -@@ -1,6 +1,7 @@ - /** @file - - Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -555,6 +556,13 @@ Udp4DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp4DriverBinding and Udp4ComponentName protocols. -@@ -571,7 +579,7 @@ Udp4DriverEntryPoint ( - // - // Initialize the UDP random port. - // -- mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); -+ mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); - } - - return Status; -diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c -index ae96fb9966..edb758d57c 100644 ---- a/NetworkPkg/Udp6Dxe/Udp6Driver.c -+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c -@@ -2,7 +2,7 @@ - Driver Binding functions and Service Binding functions for the Network driver module. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp6DriverBinding and Udp6ComponentName protocols. -@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( - // Initialize the UDP random port. - // - mUdp6RandomPort = (UINT16)( -- ((UINT16)NetRandomInitSeed ()) % -+ ((UINT16)Random) % - UDP6_PORT_KNOWN + - UDP6_PORT_KNOWN - ); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -index 91146b78cb..452038c219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -@@ -2,7 +2,7 @@ - Functions implementation related with DHCPv4 for UefiPxeBc Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( - UINT8 VendorOptLen; - UINT32 Xid; - -+ Status = PseudoRandomU32 (&Xid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - Mode = Private->PxeBc.Mode; - Dhcp4 = Private->Dhcp4; - Status = EFI_SUCCESS; -@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( - // - // Set fields of the token for the request packet. - // -- Xid = NET_RANDOM (NetRandomInitSeed ()); - Token.Packet->Dhcp4.Header.Xid = HTONL (Xid); - Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0)); - CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS)); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 7fd1281c11..bcabbd2219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( - UINTN ReadSize; - UINT16 OpCode; - UINT16 OpLen; -- UINT32 Xid; -+ UINT32 Random; - EFI_STATUS Status; - UINTN DiscoverLenNeeded; - -@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( - return EFI_DEVICE_ERROR; - } - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); - Discover = AllocateZeroPool (DiscoverLenNeeded); - if (Discover == NULL) { -@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover ( - // - // Build the discover packet by the cached request packet before. 
- // -- Xid = NET_RANDOM (NetRandomInitSeed ()); -- Discover->TransactionId = HTONL (Xid); -+ Discover->TransactionId = HTONL (Random); - Discover->MessageType = Request->Dhcp6.Header.MessageType; - RequestOpt = Request->Dhcp6.Option; - DiscoverOpt = Discover->DhcpOptions; -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -index d84aca7e85..4cd915b411 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -@@ -3,6 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation - - SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -892,6 +893,13 @@ PxeBcCreateIp6Children ( - PXEBC_PRIVATE_PROTOCOL *Id; - EFI_SIMPLE_NETWORK_PROTOCOL *Snp; - UINTN Index; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status)); -+ return Status; -+ } - - if (Private->Ip6Nic != NULL) { - // -@@ -935,9 +943,9 @@ PxeBcCreateIp6Children ( - } - - // -- // Generate a random IAID for the Dhcp6 assigned address. -+ // Set a random IAID for the Dhcp6 assigned address. - // -- Private->IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Private->IaId = Random; - if (Private->Snp != NULL) { - for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) { - Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31)); --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch b/SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch deleted file mode 100644 index 3689e4f..0000000 --- a/SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 5e93f6c09a57dd69f1b05654455452c4a0154a79 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 13 Jun 2024 18:35:46 -0400 -Subject: [PATCH 3/8] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in - iPXE environment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [3/8] 9307e82e90d6f526d303607255a4c469ebe574d4 - -JIRA: https://issues.redhat.com/browse/RHEL-40272 -Upstream: Merged -CVE: CVE-2023-45236 - -commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3 -Author: Sam -Date: Wed May 29 07:46:03 2024 +0800 - - NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE environment - - This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH" - REF: 1904a64 - - Issue Description: - An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was: - - NetworkPkg\TcpDxe\TcpDriver.c - Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle); - - Root Cause Analysis: - The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle. - - Implemented Solution: - To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly: - - NetworkPkg\TcpDxe\TcpDriver.c - Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle); - - This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error. - - Verification: - Testing has been conducted, confirming the efficacy of the fix. 
Additionally, the BIOS can boot into the OS in an iPXE environment. - - Cc: Doug Flick [MSFT] - - Signed-off-by: Sam Tsai [Wiwynn] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/TcpDxe/TcpDriver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 40bba4080c..c6e7c0df54 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -509,7 +509,7 @@ TcpDestroyService ( - // - // Destroy the instance of the hashing protocol for this controller. - // -- Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle); - if (EFI_ERROR (Status)) { - return EFI_UNSUPPORTED; - } --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch b/SOURCES/edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch deleted file mode 100644 index 1624859..0000000 --- a/SOURCES/edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch +++ /dev/null 
@@ -1,841 +0,0 @@ -From 6f0cf9f14b1abefa62416c1611f01d6fb3353c44 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Tue, 11 Jun 2024 15:20:29 -0400 -Subject: [PATCH 2/8] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 - -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [2/8] 18e88b5def6b058ecd4ffa565ef6f3bafe6f03ad - -JIRA: https://issues.redhat.com/browse/RHEL-40272 -Upstream: Merged -CVE: CVE-2023-45236 - -commit 1904a64bcc18199738e5be183d28887ac5d837d7 -Author: Doug Flick -Date: Wed May 8 22:56:29 2024 -0700 - - NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 - REF: https://www.rfc-editor.org/rfc/rfc1948.txt - REF: https://www.rfc-editor.org/rfc/rfc6528.txt - REF: https://www.rfc-editor.org/rfc/rfc9293.txt - - Bug Overview: - PixieFail Bug #8 - CVE-2023-45236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N - CWE-200 Exposure of Sensitive Information to an Unauthorized Actor - - Updates TCP ISN generation to use a cryptographic hash of the - connection's identifying parameters and a secret key. - This prevents an attacker from guessing the ISN used for some other - connection. - - This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. - - RFC: 9293 Section 3.4.1. Initial Sequence Number Selection - - A TCP implementation MUST use the above type of "clock" for clock- - driven selection of initial sequence numbers (MUST-8), and SHOULD - generate its initial sequence numbers with the expression: - - ISN = M + F(localip, localport, remoteip, remoteport, secretkey) - - where M is the 4 microsecond timer, and F() is a pseudorandom - function (PRF) of the connection's identifying parameters ("localip, - localport, remoteip, remoteport") and a secret key ("secretkey") - (SHLD-1). 
F() MUST NOT be computable from the outside (MUST-9), or - an attacker could still guess at sequence numbers from the ISN used - for some other connection. The PRF could be implemented as a - cryptographic hash of the concatenation of the TCP connection - parameters and some secret data. For discussion of the selection of - a specific hash algorithm and management of the secret key data, - please see Section 3 of [42]. - - For each connection there is a send sequence number and a receive - sequence number. The initial send sequence number (ISS) is chosen by - the data sending TCP peer, and the initial receive sequence number - (IRS) is learned during the connection-establishing procedure. - - For a connection to be established or initialized, the two TCP peers - must synchronize on each other's initial sequence numbers. This is - done in an exchange of connection-establishing segments carrying a - control bit called "SYN" (for synchronize) and the initial sequence - numbers. As a shorthand, segments carrying the SYN bit are also - called "SYNs". Hence, the solution requires a suitable mechanism for - picking an initial sequence number and a slightly involved handshake - to exchange the ISNs. - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar ---- - NetworkPkg/SecurityFixes.yaml | 22 +++ - NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++- - NetworkPkg/TcpDxe/TcpDxe.inf | 8 +- - NetworkPkg/TcpDxe/TcpFunc.h | 23 ++-- - NetworkPkg/TcpDxe/TcpInput.c | 13 +- - NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++-- - NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++-- - NetworkPkg/TcpDxe/TcpTimer.c | 3 +- - 8 files changed, 415 insertions(+), 49 deletions(-) - -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 20a4555019..4305328425 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -122,6 +122,28 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45236: -+ commit_titles: -+ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch" -+ cve: CVE-2023-45236 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers" -+ note: -+ files_impacted: -+ - NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/TcpDxe/TcpDxe.inf -+ - NetworkPkg/TcpDxe/TcpFunc.h -+ - NetworkPkg/TcpDxe/TcpInput.c -+ - NetworkPkg/TcpDxe/TcpMain.h -+ - NetworkPkg/TcpDxe/TcpMisc.c -+ - NetworkPkg/TcpDxe/TcpTimer.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html - CVE_2023_45237: - commit_titles: - - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -diff --git 
a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 8fe6badd68..40bba4080c 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = { - TcpServiceBindingDestroyChild - }; - -+// -+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces -+// if the platform does not provide one. -+// -+EFI_HANDLE mHash2ServiceHandle = NULL; -+ - /** - Create and start the heartbeat timer for the TCP driver. - -@@ -165,6 +171,23 @@ TcpDriverEntryPoint ( - EFI_STATUS Status; - UINT32 Random; - -+ // -+ // Initialize the Secret used for hashing TCP sequence numbers -+ // -+ // Normally this should be regenerated periodically, but since -+ // this is only used for UEFI networking and not a general purpose -+ // operating system, it is not necessary to regenerate it. -+ // -+ Status = PseudoRandomU32 (&mTcpGlobalSecret); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ // -+ // Get a random number used to generate a random port number -+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret -+ // - Status = PseudoRandomU32 (&Random); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -@@ -207,9 +230,8 @@ TcpDriverEntryPoint ( - } - - // -- // Initialize ISS and random port. -+ // Initialize the random port. - // -- mTcpGlobalIss = Random % mTcpGlobalIss; - mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - -@@ -224,6 +246,8 @@ TcpDriverEntryPoint ( - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. - - @retval EFI_OUT_OF_RESOURCES Failed to allocate some resources. -+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable. 
-+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller. - @retval EFI_SUCCESS A new IP6 service binding private was created. - - **/ -@@ -234,11 +258,13 @@ TcpCreateService ( - IN UINT8 IpVersion - ) - { -- EFI_STATUS Status; -- EFI_GUID *IpServiceBindingGuid; -- EFI_GUID *TcpServiceBindingGuid; -- TCP_SERVICE_DATA *TcpServiceData; -- IP_IO_OPEN_DATA OpenData; -+ EFI_STATUS Status; -+ EFI_GUID *IpServiceBindingGuid; -+ EFI_GUID *TcpServiceBindingGuid; -+ TCP_SERVICE_DATA *TcpServiceData; -+ IP_IO_OPEN_DATA OpenData; -+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; - - if (IpVersion == IP_VERSION_4) { - IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid; -@@ -272,6 +298,33 @@ TcpCreateService ( - return EFI_UNSUPPORTED; - } - -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ // -+ // If we can't find the Hashing protocol, then we need to create one. -+ // -+ -+ // -+ // Platform is expected to publish the hash service binding protocol to support TCP. -+ // -+ Status = gBS->LocateProtocol ( -+ &gEfiHash2ServiceBindingProtocolGuid, -+ NULL, -+ (VOID **)&Hash2ServiceBinding -+ ); -+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ // -+ // Create an instance of the hash protocol for this controller. -+ // -+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ } -+ - // - // Create the TCP service data. 
- //
-@@ -423,6 +476,7 @@ TcpDestroyService (
- EFI_STATUS Status;
- LIST_ENTRY *List;
- TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context;
-+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;
-
- ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
-
-@@ -439,6 +493,30 @@ TcpDestroyService (
- return EFI_SUCCESS;
- }
-
-+ //
-+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
-+ //
-+ if (mHash2ServiceHandle != NULL) {
-+ Status = gBS->LocateProtocol (
-+ &gEfiHash2ServiceBindingProtocolGuid,
-+ NULL,
-+ (VOID **)&Hash2ServiceBinding
-+ );
-+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+
-+ //
-+ // Destroy the instance of the hashing protocol for this controller.
-+ //
-+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
-+ if (EFI_ERROR (Status)) {
-+ return EFI_UNSUPPORTED;
-+ }
-+
-+ mHash2ServiceHandle = NULL;
-+ }
-+
- Status = gBS->OpenProtocol (
- NicHandle,
- ServiceBindingGuid,
-diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
-index cf5423f4c5..76de4cf9ec 100644
---- a/NetworkPkg/TcpDxe/TcpDxe.inf
-+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
-@@ -6,6 +6,7 @@
- # stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
- #
- # Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -68,7 +69,6 @@ - NetLib - IpIoLib - -- - [Protocols] - ## SOMETIMES_CONSUMES - ## SOMETIMES_PRODUCES -@@ -81,6 +81,12 @@ - gEfiIp6ServiceBindingProtocolGuid ## TO_START - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START -+ gEfiHash2ProtocolGuid ## BY_START -+ gEfiHash2ServiceBindingProtocolGuid ## BY_START -+ -+[Guids] -+ gEfiHashAlgorithmMD5Guid ## CONSUMES -+ gEfiHashAlgorithmSha256Guid ## CONSUMES - - [Depex] - gEfiHash2ServiceBindingProtocolGuid -diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h -index a7af01fff2..c707bee3e5 100644 ---- a/NetworkPkg/TcpDxe/TcpFunc.h -+++ b/NetworkPkg/TcpDxe/TcpFunc.h -@@ -2,7 +2,7 @@ - Declaration of external functions shared in TCP driver. - - Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -36,8 +36,11 @@ VOID - - @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpInitTcbLocal ( - IN OUT TCP_CB *Tcb - ); -@@ -128,17 +131,6 @@ TcpCloneTcb ( - IN TCP_CB *Tcb - ); - --/** -- Compute an ISS to be used by a new connection. -- -- @return The result ISS. -- --**/ --TCP_SEQNO --TcpGetIss ( -- VOID -- ); -- - /** - Get the local mss. - -@@ -202,8 +194,11 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ); -diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c -index 7b329be64d..86dd7c4907 100644 ---- a/NetworkPkg/TcpDxe/TcpInput.c -+++ b/NetworkPkg/TcpDxe/TcpInput.c -@@ -724,6 +724,7 @@ TcpInput ( - TCP_SEQNO Urg; - UINT16 Checksum; - INT32 Usable; -+ EFI_STATUS Status; - - ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6)); - -@@ -872,7 +873,17 @@ TcpInput ( - Tcb->LocalEnd.Port = Head->DstPort; - Tcb->RemoteEnd.Port = Head->SrcPort; - -- TcpInitTcbLocal (Tcb); -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ DEBUG ( -+ (DEBUG_ERROR, -+ "TcpInput: discard a segment because failed to init local end for TCB %p\n", -+ Tcb) -+ ); -+ -+ goto DISCARD; -+ } -+ - TcpInitTcbPeer (Tcb, Seg, &Option); - - TcpSetState (Tcb, TCP_SYN_RCVD); -diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h -index c0c9b7f46e..4d5566ab93 100644 ---- a/NetworkPkg/TcpDxe/TcpMain.h -+++ b/NetworkPkg/TcpDxe/TcpMain.h -@@ -3,7 +3,7 @@ - It is the common head file 
for all Tcp*.c in TCP driver. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -13,6 +13,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable; - - extern LIST_ENTRY mTcpRunQue; - extern LIST_ENTRY mTcpListenQue; --extern TCP_SEQNO mTcpGlobalIss; -+extern TCP_SEQNO mTcpGlobalSecret; - extern UINT32 mTcpTick; - - /// -@@ -45,14 +46,6 @@ extern UINT32 mTcpTick; - - #define TCP_EXPIRE_TIME 65535 - --/// --/// The implementation selects the initial send sequence number and the unit to --/// be added when it is increased. --/// --#define TCP_BASE_ISS 0x4d7e980b --#define TCP_ISS_INCREMENT_1 2048 --#define TCP_ISS_INCREMENT_2 100 -- - typedef union { - EFI_TCP4_CONFIG_DATA Tcp4CfgData; - EFI_TCP6_CONFIG_DATA Tcp6CfgData; -@@ -774,4 +767,50 @@ Tcp6Poll ( - IN EFI_TCP6_PROTOCOL *This - ); - -+/** -+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local -+ and remote IP addresses and ports. -+ -+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 -+ Where the ISN is computed as follows: -+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) -+ -+ Otherwise: -+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) -+ -+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the -+ connection's identifying parameters ("localip, localport, remoteip, remoteport") -+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the -+ outside (MUST-9), or an attacker could still guess at sequence numbers from the -+ ISN used for some other connection. The PRF could be implemented as a -+ cryptographic hash of the concatenation of the TCP connection parameters and some -+ secret data. For discussion of the selection of a specific hash algorithm and -+ management of the secret key data." 
-+ -+ @param[in] LocalIp A pointer to the local IP address of the TCP connection. -+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. -+ @param[in] LocalPort The local port number of the TCP connection. -+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. -+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. -+ @param[in] RemotePort The remote port number of the TCP connection. -+ @param[out] Isn A pointer to the variable that will receive the Initial -+ Sequence Number (ISN). -+ -+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was -+ retrieved. -+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. -+ @retval EFI_UNSUPPORTED The operation is not supported. -+ -+**/ -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn -+ ); -+ - #endif -diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c -index c93212d47d..3310306f63 100644 ---- a/NetworkPkg/TcpDxe/TcpMisc.c -+++ b/NetworkPkg/TcpDxe/TcpMisc.c -@@ -3,7 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
--
-+ Copyright (c) Microsoft Corporation
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- **/
-@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = {
- &mTcpListenQue
- };
-
--TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS;
-+//
-+// The Session secret
-+// This must be initialized to a random value at boot time
-+//
-+TCP_SEQNO mTcpGlobalSecret;
-+
-+//
-+// Union to hold either an IPv4 or IPv6 address
-+// This is used to simplify the ISN hash computation
-+//
-+typedef union {
-+ UINT8 IPv4[4];
-+ UINT8 IPv6[16];
-+} NETWORK_ADDRESS;
-+
-+//
-+// The ISN is computed by hashing this structure
-+// It is initialized with the local and remote IP addresses and ports
-+// and the secret
-+//
-+//
-+typedef struct {
-+ UINT16 LocalPort;
-+ UINT16 RemotePort;
-+ NETWORK_ADDRESS LocalAddress;
-+ NETWORK_ADDRESS RemoteAddress;
-+ TCP_SEQNO Secret;
-+} ISN_HASH_CTX;
-
- CHAR16 *mTcpStateName[] = {
- L"TCP_CLOSED",
-@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = {
-
- @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance.
-
-+ @retval EFI_SUCCESS The operation completed successfully
-+ @retval others The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpInitTcbLocal (
- IN OUT TCP_CB *Tcb
- )
- {
-+ TCP_SEQNO Isn;
-+ EFI_STATUS Status;
-+
- //
- // Compute the checksum of the fixed parts of pseudo header
- //
-@@ -57,6 +90,16 @@ TcpInitTcbLocal (
- 0x06,
- 0
- );
-+
-+ Status = TcpGetIsn (
-+ Tcb->LocalEnd.Ip.v4.Addr,
-+ sizeof (IPv4_ADDRESS),
-+ Tcb->LocalEnd.Port,
-+ Tcb->RemoteEnd.Ip.v4.Addr,
-+ sizeof (IPv4_ADDRESS),
-+ Tcb->RemoteEnd.Port,
-+ &Isn
-+ );
- } else {
- Tcb->HeadSum = NetIp6PseudoHeadChecksum (
- &Tcb->LocalEnd.Ip.v6,
-@@ -64,9 +107,25 @@ TcpInitTcbLocal (
- 0x06,
- 0
- );
-+
-+ Status = TcpGetIsn (
-+ Tcb->LocalEnd.Ip.v6.Addr,
-+ sizeof (IPv6_ADDRESS),
-+ Tcb->LocalEnd.Port,
-+ Tcb->RemoteEnd.Ip.v6.Addr,
-+ sizeof (IPv6_ADDRESS),
-+ Tcb->RemoteEnd.Port,
-+ &Isn
-+ );
-+ }
-+
-+ if (EFI_ERROR (Status)) {
-+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
-+ ASSERT (FALSE);
-+ return Status;
- }
-
-- Tcb->Iss = TcpGetIss ();
-+ Tcb->Iss = Isn;
- Tcb->SndUna = Tcb->Iss;
- Tcb->SndNxt = Tcb->Iss;
-
-@@ -82,6 +141,8 @@ TcpInitTcbLocal (
- Tcb->RetxmitSeqMax = 0;
-
- Tcb->ProbeTimerOn = FALSE;
-+
-+ return EFI_SUCCESS;
- }
-
- /**
-@@ -506,18 +567,162 @@ TcpCloneTcb (
- }
-
- /**
-- Compute an ISS to be used by a new connection.
--
-- @return The resulting ISS.
-+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
-+ and remote IP addresses and ports.
-+
-+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
-+ Where the ISN is computed as follows:
-+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
-+
-+ Otherwise:
-+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-+
-+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
-+ connection's identifying parameters ("localip, localport, remoteip, remoteport")
-+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
-+ outside (MUST-9), or an attacker could still guess at sequence numbers from the
-+ ISN used for some other connection. The PRF could be implemented as a
-+ cryptographic hash of the concatenation of the TCP connection parameters and some
-+ secret data. For discussion of the selection of a specific hash algorithm and
-+ management of the secret key data."
-+
-+ @param[in] LocalIp A pointer to the local IP address of the TCP connection.
-+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer.
-+ @param[in] LocalPort The local port number of the TCP connection.
-+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection.
-+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.
-+ @param[in] RemotePort The remote port number of the TCP connection.
-+ @param[out] Isn A pointer to the variable that will receive the Initial
-+ Sequence Number (ISN).
-+
-+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was
-+ retrieved.
-+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid.
-+ @retval EFI_UNSUPPORTED The operation is not supported.
- - **/ --TCP_SEQNO --TcpGetIss ( -- VOID -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn - ) - { -- mTcpGlobalIss += TCP_ISS_INCREMENT_1; -- return mTcpGlobalIss; -+ EFI_STATUS Status; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; -+ EFI_HASH2_OUTPUT HashResult; -+ ISN_HASH_CTX IsnHashCtx; -+ EFI_TIME TimeStamp; -+ -+ // -+ // Check that the ISN pointer is valid -+ // -+ if (Isn == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // The local ip may be a v4 or v6 address and may not be NULL -+ // -+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // the local ip may be a v4 or v6 address -+ // -+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Locate the Hash Protocol -+ // -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status)); -+ -+ // -+ // TcpCreateService(..) 
is expected to be called prior to this function -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Initialize the hash algorithm -+ // -+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status)); -+ return Status; -+ } -+ -+ IsnHashCtx.LocalPort = LocalPort; -+ IsnHashCtx.RemotePort = RemotePort; -+ IsnHashCtx.Secret = mTcpGlobalSecret; -+ -+ // -+ // Check the IP address family and copy accordingly -+ // -+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize); -+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Repeat the process for the remote IP address -+ // -+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize); -+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Compute the hash -+ // Update the hash with the data -+ // -+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx)); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status)); -+ return Status; -+ } -+ -+ // -+ // Finalize the hash and retrieve the result -+ // -+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status)); -+ return Status; -+ } -+ -+ Status = gRT->GetTime (&TimeStamp, NULL); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ -+ // -+ // copy the first 4 bytes of the hash result into the ISN -+ // -+ CopyMem 
(Isn, HashResult.Md5Hash, sizeof (*Isn)); -+ -+ // -+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250) -+ // -+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250; -+ -+ return Status; - } - - /** -@@ -721,17 +926,28 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ) - { -- TcpInitTcbLocal (Tcb); -+ EFI_STATUS Status; -+ -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ - TcpSetState (Tcb, TCP_SYN_SENT); - - TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout); - TcpToSendData (Tcb, 1); -+ -+ return EFI_SUCCESS; - } - - /** -diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c -index 5d2e124977..065b1bdf5f 100644 ---- a/NetworkPkg/TcpDxe/TcpTimer.c -+++ b/NetworkPkg/TcpDxe/TcpTimer.c -@@ -2,7 +2,7 @@ - TCP timer related functions. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -483,7 +483,6 @@ TcpTickingDpc ( - INT16 Index; - - mTcpTick++; -- mTcpGlobalIss += TCP_ISS_INCREMENT_2; - - // - // Don't use LIST_FOR_EACH, which isn't delete safe. --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch deleted file mode 100644 index b62e054..0000000 --- a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From 1afdf854f67fbaeea47f15efa0c34c0f1fe6a504 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 10/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 - Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [10/18] c7527c63ebe3afb55a2ef78103c1a57de26c36b7 - -JIRA: https://issues.redhat.com/browse/RHEL-21851 -CVE: CVE-2022-45234 -Upstream: Merged - -commit 1b53515d53d303166b2bbd31e2cc7f16fd0aecd7 -Author: Doug Flick -Date: Fri Jan 26 05:54:52 2024 +0800 - - NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 - - Bug Details: - PixieFail Bug #6 - CVE-2023-45234 - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H - CWE-119 Improper Restriction of Operations within the Bounds of - a Memory Buffer - - Buffer overflow when processing DNS Servers option in a DHCPv6 - Advertise message - - Change Overview: - - Introduces a function to cache the Dns Server and perform sanitizing - on the incoming DnsServerLen to ensure that the length is valid - - > + EFI_STATUS - > + PxeBcCacheDnsServerAddresses ( - > + IN PXEBC_PRIVATE_DATA *Private, - > + IN PXEBC_DHCP6_PACKET_CACHE *Cache6 - > + ) - - Additional code cleanup - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++--- - 1 file changed, 65 insertions(+), 6 deletions(-) - -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 425e0cf806..2b2d372889 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -3,6 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer (
- }
- }
-
-+/**
-+ Cache the DHCPv6 DNS Server addresses
-+
-+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
-+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE.
-+
-+ @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address successfully.
-+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
-+ @retval EFI_DEVICE_ERROR The DNS Server Address Length provided by a untrusted
-+ option is not a multiple of 16 bytes (sizeof (EFI_IPv6_ADDRESS)).
-+**/
-+EFI_STATUS
-+PxeBcCacheDnsServerAddresses (
-+ IN PXEBC_PRIVATE_DATA *Private,
-+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6
-+ )
-+{
-+ UINT16 DnsServerLen;
-+
-+ DnsServerLen = NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen);
-+ //
-+ // Make sure that the number is nonzero
-+ //
-+ if (DnsServerLen == 0) {
-+ return EFI_DEVICE_ERROR;
-+ }
-+
-+ //
-+ // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)
-+ //
-+ if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) != 0) {
-+ return EFI_DEVICE_ERROR;
-+ }
-+
-+ //
-+ // This code is currently written to only support a single DNS Server instead
-+ // of multiple such as is spec defined (RFC3646, Section 3). The proper behavior
-+ // would be to allocate the full space requested, CopyMem all of the data,
-+ // and then add a DnsServerCount field to Private and update additional code
-+ // that depends on this.
-+ //
-+ // To support multiple DNS servers the `AllocationSize` would need to be changed to DnsServerLen
-+ //
-+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
-+ //
-+ Private->DnsServer = AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));
-+ if (Private->DnsServer == NULL) {
-+ return EFI_OUT_OF_RESOURCES;
-+ }
-+
-+ //
-+ // Intentionally only copy over the first server address.
-+ // To support multiple DNS servers, the `Length` would need to be changed to DnsServerLen
-+ //
-+ CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
-+
-+ return EFI_SUCCESS;
-+}
-+
- /**
- Handle the DHCPv6 offer packet.
-
-@@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer (
- UINT32 SelectIndex;
- UINT32 Index;
-
-+ ASSERT (Private != NULL);
- ASSERT (Private->SelectIndex > 0);
- SelectIndex = (UINT32)(Private->SelectIndex - 1);
- ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
-@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer (
- Status = EFI_SUCCESS;
-
- //
-- // First try to cache DNS server address if DHCP6 offer provides.
-+ // First try to cache DNS server addresses if DHCP6 offer provides.
- //
- if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] != NULL) {
-- Private->DnsServer = AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen));
-- if (Private->DnsServer == NULL) {
-- return EFI_OUT_OF_RESOURCES;
-+ Status = PxeBcCacheDnsServerAddresses (Private, Cache6);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
- }
--
-- CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
- }
-
- if (Cache6->OfferType == PxeOfferTypeDhcpBinl) {
---
-2.39.3
-
diff --git a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch
deleted file mode 100644
index bd66c13..0000000
--- a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch
+++ /dev/null
@@ -1,511 +0,0 @@ -From d60257df151a6c58aefe74c2d2baee59344318d2 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 11/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 - Unit Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [11/18] b917383d597172d4bf75548d9b281d08bf34e299 - -JIRA: https://issues.redhat.com/browse/RHEL-21851 -CVE: CVE-2022-45234 -Upstream: Merged - -commit 458c582685fc0e8057d2511c5a0394078d988c17 -Author: Doug Flick -Date: Fri Jan 26 05:54:53 2024 +0800 - - NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 - - Unit tests to that the bug.. - - Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise - message - - ..has been patched - - This contains tests for the following functions: - PxeBcHandleDhcp6Offer - PxeBcCacheDnsServerAddresses - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 + - .../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 300 ++++++++++++++++++ - .../GoogleTest/PxeBcDhcp6GoogleTest.h | 50 +++ - .../GoogleTest/UefiPxeBcDxeGoogleTest.cpp | 19 ++ - .../GoogleTest/UefiPxeBcDxeGoogleTest.inf | 48 +++ - 5 files changed, 418 insertions(+) - create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp - create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h - create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp - create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf - -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -index 7fa7b0f9d5..a0273c4310 100644 ---- a/NetworkPkg/Test/NetworkPkgHostTest.dsc -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -27,6 +27,7 @@ - # - NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf - NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf - - # Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests. - [LibraryClasses] -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp -new file mode 100644 -index 0000000000..8260eeee50 ---- /dev/null -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp -@@ -0,0 +1,300 @@ -+/** @file -+ Host based unit test for PxeBcDhcp6.c. 
-+ -+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+extern "C" { -+ #include -+ #include -+ #include -+ #include "../PxeBcImpl.h" -+ #include "../PxeBcDhcp6.h" -+ #include "PxeBcDhcp6GoogleTest.h" -+} -+ -+/////////////////////////////////////////////////////////////////////////////// -+// Definitions -+/////////////////////////////////////////////////////////////////////////////// -+ -+#define PACKET_SIZE (1500) -+ -+typedef struct { -+ UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03) -+ UINT16 OptionLen; // The length of the option (e.g., 16 bytes) -+ UINT8 ServerId[16]; // The 16-byte DHCPv6 Server Identifier -+} DHCP6_OPTION_SERVER_ID; -+ -+/////////////////////////////////////////////////////////////////////////////// -+/// Symbol Definitions -+/////////////////////////////////////////////////////////////////////////////// -+ -+EFI_STATUS -+MockUdpWrite ( -+ IN EFI_PXE_BASE_CODE_PROTOCOL *This, -+ IN UINT16 OpFlags, -+ IN EFI_IP_ADDRESS *DestIp, -+ IN EFI_PXE_BASE_CODE_UDP_PORT *DestPort, -+ IN EFI_IP_ADDRESS *GatewayIp OPTIONAL, -+ IN EFI_IP_ADDRESS *SrcIp OPTIONAL, -+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL, -+ IN UINTN *HeaderSize OPTIONAL, -+ IN VOID *HeaderPtr OPTIONAL, -+ IN UINTN *BufferSize, -+ IN VOID *BufferPtr -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+EFI_STATUS -+MockUdpRead ( -+ IN EFI_PXE_BASE_CODE_PROTOCOL *This, -+ IN UINT16 OpFlags, -+ IN OUT EFI_IP_ADDRESS *DestIp OPTIONAL, -+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *DestPort OPTIONAL, -+ IN OUT EFI_IP_ADDRESS *SrcIp OPTIONAL, -+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL, -+ IN UINTN *HeaderSize OPTIONAL, -+ IN VOID *HeaderPtr OPTIONAL, -+ IN OUT UINTN *BufferSize, -+ IN VOID *BufferPtr -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+EFI_STATUS -+MockConfigure ( -+ IN EFI_UDP6_PROTOCOL *This, -+ IN EFI_UDP6_CONFIG_DATA *UdpConfigData OPTIONAL -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+// Needed by 
PxeBcSupport -+EFI_STATUS -+EFIAPI -+QueueDpc ( -+ IN EFI_TPL DpcTpl, -+ IN EFI_DPC_PROCEDURE DpcProcedure, -+ IN VOID *DpcContext OPTIONAL -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+/////////////////////////////////////////////////////////////////////////////// -+// PxeBcHandleDhcp6OfferTest Tests -+/////////////////////////////////////////////////////////////////////////////// -+ -+class PxeBcHandleDhcp6OfferTest : public ::testing::Test { -+public: -+ PXEBC_PRIVATE_DATA Private = { 0 }; -+ EFI_UDP6_PROTOCOL Udp6Read; -+ EFI_PXE_BASE_CODE_MODE Mode = { 0 }; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); -+ -+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL -+ // The function under test really only needs the following: -+ // UdpWrite -+ // UdpRead -+ -+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; -+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; -+ -+ // Need to setup EFI_UDP6_PROTOCOL -+ // The function under test really only needs the following: -+ // Configure -+ -+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure; -+ Private.Udp6Read = &Udp6Read; -+ -+ // Need to setup the EFI_PXE_BASE_CODE_MODE -+ Private.PxeBc.Mode = &Mode; -+ -+ // for this test it doesn't really matter what the Dhcpv6 ack is set to -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ if (Private.Dhcp6Request != NULL) { -+ FreePool (Private.Dhcp6Request); -+ } -+ -+ // Clean up any resources or variables -+ } -+}; -+ -+// Note: -+// Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a -+// properly setup Private structure. Attempting to properly test this function -+// without a signficant refactor is a fools errand. Instead, we will test -+// that we can prevent an overflow in the function. 
-+TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) { -+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL; -+ EFI_DHCP6_PACKET_OPTION Option = { 0 }; -+ -+ Private.SelectIndex = 1; // SelectIndex is 1-based -+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6; -+ -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option; -+ // Setup the DHCPv6 offer packet -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337); -+ -+ ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR); -+} -+ -+class PxeBcCacheDnsServerAddressesTest : public ::testing::Test { -+public: -+ PXEBC_PRIVATE_DATA Private = { 0 }; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ } -+}; -+ -+// Test Description -+// Test that we cache the DNS server address from the DHCPv6 offer packet -+TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) { -+ UINT8 SearchPattern[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF }; -+ EFI_DHCP6_PACKET_OPTION *Option; -+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL; -+ -+ Option = (EFI_DHCP6_PACKET_OPTION *)AllocateZeroPool (sizeof (EFI_DHCP6_PACKET_OPTION) + sizeof (SearchPattern)); -+ ASSERT_NE (Option, nullptr); -+ -+ Option->OpCode = DHCP6_OPT_SERVER_ID; -+ Option->OpLen = NTOHS (sizeof (SearchPattern)); -+ CopyMem (Option->Data, SearchPattern, sizeof (SearchPattern)); -+ -+ Private.SelectIndex = 1; // SelectIndex is 1-based -+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = Option; -+ -+ Private.DnsServer = nullptr; -+ -+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS); -+ ASSERT_NE (Private.DnsServer, nullptr); -+ ASSERT_EQ (CompareMem 
(Private.DnsServer, SearchPattern, sizeof (SearchPattern)), 0); -+ -+ if (Private.DnsServer) { -+ FreePool (Private.DnsServer); -+ } -+ -+ if (Option) { -+ FreePool (Option); -+ } -+} -+// Test Description -+// Test that we can prevent an overflow in the function -+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) { -+ EFI_DHCP6_PACKET_OPTION Option = { 0 }; -+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL; -+ -+ Private.SelectIndex = 1; // SelectIndex is 1-based -+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option; -+ // Setup the DHCPv6 offer packet -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337); -+ -+ Private.DnsServer = NULL; -+ -+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR); -+ ASSERT_EQ (Private.DnsServer, nullptr); -+ -+ if (Private.DnsServer) { -+ FreePool (Private.DnsServer); -+ } -+} -+ -+// Test Description -+// Test that we can prevent an underflow in the function -+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptUnderflowTest) { -+ EFI_DHCP6_PACKET_OPTION Option = { 0 }; -+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL; -+ -+ Private.SelectIndex = 1; // SelectIndex is 1-based -+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option; -+ // Setup the DHCPv6 offer packet -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (2); -+ -+ Private.DnsServer = NULL; -+ -+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR); -+ ASSERT_EQ (Private.DnsServer, nullptr); -+ -+ if (Private.DnsServer) { -+ FreePool (Private.DnsServer); -+ } -+} -+ -+// Test Description -+// Test that we can handle recursive dns (multiple 
dns entries) -+TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) { -+ EFI_DHCP6_PACKET_OPTION Option = { 0 }; -+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL; -+ -+ Private.SelectIndex = 1; // SelectIndex is 1-based -+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6; -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option; -+ // Setup the DHCPv6 offer packet -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID; -+ -+ EFI_IPv6_ADDRESS addresses[2] = { -+ // 2001:db8:85a3::8a2e:370:7334 -+ { 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x34 }, -+ // fe80::d478:91c3:ecd7:4ff9 -+ { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x78, 0x91, 0xc3, 0xec, 0xd7, 0x4f, 0xf9 } -+ }; -+ -+ CopyMem (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, &addresses, sizeof (addresses)); -+ -+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (sizeof (addresses)); -+ -+ Private.DnsServer = NULL; -+ -+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS); -+ -+ ASSERT_NE (Private.DnsServer, nullptr); -+ -+ // -+ // This is expected to fail until DnsServer supports multiple DNS servers -+ // -+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886 -+ // -+ // Disabling: -+ // ASSERT_EQ (CompareMem(Private.DnsServer, &addresses, sizeof(addresses)), 0); -+ -+ if (Private.DnsServer) { -+ FreePool (Private.DnsServer); -+ } -+} -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h -new file mode 100644 -index 0000000000..b17c314791 ---- /dev/null -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h -@@ -0,0 +1,50 @@ -+/** @file -+ This file exposes the internal interfaces which may be unit tested -+ for the PxeBcDhcp6Dxe driver. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+ -+#ifndef PXE_BC_DHCP6_GOOGLE_TEST_H_ -+#define PXE_BC_DHCP6_GOOGLE_TEST_H_ -+ -+// -+// Minimal includes needed to compile -+// -+#include -+#include "../PxeBcImpl.h" -+ -+/** -+ Handle the DHCPv6 offer packet. -+ -+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA. -+ -+ @retval EFI_SUCCESS Handled the DHCPv6 offer packet successfully. -+ @retval EFI_NO_RESPONSE No response to the following request packet. -+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. -+ @retval EFI_BUFFER_TOO_SMALL Can't cache the offer pacet. -+ -+**/ -+EFI_STATUS -+PxeBcHandleDhcp6Offer ( -+ IN PXEBC_PRIVATE_DATA *Private -+ ); -+ -+/** -+ Cache the DHCPv6 Server address -+ -+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA. -+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE. -+ -+ @retval EFI_SUCCESS Cache the DHCPv6 Server address successfully. -+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. -+ @retval EFI_DEVICE_ERROR Failed to cache the DHCPv6 Server address. -+**/ -+EFI_STATUS -+PxeBcCacheDnsServerAddresses ( -+ IN PXEBC_PRIVATE_DATA *Private, -+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6 -+ ); -+ -+#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_ -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp -new file mode 100644 -index 0000000000..cc4fdf525b ---- /dev/null -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp -@@ -0,0 +1,19 @@ -+/** @file -+ Acts as the main entry point for the tests for the UefiPxeBcDxe module. 
-+ Copyright (c) Microsoft Corporation -+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+ -+//////////////////////////////////////////////////////////////////////////////// -+// Run the tests -+//////////////////////////////////////////////////////////////////////////////// -+int -+main ( -+ int argc, -+ char *argv[] -+ ) -+{ -+ testing::InitGoogleTest (&argc, argv); -+ return RUN_ALL_TESTS (); -+} -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf -new file mode 100644 -index 0000000000..301dcdf611 ---- /dev/null -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf -@@ -0,0 +1,48 @@ -+## @file -+# Unit test suite for the UefiPxeBcDxe using Google Test -+# -+# Copyright (c) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+[Defines] -+INF_VERSION = 0x00010005 -+BASE_NAME = UefiPxeBcDxeGoogleTest -+FILE_GUID = 77D45C64-EC1E-4174-887B-886E89FD1EDF -+MODULE_TYPE = HOST_APPLICATION -+VERSION_STRING = 1.0 -+ -+# -+# The following information is for reference only and not required by the build tools. -+# -+# VALID_ARCHITECTURES = IA32 X64 -+# -+ -+[Sources] -+ UefiPxeBcDxeGoogleTest.cpp -+ PxeBcDhcp6GoogleTest.cpp -+ PxeBcDhcp6GoogleTest.h -+ ../PxeBcDhcp6.c -+ ../PxeBcSupport.c -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ MdeModulePkg/MdeModulePkg.dec -+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec -+ NetworkPkg/NetworkPkg.dec -+ -+[LibraryClasses] -+ GoogleTestLib -+ DebugLib -+ NetLib -+ PcdLib -+ -+[Protocols] -+ gEfiDhcp6ServiceBindingProtocolGuid -+ gEfiDns6ServiceBindingProtocolGuid -+ gEfiDns6ProtocolGuid -+ -+[Pcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType -+ -+[Guids] -+ gZeroGuid --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch deleted file mode 100644 index 43c0be5..0000000 --- a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch +++ /dev/null 
@@ -1,257 +0,0 @@ -From b57bd437db8cff7b7a206e3cd694b7821014ba53 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 12/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 - Patch - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [12/18] 310a770792d1a81dbf54ee372f926541309492e8 - -JIRA: https://issues.redhat.com/browse/RHEL-21853 -CVE: CVE-2022-45235 -Upstream: Merged - -commit fac297724e6cc343430cd0104e55cd7a96d1151e -Author: Doug Flick -Date: Fri Jan 26 05:54:55 2024 +0800 - - NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 - - Bug Details: - PixieFail Bug #7 - CVE-2023-45235 - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H - CWE-119 Improper Restriction of Operations within the Bounds of - a Memory Buffer - - Buffer overflow when handling Server ID option from a DHCPv6 proxy - Advertise message - - Change Overview: - - Performs two checks - - 1. Checks that the length of the duid is accurate - > + // - > + // Check that the minimum and maximum requirements are met - > + // - > + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || - (OpLen > PXEBC_MAX_SIZE_OF_DUID)) { - > + Status = EFI_INVALID_PARAMETER; - > + goto ON_ERROR; - > + } - - 2. Ensures that the amount of data written to the buffer is tracked and - never exceeds that - > + // - > + // Check that the option length is valid. - > + // - > + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) - > DiscoverLenNeeded) { - > + Status = EFI_OUT_OF_RESOURCES; - > + goto ON_ERROR; - > + } - - Additional code clean up and fix for memory leak in case Option was NULL - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++ - 2 files changed, 78 insertions(+), 16 deletions(-) - -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 2b2d372889..7fd1281c11 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -887,6 +887,7 @@ PxeBcRequestBootService ( - EFI_STATUS Status; - EFI_DHCP6_PACKET *IndexOffer; - UINT8 *Option; -+ UINTN DiscoverLenNeeded; - - PxeBc = &Private->PxeBc; - Request = Private->Dhcp6Request; -@@ -899,7 +900,8 @@ PxeBcRequestBootService ( - return EFI_DEVICE_ERROR; - } - -- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); -+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); -+ Discover = AllocateZeroPool (DiscoverLenNeeded); - if (Discover == NULL) { - return EFI_OUT_OF_RESOURCES; - } -@@ -924,16 +926,34 @@ PxeBcRequestBootService ( - DHCP6_OPT_SERVER_ID - ); - if (Option == NULL) { -- return EFI_NOT_FOUND; -+ Status = EFI_NOT_FOUND; -+ goto ON_ERROR; - } - - // - // Add Server ID Option. - // - OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen); -- CopyMem (DiscoverOpt, Option, OpLen + 4); -- DiscoverOpt += (OpLen + 4); -- DiscoverLen += (OpLen + 4); -+ -+ // -+ // Check that the minimum and maximum requirements are met -+ // -+ if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) { -+ Status = EFI_INVALID_PARAMETER; -+ goto ON_ERROR; -+ } -+ -+ // -+ // Check that the option length is valid. 
-+ // -+ if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) { -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; -+ } -+ -+ CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); - } - - while (RequestLen < Request->Length) { -@@ -944,16 +964,24 @@ PxeBcRequestBootService ( - (OpCode != DHCP6_OPT_SERVER_ID) - ) - { -+ // -+ // Check that the option length is valid. -+ // -+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) { -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; -+ } -+ - // - // Copy all the options except IA option and Server ID - // -- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); -- DiscoverOpt += (OpLen + 4); -- DiscoverLen += (OpLen + 4); -+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); - } - -- RequestOpt += (OpLen + 4); -- RequestLen += (OpLen + 4); -+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); - } - - // -@@ -2154,6 +2182,7 @@ PxeBcDhcp6Discover ( - UINT16 OpLen; - UINT32 Xid; - EFI_STATUS Status; -+ UINTN DiscoverLenNeeded; - - PxeBc = &Private->PxeBc; - Mode = PxeBc->Mode; -@@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover ( - return EFI_DEVICE_ERROR; - } - -- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)); -+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); -+ Discover = AllocateZeroPool (DiscoverLenNeeded); - if (Discover == NULL) { - return EFI_OUT_OF_RESOURCES; - } -@@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover ( - DiscoverLen = sizeof (EFI_DHCP6_HEADER); - RequestLen = DiscoverLen; - -+ // -+ // The request packet 
is generated by the UEFI network stack. In the DHCP4 DORA and DHCP6 SARR sequence, -+ // the first (discover in DHCP4 and solicit in DHCP6) and third (request in both DHCP4 and DHCP6) are -+ // generated by the DHCP client (the UEFI network stack in this case). By the time this function executes, -+ // the DHCP sequence already has been executed once (see UEFI Specification Figures 24.2 and 24.3), with -+ // Private->Dhcp6Request being a cached copy of the DHCP6 request packet that UEFI network stack previously -+ // generated and sent. -+ // -+ // Therefore while this code looks like it could overflow, in practice it's not possible. -+ // - while (RequestLen < Request->Length) { - OpCode = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode); - OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen); - if ((OpCode != EFI_DHCP6_IA_TYPE_NA) && - (OpCode != EFI_DHCP6_IA_TYPE_TA)) - { -+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) { -+ Status = EFI_OUT_OF_RESOURCES; -+ goto ON_ERROR; -+ } -+ - // - // Copy all the options except IA option. 
- // -- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4); -- DiscoverOpt += (OpLen + 4); -- DiscoverLen += (OpLen + 4); -+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); - } - -- RequestOpt += (OpLen + 4); -- RequestLen += (OpLen + 4); -+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); -+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); - } - - Status = PxeBc->UdpWrite ( -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h -index c86f6d391b..6357d27fae 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h -@@ -34,6 +34,23 @@ - #define PXEBC_ADDR_START_DELIMITER '[' - #define PXEBC_ADDR_END_DELIMITER ']' - -+// -+// A DUID consists of a 2-octet type code represented in network byte -+// order, followed by a variable number of octets that make up the -+// actual identifier. The length of the DUID (not including the type -+// code) is at least 1 octet and at most 128 octets. -+// -+#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1) -+#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128) -+ -+// -+// This define represents the combineds code and length field from -+// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1 -+// -+#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \ -+ (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \ -+ sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen)) -+ - #define GET_NEXT_DHCP6_OPTION(Opt) \ - (EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \ - sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1) --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch deleted file mode 100644 index 3297cc0..0000000 
--- a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch +++ /dev/null @@ -1,409 +0,0 @@ -From 59b9d468ebf6be2a5c53d7979c12040f9b41c2c2 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 13/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 - Unit Tests - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [13/18] 074410155526b2ee2a74cf161ea46385932da059 - -JIRA: https://issues.redhat.com/browse/RHEL-21853 -CVE: CVE-2022-45235 -Upstream: Merged - -commit ff2986358f75d8f58ef08a66fe673539c9c48f41 -Author: Doug Flick -Date: Fri Jan 26 05:54:56 2024 +0800 - - NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests - - REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 - - Unit tests to confirm that the bug.. - - Buffer overflow when handling Server ID option from a DHCPv6 proxy - Advertise message - - ..has been patched. - - This patch contains unit tests for the following functions: - PxeBcRequestBootService - PxeBcDhcp6Discover - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - -Signed-off-by: Jon Maloy ---- - NetworkPkg/Test/NetworkPkgHostTest.dsc | 5 +- - .../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 278 +++++++++++++++++- - .../GoogleTest/PxeBcDhcp6GoogleTest.h | 18 ++ - 3 files changed, 298 insertions(+), 3 deletions(-) - -diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc -index a0273c4310..fa301a7a52 100644 ---- a/NetworkPkg/Test/NetworkPkgHostTest.dsc -+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc -@@ -27,7 +27,10 @@ - # - NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf - NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf -- NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf -+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf { -+ -+ UefiRuntimeServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf -+ } - - # Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests. 
- [LibraryClasses] -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp -index 8260eeee50..bd423ebadf 100644 ---- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp -@@ -4,7 +4,9 @@ - Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - **/ --#include -+#include -+#include -+#include - - extern "C" { - #include -@@ -19,7 +21,8 @@ extern "C" { - // Definitions - /////////////////////////////////////////////////////////////////////////////// - --#define PACKET_SIZE (1500) -+#define PACKET_SIZE (1500) -+#define REQUEST_OPTION_LENGTH (120) - - typedef struct { - UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03) -@@ -76,6 +79,26 @@ MockConfigure ( - } - - // Needed by PxeBcSupport -+EFI_STATUS -+PxeBcDns6 ( -+ IN PXEBC_PRIVATE_DATA *Private, -+ IN CHAR16 *HostName, -+ OUT EFI_IPv6_ADDRESS *IpAddress -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ -+UINT32 -+PxeBcBuildDhcp6Options ( -+ IN PXEBC_PRIVATE_DATA *Private, -+ OUT EFI_DHCP6_PACKET_OPTION **OptList, -+ IN UINT8 *Buffer -+ ) -+{ -+ return EFI_SUCCESS; -+} -+ - EFI_STATUS - EFIAPI - QueueDpc ( -@@ -159,6 +182,10 @@ TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) { - ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR); - } - -+/////////////////////////////////////////////////////////////////////////////// -+// PxeBcCacheDnsServerAddresses Tests -+/////////////////////////////////////////////////////////////////////////////// -+ - class PxeBcCacheDnsServerAddressesTest : public ::testing::Test { - public: - PXEBC_PRIVATE_DATA Private = { 0 }; -@@ -298,3 +325,250 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) { - FreePool (Private.DnsServer); - } - } -+ -+/////////////////////////////////////////////////////////////////////////////// -+// 
PxeBcRequestBootServiceTest Test Cases -+/////////////////////////////////////////////////////////////////////////////// -+ -+class PxeBcRequestBootServiceTest : public ::testing::Test { -+public: -+ PXEBC_PRIVATE_DATA Private = { 0 }; -+ EFI_UDP6_PROTOCOL Udp6Read; -+ -+protected: -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); -+ -+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL -+ // The function under test really only needs the following: -+ // UdpWrite -+ // UdpRead -+ -+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; -+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; -+ -+ // Need to setup EFI_UDP6_PROTOCOL -+ // The function under test really only needs the following: -+ // Configure -+ -+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure; -+ Private.Udp6Read = &Udp6Read; -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ if (Private.Dhcp6Request != NULL) { -+ FreePool (Private.Dhcp6Request); -+ } -+ -+ // Clean up any resources or variables -+ } -+}; -+ -+TEST_F (PxeBcRequestBootServiceTest, ServerDiscoverBasicUsageTest) { -+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl; -+ -+ DHCP6_OPTION_SERVER_ID Server = { 0 }; -+ -+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID); -+ Server.OptionLen = HTONS (16); // valid length -+ UINT8 Index = 0; -+ -+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer; -+ -+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option); -+ -+ CopyMem (Cursor, &Server, sizeof (Server)); -+ Cursor += sizeof (Server); -+ -+ // Update the packet length -+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet); -+ Packet->Size = PACKET_SIZE; -+ -+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS); -+} -+ -+TEST_F 
(PxeBcRequestBootServiceTest, AttemptDiscoverOverFlowExpectFailure) { -+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl; -+ -+ DHCP6_OPTION_SERVER_ID Server = { 0 }; -+ -+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID); -+ Server.OptionLen = HTONS (1500); // This length would overflow without a check -+ UINT8 Index = 0; -+ -+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer; -+ -+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option); -+ -+ CopyMem (Cursor, &Server, sizeof (Server)); -+ Cursor += sizeof (Server); -+ -+ // Update the packet length -+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet); -+ Packet->Size = PACKET_SIZE; -+ -+ // This is going to be stopped by the duid overflow check -+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_INVALID_PARAMETER); -+} -+ -+TEST_F (PxeBcRequestBootServiceTest, RequestBasicUsageTest) { -+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter -+ -+ RequestOpt.OpCode = HTONS (0x1337); -+ RequestOpt.OpLen = 0; // valid length -+ -+ UINT8 Index = 0; -+ -+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index]; -+ -+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option); -+ -+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); -+ Cursor += sizeof (RequestOpt); -+ -+ // Update the packet length -+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet); -+ Packet->Size = PACKET_SIZE; -+ -+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS); -+} -+ -+TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) { -+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter -+ -+ RequestOpt.OpCode = HTONS (0x1337); -+ RequestOpt.OpLen = 1500; // this length would overflow without a check -+ -+ UINT8 Index = 0; -+ -+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET 
*)&Private.Dhcp6Request[Index]; -+ -+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option); -+ -+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); -+ Cursor += sizeof (RequestOpt); -+ -+ // Update the packet length -+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet); -+ Packet->Size = PACKET_SIZE; -+ -+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_OUT_OF_RESOURCES); -+} -+ -+/////////////////////////////////////////////////////////////////////////////// -+// PxeBcDhcp6Discover Test -+/////////////////////////////////////////////////////////////////////////////// -+ -+class PxeBcDhcp6DiscoverTest : public ::testing::Test { -+public: -+ PXEBC_PRIVATE_DATA Private = { 0 }; -+ EFI_UDP6_PROTOCOL Udp6Read; -+ -+protected: -+ MockUefiRuntimeServicesTableLib RtServicesMock; -+ -+ // Add any setup code if needed -+ virtual void -+ SetUp ( -+ ) -+ { -+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE); -+ -+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL -+ // The function under test really only needs the following: -+ // UdpWrite -+ // UdpRead -+ -+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite; -+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead; -+ -+ // Need to setup EFI_UDP6_PROTOCOL -+ // The function under test really only needs the following: -+ // Configure -+ -+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure; -+ Private.Udp6Read = &Udp6Read; -+ } -+ -+ // Add any cleanup code if needed -+ virtual void -+ TearDown ( -+ ) -+ { -+ if (Private.Dhcp6Request != NULL) { -+ FreePool (Private.Dhcp6Request); -+ } -+ -+ // Clean up any resources or variables -+ } -+}; -+ -+// Test Description -+// This will cause an overflow by an untrusted packet during the option parsing -+TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) { -+ EFI_IPv6_ADDRESS DestIp = { 0 }; -+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter -+ -+ 
RequestOpt.OpCode = HTONS (0x1337); -+ RequestOpt.OpLen = HTONS (0xFFFF); // overflow -+ -+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option); -+ -+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); -+ Cursor += sizeof (RequestOpt); -+ -+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request); -+ -+ EXPECT_CALL (RtServicesMock, gRT_GetTime) -+ .WillOnce (::testing::Return (0)); -+ -+ ASSERT_EQ ( -+ PxeBcDhcp6Discover ( -+ &(PxeBcDhcp6DiscoverTest::Private), -+ 0, -+ NULL, -+ FALSE, -+ (EFI_IP_ADDRESS *)&DestIp -+ ), -+ EFI_OUT_OF_RESOURCES -+ ); -+} -+ -+// Test Description -+// This will test that we can handle a packet with a valid option length -+TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) { -+ EFI_IPv6_ADDRESS DestIp = { 0 }; -+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter -+ -+ RequestOpt.OpCode = HTONS (0x1337); -+ RequestOpt.OpLen = HTONS (0x30); -+ -+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option); -+ -+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt)); -+ Cursor += sizeof (RequestOpt); -+ -+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request); -+ -+ EXPECT_CALL (RtServicesMock, gRT_GetTime) -+ .WillOnce (::testing::Return (0)); -+ -+ ASSERT_EQ ( -+ PxeBcDhcp6Discover ( -+ &(PxeBcDhcp6DiscoverTest::Private), -+ 0, -+ NULL, -+ FALSE, -+ (EFI_IP_ADDRESS *)&DestIp -+ ), -+ EFI_SUCCESS -+ ); -+} -diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h -index b17c314791..0d825e4425 100644 ---- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h -+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h -@@ -47,4 +47,22 @@ PxeBcCacheDnsServerAddresses ( - IN PXEBC_DHCP6_PACKET_CACHE *Cache6 - ); - -+/** -+ Build and send out the request packet for the bootfile, and parse the reply. -+ -+ @param[in] Private The pointer to PxeBc private data. 
-+ @param[in] Index PxeBc option boot item type. -+ -+ @retval EFI_SUCCESS Successfully discovered the boot file. -+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources. -+ @retval EFI_NOT_FOUND Can't get the PXE reply packet. -+ @retval Others Failed to discover the boot file. -+ -+**/ -+EFI_STATUS -+PxeBcRequestBootService ( -+ IN PXEBC_PRIVATE_DATA *Private, -+ IN UINT32 Index -+ ); -+ - #endif // PXE_BC_DHCP6_GOOGLE_TEST_H_ --- -2.39.3 - diff --git a/SOURCES/edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch b/SOURCES/edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch deleted file mode 100644 index 39cb6d1..0000000 --- a/SOURCES/edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ababd8837103d4e504cc5d044a13fb9516543795 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Fri, 16 Feb 2024 10:48:05 -0500 -Subject: [PATCH 18/18] NetworkPkg: : Updating SecurityFixes.yaml - -RH-Author: Jon Maloy -RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch -RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 -RH-Acked-by: Gerd Hoffmann -RH-Acked-by: Laszlo Ersek -RH-Commit: [18/18] e77d4ea79359b99e7d1073251d67909c2bfdb879 - -JIRA: https://issues.redhat.com/browse/RHEL-21841 -CVE: CVE-2023-45229 -Upstream: Merged - -commit 5fd3078a2e08f607dc86a16c1b184b6e30a34a49 -Author: Doug Flick -Date: Tue Feb 13 10:46:03 2024 -0800 - - NetworkPkg: : Updating SecurityFixes.yaml - - This captures the related security change for Dhcp6Dxe that is related - to CVE-2023-45229 - - Cc: Saloni Kasbekar - Cc: Zachary Clark-williams - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Saloni Kasbekar - Reviewed-by: Leif Lindholm - -Signed-off-by: Jon Maloy ---- - NetworkPkg/SecurityFixes.yaml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 7e900483fe..fa42025e0d 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -8,6 +8,7 @@ CVE_2023_45229: - commit_titles: - - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch" - - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests" -+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch" - cve: CVE-2023-45229 - date_reported: 2023-08-28 13:56 UTC - description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch b/SOURCES/edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch deleted file mode 100644 index f1a835e..0000000 --- a/SOURCES/edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch +++ /dev/null @@ -1,201 +0,0 @@ -From 1b48c27469c9867c69e6f2b35aa7cd5562b5cf39 Mon Sep 17 00:00:00 2001 -From: Doug Flick -Date: Wed, 8 May 2024 22:56:24 -0700 -Subject: [PATCH 1/3] OvmfPkg: Add Hash2DxeCrypto to OvmfPkg - -RH-Author: Oliver Steffen -RH-MergeRequest: 79: OvmfPkg: Add Hash2DxeCrypto to OvmfPkg -RH-Jira: RHEL-46976 -RH-Commit: [1/1] 71f16261937c2fe2ff6fa434db6f300ff7f4fef0 - -JIRA: https://issues.redhat.com/browse/RHEL-46976 -Upstream: Merged - -Upstream commit 4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237") -broke HTTP boot in OVMF. This fixes it. - -commit cb9d71189134e78efb00759eb9649ce92bf5b29a -Author: Doug Flick -Date: Wed May 8 22:56:24 2024 -0700 - - OvmfPkg: Add Hash2DxeCrypto to OvmfPkg - - This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is - used to provide the hashing protocol services. - - Cc: Ard Biesheuvel - Cc: Jiewen Yao - Cc: Gerd Hoffmann - - 
Signed-off-by: Doug Flick [MSFT] - Tested-by: Gerd Hoffmann - Acked-by: Gerd Hoffmann - Reviewed-by: Ard Biesheuvel - -Signed-off-by: Oliver Steffen ---- - OvmfPkg/OvmfPkgIa32.dsc | 6 +++++- - OvmfPkg/OvmfPkgIa32.fdf | 5 +++++ - OvmfPkg/OvmfPkgIa32X64.dsc | 6 +++++- - OvmfPkg/OvmfPkgIa32X64.fdf | 5 +++++ - OvmfPkg/OvmfPkgX64.dsc | 6 +++++- - OvmfPkg/OvmfPkgX64.fdf | 5 +++++ - OvmfPkg/OvmfXen.dsc | 5 +++++ - OvmfPkg/OvmfXen.fdf | 5 +++++ - 8 files changed, 40 insertions(+), 3 deletions(-) - -diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc -index 4074aa382d..bd15bb30fe 100644 ---- a/OvmfPkg/OvmfPkgIa32.dsc -+++ b/OvmfPkg/OvmfPkgIa32.dsc -@@ -226,7 +226,6 @@ - VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf - VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf - -- - # - # Network libraries - # -@@ -884,6 +883,11 @@ - MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf - MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf - -+ # -+ # Hash2 Protocol producer -+ # -+ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network Support - # -diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf -index 20cfd2788e..2df265982b 100644 ---- a/OvmfPkg/OvmfPkgIa32.fdf -+++ b/OvmfPkg/OvmfPkgIa32.fdf -@@ -303,6 +303,11 @@ INF ShellPkg/Application/Shell/Shell.inf - - INF MdeModulePkg/Logo/LogoDxe.inf - -+# -+# Hash2 Protocol producer -+# -+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network modules - # -diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc -index 75ef19bc85..358f510ef8 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.dsc -+++ b/OvmfPkg/OvmfPkgIa32X64.dsc -@@ -231,7 +231,6 @@ - VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf - 
VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf - -- - # - # Network libraries - # -@@ -902,6 +901,11 @@ - MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf - MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf - -+ # -+ # Hash2 Protocol producer -+ # -+ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network Support - # -diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf -index 8517c79ba2..4a73d67238 100644 ---- a/OvmfPkg/OvmfPkgIa32X64.fdf -+++ b/OvmfPkg/OvmfPkgIa32X64.fdf -@@ -304,6 +304,11 @@ INF ShellPkg/Application/Shell/Shell.inf - - INF MdeModulePkg/Logo/LogoDxe.inf - -+# -+# Hash2 Protocol producer -+# -+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network modules - # -diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc -index 631ff0c788..266d77e15c 100644 ---- a/OvmfPkg/OvmfPkgX64.dsc -+++ b/OvmfPkg/OvmfPkgX64.dsc -@@ -247,7 +247,6 @@ - VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf - VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf - -- - # - # Network libraries - # -@@ -970,6 +969,11 @@ - MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf - MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf - -+ # -+ # Hash2 Protocol producer -+ # -+ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network Support - # -diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf -index 7ecde357ce..cedc362d04 100644 ---- a/OvmfPkg/OvmfPkgX64.fdf -+++ b/OvmfPkg/OvmfPkgX64.fdf -@@ -331,6 +331,11 @@ INF MdeModulePkg/Logo/LogoDxe.inf - - INF OvmfPkg/TdxDxe/TdxDxe.inf - -+# -+# Hash2 Protocol producer -+# -+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network modules - # -diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc -index 
0063245b56..021558423d 100644 ---- a/OvmfPkg/OvmfXen.dsc -+++ b/OvmfPkg/OvmfXen.dsc -@@ -682,6 +682,11 @@ - MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf - MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf - -+ # -+ # Hash2 Protocol producer -+ # -+ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network Support - # -diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf -index bdff7c52d8..e970b91652 100644 ---- a/OvmfPkg/OvmfXen.fdf -+++ b/OvmfPkg/OvmfXen.fdf -@@ -315,6 +315,11 @@ INF ShellPkg/Application/Shell/Shell.inf - - INF MdeModulePkg/Logo/LogoDxe.inf - -+# -+# Hash2 Protocol producer -+# -+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf -+ - # - # Network modules - # --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch new file mode 100644 index 0000000..eff7e1b --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch 
@@ -0,0 +1,46 @@
+From 33ebaa6f0d476008ca6ba264657ac37faf63b723 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Thu, 29 Aug 2024 09:20:29 +0200
+Subject: [PATCH 1/2] OvmfPkg/CpuHotplugSmm: delay SMM exit
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 74: OvmfPkg/CpuHotplugSmm: delay SMM exit
+RH-Jira: RHEL-56974
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/1] e1fb3f4db68457ec9f59ca5db47606bf4c34e6c5 (kraxel.rh/centos-src-edk2)
+
+Let APs wait until the BSP has completed the register updates to remove
+the CPU. This makes sure all APs stay in SMM mode until the CPU
+hot-unplug operation is complete, which in turn makes sure the ACPI lock
+is released only after the CPU hot-unplug operation is complete.
+
+Some background: The CPU hotplug SMI is triggered from an ACPI function
+which is protected by an ACPI lock. The ACPI function is in the ACPI
+tables generated by qemu.
+
+Signed-off-by: Gerd Hoffmann
+
+upstream: submitted (https://github.com/tianocore/edk2/pull/6138)
+---
+ OvmfPkg/CpuHotplugSmm/CpuHotplug.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+index d504163026..5af78211d3 100644
+--- a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
++++ b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+@@ -355,6 +355,11 @@ EjectCpu (
+ //
+ QemuSelector = mCpuHotEjectData->QemuSelectorMap[ProcessorNum];
+ if (QemuSelector == CPU_EJECT_QEMU_SELECTOR_INVALID) {
++ /* wait until BSP is done */
++ while (mCpuHotEjectData->Handler != NULL) {
++ CpuPause ();
++ }
++
+ return;
+ }
+
+--
+2.39.3
+
diff --git a/SOURCES/edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch b/SOURCES/edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch
deleted file mode 100644
index 74f594f..0000000
--- a/SOURCES/edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch
+++ /dev/null
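Review bot: The wait loop added to the `QemuSelector == CPU_EJECT_QEMU_SELECTOR_INVALID` branch of EjectCpu has no bound and no statement of what ends it, so an AP that is not being ejected stays in SMM for as long as `mCpuHotEjectData->Handler` is non-NULL. Per the commit message the BSP finishes the register updates first, but the code that clears Handler is outside this hunk (EjectCpu starts before it and continues after it), so every BSP path, including any early-error return, needs to be checked for clearing it; otherwise the guest would hang with its CPUs held in SMM. The loop is also only correct if each iteration re-reads the field, which presumably depends on Handler being declared volatile in a header not shown here. I would replace the C-style comment with one in the file's `//` style that records the invariant, e.g. `// Not being ejected: stay in SMM until the BSP clears Handler (eject register writes done).`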
@@ -1,52 +0,0 @@ -From 390efa52b8c2b61bcc6f24cc9f3b805798150b6e Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 9 Jan 2024 12:29:00 +0100 -Subject: [PATCH 1/3] OvmfPkg/RiscVVirt: use gEfiAuthenticatedVariableGuid - unconditionally -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ArmVirt and OVMF are doing the same. - -See commit d92eaabefbe0 ("OvmfPkg: simplify VARIABLE_STORE_HEADER -generation") for details. - -Suggested-by: László Érsek -Signed-off-by: Gerd Hoffmann -Reviewed-by: Sunil V L -Reviewed-by: Laszlo Ersek -Message-Id: <20240109112902.30002-2-kraxel@redhat.com> -(cherry picked from commit 3b1ddbddeee64cee5aba4f0170fbf5e4781d4879) ---- - OvmfPkg/RiscVVirt/VarStore.fdf.inc | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - -diff --git a/OvmfPkg/RiscVVirt/VarStore.fdf.inc b/OvmfPkg/RiscVVirt/VarStore.fdf.inc -index aba32315cc..6679c246b3 100644 ---- a/OvmfPkg/RiscVVirt/VarStore.fdf.inc -+++ b/OvmfPkg/RiscVVirt/VarStore.fdf.inc -@@ -36,19 +36,12 @@ DATA = { - # Blockmap[1]: End - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - ## This is the VARIABLE_STORE_HEADER --!if $(SECURE_BOOT_ENABLE) == TRUE -+ # It is compatible with SECURE_BOOT_ENABLE == FALSE as well. - # Signature: gEfiAuthenticatedVariableGuid = - # { 0xaaf32c78, 0x947b, 0x439a, - # { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} - 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, - 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, --!else -- # Signature: gEfiVariableGuid = -- # { 0xddcf3616, 0x3275, 0x4164, -- # { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} -- 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, -- 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, --!endif - # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - - # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3FFB8 - # This can speed up the Variable Dispatch a bit. --- -2.39.3 - 
diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch deleted file mode 100644 index d63468d..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch +++ /dev/null @@ -1,48 +0,0 @@ -From cfcef96bb3c63342d4fb87cf0cda8e9dcaef9b2b Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:04 +0100 -Subject: [PATCH 5/6] OvmfPkg/VirtNorFlashDxe: ValidateFvHeader: unwritten - state is EOL too - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [5/6] 24a9f2d03eeaf61ea8f0ea5a40f0921994b08688 (kraxel.rh/centos-src-edk2) - -It is possible to find variable entries with State being 0xff, i.e. not -updated since flash block erase. This indicates the variable driver -could not complete the header write while appending a new entry, and -therefore State was not set to VAR_HEADER_VALID_ONLY. - -This can only happen at the end of the variable list, so treat this as -additional "end of variable list" condition. - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240116171105.37831-6-kraxel@redhat.com> -(cherry picked from commit 735d0a5e2e25c1577bf9bea7826da937ca38169d) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -index 8fcd999ac6..c8b5e0be13 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -@@ -302,6 +302,11 @@ ValidateFvHeader ( - break; - } - -+ if (VarHeader->State == 0xff) { -+ DEBUG ((DEBUG_INFO, "%a: end of var list (unwritten state)\n", __func__)); -+ break; -+ } -+ - VarName = NULL; - switch (VarHeader->State) { - // usage: State = VAR_HEADER_VALID_ONLY --- -2.39.3 - 
diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch deleted file mode 100644 index 47a1a95..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From a82176278e664c3955197d1e076188471d88a422 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:02 +0100 -Subject: [PATCH 3/6] OvmfPkg/VirtNorFlashDxe: add a loop for - NorFlashWriteBuffer calls. - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [3/6] 993426855451252f1126348e107e386b07314bfd (kraxel.rh/centos-src-edk2) - -Replace the two NorFlashWriteBuffer() calls with a loop containing a -single NorFlashWriteBuffer() call. - -With the changes in place the code is able to handle updates larger -than two P30_MAX_BUFFER_SIZE_IN_BYTES blocks, even though the patch -does not actually change the size limit. - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240116171105.37831-4-kraxel@redhat.com> -(cherry picked from commit 28ffd726894f11a587a6ac7f71a4c4af341e24d2) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 21 ++++++++------------- - 1 file changed, 8 insertions(+), 13 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -index 88a4d2c23f..3d1343b381 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -@@ -521,6 +521,7 @@ NorFlashWriteSingleBlock ( - UINTN BlockAddress; - UINT8 *OrigData; - UINTN Start, End; -+ UINT32 Index, Count; - - DEBUG ((DEBUG_BLKIO, "NorFlashWriteSingleBlock(Parameters: Lba=%ld, Offset=0x%x, *NumBytes=0x%x, Buffer @ 0x%08x)\n", Lba, Offset, *NumBytes, Buffer)); - -@@ -621,23 +622,17 @@ NorFlashWriteSingleBlock ( - goto Exit; - } - -- Status = NorFlashWriteBuffer ( -- Instance, -- BlockAddress + Start, -- P30_MAX_BUFFER_SIZE_IN_BYTES, -- Instance->ShadowBuffer -- ); -- if (EFI_ERROR (Status)) { -- goto Exit; -- } -- -- if ((End - Start) > P30_MAX_BUFFER_SIZE_IN_BYTES) { -+ Count = (End - Start) / P30_MAX_BUFFER_SIZE_IN_BYTES; -+ for 
(Index = 0; Index < Count; Index++) { - Status = NorFlashWriteBuffer ( - Instance, -- BlockAddress + Start + P30_MAX_BUFFER_SIZE_IN_BYTES, -+ BlockAddress + Start + Index * P30_MAX_BUFFER_SIZE_IN_BYTES, - P30_MAX_BUFFER_SIZE_IN_BYTES, -- Instance->ShadowBuffer + P30_MAX_BUFFER_SIZE_IN_BYTES -+ Instance->ShadowBuffer + Index * P30_MAX_BUFFER_SIZE_IN_BYTES - ); -+ if (EFI_ERROR (Status)) { -+ goto Exit; -+ } - } - - Exit: --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch deleted file mode 100644 index 5ac4d29..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 74d2d4b58efe72b931bd2979254cb0fa02a38276 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:00 +0100 -Subject: [PATCH 1/6] OvmfPkg/VirtNorFlashDxe: add casts to UINTN and UINT32 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [1/6] ad54e96a5f20907ac591fcfcc0961d353953c4f1 (kraxel.rh/centos-src-edk2) - -This is needed to avoid bit operations being applied to signed integers. - -Suggested-by: László Érsek -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240116171105.37831-2-kraxel@redhat.com> -(cherry picked from commit 0395045ae307c43a41f72ca9a8bf4eb8f16b2fe0) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -index 1afd60ce66..7f4743b003 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -@@ -581,7 +581,7 @@ NorFlashWriteSingleBlock ( - // contents, while checking whether the old version had any bits cleared - // that we want to set. In that case, we will need to erase the block first. 
- for (CurOffset = 0; CurOffset < *NumBytes; CurOffset++) { -- if (~OrigData[CurOffset] & Buffer[CurOffset]) { -+ if (~(UINT32)OrigData[CurOffset] & (UINT32)Buffer[CurOffset]) { - goto DoErase; - } - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h -index b7f5d208b2..455eafacc2 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h -@@ -61,7 +61,7 @@ - #define P30_MAX_BUFFER_SIZE_IN_BYTES ((UINTN)128) - #define P30_MAX_BUFFER_SIZE_IN_WORDS (P30_MAX_BUFFER_SIZE_IN_BYTES/((UINTN)4)) - #define MAX_BUFFERED_PROG_ITERATIONS 10000000 --#define BOUNDARY_OF_32_WORDS 0x7F -+#define BOUNDARY_OF_32_WORDS ((UINTN)0x7F) - - // CFI Addresses - #define P30_CFI_ADDR_QUERY_UNIQUE_QRY 0x10 --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch deleted file mode 100644 index ed1f4a1..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 75774a03a6e0d2f5ca8103bab8d7d31e40624edd Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:03 +0100 -Subject: [PATCH 4/6] OvmfPkg/VirtNorFlashDxe: allow larger writes without - block erase - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [4/6] 4bc6828b395ef708201a49001348bb61a0108339 (kraxel.rh/centos-src-edk2) - -Raise the limit for writes without block erase from two to four -P30_MAX_BUFFER_SIZE_IN_BYTES blocks. With this in place almost all efi -variable updates are handled without block erase. With the old limit -some variable updates (with device paths) took the block erase code -path. - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240116171105.37831-5-kraxel@redhat.com> -(cherry picked from commit b25733c97442513890ae6bb8e10fd340f13844a7) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -index 3d1343b381..3d1d20daa1 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -@@ -550,13 +550,15 @@ NorFlashWriteSingleBlock ( - return EFI_BAD_BUFFER_SIZE; - } - -- // Pick P30_MAX_BUFFER_SIZE_IN_BYTES (== 128 bytes) as a good start for word -- // operations as opposed to erasing the block and writing the data regardless -- // if an erase is really needed. It looks like most individual NV variable -- // writes are smaller than 128 bytes. -- // To avoid pathological cases were a 2 byte write is disregarded because it -- // occurs right at a 128 byte buffered write alignment boundary, permit up to -- // twice the max buffer size, and perform two writes if needed. 
-+ // Pick 4 * P30_MAX_BUFFER_SIZE_IN_BYTES (== 512 bytes) as a good -+ // start for word operations as opposed to erasing the block and -+ // writing the data regardless if an erase is really needed. -+ // -+ // Many NV variable updates are small enough for a a single -+ // P30_MAX_BUFFER_SIZE_IN_BYTES block write. In case the update is -+ // larger than a single block, or the update crosses a -+ // P30_MAX_BUFFER_SIZE_IN_BYTES boundary (as shown in the diagram -+ // below), or both, we might have to write two or more blocks. - // - // 0 128 256 - // [----------------|----------------] -@@ -578,7 +580,7 @@ NorFlashWriteSingleBlock ( - Start = Offset & ~BOUNDARY_OF_32_WORDS; - End = ALIGN_VALUE (Offset + *NumBytes, P30_MAX_BUFFER_SIZE_IN_BYTES); - -- if ((End - Start) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) { -+ if ((End - Start) <= (4 * P30_MAX_BUFFER_SIZE_IN_BYTES)) { - // Check to see if we need to erase before programming the data into NOR. - // If the destination bits are only changing from 1s to 0s we can just write. - // After a block is erased all bits in the block is set to 1. --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch deleted file mode 100644 index bcf19d2..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From ef99dec08d51bad7be0f84942443a8a0e1412c87 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:01 +0100 -Subject: [PATCH 2/6] OvmfPkg/VirtNorFlashDxe: clarify block write logic & fix - shadowbuffer reads - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [2/6] e2f2231fd1b7b702aa5372e790c1d2c06ca79f74 (kraxel.rh/centos-src-edk2) - -Introduce 'Start' and 'End' variables to make it easier to follow the -logic and code flow. Also add a ascii art diagram (based on a -suggestion by Laszlo). - -This also fixes the 'Size' calculation for the NorFlashRead() call. -Without this patch the code will read only one instead of two -P30_MAX_BUFFER_SIZE_IN_BYTES blocks in case '*NumBytes' is smaller than -P30_MAX_BUFFER_SIZE_IN_BYTES but 'Offset + *NumBytes' is not, i.e. the -update range crosses a P30_MAX_BUFFER_SIZE_IN_BYTES boundary. 
- -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240116171105.37831-3-kraxel@redhat.com> -(cherry picked from commit 35d8ea8097794b522149688b5cfaf8364bc44d54) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 36 ++++++++++++++++++++------ - 1 file changed, 28 insertions(+), 8 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -index 7f4743b003..88a4d2c23f 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -@@ -520,6 +520,7 @@ NorFlashWriteSingleBlock ( - UINTN BlockSize; - UINTN BlockAddress; - UINT8 *OrigData; -+ UINTN Start, End; - - DEBUG ((DEBUG_BLKIO, "NorFlashWriteSingleBlock(Parameters: Lba=%ld, Offset=0x%x, *NumBytes=0x%x, Buffer @ 0x%08x)\n", Lba, Offset, *NumBytes, Buffer)); - -@@ -555,7 +556,28 @@ NorFlashWriteSingleBlock ( - // To avoid pathological cases were a 2 byte write is disregarded because it - // occurs right at a 128 byte buffered write alignment boundary, permit up to - // twice the max buffer size, and perform two writes if needed. -- if ((*NumBytes + (Offset & BOUNDARY_OF_32_WORDS)) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) { -+ // -+ // 0 128 256 -+ // [----------------|----------------] -+ // ^ ^ ^ ^ -+ // | | | | -+ // | | | End, the next "word" boundary beyond -+ // | | | the (logical) update -+ // | | | -+ // | | (Offset & BOUNDARY_OF_32_WORDS) + NumBytes; -+ // | | i.e., the relative offset inside (or just past) -+ // | | the *double-word* such that it is the -+ // | | *exclusive* end of the (logical) update. 
-+ // | | -+ // | Offset & BOUNDARY_OF_32_WORDS; i.e., Offset within the "word"; -+ // | this is where the (logical) update is supposed to start -+ // | -+ // Start = Offset & ~BOUNDARY_OF_32_WORDS; i.e., Offset truncated to "word" boundary -+ -+ Start = Offset & ~BOUNDARY_OF_32_WORDS; -+ End = ALIGN_VALUE (Offset + *NumBytes, P30_MAX_BUFFER_SIZE_IN_BYTES); -+ -+ if ((End - Start) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) { - // Check to see if we need to erase before programming the data into NOR. - // If the destination bits are only changing from 1s to 0s we can just write. - // After a block is erased all bits in the block is set to 1. -@@ -565,8 +587,8 @@ NorFlashWriteSingleBlock ( - Status = NorFlashRead ( - Instance, - Lba, -- Offset & ~BOUNDARY_OF_32_WORDS, -- (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, -+ Start, -+ End - Start, - Instance->ShadowBuffer - ); - if (EFI_ERROR (Status)) { -@@ -601,7 +623,7 @@ NorFlashWriteSingleBlock ( - - Status = NorFlashWriteBuffer ( - Instance, -- BlockAddress + (Offset & ~BOUNDARY_OF_32_WORDS), -+ BlockAddress + Start, - P30_MAX_BUFFER_SIZE_IN_BYTES, - Instance->ShadowBuffer - ); -@@ -609,12 +631,10 @@ NorFlashWriteSingleBlock ( - goto Exit; - } - -- if ((*NumBytes + (Offset & BOUNDARY_OF_32_WORDS)) > P30_MAX_BUFFER_SIZE_IN_BYTES) { -- BlockAddress += P30_MAX_BUFFER_SIZE_IN_BYTES; -- -+ if ((End - Start) > P30_MAX_BUFFER_SIZE_IN_BYTES) { - Status = NorFlashWriteBuffer ( - Instance, -- BlockAddress + (Offset & ~BOUNDARY_OF_32_WORDS), -+ BlockAddress + Start + P30_MAX_BUFFER_SIZE_IN_BYTES, - P30_MAX_BUFFER_SIZE_IN_BYTES, - Instance->ShadowBuffer + P30_MAX_BUFFER_SIZE_IN_BYTES - ); --- -2.39.3 - diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch deleted file mode 100644 index d2e062d..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 0429352edb21bd20b8192aec3f484361f4dc3b33 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Jan 2024 18:11:05 +0100 -Subject: [PATCH 6/6] OvmfPkg/VirtNorFlashDxe: move DoErase code block into new - function - -RH-Author: Gerd Hoffmann -RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes. -RH-Jira: RHEL-20963 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Miroslav Rezanina -RH-Commit: [6/6] 9a25dbbd0d9881664f8ce30efb95c63099785204 (kraxel.rh/centos-src-edk2) - -Move the DoErase code block into a separate function, call the function -instead of jumping around with goto. - -Signed-off-by: Gerd Hoffmann -Message-Id: <20240116171105.37831-7-kraxel@redhat.com> -Reviewed-by: Laszlo Ersek -(cherry picked from commit b481b00f593ef37695ee14271453320ed02a1256) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 76 ++++++++++++++++++-------- - 1 file changed, 52 insertions(+), 24 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -index 3d1d20daa1..e6aaed27ce 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c -@@ -502,6 +502,38 @@ NorFlashRead ( - return EFI_SUCCESS; - } - -+STATIC -+EFI_STATUS -+NorFlashWriteSingleBlockWithErase ( -+ IN NOR_FLASH_INSTANCE *Instance, -+ IN EFI_LBA Lba, -+ IN UINTN Offset, -+ IN OUT UINTN *NumBytes, -+ IN UINT8 *Buffer -+ ) -+{ -+ EFI_STATUS Status; -+ -+ // Read NOR Flash data into shadow buffer -+ Status = NorFlashReadBlocks (Instance, Lba, Instance->BlockSize, Instance->ShadowBuffer); -+ if (EFI_ERROR (Status)) { -+ // Return one of the pre-approved error statuses -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // Put the data at the appropriate location inside the buffer area -+ CopyMem ((VOID *)((UINTN)Instance->ShadowBuffer + Offset), Buffer, *NumBytes); -+ -+ // Write the modified buffer back to the NorFlash -+ Status = NorFlashWriteBlocks (Instance, Lba, Instance->BlockSize, Instance->ShadowBuffer); -+ 
if (EFI_ERROR (Status)) { -+ // Return one of the pre-approved error statuses -+ return EFI_DEVICE_ERROR; -+ } -+ -+ return EFI_SUCCESS; -+} -+ - /* - Write a full or portion of a block. It must not span block boundaries; that is, - Offset + *NumBytes <= Instance->BlockSize. -@@ -607,7 +639,14 @@ NorFlashWriteSingleBlock ( - // that we want to set. In that case, we will need to erase the block first. - for (CurOffset = 0; CurOffset < *NumBytes; CurOffset++) { - if (~(UINT32)OrigData[CurOffset] & (UINT32)Buffer[CurOffset]) { -- goto DoErase; -+ Status = NorFlashWriteSingleBlockWithErase ( -+ Instance, -+ Lba, -+ Offset, -+ NumBytes, -+ Buffer -+ ); -+ return Status; - } - - OrigData[CurOffset] = Buffer[CurOffset]; -@@ -636,33 +675,22 @@ NorFlashWriteSingleBlock ( - goto Exit; - } - } -- --Exit: -- // Put device back into Read Array mode -- SEND_NOR_COMMAND (Instance->DeviceBaseAddress, 0, P30_CMD_READ_ARRAY); -- -+ } else { -+ Status = NorFlashWriteSingleBlockWithErase ( -+ Instance, -+ Lba, -+ Offset, -+ NumBytes, -+ Buffer -+ ); - return Status; - } - --DoErase: -- // Read NOR Flash data into shadow buffer -- Status = NorFlashReadBlocks (Instance, Lba, BlockSize, Instance->ShadowBuffer); -- if (EFI_ERROR (Status)) { -- // Return one of the pre-approved error statuses -- return EFI_DEVICE_ERROR; -- } -- -- // Put the data at the appropriate location inside the buffer area -- CopyMem ((VOID *)((UINTN)Instance->ShadowBuffer + Offset), Buffer, *NumBytes); -- -- // Write the modified buffer back to the NorFlash -- Status = NorFlashWriteBlocks (Instance, Lba, BlockSize, Instance->ShadowBuffer); -- if (EFI_ERROR (Status)) { -- // Return one of the pre-approved error statuses -- return EFI_DEVICE_ERROR; -- } -+Exit: -+ // Put device back into Read Array mode -+ SEND_NOR_COMMAND (Instance->DeviceBaseAddress, 0, P30_CMD_READ_ARRAY); - -- return EFI_SUCCESS; -+ return Status; - } - - EFI_STATUS --- -2.39.3 - 
diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch deleted file mode 100644 index 847f62e..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From d557e973e4a400325f68014e463201a5b48c1547 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 9 Jan 2024 12:29:02 +0100 -Subject: [PATCH 3/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables - -Extend the ValidateFvHeader function, additionally to the header checks -walk over the list of variables and sanity check them. - -In case we find inconsistencies indicating variable store corruption -return EFI_NOT_FOUND so the variable store will be re-initialized. - -Signed-off-by: Gerd Hoffmann -Message-Id: <20240109112902.30002-4-kraxel@redhat.com> -Reviewed-by: Laszlo Ersek -[lersek@redhat.com: fix StartId initialization/assignment coding style] -(cherry picked from commit 4a443f73fd67ca8caaf0a3e1a01f8231b330d2e0) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf | 1 + - OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 149 +++++++++++++++++++- - 2 files changed, 145 insertions(+), 5 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf -index 2a3d4a218e..f549400280 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf -@@ -34,6 +34,7 @@ - DxeServicesTableLib - HobLib - IoLib -+ SafeIntLib - UefiBootServicesTableLib - UefiDriverEntryPoint - UefiLib -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -index 9a614ae4b2..8fcd999ac6 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include - #include - - #include -@@ -185,11 +186,12 @@ ValidateFvHeader ( - IN NOR_FLASH_INSTANCE *Instance - ) - { -- UINT16 Checksum; -- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; -- VARIABLE_STORE_HEADER *VariableStoreHeader; -- UINTN VariableStoreLength; -- UINTN FvLength; -+ UINT16 Checksum; -+ CONST EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; -+ CONST VARIABLE_STORE_HEADER *VariableStoreHeader; -+ 
UINTN VarOffset; -+ UINTN VariableStoreLength; -+ UINTN FvLength; - - FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *)Instance->RegionBaseAddress; - -@@ -258,6 +260,143 @@ ValidateFvHeader ( - return EFI_NOT_FOUND; - } - -+ // -+ // check variables -+ // -+ DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__)); -+ VarOffset = sizeof (*VariableStoreHeader); -+ for ( ; ;) { -+ UINTN VarHeaderEnd; -+ UINTN VarNameEnd; -+ UINTN VarEnd; -+ UINTN VarPadding; -+ CONST AUTHENTICATED_VARIABLE_HEADER *VarHeader; -+ CONST CHAR16 *VarName; -+ CONST CHAR8 *VarState; -+ RETURN_STATUS Status; -+ -+ Status = SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderEnd); -+ if (RETURN_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ -+ if (VarHeaderEnd >= VariableStoreHeader->Size) { -+ if (VarOffset <= VariableStoreHeader->Size - sizeof (UINT16)) { -+ CONST UINT16 *StartId; -+ -+ StartId = (VOID *)((UINTN)VariableStoreHeader + VarOffset); -+ if (*StartId == 0x55aa) { -+ DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ } -+ -+ DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __func__)); -+ break; -+ } -+ -+ VarHeader = (VOID *)((UINTN)VariableStoreHeader + VarOffset); -+ if (VarHeader->StartId != 0x55aa) { -+ DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__)); -+ break; -+ } -+ -+ VarName = NULL; -+ switch (VarHeader->State) { -+ // usage: State = VAR_HEADER_VALID_ONLY -+ case VAR_HEADER_VALID_ONLY: -+ VarState = "header-ok"; -+ VarName = L""; -+ break; -+ -+ // usage: State = VAR_ADDED -+ case VAR_ADDED: -+ VarState = "ok"; -+ break; -+ -+ // usage: State &= VAR_IN_DELETED_TRANSITION -+ case VAR_ADDED &VAR_IN_DELETED_TRANSITION: -+ VarState = "del-in-transition"; -+ break; -+ -+ // usage: State &= VAR_DELETED -+ case VAR_ADDED &VAR_DELETED: -+ case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION: -+ VarState = "deleted"; -+ break; -+ 
-+ default: -+ DEBUG (( -+ DEBUG_ERROR, -+ "%a: invalid variable state: 0x%x\n", -+ __func__, -+ VarHeader->State -+ )); -+ return EFI_NOT_FOUND; -+ } -+ -+ Status = SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarNameEnd); -+ if (RETURN_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ -+ Status = SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd); -+ if (RETURN_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ -+ if (VarEnd > VariableStoreHeader->Size) { -+ DEBUG (( -+ DEBUG_ERROR, -+ "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n", -+ __func__, -+ (UINT64)VarOffset, -+ (UINT64)(sizeof (*VarHeader)), -+ VarHeader->NameSize, -+ VarHeader->DataSize, -+ VariableStoreHeader->Size -+ )); -+ return EFI_NOT_FOUND; -+ } -+ -+ if (((VarHeader->NameSize & 1) != 0) || -+ (VarHeader->NameSize < 4)) -+ { -+ DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ -+ if (VarName == NULL) { -+ VarName = (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd); -+ if (VarName[VarHeader->NameSize / 2 - 1] != L'\0') { -+ DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ } -+ -+ DEBUG (( -+ DEBUG_VERBOSE, -+ "%a: +0x%04Lx: name=0x%x data=0x%x guid=%g '%s' (%a)\n", -+ __func__, -+ (UINT64)VarOffset, -+ VarHeader->NameSize, -+ VarHeader->DataSize, -+ &VarHeader->VendorGuid, -+ VarName, -+ VarState -+ )); -+ -+ VarPadding = (4 - (VarEnd & 3)) & 3; -+ Status = SafeUintnAdd (VarEnd, VarPadding, &VarOffset); -+ if (RETURN_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); -+ return EFI_NOT_FOUND; -+ } -+ } -+ - return EFI_SUCCESS; - } - --- -2.39.3 - 
diff --git a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch b/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch deleted file mode 100644 index e49c2cc..0000000 --- a/SOURCES/edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 77047a56601aaa955a12030343bdee973b9d393d Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 9 Jan 2024 12:29:01 +0100 -Subject: [PATCH 2/3] OvmfPkg/VirtNorFlashDxe: stop accepting gEfiVariableGuid -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Only accept gEfiAuthenticatedVariableGuid when checking the variable -store header in ValidateFvHeader(). - -The edk2 code base has been switched to use the authenticated varstore -format unconditionally (even in case secure boot is not used or -supported) a few years ago. - -Suggested-by: László Érsek -Signed-off-by: Gerd Hoffmann -Reviewed-by: Laszlo Ersek -Message-Id: <20240109112902.30002-3-kraxel@redhat.com> -(cherry picked from commit ae22b2f136bcbd27135a5f4dd76d3a68a172d00e) ---- - OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -index 5ee98e9b59..9a614ae4b2 100644 ---- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c -@@ -239,9 +239,7 @@ ValidateFvHeader ( - VariableStoreHeader = (VARIABLE_STORE_HEADER *)((UINTN)FwVolHeader + FwVolHeader->HeaderLength); - - // Check the Variable Store Guid -- if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) && -- !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) -- { -+ if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) { - DEBUG (( - DEBUG_INFO, - "%a: Variable Store Guid non-compatible\n", --- -2.39.3 - 
diff --git a/SOURCES/edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch b/SOURCES/edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch deleted file mode 100644 index 2184d8c..0000000 --- a/SOURCES/edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch +++ /dev/null @@ -1,68 +0,0 @@ -From b3a9b8a85e2782600b4fd26d08a4d15826cadcf7 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 17 Jan 2024 12:20:52 -0500 -Subject: [PATCH 3/3] SecurityPkg: : Adding CVE 2022-36763 to - SecurityFixes.yaml - -RH-Author: Jon Maloy -RH-MergeRequest: 51: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 -RH-Jira: RHEL-21155 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [3/3] 0763dad29bb6b9b3832b166bbabe15e84ed7208c - -JIRA: https://issues.redhat.com/browse/RHEL-21155 -Upstream: Merged -CVE: CVE-2022-36763 - -commit 1ddcb9fc6b4164e882687b031e8beacfcf7df29e -Author: Douglas Flick [MSFT] -Date: Fri Jan 12 02:16:03 2024 +0800 - - SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml - - This creates / adds a security file that tracks the security fixes - found in this package and can be used to find the fixes that were - applied. - - Cc: Jiewen Yao - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - create mode 100644 SecurityPkg/SecurityFixes.yaml - -diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml -new file mode 100644 -index 0000000000..f9e3e7be74 ---- /dev/null -+++ b/SecurityPkg/SecurityFixes.yaml -@@ -0,0 +1,22 @@ -+## @file -+# Security Fixes for SecurityPkg -+# -+# Copyright (c) Microsoft Corporation -+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+CVE_2022_36763: -+ commit_titles: -+ - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763" -+ - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763" -+ - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml" -+ cve: CVE-2022-36763 -+ date_reported: 2022-10-25 11:31 UTC -+ description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable() -+ note: This patch is related to and supersedes TCBZ2168 -+ files_impacted: -+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c -+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117 -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168 -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990 --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch b/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch deleted file mode 100644 index 863438e..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch +++ /dev/null 
@@ -1,273 +0,0 @@ -From 31ebaa021650c9b23c27f3a7954d33c1ef1e1502 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Tue, 13 Feb 2024 16:30:10 -0500 -Subject: [PATCH 3/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH - 4117/4118 symbol rename - -RH-Author: Jon Maloy -RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 -RH-Jira: RHEL-21157 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Gerd Hoffmann -RH-Commit: [3/5] d18f14e0a7df36223dab179bf7e9556db43f4c55 - -JIRA: https://issues.redhat.com/browse/RHEL-21157 -CVE: CVE-2022-36764 -Upstream: Merged - -commit 40adbb7f628dee79156c679fb0857968b61b7620 -Author: Doug Flick -Date: Wed Jan 17 14:47:20 2024 -0800 - - SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename - - Updates the sanitation function names to be lib unique names - - Cc: Jiewen Yao - Cc: Rahul Kumar - - 
Signed-off-by: Doug Flick [MSFT] - Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com> - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - .../DxeTpm2MeasureBootLib.c | 8 +++--- - .../DxeTpm2MeasureBootLibSanitization.c | 8 +++--- - .../DxeTpm2MeasureBootLibSanitization.h | 8 +++--- - .../DxeTpm2MeasureBootLibSanitizationTest.c | 26 +++++++++---------- - 4 files changed, 25 insertions(+), 25 deletions(-) - -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -index 714cc8e03e..73719f3b96 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -@@ -200,7 +200,7 @@ Tcg2MeasureGptTable ( - BlockIo->Media->BlockSize, - (UINT8 *)PrimaryHeader - ); -- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { -+ if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { - DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n")); - FreePool (PrimaryHeader); - return EFI_DEVICE_ERROR; -@@ -209,7 +209,7 @@ Tcg2MeasureGptTable ( - // - // Read the partition entry. 
- // -- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); -+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); - if (EFI_ERROR (Status)) { - FreePool (PrimaryHeader); - return EFI_BAD_BUFFER_SIZE; -@@ -250,7 +250,7 @@ Tcg2MeasureGptTable ( - // - // Prepare Data for Measurement (CcProtocol and Tcg2Protocol) - // -- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize); -+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize); - if (EFI_ERROR (Status)) { - FreePool (PrimaryHeader); - FreePool (EntryPtr); -@@ -420,7 +420,7 @@ Tcg2MeasurePeImage ( - } - - FilePathSize = (UINT32)GetDevicePathSize (FilePath); -- Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize); - if (EFI_ERROR (Status)) { - return EFI_UNSUPPORTED; - } -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -index 2a4d52c6d5..809a3bfd89 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -@@ -63,7 +63,7 @@ - **/ - EFI_STATUS - EFIAPI --SanitizeEfiPartitionTableHeader ( -+Tpm2SanitizeEfiPartitionTableHeader ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo - ) -@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader ( - **/ - EFI_STATUS - EFIAPI --SanitizePrimaryHeaderAllocationSize ( -+Tpm2SanitizePrimaryHeaderAllocationSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - OUT UINT32 *AllocationSize - ) -@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize ( - One of the passed parameters was invalid. 
- **/ - EFI_STATUS --SanitizePrimaryHeaderGptEventSize ( -+Tpm2SanitizePrimaryHeaderGptEventSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN UINTN NumberOfPartition, - OUT UINT32 *EventSize -@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize ( - One of the passed parameters was invalid. - **/ - EFI_STATUS --SanitizePeImageEventSize ( -+Tpm2SanitizePeImageEventSize ( - IN UINT32 FilePathSize, - OUT UINT32 *EventSize - ) -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -index 8f72ba4240..8526bc7537 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -@@ -54,7 +54,7 @@ - **/ - EFI_STATUS - EFIAPI --SanitizeEfiPartitionTableHeader ( -+Tpm2SanitizeEfiPartitionTableHeader ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo - ); -@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader ( - **/ - EFI_STATUS - EFIAPI --SanitizePrimaryHeaderAllocationSize ( -+Tpm2SanitizePrimaryHeaderAllocationSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - OUT UINT32 *AllocationSize - ); -@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize ( - One of the passed parameters was invalid. - **/ - EFI_STATUS --SanitizePrimaryHeaderGptEventSize ( -+Tpm2SanitizePrimaryHeaderGptEventSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN UINTN NumberOfPartition, - OUT UINT32 *EventSize -@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize ( - One of the passed parameters was invalid. 
- **/ - EFI_STATUS --SanitizePeImageEventSize ( -+Tpm2SanitizePeImageEventSize ( - IN UINT32 FilePathSize, - OUT UINT32 *EventSize - ); -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -index 820e99aeb9..50a68e1076 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader ( - PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize); - - // Test that a normal PrimaryHeader passes validation -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR - // Should print "Invalid Partition Table Header NumberOfPartitionEntries!"" - PrimaryHeader.NumberOfPartitionEntries = 0; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; - - // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR - // Should print "Invalid Partition Table Header Size!" 
- PrimaryHeader.Header.HeaderSize = 0; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); - - // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR - // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!" - PrimaryHeader.SizeOfPartitionEntry = 1; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize ( - PrimaryHeader.NumberOfPartitionEntries = 5; - PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; - -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Test that the allocation size is correct compared to the existing logic -@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize ( - // Test that an overflow is detected - PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; - PrimaryHeader.SizeOfPartitionEntry = 5; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test the inverse - PrimaryHeader.NumberOfPartitionEntries = 5; - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = 
Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test the worst case scenario - PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize ( - NumberOfPartition = 13; - - // that the primary event size is correct -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Calculate the existing logic event size -@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize ( - UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize); - - // Tests that the primary event size may not overflow -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); -+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test that the size of partition entries may not overflow - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize ( - FilePathSize = 255; - - // Test that a normal PE image passes validation -- Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ Status = 
Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_SUCCESS); - - // Test that the event size is correct compared to the existing logic -@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize ( - } - - // Test that the event size may not overflow -- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize); -+ Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch b/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch deleted file mode 100644 index c744f7a..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch +++ /dev/null @@ -1,1010 +0,0 @@ -From 200f0cae49a1f5c2a383e148230560f18a8afe19 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 17 Jan 2024 12:20:52 -0500 -Subject: [PATCH 1/3] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - - CVE 2022-36763 - -RH-Author: Jon Maloy -RH-MergeRequest: 51: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 -RH-Jira: RHEL-21155 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [1/3] 43764d70389c328076719f7e7a731e70c34b6846 - -JIRA: https://issues.redhat.com/browse/RHEL-21155 -Upstream: Merged -CVE: CVE-2022-36763 - -commit 224446543206450ddb5830e6abd026d61d3c7f4b -Author: Douglas Flick [MSFT] -Date: Fri Jan 12 02:16:01 2024 +0800 - - SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 - - This commit contains the patch files and tests for DxeTpm2MeasureBootLib - CVE 2022-36763. - - Cc: Jiewen Yao - - 
Signed-off-by: Doug Flick [MSFT] - -Signed-off-by: Jon Maloy ---- - .../DxeTpm2MeasureBootLib.c | 69 ++-- - .../DxeTpm2MeasureBootLib.inf | 4 +- - .../DxeTpm2MeasureBootLibSanitization.c | 275 ++++++++++++++++ - .../DxeTpm2MeasureBootLibSanitization.h | 113 +++++++ - .../DxeTpm2MeasureBootLibSanitizationTest.c | 303 ++++++++++++++++++ - ...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++ - SecurityPkg/SecurityPkg.ci.yaml | 1 + - SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 + - 8 files changed, 764 insertions(+), 30 deletions(-) - create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c - create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h - create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c - create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf - -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -index 36a256a7af..0475103d6e 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -@@ -20,6 +20,8 @@ Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett Packard Enterprise Development LP
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-+Copyright (c) Microsoft Corporation.
-+SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - - #include -@@ -44,6 +46,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - -+#include "DxeTpm2MeasureBootLibSanitization.h" -+ - typedef struct { - EFI_TCG2_PROTOCOL *Tcg2Protocol; - EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol; -@@ -144,10 +148,11 @@ Tcg2MeasureGptTable ( - EFI_TCG2_EVENT *Tcg2Event; - EFI_CC_EVENT *CcEvent; - EFI_GPT_DATA *GptData; -- UINT32 EventSize; -+ UINT32 TcgEventSize; - EFI_TCG2_PROTOCOL *Tcg2Protocol; - EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol; - EFI_CC_MR_INDEX MrIndex; -+ UINT32 AllocSize; - - if (mTcg2MeasureGptCount > 0) { - return EFI_SUCCESS; -@@ -195,25 +200,22 @@ Tcg2MeasureGptTable ( - BlockIo->Media->BlockSize, - (UINT8 *)PrimaryHeader - ); -- if (EFI_ERROR (Status)) { -- DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n")); -+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { -+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n")); - FreePool (PrimaryHeader); - return EFI_DEVICE_ERROR; - } - - // -- // PrimaryHeader->SizeOfPartitionEntry should not be zero -+ // Read the partition entry. - // -- if (PrimaryHeader->SizeOfPartitionEntry == 0) { -- DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry should not be zero!\n")); -+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); -+ if (EFI_ERROR (Status)) { - FreePool (PrimaryHeader); - return EFI_BAD_BUFFER_SIZE; - } - -- // -- // Read the partition entry. 
-- // -- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry); -+ EntryPtr = (UINT8 *)AllocatePool (AllocSize); - if (EntryPtr == NULL) { - FreePool (PrimaryHeader); - return EFI_OUT_OF_RESOURCES; -@@ -223,7 +225,7 @@ Tcg2MeasureGptTable ( - DiskIo, - BlockIo->Media->MediaId, - MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize), -- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry, -+ AllocSize, - EntryPtr - ); - if (EFI_ERROR (Status)) { -@@ -248,16 +250,21 @@ Tcg2MeasureGptTable ( - // - // Prepare Data for Measurement (CcProtocol and Tcg2Protocol) - // -- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) -- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry); -- EventPtr = (UINT8 *)AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)); -+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize); -+ if (EFI_ERROR (Status)) { -+ FreePool (PrimaryHeader); -+ FreePool (EntryPtr); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ EventPtr = (UINT8 *)AllocateZeroPool (TcgEventSize); - if (EventPtr == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - Tcg2Event = (EFI_TCG2_EVENT *)EventPtr; -- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event); -+ Tcg2Event->Size = TcgEventSize; - Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER); - Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION; - Tcg2Event->Header.PCRIndex = 5; -@@ -310,7 +317,7 @@ Tcg2MeasureGptTable ( - CcProtocol, - 0, - (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData, -- (UINT64)EventSize, -+ (UINT64)TcgEventSize - OFFSET_OF (EFI_TCG2_EVENT, Event), - CcEvent - ); - if (!EFI_ERROR (Status)) { -@@ -326,7 +333,7 @@ Tcg2MeasureGptTable ( - Tcg2Protocol, - 0, - (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData, -- (UINT64)EventSize, -+ (UINT64)TcgEventSize - 
OFFSET_OF (EFI_TCG2_EVENT, Event), - Tcg2Event - ); - if (!EFI_ERROR (Status)) { -@@ -443,11 +450,13 @@ Tcg2MeasurePeImage ( - Tcg2Event->Header.PCRIndex = 2; - break; - default: -- DEBUG (( -- DEBUG_ERROR, -- "Tcg2MeasurePeImage: Unknown subsystem type %d", -- ImageType -- )); -+ DEBUG ( -+ ( -+ DEBUG_ERROR, -+ "Tcg2MeasurePeImage: Unknown subsystem type %d", -+ ImageType -+ ) -+ ); - goto Finish; - } - -@@ -515,7 +524,7 @@ Finish: - - @param MeasureBootProtocols Pointer to the located measure boot protocol instances. - -- @retval EFI_SUCCESS Sucessfully locate the measure boot protocol instances (at least one instance). -+ @retval EFI_SUCCESS Successfully locate the measure boot protocol instances (at least one instance). - @retval EFI_UNSUPPORTED Measure boot is not supported. - **/ - EFI_STATUS -@@ -646,12 +655,14 @@ DxeTpm2MeasureBootHandler ( - return EFI_SUCCESS; - } - -- DEBUG (( -- DEBUG_INFO, -- "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n", -- MeasureBootProtocols.Tcg2Protocol, -- MeasureBootProtocols.CcProtocol -- )); -+ DEBUG ( -+ ( -+ DEBUG_INFO, -+ "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n", -+ MeasureBootProtocols.Tcg2Protocol, -+ MeasureBootProtocols.CcProtocol -+ ) -+ ); - - // - // Copy File Device Path -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf -index 6dca79a20c..28995f438d 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf -@@ -37,6 +37,8 @@ - - [Sources] - DxeTpm2MeasureBootLib.c -+ DxeTpm2MeasureBootLibSanitization.c -+ DxeTpm2MeasureBootLibSanitization.h - - [Packages] - MdePkg/MdePkg.dec -@@ -46,6 +48,7 @@ - - [LibraryClasses] - BaseMemoryLib -+ SafeIntLib - DebugLib - MemoryAllocationLib - DevicePathLib -@@ -65,4 +68,3 @@ - gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES - gEfiBlockIoProtocolGuid ## 
SOMETIMES_CONSUMES - gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES -- -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -new file mode 100644 -index 0000000000..e2309655d3 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -@@ -0,0 +1,275 @@ -+/** @file -+ The library instance provides security service of TPM2 measure boot and -+ Confidential Computing (CC) measure boot. -+ -+ Caution: This file requires additional review when modified. -+ This library will have external input - PE/COFF image and GPT partition. -+ This external input must be validated carefully to avoid security issue like -+ buffer overflow, integer overflow. -+ -+ This file will pull out the validation logic from the following functions, in an -+ attempt to validate the untrusted input in the form of unit tests -+ -+ These are those functions: -+ -+ DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content -+ read is within the image buffer. -+ -+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse -+ partition data carefully. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "DxeTpm2MeasureBootLibSanitization.h" -+ -+#define GPT_HEADER_REVISION_V1 0x00010000 -+ -+/** -+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse -+ However this function will not attempt to verify the validity of the GPT partition -+ It will check the following: -+ - Signature -+ - Revision -+ - AlternateLBA -+ - FirstUsableLBA -+ - LastUsableLBA -+ - PartitionEntryLBA -+ - NumberOfPartitionEntries -+ - SizeOfPartitionEntry -+ - BlockIo -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[in] BlockIo -+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure. -+ -+ @retval EFI_SUCCESS -+ The EFI_PARTITION_TABLE_HEADER structure is valid. -+ -+ @retval EFI_INVALID_PARAMETER -+ The EFI_PARTITION_TABLE_HEADER structure is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizeEfiPartitionTableHeader ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo -+ ) -+{ -+ // -+ // Verify that the input parameters are safe to use -+ // -+ if (PrimaryHeader == NULL) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) { -+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII) -+ // -+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000) -+ // -+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // 
-+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size -+ // -+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // The partition entries should all be before the first usable block -+ // -+ if (PrimaryHeader->FirstUsableLBA <= PrimaryHeader->PartitionEntryLBA) { -+ DEBUG ((DEBUG_ERROR, "GPT PartitionEntryLBA is not less than FirstUsableLBA!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // Check that the PartitionEntryLBA greater than the Max LBA -+ // This will be used later for multiplication -+ // -+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // Check that the number of partition entries is greater than zero -+ // -+ if (PrimaryHeader->NumberOfPartitionEntries == 0) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // SizeOfPartitionEntry must be 128, 256, 512... 
improper size may lead to accessing uninitialized memory -+ // -+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) { -+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // -+ // This check is to prevent overflow when calculating the allocation size for the partition entries -+ // This check will be used later for multiplication -+ // -+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ return EFI_SUCCESS; -+} -+ -+/** -+ This function will validate that the allocation size from the primary header is sane -+ It will check the following: -+ - AllocationSize does not overflow -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[out] AllocationSize -+ Pointer to the allocation size. -+ -+ @retval EFI_SUCCESS -+ The allocation size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ The allocation size is invalid. 
-+**/ -+EFI_STATUS -+EFIAPI -+SanitizePrimaryHeaderAllocationSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ OUT UINT32 *AllocationSize -+ ) -+{ -+ EFI_STATUS Status; -+ -+ if (PrimaryHeader == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (AllocationSize == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Replacing logic: -+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry; -+ // -+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -+ -+/** -+ This function will validate that the Gpt Event Size calculated from the primary header is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ Important: This function includes the entire length of the allocated space, including -+ (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this -+ size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) -+ from the size of the buffer before hashing. -+ -+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ @param[in] NumberOfPartition - Number of partitions. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. 
-+**/ -+EFI_STATUS -+SanitizePrimaryHeaderGptEventSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN UINTN NumberOfPartition, -+ OUT UINT32 *EventSize -+ ) -+{ -+ EFI_STATUS Status; -+ UINT32 SafeNumberOfPartitions; -+ -+ if (PrimaryHeader == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (EventSize == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32 -+ // -+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Replacing logic: -+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry); -+ // -+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ // -+ // Replacing logic: -+ // *EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event); -+ // -+ Status = SafeUint32Add ( -+ OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions), -+ *EventSize, -+ EventSize -+ ); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -new file mode 100644 -index 0000000000..048b738987 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -@@ -0,0 +1,113 @@ -+/** @file -+ This file includes the function prototypes for the sanitization functions. 
-+ -+ These are those functions: -+ -+ DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content -+ read is within the image buffer. -+ -+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse -+ partition data carefully. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#ifndef DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_ -+#define DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_ -+ -+#include -+#include -+#include -+#include -+#include -+ -+/** -+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse -+ However this function will not attempt to verify the validity of the GPT partition -+ It will check the following: -+ - Signature -+ - Revision -+ - AlternateLBA -+ - FirstUsableLBA -+ - LastUsableLBA -+ - PartitionEntryLBA -+ - NumberOfPartitionEntries -+ - SizeOfPartitionEntry -+ - BlockIo -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[in] BlockIo -+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure. -+ -+ @retval EFI_SUCCESS -+ The EFI_PARTITION_TABLE_HEADER structure is valid. -+ -+ @retval EFI_INVALID_PARAMETER -+ The EFI_PARTITION_TABLE_HEADER structure is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizeEfiPartitionTableHeader ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo -+ ); -+ -+/** -+ This function will validate that the allocation size from the primary header is sane -+ It will check the following: -+ - AllocationSize does not overflow -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[out] AllocationSize -+ Pointer to the allocation size. -+ -+ @retval EFI_SUCCESS -+ The allocation size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ The allocation size is invalid. 
-+**/ -+EFI_STATUS -+EFIAPI -+SanitizePrimaryHeaderAllocationSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ OUT UINT32 *AllocationSize -+ ); -+ -+/** -+ This function will validate that the Gpt Event Size calculated from the primary header is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ Important: This function includes the entire length of the allocated space, including -+ (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this -+ size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) -+ from the size of the buffer before hashing. -+ -+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ @param[in] NumberOfPartition - Number of partitions. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. -+**/ -+EFI_STATUS -+SanitizePrimaryHeaderGptEventSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN UINTN NumberOfPartition, -+ OUT UINT32 *EventSize -+ ); -+ -+#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_ -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -new file mode 100644 -index 0000000000..3eb9763e3c ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -@@ -0,0 +1,303 @@ -+/** @file -+ This file includes the unit test cases for the DxeTpm2MeasureBootLibSanitizationTest.c. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "../DxeTpm2MeasureBootLibSanitization.h" -+ -+#define UNIT_TEST_NAME "DxeTpm2MeasureBootLibSanitizationTest" -+#define UNIT_TEST_VERSION "1.0" -+ -+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000 -+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1 -+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128 -+ -+/** -+ This function tests the SanitizeEfiPartitionTableHeader function. -+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER -+ structure will not cause undefined or unexpected behavior. -+ -+ In general the TPM should still be able to measure the data, but -+ be the header should be sanitized to prevent any unexpected behavior. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. 
-+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizeEfiPartitionTableHeader ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ EFI_BLOCK_IO_PROTOCOL BlockIo; -+ EFI_BLOCK_IO_MEDIA BlockMedia; -+ -+ // Generate EFI_BLOCK_IO_MEDIA test data -+ BlockMedia.MediaId = 1; -+ BlockMedia.RemovableMedia = FALSE; -+ BlockMedia.MediaPresent = TRUE; -+ BlockMedia.LogicalPartition = FALSE; -+ BlockMedia.ReadOnly = FALSE; -+ BlockMedia.WriteCaching = FALSE; -+ BlockMedia.BlockSize = 512; -+ BlockMedia.IoAlign = 1; -+ BlockMedia.LastBlock = 0; -+ -+ // Generate EFI_BLOCK_IO_PROTOCOL test data -+ BlockIo.Revision = 1; -+ BlockIo.Media = &BlockMedia; -+ BlockIo.Reset = NULL; -+ BlockIo.ReadBlocks = NULL; -+ BlockIo.WriteBlocks = NULL; -+ BlockIo.FlushBlocks = NULL; -+ -+ // Geneate EFI_PARTITION_TABLE_HEADER test data -+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID; -+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION; -+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); -+ PrimaryHeader.MyLBA = 1; -+ PrimaryHeader.AlternateLBA = 2; -+ PrimaryHeader.FirstUsableLBA = 3; -+ PrimaryHeader.LastUsableLBA = 4; -+ PrimaryHeader.PartitionEntryLBA = 5; -+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid -+ -+ // Calculate the CRC32 of the PrimaryHeader -+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize); -+ -+ // Test that a normal PrimaryHeader passes validation -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR -+ // Should print "Invalid Partition Table Header 
NumberOfPartitionEntries!"" -+ PrimaryHeader.NumberOfPartitionEntries = 0; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR -+ // Should print "Invalid Partition Table Header Size!" -+ PrimaryHeader.Header.HeaderSize = 0; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); -+ -+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR -+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!" -+ PrimaryHeader.SizeOfPartitionEntry = 1; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+/** -+ This function tests the SanitizePrimaryHeaderAllocationSize function. -+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER -+ structure will not cause an overflow when calculating the allocation size. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. 
-+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePrimaryHeaderAllocationSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 AllocationSize; -+ -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ -+ // Test that a normal PrimaryHeader passes validation -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Test that the allocation size is correct compared to the existing logic -+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry); -+ -+ // Test that an overflow is detected -+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; -+ PrimaryHeader.SizeOfPartitionEntry = 5; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test the inverse -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test the worst case scenario -+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+/** -+ This function tests the SanitizePrimaryHeaderGptEventSize function. -+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure -+ will not cause an overflow when calculating the event size. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. 
-+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. -+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePrimaryHeaderGptEventSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 EventSize; -+ UINT32 ExistingLogicEventSize; -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ UINTN NumberOfPartition; -+ EFI_GPT_DATA *GptData; -+ EFI_TCG2_EVENT *Tcg2Event; -+ -+ Tcg2Event = NULL; -+ GptData = NULL; -+ -+ // Test that a normal PrimaryHeader passes validation -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ // set the number of partitions -+ NumberOfPartition = 13; -+ -+ // that the primary event size is correct -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Calculate the existing logic event size -+ ExistingLogicEventSize = (UINT32)(OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions) -+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry); -+ -+ // Check that the event size is correct -+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize); -+ -+ // Tests that the primary event size may not overflow -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test that the size of partition entries may not overflow -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+// *--------------------------------------------------------------------* -+// * Unit Test Code Main Function -+// *--------------------------------------------------------------------* -+ -+/** -+ This function acts as the entry point for the unit 
tests. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. -+ @retval others The test failed. -+**/ -+EFI_STATUS -+EFIAPI -+UefiTestMain ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ UNIT_TEST_FRAMEWORK_HANDLE Framework; -+ UNIT_TEST_SUITE_HANDLE Tcg2MeasureBootLibValidationTestSuite; -+ -+ Framework = NULL; -+ -+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME)); -+ -+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status)); -+ goto EXIT; -+ } -+ -+ Status = CreateUnitTestSuite (&Tcg2MeasureBootLibValidationTestSuite, Framework, "Tcg2MeasureBootLibValidationTestSuite", "Common.Tcg2MeasureBootLibValidation", NULL, NULL); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for Tcg2MeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME)); -+ Status = EFI_OUT_OF_RESOURCES; -+ goto EXIT; -+ } -+ -+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context -+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL); -+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL); -+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL); -+ -+ Status = RunAllTestSuites (Framework); -+ -+EXIT: -+ if (Framework != NULL) { -+ FreeUnitTestFramework (Framework); 
-+ } -+ -+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME)); -+ return Status; -+} -+ -+/// -+/// Avoid ECC error for function name that starts with lower case letter -+/// -+#define DxeTpm2MeasureBootLibUnitTestMain main -+ -+/** -+ Standard POSIX C entry point for host based unit test execution. -+ -+ @param[in] Argc Number of arguments -+ @param[in] Argv Array of pointers to arguments -+ -+ @retval 0 Success -+ @retval other Error -+**/ -+INT32 -+DxeTpm2MeasureBootLibUnitTestMain ( -+ IN INT32 Argc, -+ IN CHAR8 *Argv[] -+ ) -+{ -+ return (INT32)UefiTestMain (); -+} -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf -new file mode 100644 -index 0000000000..2999aa2a44 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf -@@ -0,0 +1,28 @@ -+## @file -+# This file builds the unit tests for DxeTpm2MeasureBootLib -+# -+# Copyright (C) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+ -+[Defines] -+ INF_VERSION = 0x00010006 -+ BASE_NAME = DxeTpm2MeasuredBootLibTest -+ FILE_GUID = 144d757f-d423-484e-9309-a23695fad5bd -+ MODULE_TYPE = HOST_APPLICATION -+ VERSION_STRING = 1.0 -+ ENTRY_POINT = main -+ -+[Sources] -+ DxeTpm2MeasureBootLibSanitizationTest.c -+ ../DxeTpm2MeasureBootLibSanitization.c -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ -+[LibraryClasses] -+ BaseLib -+ DebugLib -+ UnitTestLib -+ PrintLib -+ SafeIntLib -diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml -index 3f03762bd6..24389531af 100644 ---- a/SecurityPkg/SecurityPkg.ci.yaml -+++ b/SecurityPkg/SecurityPkg.ci.yaml -@@ -16,6 +16,7 @@ - ## ] - "ExceptionList": [ - "8005", "gRT", -+ "8001", "DxeTpm2MeasureBootLibUnitTestMain", - ], - ## Both file path and directory path are accepted. - "IgnoreFiles": [ -diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/SecurityPkgHostTest.dsc -index ad5b4fc350..788c1ab6fe 100644 ---- a/SecurityPkg/Test/SecurityPkgHostTest.dsc -+++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc -@@ -26,6 +26,7 @@ - SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf - SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf - SecurityPkg/Test/Mock/Library/GoogleTest/MockPlatformPKProtectionLib/MockPlatformPKProtectionLib.inf -+ SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf - - # - # Build SecurityPkg HOST_APPLICATION Tests --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch b/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch deleted file mode 100644 index 3fa4b3e..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch +++ /dev/null 
@@ -1,284 +0,0 @@ -From 808551c1cb2ac9dc9a6287cbc85b167aa9eb2d7e Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 7 Feb 2024 15:43:10 -0500 -Subject: [PATCH 1/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - - CVE 2022-36764 - -RH-Author: Jon Maloy -RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 -RH-Jira: RHEL-21157 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Gerd Hoffmann -RH-Commit: [1/5] 50edfd997d089549ac41b9592131ac1212fc3431 - -JIRA: https://issues.redhat.com/browse/RHEL-21157 -CVE: CVE-2022-36764 -Upstream: Merged - -commit c7b27944218130cca3bbb20314ba5b88b5de4aa4 -Author: Douglas Flick [MSFT] -Date: Fri Jan 12 02:16:04 2024 +0800 - - SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 - - This commit contains the patch files and tests for DxeTpm2MeasureBootLib - CVE 2022-36764. - - Cc: Jiewen Yao - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - .../DxeTpm2MeasureBootLib.c | 12 ++-- - .../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++- - .../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++- - .../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++--- - 4 files changed, 131 insertions(+), 15 deletions(-) - -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -index 0475103d6e..714cc8e03e 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c -@@ -378,7 +378,6 @@ Exit: - @retval EFI_OUT_OF_RESOURCES No enough resource to measure image. - @retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format. - @retval other error value -- - **/ - EFI_STATUS - EFIAPI -@@ -405,6 +404,7 @@ Tcg2MeasurePeImage ( - Status = EFI_UNSUPPORTED; - ImageLoad = NULL; - EventPtr = NULL; -+ Tcg2Event = NULL; - - Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol; - CcProtocol = MeasureBootProtocols->CcProtocol; -@@ -420,18 +420,22 @@ Tcg2MeasurePeImage ( - } - - FilePathSize = (UINT32)GetDevicePathSize (FilePath); -+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } - - // - // Determine destination PCR by BootPolicy - // -- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize; -- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)); -+ // from a malicious GPT disk partition -+ EventPtr = AllocateZeroPool (EventSize); - if (EventPtr == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - Tcg2Event = (EFI_TCG2_EVENT *)EventPtr; -- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event); -+ Tcg2Event->Size = EventSize; - Tcg2Event->Header.HeaderSize = sizeof 
(EFI_TCG2_EVENT_HEADER); - Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION; - ImageLoad = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event; -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -index e2309655d3..2a4d52c6d5 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c -@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader ( - } - - /** -- This function will validate that the allocation size from the primary header is sane -+ This function will validate that the allocation size from the primary header is sane - It will check the following: - - AllocationSize does not overflow - -@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize ( - - return EFI_SUCCESS; - } -+ -+/** -+ This function will validate that the PeImage Event Size from the loaded image is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ @param[in] FilePathSize - Size of the file path. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. 
-+**/ -+EFI_STATUS -+SanitizePeImageEventSize ( -+ IN UINT32 FilePathSize, -+ OUT UINT32 *EventSize -+ ) -+{ -+ EFI_STATUS Status; -+ -+ // Replacing logic: -+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize; -+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ // Replacing logic: -+ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event) -+ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -index 048b738987..8f72ba4240 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h -@@ -9,6 +9,9 @@ - Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse - partition data carefully. - -+ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its -+ data structure within this image buffer before use. -+ - Copyright (c) Microsoft Corporation.
- SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize ( - OUT UINT32 *EventSize - ); - --#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_ -+/** -+ This function will validate that the PeImage Event Size from the loaded image is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ @param[in] FilePathSize - Size of the file path. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. -+**/ -+EFI_STATUS -+SanitizePeImageEventSize ( -+ IN UINT32 FilePathSize, -+ OUT UINT32 *EventSize -+ ); -+ -+#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_ -diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -index 3eb9763e3c..820e99aeb9 100644 ---- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c -@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader ( - PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION; - PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); - PrimaryHeader.MyLBA = 1; -- PrimaryHeader.AlternateLBA = 2; -- PrimaryHeader.FirstUsableLBA = 3; -- PrimaryHeader.LastUsableLBA = 4; -- PrimaryHeader.PartitionEntryLBA = 5; -+ PrimaryHeader.PartitionEntryLBA = 2; -+ PrimaryHeader.AlternateLBA = 3; -+ PrimaryHeader.FirstUsableLBA = 4; -+ PrimaryHeader.LastUsableLBA = 5; - PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES; - PrimaryHeader.SizeOfPartitionEntry = 
DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; - PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid -@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize ( - EFI_STATUS Status; - EFI_PARTITION_TABLE_HEADER PrimaryHeader; - UINTN NumberOfPartition; -- EFI_GPT_DATA *GptData; -- EFI_TCG2_EVENT *Tcg2Event; -- -- Tcg2Event = NULL; -- GptData = NULL; - - // Test that a normal PrimaryHeader passes validation - PrimaryHeader.NumberOfPartitionEntries = 5; -@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize ( - return UNIT_TEST_PASSED; - } - -+/** -+ This function tests the SanitizePeImageEventSize function. -+ It's intent is to test that the untrusted input from a file path when generating a -+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating -+ the event size when allocating space -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. -+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePeImageEventSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 EventSize; -+ UINTN ExistingLogicEventSize; -+ UINT32 FilePathSize; -+ EFI_STATUS Status; -+ -+ FilePathSize = 255; -+ -+ // Test that a normal PE image passes validation -+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_SUCCESS); -+ -+ // Test that the event size is correct compared to the existing logic -+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize; -+ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event); -+ -+ if (EventSize != ExistingLogicEventSize) { -+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. 
Expected %u, got %u\n", ExistingLogicEventSize, EventSize); -+ return UNIT_TEST_ERROR_TEST_FAILED; -+ } -+ -+ // Test that the event size may not overflow -+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ - // *--------------------------------------------------------------------* - // * Unit Test Code Main Function - // *--------------------------------------------------------------------* -@@ -267,6 +308,7 @@ UefiTestMain ( - AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL); - AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL); - AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL); -+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL); - - Status = RunAllTestSuites (Framework); - --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch b/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch deleted file mode 100644 index 3eba4fa..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch +++ /dev/null 
@@ -1,280 +0,0 @@ -From bf371de652c1132667666a9534ec2d91f9ea111d Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Tue, 13 Feb 2024 16:30:10 -0500 -Subject: [PATCH 4/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH - 4117/4118 symbol rename - -RH-Author: Jon Maloy -RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 -RH-Jira: RHEL-21157 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Gerd Hoffmann -RH-Commit: [4/5] bf00b368887b50b1ff5578a4491550b5741e3e34 - -JIRA: https://issues.redhat.com/browse/RHEL-21157 -CVE: CVE-2022-36764 -Upstream: Merged - -commit 326db0c9072004dea89427ea3a44393a84966f2b -Author: Doug Flick -Date: Wed Jan 17 14:47:21 2024 -0800 - - SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename - - Updates the sanitation function names to be lib unique names - - Cc: Jiewen Yao - Cc: Rahul Kumar - - 
Signed-off-by: Doug Flick [MSFT] - Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com> - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - .../DxeTpmMeasureBootLib.c | 8 +++--- - .../DxeTpmMeasureBootLibSanitization.c | 10 +++---- - .../DxeTpmMeasureBootLibSanitization.h | 8 +++--- - .../DxeTpmMeasureBootLibSanitizationTest.c | 26 +++++++++---------- - 4 files changed, 26 insertions(+), 26 deletions(-) - -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -index a9fc440a09..ac855b8fbb 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -@@ -174,7 +174,7 @@ TcgMeasureGptTable ( - BlockIo->Media->BlockSize, - (UINT8 *)PrimaryHeader - ); -- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { -+ if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { - DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n")); - FreePool (PrimaryHeader); - return EFI_DEVICE_ERROR; -@@ -183,7 +183,7 @@ TcgMeasureGptTable ( - // - // Read the partition entry. 
- // -- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); -+ Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); - if (EFI_ERROR (Status)) { - FreePool (PrimaryHeader); - return EFI_DEVICE_ERROR; -@@ -224,7 +224,7 @@ TcgMeasureGptTable ( - // - // Prepare Data for Measurement - // -- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize); -+ Status = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize); - TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize); - if (TcgEvent == NULL) { - FreePool (PrimaryHeader); -@@ -351,7 +351,7 @@ TcgMeasurePeImage ( - - // Determine destination PCR by BootPolicy - // -- Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize); - if (EFI_ERROR (Status)) { - return EFI_UNSUPPORTED; - } -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -index c989851cec..070e4a2c1c 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -@@ -1,5 +1,5 @@ - /** @file -- The library instance provides security service of TPM2 measure boot and -+ The library instance provides security service of TPM measure boot and - Confidential Computing (CC) measure boot. - - Caution: This file requires additional review when modified. 
-@@ -63,7 +63,7 @@ - **/ - EFI_STATUS - EFIAPI --SanitizeEfiPartitionTableHeader ( -+TpmSanitizeEfiPartitionTableHeader ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo - ) -@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader ( - **/ - EFI_STATUS - EFIAPI --SanitizePrimaryHeaderAllocationSize ( -+TpmSanitizePrimaryHeaderAllocationSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - OUT UINT32 *AllocationSize - ) -@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize ( - One of the passed parameters was invalid. - **/ - EFI_STATUS --SanitizePrimaryHeaderGptEventSize ( -+TpmSanitizePrimaryHeaderGptEventSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN UINTN NumberOfPartition, - OUT UINT32 *EventSize -@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize ( - One of the passed parameters was invalid. - **/ - EFI_STATUS --SanitizePeImageEventSize ( -+TpmSanitizePeImageEventSize ( - IN UINT32 FilePathSize, - OUT UINT32 *EventSize - ) -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -index 2248495813..db6e9c3752 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -@@ -53,7 +53,7 @@ - **/ - EFI_STATUS - EFIAPI --SanitizeEfiPartitionTableHeader ( -+TpmSanitizeEfiPartitionTableHeader ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo - ); -@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader ( - **/ - EFI_STATUS - EFIAPI --SanitizePrimaryHeaderAllocationSize ( -+TpmSanitizePrimaryHeaderAllocationSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - OUT UINT32 *AllocationSize - ); -@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize ( - One of the passed parameters was invalid. 
- **/ - EFI_STATUS --SanitizePrimaryHeaderGptEventSize ( -+TpmSanitizePrimaryHeaderGptEventSize ( - IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, - IN UINTN NumberOfPartition, - OUT UINT32 *EventSize -@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize ( - One of the passed parameters was invalid. - **/ - EFI_STATUS --SanitizePeImageEventSize ( -+TpmSanitizePeImageEventSize ( - IN UINT32 FilePathSize, - OUT UINT32 *EventSize - ); -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -index c41498be45..de1740af41 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader ( - PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize); - - // Test that a normal PrimaryHeader passes validation -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR - // Should print "Invalid Partition Table Header NumberOfPartitionEntries!"" - PrimaryHeader.NumberOfPartitionEntries = 0; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; - - // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR - // Should print "Invalid Partition Table Header Size!" 
- PrimaryHeader.Header.HeaderSize = 0; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); - - // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR - // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!" - PrimaryHeader.SizeOfPartitionEntry = 1; -- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); - UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize ( - PrimaryHeader.NumberOfPartitionEntries = 5; - PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; - -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Test that the allocation size is correct compared to the existing logic -@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize ( - // Test that an overflow is detected - PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; - PrimaryHeader.SizeOfPartitionEntry = 5; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test the inverse - PrimaryHeader.NumberOfPartitionEntries = 5; - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = 
TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test the worst case scenario - PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize ( - NumberOfPartition = 13; - - // that the primary event size is correct -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); - UT_ASSERT_NOT_EFI_ERROR (Status); - - // Calculate the existing logic event size -@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize ( - UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize); - - // Tests that the primary event size may not overflow -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); -+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - // Test that the size of partition entries may not overflow - PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); - UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); - - DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize ( - FilePathSize = 255; - - // Test that a normal PE image passes validation -- Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ Status = TpmSanitizePeImageEventSize 
(FilePathSize, &EventSize); - if (EFI_ERROR (Status)) { - UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status); - goto Exit; -@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize ( - } - - // Test that the event size may not overflow -- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize); -+ Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize); - if (Status != EFI_BAD_BUFFER_SIZE) { - UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status); - goto Exit; --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch b/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch deleted file mode 100644 index 5f4a6dd..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch +++ /dev/null @@ -1,914 +0,0 @@ -From 8876f4f55b37e84f918282aba190fdd36eeb5f2a Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 17 Jan 2024 12:20:52 -0500 -Subject: [PATCH 2/3] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - - CVE 2022-36763 - -RH-Author: Jon Maloy -RH-MergeRequest: 51: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 -RH-Jira: RHEL-21155 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [2/3] 50a9b8392352266a5f0b7af2d6c82f829da8983b - -JIRA: https://issues.redhat.com/browse/RHEL-21155 -Upstream: Merged -CVE: CVE-2022-36763 - -commit 4776a1b39ee08fc45c70c1eab5a0195f325000d3 -Author: Douglas Flick [MSFT] -Date: Fri Jan 12 02:16:02 2024 +0800 - - SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 - - This commit contains the patch files and tests for DxeTpmMeasureBootLib - CVE 2022-36763. - - Cc: Jiewen Yao - - 
Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - .../DxeTpmMeasureBootLib.c | 40 ++- - .../DxeTpmMeasureBootLib.inf | 4 +- - .../DxeTpmMeasureBootLibSanitization.c | 241 ++++++++++++++ - .../DxeTpmMeasureBootLibSanitization.h | 114 +++++++ - .../DxeTpmMeasureBootLibSanitizationTest.c | 301 ++++++++++++++++++ - ...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++ - SecurityPkg/SecurityPkg.ci.yaml | 1 + - SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 + - 8 files changed, 716 insertions(+), 14 deletions(-) - create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c - create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h - create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c - create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf - -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -index 220393dd2b..669ab19134 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -@@ -18,6 +18,8 @@ - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent - -+Copyright (c) Microsoft Corporation.
-+SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - - #include -@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - -+#include "DxeTpmMeasureBootLibSanitization.h" -+ - // - // Flag to check GPT partition. It only need be measured once. - // -@@ -136,6 +140,9 @@ TcgMeasureGptTable ( - UINT32 EventSize; - UINT32 EventNumber; - EFI_PHYSICAL_ADDRESS EventLogLastEntry; -+ UINT32 AllocSize; -+ -+ GptData = NULL; - - if (mMeasureGptCount > 0) { - return EFI_SUCCESS; -@@ -166,8 +173,8 @@ TcgMeasureGptTable ( - BlockIo->Media->BlockSize, - (UINT8 *)PrimaryHeader - ); -- if (EFI_ERROR (Status)) { -- DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n")); -+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) { -+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n")); - FreePool (PrimaryHeader); - return EFI_DEVICE_ERROR; - } -@@ -175,7 +182,13 @@ TcgMeasureGptTable ( - // - // Read the partition entry. 
- // -- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry); -+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize); -+ if (EFI_ERROR (Status)) { -+ FreePool (PrimaryHeader); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ EntryPtr = (UINT8 *)AllocatePool (AllocSize); - if (EntryPtr == NULL) { - FreePool (PrimaryHeader); - return EFI_OUT_OF_RESOURCES; -@@ -185,7 +198,7 @@ TcgMeasureGptTable ( - DiskIo, - BlockIo->Media->MediaId, - MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize), -- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry, -+ AllocSize, - EntryPtr - ); - if (EFI_ERROR (Status)) { -@@ -210,9 +223,8 @@ TcgMeasureGptTable ( - // - // Prepare Data for Measurement - // -- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) -- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry); -- TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR)); -+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize); -+ TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize); - if (TcgEvent == NULL) { - FreePool (PrimaryHeader); - FreePool (EntryPtr); -@@ -221,7 +233,7 @@ TcgMeasureGptTable ( - - TcgEvent->PCRIndex = 5; - TcgEvent->EventType = EV_EFI_GPT_EVENT; -- TcgEvent->EventSize = EventSize; -+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR); - GptData = (EFI_GPT_DATA *)TcgEvent->Event; - - // -@@ -361,11 +373,13 @@ TcgMeasurePeImage ( - TcgEvent->PCRIndex = 2; - break; - default: -- DEBUG (( -- DEBUG_ERROR, -- "TcgMeasurePeImage: Unknown subsystem type %d", -- ImageType -- )); -+ DEBUG ( -+ ( -+ DEBUG_ERROR, -+ "TcgMeasurePeImage: Unknown subsystem type %d", -+ ImageType -+ ) -+ ); - goto Finish; - } - -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf 
-index ebab6f7c1e..414c654d15 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf -@@ -32,6 +32,8 @@ - - [Sources] - DxeTpmMeasureBootLib.c -+ DxeTpmMeasureBootLibSanitization.c -+ DxeTpmMeasureBootLibSanitization.h - - [Packages] - MdePkg/MdePkg.dec -@@ -41,6 +43,7 @@ - - [LibraryClasses] - BaseMemoryLib -+ SafeIntLib - DebugLib - MemoryAllocationLib - DevicePathLib -@@ -59,4 +62,3 @@ - gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES - gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES - gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES -- -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -new file mode 100644 -index 0000000000..a3fa46f5e6 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -@@ -0,0 +1,241 @@ -+/** @file -+ The library instance provides security service of TPM2 measure boot and -+ Confidential Computing (CC) measure boot. -+ -+ Caution: This file requires additional review when modified. -+ This library will have external input - PE/COFF image and GPT partition. -+ This external input must be validated carefully to avoid security issue like -+ buffer overflow, integer overflow. -+ -+ This file will pull out the validation logic from the following functions, in an -+ attempt to validate the untrusted input in the form of unit tests -+ -+ These are those functions: -+ -+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content -+ read is within the image buffer. -+ -+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse -+ partition data carefully. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "DxeTpmMeasureBootLibSanitization.h" -+ -+#define GPT_HEADER_REVISION_V1 0x00010000 -+ -+/** -+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse -+ However this function will not attempt to verify the validity of the GPT partition -+ It will check the following: -+ - Signature -+ - Revision -+ - AlternateLBA -+ - FirstUsableLBA -+ - LastUsableLBA -+ - PartitionEntryLBA -+ - NumberOfPartitionEntries -+ - SizeOfPartitionEntry -+ - BlockIo -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[in] BlockIo -+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure. -+ -+ @retval EFI_SUCCESS -+ The EFI_PARTITION_TABLE_HEADER structure is valid. -+ -+ @retval EFI_INVALID_PARAMETER -+ The EFI_PARTITION_TABLE_HEADER structure is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizeEfiPartitionTableHeader ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo -+ ) -+{ -+ // Verify that the input parameters are safe to use -+ if (PrimaryHeader == NULL) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) { -+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII) -+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000) -+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // The HeaderSize must be greater than 
or equal to 92 and must be less than or equal to the logical block size -+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // check that the PartitionEntryLBA greater than the Max LBA -+ // This will be used later for multiplication -+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // Check that the number of partition entries is greater than zero -+ if (PrimaryHeader->NumberOfPartitionEntries == 0) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory -+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) { -+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ // This check is to prevent overflow when calculating the allocation size for the partition entries -+ // This check will be used later for multiplication -+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) { -+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n")); -+ return EFI_DEVICE_ERROR; -+ } -+ -+ return EFI_SUCCESS; -+} -+ -+/** -+ This function will validate that the allocation size from the primary header is sane -+ It will check the following: -+ - AllocationSize does not overflow -+ -+ @param[in] PrimaryHeader -+ Pointer to 
the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[out] AllocationSize -+ Pointer to the allocation size. -+ -+ @retval EFI_SUCCESS -+ The allocation size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ The allocation size is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizePrimaryHeaderAllocationSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ OUT UINT32 *AllocationSize -+ ) -+{ -+ EFI_STATUS Status; -+ -+ if (PrimaryHeader == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (AllocationSize == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // Replacing logic: -+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry; -+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -+ -+/** -+ This function will validate that the Gpt Event Size calculated from the primary header is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ Important: This function includes the entire length of the allocated space, including the -+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract -+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing. -+ -+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ @param[in] NumberOfPartition - Number of partitions. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. 
-+**/ -+EFI_STATUS -+SanitizePrimaryHeaderGptEventSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN UINTN NumberOfPartition, -+ OUT UINT32 *EventSize -+ ) -+{ -+ EFI_STATUS Status; -+ UINT32 SafeNumberOfPartitions; -+ -+ if (PrimaryHeader == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (EventSize == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32 -+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n")); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // Replacing logic: -+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR)); -+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ Status = SafeUint32Add ( -+ sizeof (TCG_PCR_EVENT_HDR) + -+ OFFSET_OF (EFI_GPT_DATA, Partitions), -+ *EventSize, -+ EventSize -+ ); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -new file mode 100644 -index 0000000000..0d9d00c281 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -@@ -0,0 +1,114 @@ -+/** @file -+ This file includes the function prototypes for the sanitization functions. 
-+ -+ These are those functions: -+ -+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content -+ read is within the image buffer. -+ -+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its -+ data structure within this image buffer before use. -+ -+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse -+ partition data carefully. -+ -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_ -+#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_ -+ -+#include -+#include -+#include -+#include -+ -+/** -+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse -+ However this function will not attempt to verify the validity of the GPT partition -+ It will check the following: -+ - Signature -+ - Revision -+ - AlternateLBA -+ - FirstUsableLBA -+ - LastUsableLBA -+ - PartitionEntryLBA -+ - NumberOfPartitionEntries -+ - SizeOfPartitionEntry -+ - BlockIo -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[in] BlockIo -+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure. -+ -+ @retval EFI_SUCCESS -+ The EFI_PARTITION_TABLE_HEADER structure is valid. -+ -+ @retval EFI_INVALID_PARAMETER -+ The EFI_PARTITION_TABLE_HEADER structure is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizeEfiPartitionTableHeader ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo -+ ); -+ -+/** -+ This function will validate that the allocation size from the primary header is sane -+ It will check the following: -+ - AllocationSize does not overflow -+ -+ @param[in] PrimaryHeader -+ Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ -+ @param[out] AllocationSize -+ Pointer to the allocation size. -+ -+ @retval EFI_SUCCESS -+ The allocation size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ The allocation size is invalid. -+**/ -+EFI_STATUS -+EFIAPI -+SanitizePrimaryHeaderAllocationSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ OUT UINT32 *AllocationSize -+ ); -+ -+/** -+ This function will validate that the Gpt Event Size calculated from the primary header is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ Important: This function includes the entire length of the allocated space, including the -+ TCG_PCR_EVENT_HDR. 
When hashing the buffer allocated with this size, the caller must subtract -+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing. -+ -+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure. -+ @param[in] NumberOfPartition - Number of partitions. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. -+**/ -+EFI_STATUS -+SanitizePrimaryHeaderGptEventSize ( -+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader, -+ IN UINTN NumberOfPartition, -+ OUT UINT32 *EventSize -+ ); -+ -+#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_ -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -new file mode 100644 -index 0000000000..eeb928cdb0 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -@@ -0,0 +1,301 @@ -+/** @file -+This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c. -+ -+Copyright (c) Microsoft Corporation.
-+SPDX-License-Identifier: BSD-2-Clause-Patent -+**/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "../DxeTpmMeasureBootLibSanitization.h" -+ -+#define UNIT_TEST_NAME "DxeTpmMeasureBootLibSanitizationTest" -+#define UNIT_TEST_VERSION "1.0" -+ -+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000 -+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1 -+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128 -+ -+/** -+ This function tests the SanitizeEfiPartitionTableHeader function. -+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER -+ structure will not cause undefined or unexpected behavior. -+ -+ In general the TPM should still be able to measure the data, but -+ be the header should be sanitized to prevent any unexpected behavior. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. 
-+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizeEfiPartitionTableHeader ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ EFI_BLOCK_IO_PROTOCOL BlockIo; -+ EFI_BLOCK_IO_MEDIA BlockMedia; -+ -+ // Generate EFI_BLOCK_IO_MEDIA test data -+ BlockMedia.MediaId = 1; -+ BlockMedia.RemovableMedia = FALSE; -+ BlockMedia.MediaPresent = TRUE; -+ BlockMedia.LogicalPartition = FALSE; -+ BlockMedia.ReadOnly = FALSE; -+ BlockMedia.WriteCaching = FALSE; -+ BlockMedia.BlockSize = 512; -+ BlockMedia.IoAlign = 1; -+ BlockMedia.LastBlock = 0; -+ -+ // Generate EFI_BLOCK_IO_PROTOCOL test data -+ BlockIo.Revision = 1; -+ BlockIo.Media = &BlockMedia; -+ BlockIo.Reset = NULL; -+ BlockIo.ReadBlocks = NULL; -+ BlockIo.WriteBlocks = NULL; -+ BlockIo.FlushBlocks = NULL; -+ -+ // Geneate EFI_PARTITION_TABLE_HEADER test data -+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID; -+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION; -+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); -+ PrimaryHeader.MyLBA = 1; -+ PrimaryHeader.AlternateLBA = 2; -+ PrimaryHeader.FirstUsableLBA = 3; -+ PrimaryHeader.LastUsableLBA = 4; -+ PrimaryHeader.PartitionEntryLBA = 5; -+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid -+ -+ // Calculate the CRC32 of the PrimaryHeader -+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize); -+ -+ // Test that a normal PrimaryHeader passes validation -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR -+ // Should print "Invalid Partition Table Header 
NumberOfPartitionEntries!"" -+ PrimaryHeader.NumberOfPartitionEntries = 0; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR -+ // Should print "Invalid Partition Table Header Size!" -+ PrimaryHeader.Header.HeaderSize = 0; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER); -+ -+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR -+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!" -+ PrimaryHeader.SizeOfPartitionEntry = 1; -+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo); -+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+/** -+ This function tests the SanitizePrimaryHeaderAllocationSize function. -+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER -+ structure will not cause an overflow when calculating the allocation size. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. 
-+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePrimaryHeaderAllocationSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 AllocationSize; -+ -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ -+ // Test that a normal PrimaryHeader passes validation -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Test that the allocation size is correct compared to the existing logic -+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry); -+ -+ // Test that an overflow is detected -+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; -+ PrimaryHeader.SizeOfPartitionEntry = 5; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test the inverse -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test the worst case scenario -+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32; -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+/** -+ This function tests the SanitizePrimaryHeaderGptEventSize function. -+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure -+ will not cause an overflow when calculating the event size. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. 
-+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. -+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePrimaryHeaderGptEventSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 EventSize; -+ UINT32 ExistingLogicEventSize; -+ EFI_STATUS Status; -+ EFI_PARTITION_TABLE_HEADER PrimaryHeader; -+ UINTN NumberOfPartition; -+ EFI_GPT_DATA *GptData; -+ -+ GptData = NULL; -+ -+ // Test that a normal PrimaryHeader passes validation -+ PrimaryHeader.NumberOfPartitionEntries = 5; -+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY; -+ -+ // set the number of partitions -+ NumberOfPartition = 13; -+ -+ // that the primary event size is correct -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ UT_ASSERT_NOT_EFI_ERROR (Status); -+ -+ // Calculate the existing logic event size -+ ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions) -+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry); -+ -+ // Check that the event size is correct -+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize); -+ -+ // Tests that the primary event size may not overflow -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ // Test that the size of partition entries may not overflow -+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32; -+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize); -+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE); -+ -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ -+ return UNIT_TEST_PASSED; -+} -+ -+// *--------------------------------------------------------------------* -+// * Unit Test Code Main Function -+// *--------------------------------------------------------------------* -+ -+/** -+ This function acts as the entry point for the unit tests. 
-+ -+ @param argc - The number of command line arguments -+ @param argv - The command line arguments -+ -+ @return int - The status of the test -+**/ -+EFI_STATUS -+EFIAPI -+UefiTestMain ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ UNIT_TEST_FRAMEWORK_HANDLE Framework; -+ UNIT_TEST_SUITE_HANDLE TcgMeasureBootLibValidationTestSuite; -+ -+ Framework = NULL; -+ -+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME)); -+ -+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status)); -+ goto EXIT; -+ } -+ -+ Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME)); -+ Status = EFI_OUT_OF_RESOURCES; -+ goto EXIT; -+ } -+ -+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context -+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL); -+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL); -+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL); -+ -+ Status = RunAllTestSuites (Framework); -+ -+EXIT: -+ if (Framework != NULL) { -+ FreeUnitTestFramework (Framework); -+ } -+ -+ 
DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME)); -+ return Status; -+} -+ -+/// -+/// Avoid ECC error for function name that starts with lower case letter -+/// -+#define DxeTpmMeasureBootLibUnitTestMain main -+ -+/** -+ Standard POSIX C entry point for host based unit test execution. -+ -+ @param[in] Argc Number of arguments -+ @param[in] Argv Array of pointers to arguments -+ -+ @retval 0 Success -+ @retval other Error -+**/ -+INT32 -+DxeTpmMeasureBootLibUnitTestMain ( -+ IN INT32 Argc, -+ IN CHAR8 *Argv[] -+ ) -+{ -+ return (INT32)UefiTestMain (); -+} -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf -new file mode 100644 -index 0000000000..47b0811b00 ---- /dev/null -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf -@@ -0,0 +1,28 @@ -+## @file -+# This file builds the unit tests for DxeTpmMeasureBootLib -+# -+# Copyright (C) Microsoft Corporation.
-+# SPDX-License-Identifier: BSD-2-Clause-Patent -+## -+ -+[Defines] -+ INF_VERSION = 0x00010006 -+ BASE_NAME = DxeTpmMeasuredBootLibTest -+ FILE_GUID = eb01bc38-309c-4d3e-967e-9f078c90772f -+ MODULE_TYPE = HOST_APPLICATION -+ VERSION_STRING = 1.0 -+ ENTRY_POINT = main -+ -+[Sources] -+ DxeTpmMeasureBootLibSanitizationTest.c -+ ../DxeTpmMeasureBootLibSanitization.c -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ -+[LibraryClasses] -+ BaseLib -+ DebugLib -+ UnitTestLib -+ PrintLib -+ SafeIntLib -diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml -index 24389531af..53e5b1fd8e 100644 ---- a/SecurityPkg/SecurityPkg.ci.yaml -+++ b/SecurityPkg/SecurityPkg.ci.yaml -@@ -17,6 +17,7 @@ - "ExceptionList": [ - "8005", "gRT", - "8001", "DxeTpm2MeasureBootLibUnitTestMain", -+ "8001", "DxeTpmMeasureBootLibUnitTestMain" - ], - ## Both file path and directory path are accepted. - "IgnoreFiles": [ -diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/SecurityPkgHostTest.dsc -index 788c1ab6fe..1655e573ea 100644 ---- a/SecurityPkg/Test/SecurityPkgHostTest.dsc -+++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc -@@ -27,6 +27,7 @@ - SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf - SecurityPkg/Test/Mock/Library/GoogleTest/MockPlatformPKProtectionLib/MockPlatformPKProtectionLib.inf - SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf -+ SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf - - # - # Build SecurityPkg HOST_APPLICATION Tests --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch b/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch deleted file mode 100644 index 73e23fd..0000000 --- a/SOURCES/edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -From c5580cd68acf14c9e8660f6ee2842654479089ae Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Wed, 7 Feb 2024 15:43:10 -0500 -Subject: [PATCH 2/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - - CVE 2022-36764 - -RH-Author: Jon Maloy -RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 -RH-Jira: RHEL-21157 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Gerd Hoffmann -RH-Commit: [2/5] 3945cfd0838c822a3b2cc4b4e315c39a779a7344 - -JIRA: https://issues.redhat.com/browse/RHEL-21157 -CVE: CVE-2022-36764 -Upstream: Merged - -commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e -Author: Douglas Flick [MSFT] -Date: Fri Jan 12 02:16:05 2024 +0800 - - SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 - - This commit contains the patch files and tests for DxeTpmMeasureBootLib - CVE 2022-36764. - - Cc: Jiewen Yao - - Signed-off-by: Doug Flick [MSFT] - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - .../DxeTpmMeasureBootLib.c | 13 ++- - .../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++ - .../DxeTpmMeasureBootLibSanitization.h | 23 +++++ - .../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++-- - 4 files changed, 168 insertions(+), 10 deletions(-) - -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -index 669ab19134..a9fc440a09 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c -@@ -17,6 +17,7 @@ - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent -+Copyright (c) Microsoft Corporation.
- - Copyright (c) Microsoft Corporation.
- SPDX-License-Identifier: BSD-2-Clause-Patent -@@ -345,18 +346,22 @@ TcgMeasurePeImage ( - ImageLoad = NULL; - SectionHeader = NULL; - Sha1Ctx = NULL; -+ TcgEvent = NULL; - FilePathSize = (UINT32)GetDevicePathSize (FilePath); - -- // - // Determine destination PCR by BootPolicy - // -- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize; -- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT)); -+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ TcgEvent = AllocateZeroPool (EventSize); - if (TcgEvent == NULL) { - return EFI_OUT_OF_RESOURCES; - } - -- TcgEvent->EventSize = EventSize; -+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR); - ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event; - - switch (ImageType) { -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -index a3fa46f5e6..c989851cec 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c -@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize ( - - return EFI_SUCCESS; - } -+ -+/** -+ This function will validate that the PeImage Event Size from the loaded image is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ @param[in] FilePathSize - Size of the file path. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. 
-+**/ -+EFI_STATUS -+SanitizePeImageEventSize ( -+ IN UINT32 FilePathSize, -+ OUT UINT32 *EventSize -+ ) -+{ -+ EFI_STATUS Status; -+ -+ // Replacing logic: -+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize; -+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ // Replacing logic: -+ // EventSize + sizeof (TCG_PCR_EVENT_HDR) -+ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n")); -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ return EFI_SUCCESS; -+} -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -index 0d9d00c281..2248495813 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h -@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize ( - OUT UINT32 *EventSize - ); - -+/** -+ This function will validate that the PeImage Event Size from the loaded image is sane -+ It will check the following: -+ - EventSize does not overflow -+ -+ @param[in] FilePathSize - Size of the file path. -+ @param[out] EventSize - Pointer to the event size. -+ -+ @retval EFI_SUCCESS -+ The event size is valid. -+ -+ @retval EFI_OUT_OF_RESOURCES -+ Overflow would have occurred. -+ -+ @retval EFI_INVALID_PARAMETER -+ One of the passed parameters was invalid. 
-+**/ -+EFI_STATUS -+SanitizePeImageEventSize ( -+ IN UINT32 FilePathSize, -+ OUT UINT32 *EventSize -+ ); -+ - #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_ -diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -index eeb928cdb0..c41498be45 100644 ---- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c -@@ -1,8 +1,8 @@ - /** @file --This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c. -+ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c. - --Copyright (c) Microsoft Corporation.
--SPDX-License-Identifier: BSD-2-Clause-Patent -+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - - #include -@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize ( - EFI_STATUS Status; - EFI_PARTITION_TABLE_HEADER PrimaryHeader; - UINTN NumberOfPartition; -- EFI_GPT_DATA *GptData; -- -- GptData = NULL; - - // Test that a normal PrimaryHeader passes validation - PrimaryHeader.NumberOfPartitionEntries = 5; -@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize ( - return UNIT_TEST_PASSED; - } - -+/** -+ This function tests the SanitizePeImageEventSize function. -+ It's intent is to test that the untrusted input from a file path for an -+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating -+ the event size when allocating space. -+ -+ @param[in] Context The unit test context. -+ -+ @retval UNIT_TEST_PASSED The test passed. -+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed. -+**/ -+UNIT_TEST_STATUS -+EFIAPI -+TestSanitizePeImageEventSize ( -+ IN UNIT_TEST_CONTEXT Context -+ ) -+{ -+ UINT32 EventSize; -+ UINTN ExistingLogicEventSize; -+ UINT32 FilePathSize; -+ EFI_STATUS Status; -+ EFI_DEVICE_PATH_PROTOCOL DevicePath; -+ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent; -+ UNIT_TEST_STATUS TestStatus; -+ -+ TestStatus = UNIT_TEST_ERROR_TEST_FAILED; -+ -+ // Generate EFI_DEVICE_PATH_PROTOCOL test data -+ DevicePath.Type = 0; -+ DevicePath.SubType = 0; -+ DevicePath.Length[0] = 0; -+ DevicePath.Length[1] = 0; -+ -+ // Generate EFI_IMAGE_LOAD_EVENT test data -+ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL)); -+ if (ImageLoadEvent == NULL) { -+ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__)); -+ goto Exit; -+ } -+ -+ // Populate EFI_IMAGE_LOAD_EVENT54 test data -+ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678; -+ ImageLoadEvent->ImageLengthInMemory = 0x1000; -+ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent; -+ ImageLoadEvent->LengthOfDevicePath = sizeof 
(EFI_DEVICE_PATH_PROTOCOL); -+ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL)); -+ -+ FilePathSize = 255; -+ -+ // Test that a normal PE image passes validation -+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize); -+ if (EFI_ERROR (Status)) { -+ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status); -+ goto Exit; -+ } -+ -+ // Test that the event size is correct compared to the existing logic -+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize; -+ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR); -+ -+ if (EventSize != ExistingLogicEventSize) { -+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize); -+ goto Exit; -+ } -+ -+ // Test that the event size may not overflow -+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize); -+ if (Status != EFI_BAD_BUFFER_SIZE) { -+ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status); -+ goto Exit; -+ } -+ -+ TestStatus = UNIT_TEST_PASSED; -+Exit: -+ -+ if (ImageLoadEvent != NULL) { -+ FreePool (ImageLoadEvent); -+ } -+ -+ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) { -+ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__)); -+ } else { -+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__)); -+ } -+ -+ return TestStatus; -+} -+ - // *--------------------------------------------------------------------* - // * Unit Test Code Main Function - // *--------------------------------------------------------------------* -@@ -265,6 +350,7 @@ UefiTestMain ( - AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL); - AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", 
TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL); - AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL); -+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL); - - Status = RunAllTestSuites (Framework); - --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch b/SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch deleted file mode 100644 index cc703ac..0000000 --- a/SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 7719d41979ef6e376d183c70cd47951ff5bf6ef1 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Thu, 20 Jun 2024 10:33:43 -0400 -Subject: [PATCH 5/8] SecurityPkg/RngDxe: add rng test - -RH-Author: Jon Maloy -RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 -RH-Jira: RHEL-40270 RHEL-40272 -RH-Acked-by: Gerd Hoffmann -RH-Commit: [5/8] 84a58daaed0ee81ebed501392be33338da575df6 - -JIRA: https://issues.redhat.com/browse/RHEL-40270 -Upstream: Merged -CVE: CVE-2023-45237 - -commit a61bc0accb8a76edba4f073fdc7bafc908df045d -Author: Gerd Hoffmann -Date: Fri May 31 09:49:13 2024 +0200 - - SecurityPkg/RngDxe: add rng test - - Check whenever RngLib actually returns random numbers, only return - a non-zero number of Algorithms if that is the case. - - This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL - only in case it can actually deliver random numbers. - - 
Signed-off-by: Gerd Hoffmann - -Signed-off-by: Jon Maloy - -Check whenever RngLib actually returns random numbers, only return -a non-zero number of Algorithms if that is the case. - -This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL -only in case it can actually deliver random numbers. - -Signed-off-by: Gerd Hoffmann ---- - SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c -index 7e06e16e4b..285b5f46e7 100644 ---- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c -+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c -@@ -23,6 +23,7 @@ - - #include - #include -+#include - - #include "RngDxeInternals.h" - -@@ -43,7 +44,12 @@ GetAvailableAlgorithms ( - VOID - ) - { -- mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT; -+ UINT64 RngTest; -+ -+ if (GetRandomNumber64 (&RngTest)) { -+ mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT; -+ } -+ - return EFI_SUCCESS; - } - --- -2.39.3 - diff --git a/SOURCES/edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch b/SOURCES/edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch deleted file mode 100644 index a2bc41c..0000000 --- a/SOURCES/edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 95697612d2f1953c691b0914a1669e0fcf179767 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Tue, 13 Feb 2024 16:30:10 -0500 -Subject: [PATCH 5/9] SecurityPkg: : Updating SecurityFixes.yaml after symbol - rename - -RH-Author: Jon Maloy -RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 -RH-Jira: RHEL-21157 -RH-Acked-by: Laszlo Ersek -RH-Acked-by: Gerd Hoffmann -RH-Commit: [5/5] 8e0c9c8c6b6ad05454f138397036954fe36c778c - -JIRA: https://issues.redhat.com/browse/RHEL-21157 -CVE: CVE-2022-36764 -Upstream: Merged - -commit 264636d8e6983e0f6dc6be2fca9d84ec81315954 -Author: Doug Flick -Date: Wed Jan 17 14:47:22 2024 -0800 - - SecurityPkg: : Updating SecurityFixes.yaml after symbol rename - - Adding the new commit titles for the symbol renames - - Cc: Jiewen Yao - Cc: Rahul Kumar - - 
Signed-off-by: Doug Flick [MSFT] - Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com> - Reviewed-by: Jiewen Yao - -Signed-off-by: Jon Maloy ---- - SecurityPkg/SecurityFixes.yaml | 31 ++++++++++++++++++++++++++----- - 1 file changed, 26 insertions(+), 5 deletions(-) - -diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml -index f9e3e7be74..dc1bb83489 100644 ---- a/SecurityPkg/SecurityFixes.yaml -+++ b/SecurityPkg/SecurityFixes.yaml -@@ -9,14 +9,35 @@ CVE_2022_36763: - - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763" - - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763" - - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml" -+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename" -+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename" -+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename" - cve: CVE-2022-36763 - date_reported: 2022-10-25 11:31 UTC - description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable() - note: This patch is related to and supersedes TCBZ2168 - files_impacted: -- - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c -- - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c -+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c -+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c - links: -- - https://bugzilla.tianocore.org/show_bug.cgi?id=4117 -- - https://bugzilla.tianocore.org/show_bug.cgi?id=2168 -- - https://bugzilla.tianocore.org/show_bug.cgi?id=1990 -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117 -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168 -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990 -+CVE_2022_36764: -+ commit_titles: -+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764" -+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764" -+ - "SecurityPkg: : 
Adding CVE 2022-36764 to SecurityFixes.yaml" -+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename" -+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename" -+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename" -+ cve: CVE-2022-36764 -+ date_reported: 2022-10-25 12:23 UTC -+ description: Heap Buffer Overflow in Tcg2MeasurePeImage() -+ note: -+ files_impacted: -+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c -+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118 -+ --- -2.39.3 - diff --git a/SOURCES/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch b/SOURCES/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch deleted file mode 100644 index d1e773f..0000000 --- a/SOURCES/edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From 0ef57f5f435ee1909d14da24cd1c3edc91fef405 Mon Sep 17 00:00:00 2001 -From: Jon Maloy -Date: Sat, 6 Apr 2024 11:00:29 -0400 -Subject: [PATCH 2/2] StandaloneMmPkg/Hob: Integer Overflow in CreateHob() - -RH-Author: Jon Maloy -RH-MergeRequest: 69: EmbeddedPkg/Hob: Integer Overflow in CreateHob() -RH-Jira: RHEL-30156 -RH-Acked-by: Oliver Steffen -RH-Acked-by: Gerd Hoffmann -RH-Commit: [2/2] 3c3454688975f62041dd8d3393f0bba5ec3b71f1 - -JIRA: https://issues.redhat.com/browse/RHEL-30156 -CVE: CVE-2022-36765 -Upstream: Merged - -commit 9a75b030cf27d2530444e9a2f9f11867f79bf679 -Author: Gua Guo -Date: Thu Jan 11 13:03:26 2024 +0800 - - StandaloneMmPkg/Hob: Integer Overflow in CreateHob() - - REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 - - Fix integer overflow in various CreateHob instances. - Fixes: CVE-2022-36765 - - The CreateHob() function aligns the requested size to 8 - performing the following operation: - ``` - HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); - ``` - - No checks are performed to ensure this value doesn't - overflow, and could lead to CreateHob() returning a smaller - HOB than requested, which could lead to OOB HOB accesses. - - Reported-by: Marc Beatove - Reviewed-by: Ard Biesheuvel - Cc: Sami Mujawar - Reviewed-by: Ray Ni - Cc: John Mathew - Authored-by: Gerd Hoffmann - 
Signed-off-by: Gua Guo - -Signed-off-by: Jon Maloy ---- - .../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++ - 1 file changed, 35 insertions(+) - -diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c -index 1550e1babc..59473e28fe 100644 ---- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c -+++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c -@@ -34,6 +34,13 @@ CreateHob ( - - HandOffHob = GetHobList (); - -+ // -+ // Check Length to avoid data overflow. -+ // -+ if (HobLength > MAX_UINT16 - 0x7) { -+ return NULL; -+ } -+ - HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); - - FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; -@@ -89,6 +96,10 @@ BuildModuleHob ( - ); - - Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); - Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; -@@ -129,6 +140,9 @@ BuildResourceDescriptorHob ( - - Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); - ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->ResourceType = ResourceType; - Hob->ResourceAttribute = ResourceAttribute; -@@ -167,6 +181,11 @@ BuildGuidHob ( - ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); - - Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return NULL; -+ } -+ - CopyGuid (&Hob->Name, Guid); - return Hob + 1; - } -@@ -226,6 +245,10 @@ BuildFvHob ( - EFI_HOB_FIRMWARE_VOLUME *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); -+ ASSERT (Hob != NULL); -+ if (Hob == 
NULL) { -+ return; -+ } - - Hob->BaseAddress = BaseAddress; - Hob->Length = Length; -@@ -255,6 +278,10 @@ BuildFv2Hob ( - EFI_HOB_FIRMWARE_VOLUME2 *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->BaseAddress = BaseAddress; - Hob->Length = Length; -@@ -282,6 +309,10 @@ BuildCpuHob ( - EFI_HOB_CPU *Hob; - - Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - Hob->SizeOfMemorySpace = SizeOfMemorySpace; - Hob->SizeOfIoSpace = SizeOfIoSpace; -@@ -319,6 +350,10 @@ BuildMemoryAllocationHob ( - ); - - Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); -+ ASSERT (Hob != NULL); -+ if (Hob == NULL) { -+ return; -+ } - - ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); - Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; --- -2.39.3 - diff --git a/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch b/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch new file mode 100644 index 0000000..6e09d72 --- /dev/null +++ b/SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch 
@@ -0,0 +1,142 @@ +From c4aa4797fafa3a627205eaa346401e399d4a7146 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 27 Aug 2024 12:06:15 +0200 +Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: skip PatchInstructionX86 calls if + not needed. + +RH-Author: Oliver Steffen +RH-MergeRequest: 71: UefiCpuPkg/PiSmmCpuDxeSmm: skip PatchInstructionX86 calls if not needed. +RH-Jira: RHEL-45847 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 70ceffb2c1e695276af87d3aa334fe9be8e2e90e (osteffen/edk2) + +Add the new global mMsrIa32MiscEnableSupported variable to track +whenever support for the IA32_MISC_ENABLE MSR is present or not. + +Add new local PatchingNeeded variable to CheckFeatureSupported() +to track if patching the SMM setup code is needed or not. + +Issue PatchInstructionX86() calls only if needed, i.e. if one of +the *Supported variables has been updated. + +Result is that on a typical SMP machine where all processors are +identical the PatchInstructionX86() calls are issued only once, +when checking the first processor. Specifically this avoids +PatchInstructionX86() being called in OVMF on CPU hotplug. That +is important because instruction patching at runtime does not not +work and leads to page faults. + +This fixes CPU hotplug on OVMF not working with AMD cpus. 
+ +Fixes: 6b3a89a9fdb5 ("OvmfPkg/PlatformPei: Relocate SmBases in PEI phase") +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 17ff8960848b2cb2e49fffb3dfbacd08865786a4) +--- + UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 49 +++++++++++++++++++++----- + 1 file changed, 40 insertions(+), 9 deletions(-) + +diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c +index 8142d3ceac..8e299fd29a 100644 +--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c ++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c +@@ -40,6 +40,11 @@ BOOLEAN mXdEnabled = FALSE; + // + BOOLEAN mBtsSupported = TRUE; + ++// ++// The flag indicates if MSR_IA32_MISC_ENABLE is supported by processor ++// ++BOOLEAN mMsrIa32MiscEnableSupported = TRUE; ++ + // + // The flag indicates if SMM profile starts to record data. + // +@@ -904,18 +909,23 @@ CheckFeatureSupported ( + UINT32 RegEcx; + UINT32 RegEdx; + MSR_IA32_MISC_ENABLE_REGISTER MiscEnableMsr; ++ BOOLEAN PatchingNeeded = FALSE; + + if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) != 0) && mCetSupported) { + AsmCpuid (CPUID_SIGNATURE, &RegEax, NULL, NULL, NULL); + if (RegEax >= CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS) { + AsmCpuidEx (CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS, CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS_SUB_LEAF_INFO, NULL, NULL, &RegEcx, NULL); + if ((RegEcx & CPUID_CET_SS) == 0) { +- mCetSupported = FALSE; +- PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1); ++ if (mCetSupported) { ++ mCetSupported = FALSE; ++ PatchingNeeded = TRUE; ++ } + } + } else { +- mCetSupported = FALSE; +- PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1); ++ if (mCetSupported) { ++ mCetSupported = FALSE; ++ PatchingNeeded = TRUE; ++ } + } + } + +@@ -925,8 +935,10 @@ CheckFeatureSupported ( + // + // Extended CPUID functions are not supported on this processor. 
+ // +- mXdSupported = FALSE; +- PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1); ++ if (mXdSupported) { ++ mXdSupported = FALSE; ++ PatchingNeeded = TRUE; ++ } + } + + AsmCpuid (CPUID_EXTENDED_CPU_SIG, NULL, NULL, NULL, &RegEdx); +@@ -934,15 +946,20 @@ CheckFeatureSupported ( + // + // Execute Disable Bit feature is not supported on this processor. + // +- mXdSupported = FALSE; +- PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1); ++ if (mXdSupported) { ++ mXdSupported = FALSE; ++ PatchingNeeded = TRUE; ++ } + } + + if (StandardSignatureIsAuthenticAMD ()) { + // + // AMD processors do not support MSR_IA32_MISC_ENABLE + // +- PatchInstructionX86 (gPatchMsrIa32MiscEnableSupported, FALSE, 1); ++ if (mMsrIa32MiscEnableSupported) { ++ mMsrIa32MiscEnableSupported = FALSE; ++ PatchingNeeded = TRUE; ++ } + } + } + +@@ -966,6 +983,20 @@ CheckFeatureSupported ( + } + } + } ++ ++ if (PatchingNeeded) { ++ if (!mCetSupported) { ++ PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1); ++ } ++ ++ if (!mXdSupported) { ++ PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1); ++ } ++ ++ if (!mMsrIa32MiscEnableSupported) { ++ PatchInstructionX86 (gPatchMsrIa32MiscEnableSupported, FALSE, 1); ++ } ++ } + } + + /** +-- +2.39.3 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 7fcf7a4..0de183b 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -1,8 +1,9 @@ ExclusiveArch: x86_64 aarch64 -%define GITDATE 20231122 -%define GITCOMMIT 8736b8fdca -%define TOOLCHAIN GCC5 +# edk2-stable202405 +%define GITDATE 20240524 +%define GITCOMMIT 3e722403cd +%define TOOLCHAIN GCC %define OPENSSL_VER 3.0.7 %define OPENSSL_HASH 0205b589887203b065154ddc8e8107c4ac8625a1 @@ -20,7 +21,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE} -Release: 6%{?dist}.4 +Release: 6%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org 
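Review bot: The closing `if (PatchingNeeded)` block added to CheckFeatureSupported() still calls PatchInstructionX86() whenever a later processor lacks a feature that the earlier ones had. The runtime-patching page fault described in the commit message is therefore avoided only when all processors are identical. The commit message states that assumption but the code does not, so a comment above the block would help, for example `// Patch only when a *Supported flag changed; a hot-added CPU with fewer features would still be patched at runtime.` Separately, the two inner `if (mCetSupported)` tests in the CET branch appear to be always true, because the enclosing condition already requires `mCetSupported`, and could be dropped. The function body starts and ends outside the nested hunks shown here, so the surrounding control flow is not fully visible.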
@@ -50,254 +51,56 @@ Source80: edk2-build.py Source82: edk2-build.rhel-9 Source90: DBXUpdate-%{DBXDATE}.x64.bin -Patch1: 0001-ignore-build-artifacts-generated-files-session-setti.patch -Patch2: 0002-Remove-submodules.patch -Patch3: 0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch -Patch4: 0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch -Patch5: 0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch -Patch6: 0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch -Patch7: 0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch -Patch8: 0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch -Patch9: 0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch -Patch10: 0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch -Patch11: 0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch -Patch12: 0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch -Patch13: 0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch -Patch14: 0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch -Patch15: 0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch -Patch16: 0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch -Patch17: 0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch -Patch18: 0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch -Patch19: 0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch -Patch20: 0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch -Patch21: 0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch -Patch22: 0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch -Patch23: 0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch -Patch24: 0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch -Patch25: 0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch -Patch26: 0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch -Patch27: 
0027-recreate-import-.distro-directory.patch -Patch28: 0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch -Patch29: 0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch -Patch30: 0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch -Patch31: 0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch -Patch32: edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch -Patch33: edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch -Patch34: edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch -# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9] -Patch35: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch -# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9] -Patch36: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch -# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9] -Patch37: edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch38: edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch39: edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch40: edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch41: edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch42: edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch -# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error -Patch43: edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch -# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9] 
-Patch44: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch -# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9] -Patch45: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch -# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9] -Patch46: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch -# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9] -Patch47: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch -# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9] -Patch48: edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch -# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf -Patch49: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch -# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf -Patch50: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch -# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf -Patch51: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch -# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf -Patch52: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN 
option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch53: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch54: edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options 
header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch55: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch56: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 
- CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch57: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch58: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer 
overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch59: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch60: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS 
Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch61: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch62: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 
Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch63: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch64: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# 
For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch65: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch66: edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: 
Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch67: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch68: edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling 
Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch69: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch -# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9] -# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9] -# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9] -# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9] -# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9] -# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9] -Patch70: edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch -# For RHEL-30156 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z] -Patch71: edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch -# For RHEL-30156 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z] -Patch72: edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch73: edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch74: edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch -# For 
RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch75: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch76: edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch77: edk2-SecurityPkg-RngDxe-add-rng-test.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch78: edk2-OvmfPkg-wire-up-RngDxe.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch79: edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch -# For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z] -# For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z] -Patch80: edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch -# For RHEL-46976 - No http boot support on edk2-ovmf-20231122-6.el9_4.2 -Patch81: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch -# For RHEL-54188 - [RHEL-9.4.z] edk2 hit Failed to generate random data -Patch82: edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch -# For RHEL-54188 - [RHEL-9.4.z] edk2 hit Failed to generate random data -Patch83: edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch +Patch1: 
0003-Remove-paths-leading-to-submodules.patch +Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +Patch3: 0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +Patch4: 0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +Patch5: 0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +Patch6: 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch7: 0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +Patch8: 0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +Patch9: 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch10: 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +Patch11: 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch12: 0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch +Patch13: 0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch +Patch14: 0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch +Patch15: 0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch +Patch16: 0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch17: 0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch18: 0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch +Patch19: 0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch +Patch20: 0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch +Patch21: 0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch +Patch22: 0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch +Patch23: 0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch +Patch24: 0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch +Patch25: 0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +Patch26: 0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch +Patch27: 0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch +Patch28: 0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch +Patch29: 
0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch +Patch30: 0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch +Patch31: 0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch +Patch32: 0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch +Patch33: 0035-OvmfPkg-add-morlock-support.patch +Patch34: 0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch +Patch35: 0037-SecurityPkg-RngDxe-add-rng-test.patch +Patch36: 0038-OvmfPkg-wire-up-RngDxe.patch +Patch37: 0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch +Patch38: 0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch +# For RHEL-43442 - edk2 disconnects abnormally before loading the kernel +Patch39: edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch +# For RHEL-45899 - [RHEL-9.5.0] edk2 hit Failed to generate random data +Patch40: edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch +# For RHEL-45899 - [RHEL-9.5.0] edk2 hit Failed to generate random data +Patch41: edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch +# For RHEL-56081 - [EDK2] Shim fallback reboot workaround might not work on SNP +Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch +# For RHEL-45847 - [RHEL9.5] Hotplug vcpu to a guest cause guest kernel panic +Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch +# For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9] +Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and 
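Review bot: The new Patch list carries no CVE annotations at all, so the spec no longer records where the fixes for CVE-2022-36763, CVE-2022-36764, CVE-2022-36765 and CVE-2023-45229 through CVE-2023-45237 live. Their downstream patches are removed, and the RNG/TCP follow-ups that return as 0034 and 0036–0040 lose their `# For RHEL-40270 - CVE-2023-45237 …` comments. Presumably the fixes are now part of the edk2-stable202405 base selected by `GITCOMMIT 3e722403cd`, but nothing on the new side lets an auditor confirm that without inspecting the tarball. I would add a comment above `Patch1:` along the lines of `# CVE-2022-36763/36764/36765 and CVE-2023-45229..45237: fixed in the edk2-stable202405 base, downstream patches dropped`, after checking each one against the rebased tree. The dropped `edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch` (RHEL-46976) needs the same check, since the new list shows no replacement for it.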
@@ -458,6 +261,7 @@ python3 CryptoPkg/Library/OpensslLib/configure.py mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/include mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/include/mbedtls mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/library +mkdir -p SecurityPkg/DeviceSecurity/SpdmLib/libspdm/include %if %{build_ovmf} ./edk2-build.py --config edk2-build.rhel-9 -m ovmf --release-date "$RELEASE_DATE" 
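Review bot: The added `mkdir -p SecurityPkg/DeviceSecurity/SpdmLib/libspdm/include` has no comment saying why an empty directory is created, and neither do the three MbedTlsLib lines above it. Presumably these stand in for include paths of submodules that the packaging strips (the spec applies `0003-Remove-paths-leading-to-submodules.patch`), which should be confirmed. A one-line comment such as `# placeholder include dirs for submodules that are not shipped in the source tarball` would let a reader verify that no libspdm code is expected to enter the firmware build. The surrounding scriptlet starts and ends outside the hunk.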
@@ -631,39 +435,66 @@ install -m 0644 \ %changelog -* Wed Sep 18 2024 Jon Maloy - 20231122-6.el9_4.4 -- edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55337] -- Resolves: RHEL-55337 - (CVE-2024-6119 edk2/openssl: Possible denial of service in X.509 name checks [rhel-9.4.z]) +* Fri Sep 13 2024 Miroslav Rezanina - 20240524-6 +- edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974] +- edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336] +- Resolves: RHEL-56974 + (qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9]) +- Resolves: RHEL-55336 + (CVE-2024-6119 edk2/openssl: Possible denial of service in X.509 name checks [rhel-9.5]) -* Tue Aug 20 2024 Miroslav Rezanina - 20231122-6.el9_4.3 -- edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch [RHEL-46976] -- edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch [RHEL-54188] -- edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch [RHEL-54188] -- Resolves: RHEL-46976 - (No http boot support on edk2-ovmf-20231122-6.el9_4.2) -- Resolves: RHEL-54188 - ([RHEL-9.4.z] edk2 hit Failed to generate random data) +* Mon Sep 09 2024 Miroslav Rezanina - 20240524-5 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch [RHEL-45847] +- Resolves: RHEL-45847 + ([RHEL9.5] Hotplug vcpu to a guest cause guest kernel panic) -* Mon Jul 01 2024 Miroslav Rezanina - 20231122-6.el9_4.2 -- edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-40270 RHEL-40272] -- edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-40270 RHEL-40272] -- edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-40270 RHEL-40272] -- edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-40270 RHEL-40272] -- edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-40270 RHEL-40272] -- edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-40270 RHEL-40272] -- edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-40270 
RHEL-40272] -- edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-40270 RHEL-40272] -- Resolves: RHEL-40270 - (CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]) -- Resolves: RHEL-40272 - (CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]) +* Mon Sep 02 2024 Miroslav Rezanina - 20240524-4 +- edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch [RHEL-56081] +- Resolves: RHEL-56081 + ([EDK2] Shim fallback reboot workaround might not work on SNP) -* Wed Apr 10 2024 Miroslav Rezanina - 20231122-6.el9_4.1 -- edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-30156] -- edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-30156] -- Resolves: RHEL-30156 - (CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-9.4.z]) +* Tue Aug 20 2024 Miroslav Rezanina - 20240524-3 +- edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch [RHEL-45899] +- edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch [RHEL-45899] +- Resolves: RHEL-45899 + ([RHEL-9.5.0] edk2 hit Failed to generate random data) + +* Thu Jul 25 2024 Miroslav Rezanina - 20240524-2 +- edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch [RHEL-43442] +- Resolves: RHEL-43442 + (edk2 disconnects abnormally before loading the kernel) + +* Thu Jun 20 2024 Miroslav Rezanina - 20240524-1 +- Rebase to edk2-stable202405 +- Bumo openssl to 8e5beb77088b +- Resolves: RHEL-32486 + (rebase to edk2-stable202405 [rhel-9]) +- Resolves: RHEL-36446 + (edk2: enable MOR [rhel-9]) +- Resolves: RHEL-21653 + (CVE-2023-6237 edk2: openssl: Excessive time spent checking invalid RSA public keys [rhel-9]) +- Resolves: RHEL-21150 + (CVE-2023-6129 edk2: mysql: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC) +- Resolves: RHEL-22490 + (CVE-2024-0727 edk2: openssl: denial of service via null dereference [rhel-9]) + +* Mon Apr 08 2024 Miroslav Rezanina - 20240214-2 +- 
edk2-OvmfPkg-PlatformPei-log-a-warning-when-memory-is-tig.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-consider-AP-stacks-for-pei-memor.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-rewrite-page-table-calculation.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-log-pei-memory-cap-details.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p2.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p3.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p4.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p5.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-return-early-in-GetBspNumber.patch [RHEL-22202] +- Resolves: RHEL-22202 + ([EDK2] Support booting with 4096 vcpus) + +* Tue Feb 27 2024 Gerd Hoffmann - 20240214-1 +- Rebase to edk2-stable202302 +- Resolves: RHEL-26879 * Thu Feb 22 2024 Miroslav Rezanina - 20231122-6 - edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]