diff --git a/SOURCES/1000-replace-upstream-references.patch b/SOURCES/1000-replace-upstream-references.patch
new file mode 100644
index 0000000..b2eabcd
--- /dev/null
+++ b/SOURCES/1000-replace-upstream-references.patch
@@ -0,0 +1,23 @@
+From a194940b0fc62054430ca36b2bcec473a56745a1 Tue 30 Apr 00:00:00 2001
+From: rpm-build
+Date: Tue, 30 Apr 2024 11:58:21 -0700
+Subject: [PATCH] Replace upstream references
+
+Orabug: 36569119
+
+Signed-off-by: John McWalters
+Reviewed-by: Laurence Rochfort
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
+index e978057..67d6957 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
+@@ -311,7 +311,7 @@ int fipsinstall_main(int argc, char **argv)
+ EVP_MAC *mac = NULL;
+ CONF *conf = NULL;
+
+- BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
++ BIO_printf(bio_err, "This command is not enabled in the Oracle Linux OpenSSL build, please consult Oracle Linux documentation to learn how to enable FIPS mode\n");
+ return 1;
+
+ if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
diff --git a/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
new file mode 100644
index 0000000..bab07f4
--- /dev/null
+++ b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@@ -0,0 +1,50 @@
+From effd0f360ea1186b2b6af0aa2420d4bf779d51ef Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 1 Oct 2024 18:40:41 -0400
+Subject: [PATCH 3/3] MdePkg: Fix overflow issue in BasePeCoffLib
+
+RH-Author: Jon Maloy
+RH-MergeRequest: 78: MdePkg: Fix overflow issue in BasePeCoffLib
+RH-Jira: RHEL-60833
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/1] 812453d5d03bcd92dfa6aea594af6214569c419e
+
+JIRA: https://issues.redhat.com/browse/RHEL-60833
+CVE: CVE-2024-38796
+Upstream: Merged
+
+commit c95233b8525ca6828921affd1496146cff262e65
+Author: Doug Flick
+Date: Fri Sep 27 12:08:55 2024 -0700
+
+ MdePkg: Fix overflow issue in BasePeCoffLib
+
+ The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+ also a UINT32 value. The current code does not check for overflow when
+ adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+ check to ensure that the addition does not overflow.
+
+ Signed-off-by: Doug Flick
+ Authored-by: sriraamx gobichettipalayam
+
+Signed-off-by: Jon Maloy
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e769b..128090d98e 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
+--
+2.39.3
+
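Review bot: The new guard makes an overflowing Size/VirtualAddress pair fall out of the `if` instead of failing the load, so — assuming the `else` branch outside this hunk clears RelocBase/RelocBaseEnd as the upstream file does — a malformed image is relocated as if it had no relocation directory rather than being rejected, which is the less conservative outcome for a loader that also sees untrusted images. Consider reporting it the way the loader reports other relocation failures (set ImageContext->ImageError to IMAGE_ERROR_FAILED_RELOCATION and return RETURN_LOAD_ERROR), or at least state that fall-through is intended with a comment on the condition: `// Size > 0 is checked first, so Size - 1 cannot underflow; skip directories whose VirtualAddress + Size would wrap past MAX_UINT32`. PeCoffLoaderRelocateImage begins and ends outside the hunk.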
diff --git a/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
new file mode 100644
index 0000000..c564bbe
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
@@ -0,0 +1,350 @@ +From ff9baf5bf0ef960b9f1bb9668cfe6f3d66b288d0 Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 4 Nov 2024 12:40:12 +0100 +Subject: [PATCH] OvmfPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 80: OvmfPkg: Add a Fallback RNG (RH only) +RH-Jira: RHEL-65725 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 2865ef247c476418c88ba988449841aee4a93bea (osteffen/edk2) + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +Signed-off-by: Oliver Steffen +--- + .../PlatformBootManagerLib/BdsPlatform.c | 7 + + .../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++ + .../PlatformBootManagerLib/FallbackRng.h | 20 ++ + .../PlatformBootManagerLib.inf | 5 + + 4 files changed, 254 insertions(+) + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h + +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +index d9f61757cf..87d1ac3142 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c ++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +@@ -15,6 +15,8 @@ + #include + #include + ++#include "FallbackRng.h" ++ + // + // Global data + // +@@ -539,6 +541,9 @@ PlatformBootManagerBeforeConsole ( + ConnectVirtioPciRng, + NULL + ); ++ ++ FallbackRngCheckAndInstall (); ++ + } + + EFI_STATUS +@@ -1778,6 +1783,8 @@ PlatformBootManagerAfterConsole ( + + DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n")); + ++ FallbackRngPrintWarning (); ++ + if (PcdGetBool (PcdOvmfFlashVariablesEnable)) { + DEBUG (( + DEBUG_INFO, +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +new file mode 100644 
+index 0000000000..bba60e29d5 +--- /dev/null ++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +@@ -0,0 +1,222 @@ ++/** @file ++ Copyright (C) 2024, Red Hat, Inc. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "FallbackRng.h" ++ ++typedef struct { ++ EFI_RNG_PROTOCOL Rng; ++ EFI_HANDLE Handle; ++} FALLBACK_RNG_DEV; ++ ++/** ++ Returns information about the random number generation implementation. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of ++ RNGAlgorithmList. ++ On output with a return code of ++ EFI_SUCCESS, the size in bytes of the ++ data returned in RNGAlgorithmList. On ++ output with a return code of ++ EFI_BUFFER_TOO_SMALL, the size of ++ RNGAlgorithmList required to obtain the ++ list. ++ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled ++ by the driver with one EFI_RNG_ALGORITHM ++ element for each supported RNG algorithm. ++ The list must not change across multiple ++ calls to the same driver. The first ++ algorithm in the list is the default ++ algorithm for the driver. ++ ++ @retval EFI_SUCCESS The RNG algorithm list was returned ++ successfully. ++ @retval EFI_UNSUPPORTED The services is not supported by this ++ driver. ++ @retval EFI_DEVICE_ERROR The list of algorithms could not be ++ retrieved due to a hardware or firmware ++ error. ++ @retval EFI_INVALID_PARAMETER One or more of the parameters are ++ incorrect. ++ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small ++ to hold the result. 
++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++FallbackRngGetInfo ( ++ IN EFI_RNG_PROTOCOL *This, ++ IN OUT UINTN *RNGAlgorithmListSize, ++ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList ++ ) ++{ ++ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) { ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ ++ if (RNGAlgorithmList == NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw); ++ ++ return EFI_SUCCESS; ++} ++ ++/** ++ Produces and returns an RNG value using either the default or specified RNG ++ algorithm. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that ++ identifies the RNG algorithm to use. May ++ be NULL in which case the function will ++ use its default RNG algorithm. ++ @param[in] RNGValueLength The length in bytes of the memory buffer ++ pointed to by RNGValue. The driver shall ++ return exactly this numbers of bytes. ++ @param[out] RNGValue A caller-allocated memory buffer filled ++ by the driver with the resulting RNG ++ value. ++ ++ @retval EFI_SUCCESS The RNG value was returned successfully. ++ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm ++ is not supported by this driver. ++ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due ++ to a hardware or firmware error. ++ @retval EFI_NOT_READY There is not enough random data available ++ to satisfy the length requested by ++ RNGValueLength. ++ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is ++ zero. 
++
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++FallbackRngGetRNG (
++ IN EFI_RNG_PROTOCOL *This,
++ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
++ IN UINTN RNGValueLength,
++ OUT UINT8 *RNGValue
++ )
++{
++ UINT64 RandomData;
++ EFI_STATUS Status;
++ UINTN i;
++
++ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ //
++ // We only support the raw algorithm, so reject requests for anything else
++ //
++ if ((RNGAlgorithm != NULL) &&
++ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw))
++ {
++ return EFI_UNSUPPORTED;
++ }
++
++ for (i = 0; i < RNGValueLength; ++i) {
++ if (i % 4 == 0) {
++ Status = GetRandomNumber64 (&RandomData);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ }
++ }
++
++ return EFI_SUCCESS;
++}
++
++static FALLBACK_RNG_DEV Dev = {
++ .Rng.GetInfo = FallbackRngGetInfo,
++ .Rng.GetRNG = FallbackRngGetRNG,
++ .Handle = NULL,
++};
++
++EFI_STATUS
++FallbackRngCheckAndInstall (
++ )
++{
++ EFI_STATUS Status;
++ EFI_HANDLE *HandleBuffer = NULL;
++ UINTN HandleCount = 0;
++
++ if (Dev.Handle != NULL) {
++ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n"));
++ return EFI_ALREADY_STARTED;
++ }
++
++ Status = gBS->LocateHandleBuffer (
++ ByProtocol,
++ &gEfiRngProtocolGuid,
++ NULL,
++ &HandleCount,
++ &HandleBuffer
++ );
++
++ gBS->FreePool (HandleBuffer);
++
++ if (Status == EFI_NOT_FOUND) {
++ HandleCount = 0;
++ } else if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status));
++ return Status;
++ }
++
++ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount));
++
++ if (HandleCount == 0) {
++ // Install RNG
++ Status = gBS->InstallProtocolInterface (
++ &Dev.Handle,
++ &gEfiRngProtocolGuid,
++ EFI_NATIVE_INTERFACE,
++ &Dev.Rng
++ );
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status));
++ return Status;
++ }
++
++ gDS->Dispatch ();
++ }
++
++ return EFI_SUCCESS;
++}
++
++VOID
++FallbackRngPrintWarning (
++ )
++{
++ if (Dev.Handle != NULL) {
++ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n");
++ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"));
++ gBS->Stall (2000000);
++ }
++}
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+new file mode 100644
+index 0000000000..77332bc51c
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+@@ -0,0 +1,20 @@
++/** @file
++ Copyright (C) 2024, Red Hat, Inc.
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef _FALLBACK_RNG_H_
++#define _FALLBACK_RNG_H_
++
++#include
++#include
++
++EFI_STATUS
++FallbackRngCheckAndInstall (
++ );
++
++VOID
++FallbackRngPrintWarning (
++ );
++
++#endif
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+index c6ffc1ed9e..211716e30d 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
++++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+@@ -25,6 +25,8 @@
+ PlatformData.c
+ QemuKernel.c
+ BdsPlatform.h
++ FallbackRng.c
++ FallbackRng.h
+
+ [Packages]
+ MdePkg/MdePkg.dec
+@@ -56,6 +58,7 @@
+ PlatformBmPrintScLib
+ Tcg2PhysicalPresenceLib
+ XenPlatformLib
++ RngLib
+
+ [Pcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
+@@ -80,6 +83,7 @@
+ gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+ gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+ gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED
++ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+
+ [Guids]
+ gEfiEndOfDxeEventGroupGuid
+@@ -87,3 +91,4 @@
+ gRootBridgesConnectedEventGroupGuid
+ gUefiShellFileGuid
+ gGrubFileGuid
++ gEfiRngAlgorithmRaw
+--
+2.39.3
+
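Review bot: FallbackRngGetRNG in the new FallbackRng.c never writes to RNGValue: the loop calls GetRandomNumber64 (&RandomData) on every fourth index but nothing copies RandomData into the output buffer, so the function returns EFI_SUCCESS with the caller's buffer exactly as it was, and every consumer of this protocol (the network stack this patch exists to unblock) receives non-random bytes. The error path is ineffective as well, because RngLib's GetRandomNumber64 returns a BOOLEAN rather than an EFI_STATUS, so `EFI_ERROR (Status)` can never be true; test the BOOLEAN, return EFI_NOT_READY on failure, and copy MIN (sizeof RandomData, remaining) bytes per fetch as below (the Status local then becomes unused). Separately, in FallbackRngCheckAndInstall the `gBS->FreePool (HandleBuffer)` call sits before the status check, so on EFI_NOT_FOUND it is passed the NULL the variable was initialised with; move it below the error check. GetInfo advertises gEfiRngAlgorithmRaw while the warning text itself calls this a pseudo RNG, so a consumer that trusts the raw-entropy algorithm id cannot tell the difference — say so in a comment on the Dev definition.
```c
  for (i = 0; i < RNGValueLength; i += sizeof (RandomData)) {
    if (!GetRandomNumber64 (&RandomData)) {
      return EFI_NOT_READY;
    }

    CopyMem (RNGValue + i, &RandomData, MIN (sizeof (RandomData), RNGValueLength - i));
  }
```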
diff --git a/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
new file mode 100644
index 0000000..f526e0d
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
@@ -0,0 +1,101 @@ +From 9c180326056f489b55999586f3bc1d225eda985e Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Thu, 7 Nov 2024 11:36:22 +0100 +Subject: [PATCH] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 81: OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only) +RH-Jira: RHEL-66230 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 1c2135c76fa4eb3d64000d3b0161393703dd5dd6 (osteffen/edk2) + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +This patch adds the fallback rng (added on ae9be39436) +also to the PlatformBootManagerLibLight, which is used by ArmVirtPkg. + +Signed-off-by: Oliver Steffen +--- + OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c | 6 ++++++ + .../PlatformBootManagerLibLight/PlatformBootManagerLib.inf | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +index 8e93f3cfed..8aa1e8e2df 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include "FallbackRng.h" + + #include "PlatformBm.h" + +@@ -1029,6 +1030,7 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput); + ++ + // + // Add the hardcoded short-form USB keyboard device path to ConIn. 
+ // +@@ -1110,6 +1112,8 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gVirtioDeviceProtocolGuid, IsVirtioSerial, SetupVirtioSerial); + FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial); ++ ++ FallbackRngCheckAndInstall (); + } + + /** +@@ -1175,6 +1179,8 @@ PlatformBootManagerAfterConsole ( + RETURN_STATUS Status; + BOOLEAN Uninstall; + ++ FallbackRngPrintWarning (); ++ + // + // Show the splash screen. + // +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +index 8e7cd5605f..4583c05ef4 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +@@ -27,6 +27,8 @@ + PlatformBm.c + PlatformBm.h + QemuKernel.c ++ ../PlatformBootManagerLib/FallbackRng.h ++ ../PlatformBootManagerLib/FallbackRng.c + + [Packages] + MdeModulePkg/MdeModulePkg.dec +@@ -53,6 +55,7 @@ + UefiBootServicesTableLib + UefiLib + UefiRuntimeServicesTableLib ++ RngLib + + [FixedPcd] + gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate +@@ -70,6 +73,7 @@ + gEfiGlobalVariableGuid + gRootBridgesConnectedEventGroupGuid + gUefiShellFileGuid ++ gEfiRngAlgorithmRaw + + [Protocols] + gEfiFirmwareVolume2ProtocolGuid +@@ -77,3 +81,4 @@ + gEfiMemoryAttributeProtocolGuid + gEfiPciRootBridgeIoProtocolGuid + gVirtioDeviceProtocolGuid ++ gEfiRngProtocolGuid +-- +2.39.3 + diff --git a/SOURCES/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch b/SOURCES/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch new file mode 100644 index 0000000..5be4623 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch 
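Review bot: The hunk at `@@ -1029,6 +1030,7 @@` adds nothing but a blank line after the `FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput);` call — an unrelated whitespace change that should be dropped from the patch. The .inf hunk pulls `../PlatformBootManagerLib/FallbackRng.c` into this module by relative path while PlatformBm.c includes `"FallbackRng.h"` by bare name, so the two libraries are now coupled through the directory layout; a short comment beside the [Sources] entries saying the file is deliberately shared with PlatformBootManagerLib would help whoever next reorganises either library. As in the x86 patch, the EFI_STATUS from `FallbackRngCheckAndInstall ()` is discarded in PlatformBootManagerBeforeConsole; that is tolerable because the function logs its own failures, but a one-line comment stating that intent would make it explicit. Both PlatformBootManagerBeforeConsole and PlatformBootManagerAfterConsole begin and end outside the hunks.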
@@ -0,0 +1,65 @@
+From 126d004ce8884b68621394a62cf8a467c34d5d5b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 23 Aug 2024 14:36:16 +0200
+Subject: [PATCH 2/3] OvmfPkg/QemuVideoDxe: ignore display resolutions smaller
+ than 640x480
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
+RH-Jira: RHEL-56248
+RH-Acked-by: Oliver Steffen
+RH-Commit: [2/2] 376e5213497c007cd88bd8f7df9980d28f0fd143 (kraxel.rh/centos-src-edk2)
+
+GraphicsConsoleDxe will assert in case the resolution is too small.
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 391666da2c1dc5671bbb3393079d86f46e3435af)
+---
+ OvmfPkg/QemuVideoDxe/Initialize.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/QemuVideoDxe/Initialize.c b/OvmfPkg/QemuVideoDxe/Initialize.c
+index 050ae878ec..2d1f50637f 100644
+--- a/OvmfPkg/QemuVideoDxe/Initialize.c
++++ b/OvmfPkg/QemuVideoDxe/Initialize.c
+@@ -293,6 +293,8 @@ QemuVideoBochsEdid (
+ )
+ {
+ EFI_STATUS Status;
++ UINT32 X;
++ UINT32 Y;
+
+ if (Private->Variant != QEMU_VIDEO_BOCHS_MMIO) {
+ return;
+@@ -344,16 +346,24 @@ QemuVideoBochsEdid (
+ return;
+ }
+
+- *XRes = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
+- *YRes = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
++ X = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
++ Y = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: default resolution: %dx%d\n",
+ __func__,
+- *XRes,
+- *YRes
++ X,
++ Y
+ ));
+
++ if ((X < 640) || (Y < 480)) {
++ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
++ return;
++ }
++
++ *XRes = X;
++ *YRes = Y;
++
+ if (PcdGet8 (PcdVideoResolutionSource) == 0) {
+ Status = PcdSet32S (PcdVideoHorizontalResolution, *XRes);
+ ASSERT_RETURN_ERROR (Status);
+--
+2.39.3
+
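Review bot: The new rejection branch in QemuVideoBochsEdid returns silently: the DEBUG call just above it has already printed the EDID values as the "default resolution", and nothing then records that they were discarded, so a guest that ends up on the PCD defaults is hard to diagnose from the boot log. Add one line inside the branch, `DEBUG ((DEBUG_INFO, "%a: ignoring resolution below 640x480\n", __func__));`. The same 640x480 floor is hard-coded here and in the VirtioGpuDxe patch further down this diff, each with a comment naming GraphicsConsoleDxe as the reason; if that requirement ever moves, both copies have to be found by hand, so a shared named constant, or at least a pointer in each comment to where GraphicsConsoleDxe enforces it, would be worth considering. QemuVideoBochsEdid begins and ends outside the hunks.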
diff --git a/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
new file mode 100644
index 0000000..c5bf10a
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
@@ -0,0 +1,45 @@
+From 47d6a4638ea73965ce1a43248e27b688dddc26ee Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Mon, 4 Nov 2024 19:00:11 +0100
+Subject: [PATCH] OvmfPkg: Rerun dispatcher after initializing virtio-rng
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 84: OvmfPkg: Rerun dispatcher after initializing virtio-rng
+RH-Jira: RHEL-58631
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/1] d663321aab28f000c279bfac6dbaaa378678532e (osteffen/edk2)
+
+Since the pixiefail CVE fix the network stack requires a hardware
+random number generator. This can currently be a modern CPU supporting
+the RDRAND instruction or a virtio-rng device.
+The latter is initialized during the BDS phase.
+To ensure all depending (network) modules are also started, we need to
+run the dispatcher once more after the device was initialized.
+Without this, network boot is not available under certain hardware
+configurations.
+
+Fixes: 4c4ceb2ceb ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
+
+Analysed-by: Stefano Garzarella
+Suggested-by: Gerd Hoffmann
+Signed-off-by: Oliver Steffen
+---
+ OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+index 87d1ac3142..1f1298eb0b 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+@@ -675,6 +675,8 @@ ConnectVirtioPciRng (
+ if (EFI_ERROR (Status)) {
+ goto Error;
+ }
++
++ gDS->Dispatch ();
+ }
+
+ return EFI_SUCCESS;
+--
+2.45.1
+
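Review bot: The added `gDS->Dispatch ()` in ConnectVirtioPciRng carries no comment saying why a dispatcher pass belongs inside a per-device connect callback, and its return value is dropped; the reasoning lives only in the commit message, which nobody reading the code will have. Suggested comment above the call: `// Drivers that depend on EFI_RNG_PROTOCOL (the network stack since the CVE-2023-45237 fix) were held back by the dispatcher; re-run it now that virtio-rng is connected so they load in this boot.` Dispatch returning EFI_NOT_FOUND when nothing new could be started is the expected case here, so discarding the status is fine but worth stating in the same comment. If the callback runs once per virtio-rng handle (not visible in this hunk), each device triggers another pass, which is harmless. The body of ConnectVirtioPciRng starts and ends outside the hunk.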
diff --git a/SOURCES/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch b/SOURCES/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch new file mode 100644 index 0000000..111c4a6 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch @@ -0,0 +1,37 @@ +From f53820c753be836a79d5743d4181f6827e12bcdf Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 23 Aug 2024 14:35:53 +0200 +Subject: [PATCH 1/3] OvmfPkg/VirtioGpuDxe: ignore display resolutions smaller + than 640x480 + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 72: ignore display resolutions smaller than 640x480 +RH-Jira: RHEL-56248 +RH-Acked-by: Oliver Steffen +RH-Commit: [1/2] 1d63fc76f46a6adb49e6c9447563d70ff9728b04 (kraxel.rh/centos-src-edk2) + +GraphicsConsoleDxe will assert in case the resolution is too small. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 58035e8b5e11cfe2b9e6428d14c7817b6b1c83a2) +--- + OvmfPkg/VirtioGpuDxe/Gop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/VirtioGpuDxe/Gop.c b/OvmfPkg/VirtioGpuDxe/Gop.c +index f64dfce5f4..d767114bbb 100644 +--- a/OvmfPkg/VirtioGpuDxe/Gop.c ++++ b/OvmfPkg/VirtioGpuDxe/Gop.c +@@ -265,7 +265,8 @@ GopInitialize ( + // query host for display resolution + // + GopNativeResolution (VgpuGop, &XRes, &YRes); +- if ((XRes == 0) || (YRes == 0)) { ++ if ((XRes < 640) || (YRes < 480)) { ++ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */ + return; + } + +-- +2.39.3 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 0de183b..ed19a68 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE} -Release: 6%{?dist} +Release: 6.0.1%{?dist}.3 Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org 
@@ -50,6 +50,9 @@ Source45: 60-edk2-ovmf-x64-inteltdx.json Source80: edk2-build.py Source82: edk2-build.rhel-9 +#Oracle patch +Source1000: 1000-replace-upstream-references.patch + Source90: DBXUpdate-%{DBXDATE}.x64.bin Patch1: 0003-Remove-paths-leading-to-submodules.patch Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch @@ -101,6 +104,18 @@ Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch # For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9] Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch +# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6] +Patch45: edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch +# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6] +Patch46: edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch +# For RHEL-60833 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6] +Patch47: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch +# For RHEL-65725 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6] +Patch48: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch +# For RHEL-66230 - [Regression] [aarch64] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6] +Patch49: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch +# For RHEL-58631 - [Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater +Patch50: edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and 
@@ -211,6 +226,9 @@ cp -a -- %{SOURCE80} %{SOURCE82} . cp -a -- %{SOURCE90} . tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x +#Apply Oracle patches +patch -p1 < %{SOURCE1000} + # Done by %setup, but we do not use it for the auxiliary tarballs chmod -Rf a+rX,u+w,g-w,o-w . @@ -435,6 +453,27 @@ install -m 0644 \ %changelog +* Thu Dec 19 2024 Alex Burmashev - 20240524-6.0.1.el9_5.3 +- edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch [RHEL-58631] +- Resolves: RHEL-58631 + ([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater) +- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66230] +- Resolves: RHEL-66230 + ([Regression] [aarch64] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6]) +- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-65725] +- Resolves: RHEL-65725 + ([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6]) +- edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch [RHEL-56248] +- edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch [RHEL-56248] +- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60833] +- Resolves: RHEL-56248 + (507x510 display resolution should not crash the firmware [edk2,rhel-9.6]) +- Resolves: RHEL-60833 + (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6]) + +* Tue Nov 12 2024 EL Errata - 20240524-6.0.1 +- Replace upstream references [Orabug:36569119] + * Fri Sep 13 2024 Miroslav Rezanina - 20240524-6 - edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974] - edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336]
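Review bot: `patch -p1 < %{SOURCE1000}` applies the Oracle patch with GNU patch's default fuzz factor, whereas the PatchN entries declared in this spec go through rpm's %patch machinery, which on RHEL/Fedora sets `%_default_patch_fuzz 0`; the next time the OpenSSL tarball from %{SOURCE2} is refreshed, this hunk can land at a shifted location without the build failing. Use `patch -p1 --fuzz=0 < %{SOURCE1000}` and say in the comment why the file is a Source applied by hand rather than a Patch: `# Oracle patch; applied here rather than as PatchN because it targets the OpenSSL tree extracted from SOURCE2 above`. That the other patches are applied through %patch is inferred from their Patch: declarations; the %prep lines that apply them are outside this hunk.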