* Mon Feb 19 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-5

- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21157]
- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21157]
- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch [RHEL-21157]
-  edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch [RHEL-21157]
- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21157]
- edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch [RHEL-21704]
- edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch [RHEL-21704]
- edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch [RHEL-21704]
- edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch [RHEL-21704]
- Resolves: RHEL-21157
  (CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9])
- Resolves: RHEL-21704
  (vGPU VM take several minutes to show tianocore logo if firmware is ovmf)

edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch

@@ -0,0 +1,41 @@
+From 08fc72d06946ef3adebf110c097ed869ab0ed416 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:39 +0100
+Subject: [PATCH 7/9] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache
+ types
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [2/4] a568bc2793d677462a2971aae9566a9bbc64b063 (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-3-kraxel@redhat.com>
+---
+ MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
+index 756e7c86ec..08ba949cf7 100644
+--- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
++++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
+@@ -2103,6 +2103,13 @@ typedef union {
+ #define MSR_IA32_MTRR_PHYSBASE9  0x00000212
+ /// @}
+ 
++#define MSR_IA32_MTRR_CACHE_UNCACHEABLE      0
++#define MSR_IA32_MTRR_CACHE_WRITE_COMBINING  1
++#define MSR_IA32_MTRR_CACHE_WRITE_THROUGH    4
++#define MSR_IA32_MTRR_CACHE_WRITE_PROTECTED  5
++#define MSR_IA32_MTRR_CACHE_WRITE_BACK       6
++#define MSR_IA32_MTRR_CACHE_INVALID_TYPE     7
++
+ /**
+   MSR information returned for MSR indexes #MSR_IA32_MTRR_PHYSBASE0 to
+   #MSR_IA32_MTRR_PHYSBASE9
+-- 
+2.39.3
+

edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch

@@ -0,0 +1,193 @@
+From 7b1298045185749369115719317dc92f58af92d7 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:38 +0100
+Subject: [PATCH 6/9] OvmfPkg/Sec: Setup MTRR early in the boot process.
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [1/4] c4061788d34f409944898b48642d610c259161f3 (kraxel.rh/centos-src-edk2)
+
+Specifically before running lzma uncompress of the main firmware volume.
+This is needed to make sure caching is enabled, otherwise the uncompress
+can be extremely slow.
+
+Adapt the ASSERTs and MTRR setup in PlatformInitLib to the changes.
+
+Background:  Depending on virtual machine configuration kvm may uses EPT
+memory types to apply guest MTRR settings.  In case MTRRs are disabled
+kvm will use the uncachable memory type for all mappings.  The
+vmx_get_mt_mask() function in the linux kernel handles this and can be
+found here:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/kvm/vmx/vmx.c?h=v6.7.1#n7580
+
+In most VM configurations kvm uses MTRR_TYPE_WRBACK unconditionally.  In
+case the VM has a mdev device assigned that is not the case though.
+
+Before commit e8aa4c6546ad ("UefiCpuPkg/ResetVector: Cache Disable
+should not be set by default in CR0") kvm also ended up using
+MTRR_TYPE_WRBACK due to KVM_X86_QUIRK_CD_NW_CLEARED.  After that commit
+kvm evaluates guest mtrr settings, which why setting up MTRRs early is
+important now.
+
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-2-kraxel@redhat.com>
+
+[ kraxel: Downstream-only for now.  Timely upstream merge is unlikely
+          due to chinese holidays and rhel-9.4 deadlines are close.
+          QE regression testing passed.  So go with upstream posted
+          series v3 ]
+---
+ OvmfPkg/IntelTdx/Sec/SecMain.c              | 32 +++++++++++++++++++++
+ OvmfPkg/Library/PlatformInitLib/MemDetect.c | 10 +++----
+ OvmfPkg/Sec/SecMain.c                       | 32 +++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+
+diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c
+index 42a587adfa..0daddac0a0 100644
+--- a/OvmfPkg/IntelTdx/Sec/SecMain.c
++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c
+@@ -27,6 +27,8 @@
+ #include <Library/TdxHelperLib.h>
+ #include <Library/CcProbeLib.h>
+ #include <Library/PeilessStartupLib.h>
++#include <Register/Intel/ArchitecturalMsr.h>
++#include <Register/Intel/Cpuid.h>
+ 
+ #define SEC_IDT_ENTRY_COUNT  34
+ 
+@@ -48,6 +50,31 @@ IA32_IDT_GATE_DESCRIPTOR  mIdtEntryTemplate = {
+   }
+ };
+ 
++//
++// Enable MTRR early, set default type to write back.
++// Needed to make sure caching is enabled,
++// without this lzma decompress can be very slow.
++//
++STATIC
++VOID
++SecMtrrSetup (
++  VOID
++  )
++{
++  CPUID_VERSION_INFO_EDX           Edx;
++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType;
++
++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32);
++  if (!Edx.Bits.MTRR) {
++    return;
++  }
++
++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
++  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.E    = 1; /* enable */
++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
++}
++
+ VOID
+ EFIAPI
+ SecCoreStartupWithStack (
+@@ -204,6 +231,11 @@ SecCoreStartupWithStack (
+   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
+   DisableApicTimerInterrupt ();
+ 
++  //
++  // Initialize MTRR
++  //
++  SecMtrrSetup ();
++
+   PeilessStartup (&SecCoreData);
+ 
+   ASSERT (FALSE);
+diff --git a/OvmfPkg/Library/PlatformInitLib/MemDetect.c b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+index 662e7e85bb..f8d7f5bf1c 100644
+--- a/OvmfPkg/Library/PlatformInitLib/MemDetect.c
++++ b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+@@ -1035,18 +1035,18 @@ PlatformQemuInitializeRam (
+     MtrrGetAllMtrrs (&MtrrSettings);
+ 
+     //
+-    // MTRRs disabled, fixed MTRRs disabled, default type is uncached
++    // See SecMtrrSetup(), default type should be write back
+     //
+-    ASSERT ((MtrrSettings.MtrrDefType & BIT11) == 0);
++    ASSERT ((MtrrSettings.MtrrDefType & BIT11) != 0);
+     ASSERT ((MtrrSettings.MtrrDefType & BIT10) == 0);
+-    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == 0);
++    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == MTRR_CACHE_WRITE_BACK);
+ 
+     //
+     // flip default type to writeback
+     //
+-    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, 0x06);
++    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, MTRR_CACHE_WRITE_BACK);
+     ZeroMem (&MtrrSettings.Variables, sizeof MtrrSettings.Variables);
+-    MtrrSettings.MtrrDefType |= BIT11 | BIT10 | 6;
++    MtrrSettings.MtrrDefType |= BIT10;
+     MtrrSetAllMtrrs (&MtrrSettings);
+ 
+     //
+diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
+index 31da5d0ace..3b7dc7205d 100644
+--- a/OvmfPkg/Sec/SecMain.c
++++ b/OvmfPkg/Sec/SecMain.c
+@@ -30,6 +30,8 @@
+ #include <Ppi/MpInitLibDep.h>
+ #include <Library/TdxHelperLib.h>
+ #include <Library/CcProbeLib.h>
++#include <Register/Intel/ArchitecturalMsr.h>
++#include <Register/Intel/Cpuid.h>
+ #include "AmdSev.h"
+ 
+ #define SEC_IDT_ENTRY_COUNT  34
+@@ -744,6 +746,31 @@ FindAndReportEntryPoints (
+   return;
+ }
+ 
++//
++// Enable MTRR early, set default type to write back.
++// Needed to make sure caching is enabled,
++// without this lzma decompress can be very slow.
++//
++STATIC
++VOID
++SecMtrrSetup (
++  VOID
++  )
++{
++  CPUID_VERSION_INFO_EDX           Edx;
++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType;
++
++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32);
++  if (!Edx.Bits.MTRR) {
++    return;
++  }
++
++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
++  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.E    = 1; /* enable */
++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
++}
++
+ VOID
+ EFIAPI
+ SecCoreStartupWithStack (
+@@ -942,6 +969,11 @@ SecCoreStartupWithStack (
+   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
+   DisableApicTimerInterrupt ();
+ 
++  //
++  // Initialize MTRR
++  //
++  SecMtrrSetup ();
++
+   //
+   // Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready.
+   //
+-- 
+2.39.3
+

edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch

@@ -0,0 +1,49 @@
+From 0e2a3df10d784fd38ceee2f6a733032d1333281f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:41 +0100
+Subject: [PATCH 9/9] OvmfPkg/Sec: use cache type #defines from
+ ArchitecturalMsr.h
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [4/4] 55f00e3e153ca945ca458e7abc26780a8d83ac85 (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-5-kraxel@redhat.com>
+---
+ OvmfPkg/IntelTdx/Sec/SecMain.c | 2 +-
+ OvmfPkg/Sec/SecMain.c          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c
+index 0daddac0a0..c00b852f0e 100644
+--- a/OvmfPkg/IntelTdx/Sec/SecMain.c
++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c
+@@ -70,7 +70,7 @@ SecMtrrSetup (
+   }
+ 
+   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
+-  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK;
+   DefType.Bits.E    = 1; /* enable */
+   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
+ }
+diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
+index 3b7dc7205d..aa0fa1b1ec 100644
+--- a/OvmfPkg/Sec/SecMain.c
++++ b/OvmfPkg/Sec/SecMain.c
+@@ -766,7 +766,7 @@ SecMtrrSetup (
+   }
+ 
+   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
+-  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK;
+   DefType.Bits.E    = 1; /* enable */
+   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
+ }
+-- 
+2.39.3
+

edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch

@@ -0,0 +1,273 @@
+From 31ebaa021650c9b23c27f3a7954d33c1ef1e1502 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Feb 2024 16:30:10 -0500
+Subject: [PATCH 3/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH
+ 4117/4118 symbol rename
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+RH-Jira: RHEL-21157
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [3/5] d18f14e0a7df36223dab179bf7e9556db43f4c55
+
+JIRA: https://issues.redhat.com/browse/RHEL-21157
+CVE: CVE-2022-36764
+Upstream: Merged
+
+commit 40adbb7f628dee79156c679fb0857968b61b7620
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Wed Jan 17 14:47:20 2024 -0800
+
+    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
+
+    Updates the sanitation function names to be lib unique names
+
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+    Cc: Rahul Kumar <rahul1.kumar@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
+    Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../DxeTpm2MeasureBootLib.c                   |  8 +++---
+ .../DxeTpm2MeasureBootLibSanitization.c       |  8 +++---
+ .../DxeTpm2MeasureBootLibSanitization.h       |  8 +++---
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 26 +++++++++----------
+ 4 files changed, 25 insertions(+), 25 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 714cc8e03e..73719f3b96 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -200,7 +200,7 @@ Tcg2MeasureGptTable (
+                      BlockIo->Media->BlockSize,
+                      (UINT8 *)PrimaryHeader
+                      );
+-  if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
++  if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+     DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
+     FreePool (PrimaryHeader);
+     return EFI_DEVICE_ERROR;
+@@ -209,7 +209,7 @@ Tcg2MeasureGptTable (
+   //
+   // Read the partition entry.
+   //
+-  Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
++  Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+   if (EFI_ERROR (Status)) {
+     FreePool (PrimaryHeader);
+     return EFI_BAD_BUFFER_SIZE;
+@@ -250,7 +250,7 @@ Tcg2MeasureGptTable (
+   //
+   // Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
+   //
+-  Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
++  Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
+   if (EFI_ERROR (Status)) {
+     FreePool (PrimaryHeader);
+     FreePool (EntryPtr);
+@@ -420,7 +420,7 @@ Tcg2MeasurePeImage (
+   }
+ 
+   FilePathSize = (UINT32)GetDevicePathSize (FilePath);
+-  Status       = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  Status       = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
+   if (EFI_ERROR (Status)) {
+     return EFI_UNSUPPORTED;
+   }
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index 2a4d52c6d5..809a3bfd89 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -63,7 +63,7 @@
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizeEfiPartitionTableHeader (
++Tpm2SanitizeEfiPartitionTableHeader (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
+   )
+@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader (
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizePrimaryHeaderAllocationSize (
++Tpm2SanitizePrimaryHeaderAllocationSize (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   OUT UINT32                           *AllocationSize
+   )
