rpms/edk2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Import OL edk2-20240524-6.0.1.el9_5.3

Browse Source
This commit is contained in:
eabdullin 2024-12-20 13:39:32 +03:00
parent 5aaf34fc91
commit 93d3994249
8 changed files with 711 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
SOURCES/1000-replace-upstream-references.patch Normal file
View File

@ -0,0 +1,23 @@
From a194940b0fc62054430ca36b2bcec473a56745a1 Tue 30 Apr 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 Apr 2024 11:58:21 -0700
Subject: [PATCH] Replace upstream references
Orabug: 36569119
Signed-off-by: John McWalters <john.mcwalters@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
index e978057..67d6957 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
@@ -311,7 +311,7 @@ int fipsinstall_main(int argc, char **argv)
EVP_MAC *mac = NULL;
CONF *conf = NULL;
- BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
+ BIO_printf(bio_err, "This command is not enabled in the Oracle Linux OpenSSL build, please consult Oracle Linux documentation to learn how to enable FIPS mode\n");
return 1;
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)

50
SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch Normal file
View File

@ -0,0 +1,50 @@
From effd0f360ea1186b2b6af0aa2420d4bf779d51ef Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 1 Oct 2024 18:40:41 -0400
Subject: [PATCH 3/3] MdePkg: Fix overflow issue in BasePeCoffLib
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 78: MdePkg: Fix overflow issue in BasePeCoffLib
RH-Jira: RHEL-60833
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [1/1] 812453d5d03bcd92dfa6aea594af6214569c419e
JIRA: https://issues.redhat.com/browse/RHEL-60833
CVE: CVE-2024-38796
Upstream: Merged
commit c95233b8525ca6828921affd1496146cff262e65
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Sep 27 12:08:55 2024 -0700
MdePkg: Fix overflow issue in BasePeCoffLib
The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
check to ensure that the addition does not overflow.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 86ff2e769b..128090d98e 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
RelocDir = &Hdr.Te->DataDirectory[0];
}
- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
+ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
ImageContext,
--
2.39.3

