* Thu Aug 24 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-3

- edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch [bz#2190244]
- edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch [bz#2211060]
- edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch [bz#2218196]
- Resolves: bz#2190244
  ([EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes)
- Resolves: bz#2211060
  (SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again)
- Resolves: bz#2218196
  (Add vtpm devices with OVMF.amdsev.fd causes VM reset)

edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch

@@ -0,0 +1,88 @@
+From 673ed284a598bf94d39f01f118158e55e5c04645 Mon Sep 17 00:00:00 2001
+From: Michael Roth <michael.roth@amd.com>
+Date: Wed, 16 Aug 2023 15:11:45 -0500
+Subject: [PATCH 1/3] OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure
+ during boot
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 44: OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure during boot
+RH-Bugzilla: 2190244
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Commit: [1/1] 44f18b2324cbd4aa1840613d9a8d19f0fbec7b1b (kraxel.rh/centos-src-edk2)
+
+Booting an SEV guest with AmdSev OVMF package currently triggers the
+following assertion with QEMU:
+
+  InstallQemuFwCfgTables: installed 7 tables
+  PcRtc: Write 0x20 to CMOS location 0x32
+  [Variable]END_OF_DXE is signaled
+  Initialize variable error flag (FF)
+
+  ASSERT_EFI_ERROR (Status = Not Found)
+  ASSERT [BdsDxe] /home/VT_BUILD/ovmf/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c(1711): !(((INTN)(RETURN_STATUS)(Status)) < 0)
+
+This seems to be due to commit 81dc0d8b4c, which switched to using
+PlatformBootManagerLib instead of PlatformBootManagerLibGrub. That
+pulls in a dependency on gEfiS3SaveStateProtocolGuid provider being
+available (which is asserted for in
+BdsPlatform.c:PlatformBootManagerBeforeConsole()/SaveS3BootScript()),
+but the libraries that provide it aren't currently included in the
+build. Add them similarly to what's done for OvmfPkg.
+
+Fixes: 81dc0d8b4c ("OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub")
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Erdem Aktas <erdemaktas@google.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20230816201146.1634348-2-michael.roth@amd.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+List-Archive: https://edk2.groups.io/g/devel/message/107806
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 427df673f3..8d165ed05a 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -199,6 +199,7 @@
+ 
+   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
++  S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
+ 
+ !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+ 
+@@ -715,6 +716,8 @@
+   #
+   MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+   OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+   #
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index a48c93e2a5..3e6ee61823 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -269,6 +269,8 @@ INF  OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf
+ 
+ INF  MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+ INF  OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++INF  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-- 
+2.39.3
+

edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch

@@ -0,0 +1,120 @@
+From 9f0b4df867e6a2d56838e4048be245eac3fcc18e Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Wed, 16 Aug 2023 12:09:40 +0200
+Subject: [PATCH 3/3] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+RH-Bugzilla: 2218196
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2)
+
+Add a callback at the end of the Dxe phase that sets the
+"FB_NO_REBOOT" variable under the Shim GUID.
+This is a workaround for a boot loop in case a confidential
+guest that uses shim is booted with a vtpm device present.
+
+BZ 2218196
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 42 +++++++++++++++++++++++++++++++++
+ OvmfPkg/AmdSevDxe/AmdSevDxe.inf |  2 ++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+index db3675ae86..f639c093a2 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+@@ -19,6 +19,7 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Guid/ConfidentialComputingSevSnpBlob.h>
++#include <Guid/GlobalVariable.h>
+ #include <Library/PcdLib.h>
+ #include <Pi/PrePiDxeCis.h>
+ #include <Protocol/SevMemoryAcceptance.h>
+@@ -28,6 +29,10 @@
+ // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
+ #define EFI_MEMORY_INTERNAL_MASK  0x0700000000000000ULL
+ 
++static EFI_GUID  ShimLockGuid = {
++  0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }
++};
++
+ STATIC
+ EFI_STATUS
+ AllocateConfidentialComputingBlob (
+@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL  mMemoryAcceptProtocol = {
+   AmdSevMemoryAccept
+ };
+ 
++VOID
++EFIAPI
++PopulateVarstore (
++  EFI_EVENT  Event,
++  VOID       *Context
++  )
++{
++  EFI_SYSTEM_TABLE  *SystemTable = (EFI_SYSTEM_TABLE *)Context;
++  EFI_STATUS        Status;
++
++  DEBUG ((DEBUG_INFO, "Populating Varstore\n"));
++  UINT32  data = 1;
++
++  Status = SystemTable->RuntimeServices->SetVariable (
++                                           L"FB_NO_REBOOT",
++                                           &ShimLockGuid,
++                                           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++                                           sizeof (data),
++                                           &data
++                                           );
++  ASSERT_EFI_ERROR (Status);
++
++  Status = SystemTable->BootServices->CloseEvent (Event);
++  ASSERT_EFI_ERROR (Status);
++}
++
+ EFI_STATUS
+ EFIAPI
+ AmdSevDxeEntryPoint (
+@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint (
+   UINTN                                     NumEntries;
+   UINTN                                     Index;
+   CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION  *SnpBootDxeTable;
++  EFI_EVENT                                 PopulateVarstoreEvent;
+ 
+   //
+   // Do nothing when SEV is not enabled
+@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint (
+                   );
+   }
+ 
++  Status = gBS->CreateEventEx (
++                  EVT_NOTIFY_SIGNAL,
++                  TPL_CALLBACK,
++                  PopulateVarstore,
++                  SystemTable,
++                  &gEfiEndOfDxeEventGroupGuid,
++                  &PopulateVarstoreEvent
++                  );
++  ASSERT_EFI_ERROR (Status);
++
+   return EFI_SUCCESS;
+ }
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+index e7c7d526c9..09cbd2b0ca 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+@@ -54,6 +54,8 @@
+ [Guids]
+   gConfidentialComputingSevSnpBlobGuid
+   gEfiEventBeforeExitBootServicesGuid
++  gEfiEndOfDxeEventGroupGuid              ## CONSUMES ## Event
++
+ 
+ [Pcd]
+   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+-- 
+2.39.3
+

edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch

@@ -0,0 +1,79 @@
+From 7f3f6e3088655e33600aacd886aa51d19c01c59a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 19 Jul 2023 18:31:29 +0200
+Subject: [PATCH 2/3] OvmfPkg/IoMmuDxe: add locking to
+ IoMmuAllocateBounceBuffer
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 45: OvmfPkg/IoMmuDxe: add locking to IoMmuAllocateBounceBuffer
+RH-Bugzilla: 2211060
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Commit: [1/1] c4998c57651df23342a0cd6e8982bf59f306da83 (kraxel.rh/centos-src-edk2)
+
+Searching for an unused bounce buffer in mReservedMemBitmap and
+reserving the buffer by flipping the bit is a critical section
+which must not be interrupted.  Raise the TPL level to ensure
+that.
+
+Without this fix it can happen that IoMmuDxe hands out the same
+bounce buffer twice, causing trouble down the road.  Seen happening
+in practice with VirtioNetDxe setting up the network interface (and
+calling into IoMmuDxe from a polling timer callback) in parallel with
+Boot Manager doing some disk I/O.  An ASSERT() in VirtioNet caught
+the buffer inconsistency.
+
+Full story with lots of details and discussions is available here:
+https://bugzilla.redhat.com/show_bug.cgi?id=2211060
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit a52044a9e602bc168cdf5d73a48952bfc9edb521)
+---
+ OvmfPkg/IoMmuDxe/IoMmuBuffer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
+index c8f6cf4818..103003cae3 100644
+--- a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
++++ b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
+@@ -367,7 +367,9 @@ IoMmuAllocateBounceBuffer (
+ {
+   EFI_STATUS  Status;
+   UINT32      ReservedMemBitmap;
++  EFI_TPL     OldTpl;
+ 
++  OldTpl            = gBS->RaiseTPL (TPL_NOTIFY);
+   ReservedMemBitmap = 0;
+   Status            = InternalAllocateBuffer (
+                         Type,
+@@ -378,6 +380,7 @@ IoMmuAllocateBounceBuffer (
+                         );
+   MapInfo->ReservedMemBitmap = ReservedMemBitmap;
+   mReservedMemBitmap        |= ReservedMemBitmap;
++  gBS->RestoreTPL (OldTpl);
+ 
+   ASSERT (Status == EFI_SUCCESS);
+ 
+@@ -395,6 +398,8 @@ IoMmuFreeBounceBuffer (
+   IN OUT     MAP_INFO  *MapInfo
+   )
+ {
++  EFI_TPL  OldTpl;
++
+   if (MapInfo->ReservedMemBitmap == 0) {
+     gBS->FreePages (MapInfo->PlainTextAddress, MapInfo->NumberOfPages);
+   } else {
+@@ -407,9 +412,11 @@ IoMmuFreeBounceBuffer (
+       mReservedMemBitmap,
+       mReservedMemBitmap & ((UINT32)(~MapInfo->ReservedMemBitmap))
+       ));
++    OldTpl                     = gBS->RaiseTPL (TPL_NOTIFY);
+     MapInfo->PlainTextAddress  = 0;
+     mReservedMemBitmap        &= (UINT32)(~MapInfo->ReservedMemBitmap);
+     MapInfo->ReservedMemBitmap = 0;
++    gBS->RestoreTPL (OldTpl);
+   }
+ 
+   return EFI_SUCCESS;
+-- 
+2.39.3
+

edk2.spec

@@ -18,7 +18,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    2%{?dist}
+Release:    3%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
 URL:        http://www.tianocore.org
@@ -101,6 +101,12 @@ Patch39: edk2-OvmfPkg-PlatformInitLib-check-PcdUse1GPageTable.patch
 Patch40: edk2-OvmfPkg-OvmfPkgIa32X64-enable-1G-pages.patch
 # For RHEL-644 - enable gigabyte pages
 Patch41: edk2-OvmfPkg-MicrovmX64-enable-1G-pages.patch
+# For bz#2190244 - [EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes
+Patch42: edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
+# For bz#2211060 - SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again
+Patch43: edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch
+# For bz#2218196 - Add vtpm devices with OVMF.amdsev.fd causes VM reset
+Patch44: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -420,6 +426,17 @@ install -m 0644 \
 
 
 %changelog
+* Thu Aug 24 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-3
+- edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch [bz#2190244]
+- edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch [bz#2211060]
+- edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch [bz#2218196]
+- Resolves: bz#2190244
+  ([EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes)
+- Resolves: bz#2211060
+  (SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again)
+- Resolves: bz#2218196
+  (Add vtpm devices with OVMF.amdsev.fd causes VM reset)
+
 * Mon Jul 10 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-2
 - edk2-ArmVirt-add-VirtioSerialDxe-to-ArmVirtQemu-builds.patch [RHEL-643]
 - edk2-ArmVirt-PlatformBootManagerLib-factor-out-IsVirtio.patch [RHEL-643]