+@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePrimaryHeaderGptEventSize (
++Tpm2SanitizePrimaryHeaderGptEventSize (
+   IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN  UINTN                             NumberOfPartition,
+   OUT UINT32                            *EventSize
+@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePeImageEventSize (
++Tpm2SanitizePeImageEventSize (
+   IN  UINT32  FilePathSize,
+   OUT UINT32  *EventSize
+   )
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 8f72ba4240..8526bc7537 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -54,7 +54,7 @@
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizeEfiPartitionTableHeader (
++Tpm2SanitizeEfiPartitionTableHeader (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
+   );
+@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader (
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizePrimaryHeaderAllocationSize (
++Tpm2SanitizePrimaryHeaderAllocationSize (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   OUT UINT32                           *AllocationSize
+   );
+@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePrimaryHeaderGptEventSize (
++Tpm2SanitizePrimaryHeaderGptEventSize (
+   IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN  UINTN                             NumberOfPartition,
+   OUT UINT32                            *EventSize
+@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePeImageEventSize (
++Tpm2SanitizePeImageEventSize (
+   IN  UINT32  FilePathSize,
+   OUT UINT32  *EventSize
+   );
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 820e99aeb9..50a68e1076 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader (
+   PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+ 
+   // Test that a normal PrimaryHeader passes validation
+-  Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+   // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+   PrimaryHeader.NumberOfPartitionEntries = 0;
+-  Status                                 = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                                 = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+   PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ 
+   // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+   // Should print "Invalid Partition Table Header Size!"
+   PrimaryHeader.Header.HeaderSize = 0;
+-  Status                          = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                          = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+   PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ 
+   // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+   // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+   PrimaryHeader.SizeOfPartitionEntry = 1;
+-  Status                             = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                             = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize (
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+   PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ 
+-  Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Test that the allocation size is correct compared to the existing logic
+@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize (
+   // Test that an overflow is detected
+   PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+   PrimaryHeader.SizeOfPartitionEntry     = 5;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test the inverse
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+   PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test the worst case scenario
+   PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+   PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize (
+   NumberOfPartition = 13;
+ 
+   // that the primary event size is correct
+-  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Calculate the existing logic event size
+@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize (
+   UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+ 
+   // Tests that the primary event size may not overflow
+-  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
++  Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test that the size of partition entries may not overflow
+   PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+-  Status                             = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  Status                             = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize (
+   FilePathSize = 255;
+ 
+   // Test that a normal PE image passes validation
+-  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
+ 
+   // Test that the event size is correct compared to the existing logic
+@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize (
+   }
+ 
+   // Test that the event size may not overflow
+-  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+-- 
+2.39.3
+

edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch

@@ -0,0 +1,284 @@
+From 808551c1cb2ac9dc9a6287cbc85b167aa9eb2d7e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 7 Feb 2024 15:43:10 -0500
+Subject: [PATCH 1/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 -
+ CVE 2022-36764
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+RH-Jira: RHEL-21157
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/5] 50edfd997d089549ac41b9592131ac1212fc3431
+
+JIRA: https://issues.redhat.com/browse/RHEL-21157
+CVE: CVE-2022-36764
+Upstream: Merged
+
+commit c7b27944218130cca3bbb20314ba5b88b5de4aa4
+Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
+Date:   Fri Jan 12 02:16:04 2024 +0800
+
+    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+
+    This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+    CVE 2022-36764.
+
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../DxeTpm2MeasureBootLib.c                   | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c       | 46 +++++++++++++-
+ .../DxeTpm2MeasureBootLibSanitization.h       | 28 ++++++++-
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 60 ++++++++++++++++---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+   @retval EFI_OUT_OF_RESOURCES   No enough resource to measure image.
+   @retval EFI_UNSUPPORTED        ImageType is unsupported or PE image is mal-format.
+   @retval other error value
+-
+ **/
+ EFI_STATUS
+ EFIAPI
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+   Status    = EFI_UNSUPPORTED;
+   ImageLoad = NULL;
+   EventPtr  = NULL;
++  Tcg2Event = NULL;
+ 
+   Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+   CcProtocol   = MeasureBootProtocols->CcProtocol;
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+   }
+ 
+   FilePathSize = (UINT32)GetDevicePathSize (FilePath);
++  Status       = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
+ 
+   //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  EventPtr  = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
++  // from a malicious GPT disk partition
++  EventPtr = AllocateZeroPool (EventSize);
+   if (EventPtr == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+   Tcg2Event                       = (EFI_TCG2_EVENT *)EventPtr;
+-  Tcg2Event->Size                 = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++  Tcg2Event->Size                 = EventSize;
+   Tcg2Event->Header.HeaderSize    = sizeof (EFI_TCG2_EVENT_HEADER);
+   Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+   ImageLoad                       = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }
+ 
+ /**
+-  This function will validate that the allocation size from the primary header is sane
++ This function will validate that the allocation size from the primary header is sane
+   It will check the following:
+     - AllocationSize does not overflow
+ 
+@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
++  Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 048b738987..8f72ba4240 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -9,6 +9,9 @@
+   Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+   partition data carefully.
+ 
++  Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
++  data structure within this image buffer before use.
++
+   Copyright (c) Microsoft Corporation.<BR>
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
+-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 3eb9763e3c..820e99aeb9 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
+   PrimaryHeader.Header.Revision          = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+   PrimaryHeader.Header.HeaderSize        = sizeof (EFI_PARTITION_TABLE_HEADER);
+   PrimaryHeader.MyLBA                    = 1;
+-  PrimaryHeader.AlternateLBA             = 2;
+-  PrimaryHeader.FirstUsableLBA           = 3;
+-  PrimaryHeader.LastUsableLBA            = 4;
+-  PrimaryHeader.PartitionEntryLBA        = 5;
++  PrimaryHeader.PartitionEntryLBA        = 2;
++  PrimaryHeader.AlternateLBA             = 3;
++  PrimaryHeader.FirstUsableLBA           = 4;
++  PrimaryHeader.LastUsableLBA            = 5;
+   PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+   PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+   PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-  EFI_TCG2_EVENT              *Tcg2Event;
+-
+-  Tcg2Event = NULL;
+-  GptData   = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path when generating a
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32      EventSize;
++  UINTN       ExistingLogicEventSize;
++  UINT32      FilePathSize;
++  EFI_STATUS  Status;
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    return UNIT_TEST_ERROR_TEST_FAILED;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -267,6 +308,7 @@ UefiTestMain (
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.39.3
+

edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch

@@ -0,0 +1,280 @@
+From bf371de652c1132667666a9534ec2d91f9ea111d Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Feb 2024 16:30:10 -0500
+Subject: [PATCH 4/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH
+ 4117/4118 symbol rename
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+RH-Jira: RHEL-21157
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [4/5] bf00b368887b50b1ff5578a4491550b5741e3e34
+
+JIRA: https://issues.redhat.com/browse/RHEL-21157
+CVE: CVE-2022-36764
+Upstream: Merged
+
+commit 326db0c9072004dea89427ea3a44393a84966f2b
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Wed Jan 17 14:47:21 2024 -0800
+
+    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
+
+    Updates the sanitation function names to be lib unique names
+
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+    Cc: Rahul Kumar <rahul1.kumar@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
+    Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../DxeTpmMeasureBootLib.c                    |  8 +++---
+ .../DxeTpmMeasureBootLibSanitization.c        | 10 +++----
+ .../DxeTpmMeasureBootLibSanitization.h        |  8 +++---
+ .../DxeTpmMeasureBootLibSanitizationTest.c    | 26 +++++++++----------
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index a9fc440a09..ac855b8fbb 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -174,7 +174,7 @@ TcgMeasureGptTable (
+                      BlockIo->Media->BlockSize,
+                      (UINT8 *)PrimaryHeader
+                      );
+-  if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
++  if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+     DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
+     FreePool (PrimaryHeader);
+     return EFI_DEVICE_ERROR;
+@@ -183,7 +183,7 @@ TcgMeasureGptTable (
+   //
+   // Read the partition entry.
+   //
+-  Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
++  Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+   if (EFI_ERROR (Status)) {
+     FreePool (PrimaryHeader);
+     return EFI_DEVICE_ERROR;
+@@ -224,7 +224,7 @@ TcgMeasureGptTable (
+   //
+   // Prepare Data for Measurement
+   //
+-  Status   = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
++  Status   = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+   TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
+   if (TcgEvent == NULL) {
+     FreePool (PrimaryHeader);
+@@ -351,7 +351,7 @@ TcgMeasurePeImage (
+ 
+   // Determine destination PCR by BootPolicy
+   //
+-  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
+   if (EFI_ERROR (Status)) {
+     return EFI_UNSUPPORTED;
+   }
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index c989851cec..070e4a2c1c 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -1,5 +1,5 @@
+ /** @file
+-  The library instance provides security service of TPM2 measure boot and
++  The library instance provides security service of TPM measure boot and
+   Confidential Computing (CC) measure boot.
+ 
+   Caution: This file requires additional review when modified.
+@@ -63,7 +63,7 @@
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizeEfiPartitionTableHeader (
++TpmSanitizeEfiPartitionTableHeader (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
+   )
+@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader (
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizePrimaryHeaderAllocationSize (
++TpmSanitizePrimaryHeaderAllocationSize (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   OUT UINT32                           *AllocationSize
+   )
+@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePrimaryHeaderGptEventSize (
++TpmSanitizePrimaryHeaderGptEventSize (
+   IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN  UINTN                             NumberOfPartition,
+   OUT UINT32                            *EventSize
+@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePeImageEventSize (
++TpmSanitizePeImageEventSize (
+   IN  UINT32  FilePathSize,
+   OUT UINT32  *EventSize
+   )
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 2248495813..db6e9c3752 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -53,7 +53,7 @@
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizeEfiPartitionTableHeader (
++TpmSanitizeEfiPartitionTableHeader (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
+   );
+@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader (
+ **/
+ EFI_STATUS
+ EFIAPI
+-SanitizePrimaryHeaderAllocationSize (
++TpmSanitizePrimaryHeaderAllocationSize (
+   IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   OUT UINT32                           *AllocationSize
+   );
+@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePrimaryHeaderGptEventSize (
++TpmSanitizePrimaryHeaderGptEventSize (
+   IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
+   IN  UINTN                             NumberOfPartition,
+   OUT UINT32                            *EventSize
+@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize (
+     One of the passed parameters was invalid.
+ **/
+ EFI_STATUS
+-SanitizePeImageEventSize (
++TpmSanitizePeImageEventSize (
+   IN  UINT32  FilePathSize,
+   OUT UINT32  *EventSize
+   );
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index c41498be45..de1740af41 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader (
+   PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+ 
+   // Test that a normal PrimaryHeader passes validation
+-  Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+   // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+   PrimaryHeader.NumberOfPartitionEntries = 0;
+-  Status                                 = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                                 = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+   PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ 
+   // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+   // Should print "Invalid Partition Table Header Size!"
+   PrimaryHeader.Header.HeaderSize = 0;
+-  Status                          = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                          = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+   PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ 
+   // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+   // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+   PrimaryHeader.SizeOfPartitionEntry = 1;
+-  Status                             = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  Status                             = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+   UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize (
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+   PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ 
+-  Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Test that the allocation size is correct compared to the existing logic
+@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize (
+   // Test that an overflow is detected
+   PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+   PrimaryHeader.SizeOfPartitionEntry     = 5;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test the inverse
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+   PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test the worst case scenario
+   PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+   PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
+-  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  Status                                 = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize (
+   NumberOfPartition = 13;
+ 
+   // that the primary event size is correct
+-  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+   UT_ASSERT_NOT_EFI_ERROR (Status);
+ 
+   // Calculate the existing logic event size
+@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize (
+   UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+ 
+   // Tests that the primary event size may not overflow
+-  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
++  Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   // Test that the size of partition entries may not overflow
+   PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+-  Status                             = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  Status                             = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+   UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+ 
+   DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize (
+   FilePathSize = 255;
+ 
+   // Test that a normal PE image passes validation
+-  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
+   if (EFI_ERROR (Status)) {
+     UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
+     goto Exit;
+@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize (
+   }
+ 
+   // Test that the event size may not overflow
+-  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize);
+   if (Status != EFI_BAD_BUFFER_SIZE) {
+     UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
+     goto Exit;
+-- 
+2.39.3
+

edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch

@@ -0,0 +1,294 @@
+From c5580cd68acf14c9e8660f6ee2842654479089ae Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 7 Feb 2024 15:43:10 -0500
+Subject: [PATCH 2/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 -
+ CVE 2022-36764
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+RH-Jira: RHEL-21157
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [2/5] 3945cfd0838c822a3b2cc4b4e315c39a779a7344
+
+JIRA: https://issues.redhat.com/browse/RHEL-21157
+CVE: CVE-2022-36764
+Upstream: Merged
+
+commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e
+Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
+Date:   Fri Jan 12 02:16:05 2024 +0800
+
+    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+
+    This commit contains the patch files and tests for DxeTpmMeasureBootLib
+    CVE 2022-36764.
+
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../DxeTpmMeasureBootLib.c                    | 13 ++-
+ .../DxeTpmMeasureBootLibSanitization.c        | 44 +++++++++
+ .../DxeTpmMeasureBootLibSanitization.h        | 23 +++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c    | 98 +++++++++++++++++--
+ 4 files changed, 168 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 669ab19134..a9fc440a09 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -17,6 +17,7 @@
+ 
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
++Copyright (c) Microsoft Corporation.<BR>
+ 
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -345,18 +346,22 @@ TcgMeasurePeImage (
+   ImageLoad     = NULL;
+   SectionHeader = NULL;
+   Sha1Ctx       = NULL;
++  TcgEvent      = NULL;
+   FilePathSize  = (UINT32)GetDevicePathSize (FilePath);
+ 
+-  //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  TcgEvent  = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
++
++  TcgEvent = AllocateZeroPool (EventSize);
+   if (TcgEvent == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+-  TcgEvent->EventSize = EventSize;
++  TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+   ImageLoad           = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
+ 
+   switch (ImageType) {
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index a3fa46f5e6..c989851cec 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (TCG_PCR_EVENT_HDR)
++  Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 0d9d00c281..2248495813 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
+ #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index eeb928cdb0..c41498be45 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -1,8 +1,8 @@
+ /** @file
+-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
++  This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ 
+-Copyright (c) Microsoft Corporation.<BR>
+-SPDX-License-Identifier: BSD-2-Clause-Patent
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <Uefi.h>
+@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-
+-  GptData = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path for an
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32                    EventSize;
++  UINTN                     ExistingLogicEventSize;
++  UINT32                    FilePathSize;
++  EFI_STATUS                Status;
++  EFI_DEVICE_PATH_PROTOCOL  DevicePath;
++  EFI_IMAGE_LOAD_EVENT      *ImageLoadEvent;
++  UNIT_TEST_STATUS          TestStatus;
++
++  TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
++
++  // Generate EFI_DEVICE_PATH_PROTOCOL test data
++  DevicePath.Type      = 0;
++  DevicePath.SubType   = 0;
++  DevicePath.Length[0] = 0;
++  DevicePath.Length[1] = 0;
++
++  // Generate EFI_IMAGE_LOAD_EVENT test data
++  ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
++  if (ImageLoadEvent == NULL) {
++    DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
++    goto Exit;
++  }
++
++  // Populate EFI_IMAGE_LOAD_EVENT54 test data
++  ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
++  ImageLoadEvent->ImageLengthInMemory   = 0x1000;
++  ImageLoadEvent->ImageLinkTimeAddress  = (UINTN)ImageLoadEvent;
++  ImageLoadEvent->LengthOfDevicePath    = sizeof (EFI_DEVICE_PATH_PROTOCOL);
++  CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
++    goto Exit;
++  }
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    goto Exit;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  if (Status != EFI_BAD_BUFFER_SIZE) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
++    goto Exit;
++  }
++
++  TestStatus = UNIT_TEST_PASSED;
++Exit:
++
++  if (ImageLoadEvent != NULL) {
++    FreePool (ImageLoadEvent);
++  }
++
++  if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
++    DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
++  } else {
++    DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++  }
++
++  return TestStatus;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -265,6 +350,7 @@ UefiTestMain (
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.39.3
+

edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch

@@ -0,0 +1,85 @@
+From 95697612d2f1953c691b0914a1669e0fcf179767 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Feb 2024 16:30:10 -0500
+Subject: [PATCH 5/9] SecurityPkg: : Updating SecurityFixes.yaml after symbol
+ rename
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
+RH-Jira: RHEL-21157
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [5/5] 8e0c9c8c6b6ad05454f138397036954fe36c778c
+
+JIRA: https://issues.redhat.com/browse/RHEL-21157
+CVE: CVE-2022-36764
+Upstream: Merged
+
+commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Wed Jan 17 14:47:22 2024 -0800
+
+    SecurityPkg: : Updating SecurityFixes.yaml after symbol rename
+
+    Adding the new commit titles for the symbol renames
+
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+    Cc: Rahul Kumar <rahul1.kumar@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com>
+    Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index f9e3e7be74..dc1bb83489 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -9,14 +9,35 @@ CVE_2022_36763:
+     - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
+     - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
+     - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
++    - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
++    - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
++    - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
+   cve: CVE-2022-36763
+   date_reported: 2022-10-25 11:31 UTC
+   description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
+   note: This patch is related to and supersedes TCBZ2168
+   files_impacted:
+-  - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+-  - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++    - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++    - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+   links:
+-  - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+-  - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+-  - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
++CVE_2022_36764:
++  commit_titles:
++    - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++    - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++    - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
++    - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
++    - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
++    - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
++  cve: CVE-2022-36764
++  date_reported: 2022-10-25 12:23 UTC
++  description: Heap Buffer Overflow in Tcg2MeasurePeImage()
++  note:
++  files_impacted:
++    - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++    - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
++
+-- 
+2.39.3
+

edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch

@@ -0,0 +1,69 @@
+From 4d3ac0527ceb615a49214b0f7249d9198ddeb53a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:40 +0100
+Subject: [PATCH 8/9] UefiCpuPkg/MtrrLib.h: use cache type #defines from
+ ArchitecturalMsr.h
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [3/4] 8b766c97b247a8665662697534455c19423ff23c (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-4-kraxel@redhat.com>
+---
+ UefiCpuPkg/Include/Library/MtrrLib.h | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/UefiCpuPkg/Include/Library/MtrrLib.h b/UefiCpuPkg/Include/Library/MtrrLib.h
+index 86cc1aab3b..287d249a99 100644
+--- a/UefiCpuPkg/Include/Library/MtrrLib.h
++++ b/UefiCpuPkg/Include/Library/MtrrLib.h
+@@ -9,6 +9,8 @@
+ #ifndef  _MTRR_LIB_H_
+ #define  _MTRR_LIB_H_
+ 
++#include <Register/Intel/ArchitecturalMsr.h>
++
+ //
+ // According to IA32 SDM, MTRRs number and MSR offset are always consistent
+ // for IA32 processor family
+@@ -82,20 +84,20 @@ typedef struct _MTRR_SETTINGS_ {
+ // Memory cache types
+ //
+ typedef enum {
+-  CacheUncacheable    = 0,
+-  CacheWriteCombining = 1,
+-  CacheWriteThrough   = 4,
+-  CacheWriteProtected = 5,
+-  CacheWriteBack      = 6,
+-  CacheInvalid        = 7
++  CacheUncacheable    = MSR_IA32_MTRR_CACHE_UNCACHEABLE,
++  CacheWriteCombining = MSR_IA32_MTRR_CACHE_WRITE_COMBINING,
++  CacheWriteThrough   = MSR_IA32_MTRR_CACHE_WRITE_THROUGH,
++  CacheWriteProtected = MSR_IA32_MTRR_CACHE_WRITE_PROTECTED,
++  CacheWriteBack      = MSR_IA32_MTRR_CACHE_WRITE_BACK,
++  CacheInvalid        = MSR_IA32_MTRR_CACHE_INVALID_TYPE,
+ } MTRR_MEMORY_CACHE_TYPE;
+ 
+-#define  MTRR_CACHE_UNCACHEABLE      0
+-#define  MTRR_CACHE_WRITE_COMBINING  1
+-#define  MTRR_CACHE_WRITE_THROUGH    4
+-#define  MTRR_CACHE_WRITE_PROTECTED  5
+-#define  MTRR_CACHE_WRITE_BACK       6
+-#define  MTRR_CACHE_INVALID_TYPE     7
++#define  MTRR_CACHE_UNCACHEABLE      MSR_IA32_MTRR_CACHE_UNCACHEABLE
++#define  MTRR_CACHE_WRITE_COMBINING  MSR_IA32_MTRR_CACHE_WRITE_COMBINING
++#define  MTRR_CACHE_WRITE_THROUGH    MSR_IA32_MTRR_CACHE_WRITE_THROUGH
++#define  MTRR_CACHE_WRITE_PROTECTED  MSR_IA32_MTRR_CACHE_WRITE_PROTECTED
++#define  MTRR_CACHE_WRITE_BACK       MSR_IA32_MTRR_CACHE_WRITE_BACK
++#define  MTRR_CACHE_INVALID_TYPE     MSR_IA32_MTRR_CACHE_INVALID_TYPE
+ 
+ typedef struct {
+   UINT64                    BaseAddress;
+-- 
+2.39.3
+

edk2.spec

@@ -20,7 +20,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@@ -102,6 +102,24 @@ Patch41: edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch
 Patch42: edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch
 # For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
 Patch43: edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch
+# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
+Patch44: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch
+# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
+Patch45: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
+# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
+Patch46: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
+# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
+Patch47: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch
+# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
+Patch48: edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
+# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
+Patch49: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
+# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
+Patch50: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
+# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
+Patch51: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
+# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
+Patch52: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -435,6 +453,21 @@ install -m 0644 \
 
 
 %changelog
+* Mon Feb 19 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-5
+- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21157]
+- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21157]
+- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch [RHEL-21157]
+- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch [RHEL-21157]
+- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21157]
+- edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch [RHEL-21704]
+- edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch [RHEL-21704]
+- edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch [RHEL-21704]
+- edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch [RHEL-21704]
+- Resolves: RHEL-21157
+  (CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9])
+- Resolves: RHEL-21704
+  (vGPU VM take several minutes to show tianocore logo if firmware is ovmf)
+
 * Wed Jan 31 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-4
 - edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch [RHEL-20963]
 - edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch [RHEL-20963]