350
SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch Normal file
View File

@ -0,0 +1,350 @@
From ff9baf5bf0ef960b9f1bb9668cfe6f3d66b288d0 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Mon, 4 Nov 2024 12:40:12 +0100
Subject: [PATCH] OvmfPkg: Add a Fallback RNG (RH only)
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 80: OvmfPkg: Add a Fallback RNG (RH only)
RH-Jira: RHEL-65725
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/1] 2865ef247c476418c88ba988449841aee4a93bea (osteffen/edk2)
Since the pixiefail CVE fix, the network stack requires a random number
generator.
In case there is no hardware random number generator available,
have the Platform Boot Manager install a pseudo RNG to ensure
the network can be used.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../PlatformBootManagerLib/BdsPlatform.c | 7 +
.../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++
.../PlatformBootManagerLib/FallbackRng.h | 20 ++
.../PlatformBootManagerLib.inf | 5 +
4 files changed, 254 insertions(+)
create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index d9f61757cf..87d1ac3142 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -15,6 +15,8 @@
#include <Library/Tcg2PhysicalPresenceLib.h>
#include <Library/XenPlatformLib.h>
+#include "FallbackRng.h"
+
//
// Global data
//
@@ -539,6 +541,9 @@ PlatformBootManagerBeforeConsole (
ConnectVirtioPciRng,
NULL
);
+
+ FallbackRngCheckAndInstall ();
+
}
EFI_STATUS
@@ -1778,6 +1783,8 @@ PlatformBootManagerAfterConsole (
DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n"));
+ FallbackRngPrintWarning ();
+
if (PcdGetBool (PcdOvmfFlashVariablesEnable)) {
DEBUG ((
DEBUG_INFO,
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
new file mode 100644
index 0000000000..bba60e29d5
--- /dev/null
+++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
@@ -0,0 +1,222 @@
+/** @file
+ Copyright (C) 2024, Red Hat, Inc.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/Rng.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/RngLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
+#include <Library/PrintLib.h>
+#include <Library/DxeServicesTableLib.h>
+
+#include "FallbackRng.h"
+
+typedef struct {
+ EFI_RNG_PROTOCOL Rng;
+ EFI_HANDLE Handle;
+} FALLBACK_RNG_DEV;
+
+/**
+ Returns information about the random number generation implementation.
+
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
+ instance.
+ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of
+ RNGAlgorithmList.
+ On output with a return code of
+ EFI_SUCCESS, the size in bytes of the
+ data returned in RNGAlgorithmList. On
+ output with a return code of
+ EFI_BUFFER_TOO_SMALL, the size of
+ RNGAlgorithmList required to obtain the
+ list.
+ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled
+ by the driver with one EFI_RNG_ALGORITHM
+ element for each supported RNG algorithm.
+ The list must not change across multiple
+ calls to the same driver. The first
+ algorithm in the list is the default
+ algorithm for the driver.
+
+ @retval EFI_SUCCESS The RNG algorithm list was returned
+ successfully.
+ @retval EFI_UNSUPPORTED The services is not supported by this
+ driver.
+ @retval EFI_DEVICE_ERROR The list of algorithms could not be
+ retrieved due to a hardware or firmware
+ error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
+ incorrect.
+ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small
+ to hold the result.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+FallbackRngGetInfo (
+ IN EFI_RNG_PROTOCOL *This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
+ )
+{
+ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) {
+ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (RNGAlgorithmList == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
+ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Produces and returns an RNG value using either the default or specified RNG
+ algorithm.
+
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
+ instance.
+ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that
+ identifies the RNG algorithm to use. May
+ be NULL in which case the function will
+ use its default RNG algorithm.
+ @param[in] RNGValueLength The length in bytes of the memory buffer
+ pointed to by RNGValue. The driver shall
+ return exactly this numbers of bytes.
+ @param[out] RNGValue A caller-allocated memory buffer filled
+ by the driver with the resulting RNG
+ value.
+
+ @retval EFI_SUCCESS The RNG value was returned successfully.
+ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm
+ is not supported by this driver.
+ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due
+ to a hardware or firmware error.
+ @retval EFI_NOT_READY There is not enough random data available
+ to satisfy the length requested by
+ RNGValueLength.
+ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is
+ zero.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+FallbackRngGetRNG (
+ IN EFI_RNG_PROTOCOL *This,
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
+ IN UINTN RNGValueLength,
+ OUT UINT8 *RNGValue
+ )
+{
+ UINT64 RandomData;
+ EFI_STATUS Status;
+ UINTN i;
+
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // We only support the raw algorithm, so reject requests for anything else
+ //
+ if ((RNGAlgorithm != NULL) &&
+ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw))
+ {
+ return EFI_UNSUPPORTED;
+ }
+
+ for (i = 0; i < RNGValueLength; ++i) {
+ if (i % 4 == 0) {
+ Status = GetRandomNumber64 (&RandomData);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+static FALLBACK_RNG_DEV Dev = {
+ .Rng.GetInfo = FallbackRngGetInfo,
+ .Rng.GetRNG = FallbackRngGetRNG,
+ .Handle = NULL,
+};
+
+EFI_STATUS
+FallbackRngCheckAndInstall (
+ )
+{
+ EFI_STATUS Status;
+ EFI_HANDLE *HandleBuffer = NULL;
+ UINTN HandleCount = 0;
+
+ if (Dev.Handle != NULL) {
+ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n"));
+ return EFI_ALREADY_STARTED;
+ }
+
+ Status = gBS->LocateHandleBuffer (
+ ByProtocol,
+ &gEfiRngProtocolGuid,
+ NULL,
+ &HandleCount,
+ &HandleBuffer
+ );
+
+ gBS->FreePool (HandleBuffer);
+
+ if (Status == EFI_NOT_FOUND) {
+ HandleCount = 0;
+ } else if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status));
+ return Status;
+ }
+
+ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount));
+
+ if (HandleCount == 0) {
+ // Install RNG
+ Status = gBS->InstallProtocolInterface (
+ &Dev.Handle,
+ &gEfiRngProtocolGuid,
+ EFI_NATIVE_INTERFACE,
+ &Dev.Rng
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status));
+ return Status;
+ }
+
+ gDS->Dispatch ();
+ }
+
+ return EFI_SUCCESS;
+}
+
+VOID
+FallbackRngPrintWarning (
+ )
+{
+ if (Dev.Handle != NULL) {
+ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n");
+ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"));
+ gBS->Stall (2000000);
+ }
+}
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
new file mode 100644
index 0000000000..77332bc51c
--- /dev/null
+++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
@@ -0,0 +1,20 @@
+/** @file
+ Copyright (C) 2024, Red Hat, Inc.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _FALLBACK_RNG_H_
+#define _FALLBACK_RNG_H_
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiSpec.h>
+
+EFI_STATUS
+FallbackRngCheckAndInstall (
+ );
+
+VOID
+FallbackRngPrintWarning (
+ );
+
+#endif
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index c6ffc1ed9e..211716e30d 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -25,6 +25,8 @@
PlatformData.c
QemuKernel.c
BdsPlatform.h
+ FallbackRng.c
+ FallbackRng.h
[Packages]
MdePkg/MdePkg.dec
@@ -56,6 +58,7 @@
PlatformBmPrintScLib
Tcg2PhysicalPresenceLib
XenPlatformLib
+ RngLib
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
@@ -80,6 +83,7 @@
gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED
+ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
[Guids]
gEfiEndOfDxeEventGroupGuid
@@ -87,3 +91,4 @@
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
gGrubFileGuid
+ gEfiRngAlgorithmRaw
--
2.39.3

101
SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch Normal file
View File

@ -0,0 +1,101 @@
From 9c180326056f489b55999586f3bc1d225eda985e Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Thu, 7 Nov 2024 11:36:22 +0100
Subject: [PATCH] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only)
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 81: OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only)
RH-Jira: RHEL-66230
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/1] 1c2135c76fa4eb3d64000d3b0161393703dd5dd6 (osteffen/edk2)
Since the pixiefail CVE fix, the network stack requires a random number
generator.
In case there is no hardware random number generator available,
have the Platform Boot Manager install a pseudo RNG to ensure
the network can be used.
This patch adds the fallback rng (added on ae9be39436)
also to the PlatformBootManagerLibLight, which is used by ArmVirtPkg.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c | 6 ++++++
.../PlatformBootManagerLibLight/PlatformBootManagerLib.inf | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c
index 8e93f3cfed..8aa1e8e2df 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c
@@ -30,6 +30,7 @@
#include <Guid/GlobalVariable.h>
#include <Guid/RootBridgesConnectedEventGroup.h>
#include <Guid/SerialPortLibVendor.h>
+#include "FallbackRng.h"
#include "PlatformBm.h"
@@ -1029,6 +1030,7 @@ PlatformBootManagerBeforeConsole (
//
FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput);
+
//
// Add the hardcoded short-form USB keyboard device path to ConIn.
//
@@ -1110,6 +1112,8 @@ PlatformBootManagerBeforeConsole (
//
FilterAndProcess (&gVirtioDeviceProtocolGuid, IsVirtioSerial, SetupVirtioSerial);
FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial);
+
+ FallbackRngCheckAndInstall ();
}
/**
@@ -1175,6 +1179,8 @@ PlatformBootManagerAfterConsole (
RETURN_STATUS Status;
BOOLEAN Uninstall;
+ FallbackRngPrintWarning ();
+
//
// Show the splash screen.
//
diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf
index 8e7cd5605f..4583c05ef4 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf
@@ -27,6 +27,8 @@
PlatformBm.c
PlatformBm.h
QemuKernel.c
+ ../PlatformBootManagerLib/FallbackRng.h
+ ../PlatformBootManagerLib/FallbackRng.c
[Packages]
MdeModulePkg/MdeModulePkg.dec
@@ -53,6 +55,7 @@
UefiBootServicesTableLib
UefiLib
UefiRuntimeServicesTableLib
+ RngLib
[FixedPcd]
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
@@ -70,6 +73,7 @@
gEfiGlobalVariableGuid
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
+ gEfiRngAlgorithmRaw
[Protocols]
gEfiFirmwareVolume2ProtocolGuid
@@ -77,3 +81,4 @@
gEfiMemoryAttributeProtocolGuid
gEfiPciRootBridgeIoProtocolGuid
gVirtioDeviceProtocolGuid
+ gEfiRngProtocolGuid
--
2.39.3

65
SOURCES/edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch Normal file
View File

@ -0,0 +1,65 @@
From 126d004ce8884b68621394a62cf8a467c34d5d5b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 23 Aug 2024 14:36:16 +0200
Subject: [PATCH 2/3] OvmfPkg/QemuVideoDxe: ignore display resolutions smaller
than 640x480
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
RH-Jira: RHEL-56248
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [2/2] 376e5213497c007cd88bd8f7df9980d28f0fd143 (kraxel.rh/centos-src-edk2)
GraphicsConsoleDxe will assert in case the resolution is too small.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 391666da2c1dc5671bbb3393079d86f46e3435af)
---
OvmfPkg/QemuVideoDxe/Initialize.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/QemuVideoDxe/Initialize.c b/OvmfPkg/QemuVideoDxe/Initialize.c
index 050ae878ec..2d1f50637f 100644
--- a/OvmfPkg/QemuVideoDxe/Initialize.c
+++ b/OvmfPkg/QemuVideoDxe/Initialize.c
@@ -293,6 +293,8 @@ QemuVideoBochsEdid (
)
{
EFI_STATUS Status;
+ UINT32 X;
+ UINT32 Y;
if (Private->Variant != QEMU_VIDEO_BOCHS_MMIO) {
return;
@@ -344,16 +346,24 @@ QemuVideoBochsEdid (
return;
}
- *XRes = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
- *YRes = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
+ X = Private->Edid[56] | ((Private->Edid[58] & 0xf0) << 4);
+ Y = Private->Edid[59] | ((Private->Edid[61] & 0xf0) << 4);
DEBUG ((
DEBUG_INFO,
"%a: default resolution: %dx%d\n",
__func__,
- *XRes,
- *YRes
+ X,
+ Y
));
+ if ((X < 640) || (Y < 480)) {
+ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
+ return;
+ }
+
+ *XRes = X;
+ *YRes = Y;
+
if (PcdGet8 (PcdVideoResolutionSource) == 0) {
Status = PcdSet32S (PcdVideoHorizontalResolution, *XRes);
ASSERT_RETURN_ERROR (Status);
--
2.39.3

45
SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch Normal file
View File

@ -0,0 +1,45 @@
From 47d6a4638ea73965ce1a43248e27b688dddc26ee Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Mon, 4 Nov 2024 19:00:11 +0100
Subject: [PATCH] OvmfPkg: Rerun dispatcher after initializing virtio-rng
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 84: OvmfPkg: Rerun dispatcher after initializing virtio-rng
RH-Jira: RHEL-58631
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/1] d663321aab28f000c279bfac6dbaaa378678532e (osteffen/edk2)
Since the pixiefail CVE fix the network stack requires a hardware
random number generator. This can currently be a modern CPU supporting
the RDRAND instruction or a virtio-rng device.
The latter is initialized during the BDS phase.
To ensure all depending (network) modules are also started, we need to
run the dispatcher once more after the device was initialized.
Without this, network boot is not available under certain hardware
configurations.
Fixes: 4c4ceb2ceb ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
Analysed-by: Stefano Garzarella <sgarzare@redhat.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 87d1ac3142..1f1298eb0b 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -675,6 +675,8 @@ ConnectVirtioPciRng (
if (EFI_ERROR (Status)) {
goto Error;
}
+
+ gDS->Dispatch ();
}
return EFI_SUCCESS;
--
2.45.1

37
SOURCES/edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch Normal file
View File

@ -0,0 +1,37 @@
From f53820c753be836a79d5743d4181f6827e12bcdf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 23 Aug 2024 14:35:53 +0200
Subject: [PATCH 1/3] OvmfPkg/VirtioGpuDxe: ignore display resolutions smaller
than 640x480
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
RH-MergeRequest: 72: ignore display resolutions smaller than 640x480
RH-Jira: RHEL-56248
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [1/2] 1d63fc76f46a6adb49e6c9447563d70ff9728b04 (kraxel.rh/centos-src-edk2)
GraphicsConsoleDxe will assert in case the resolution is too small.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 58035e8b5e11cfe2b9e6428d14c7817b6b1c83a2)
---
OvmfPkg/VirtioGpuDxe/Gop.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/VirtioGpuDxe/Gop.c b/OvmfPkg/VirtioGpuDxe/Gop.c
index f64dfce5f4..d767114bbb 100644
--- a/OvmfPkg/VirtioGpuDxe/Gop.c
+++ b/OvmfPkg/VirtioGpuDxe/Gop.c
@@ -265,7 +265,8 @@ GopInitialize (
// query host for display resolution
//
GopNativeResolution (VgpuGop, &XRes, &YRes);
- if ((XRes == 0) || (YRes == 0)) {
+ if ((XRes < 640) || (YRes < 480)) {
+ /* ignore hint, GraphicsConsoleDxe needs 640x480 or larger */
return;
}
--
2.39.3

41
SPECS/edk2.spec
View File

@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2 Name: edk2
Version: %{GITDATE} Version: %{GITDATE}
Release: 6%{?dist} Release: 6.0.1%{?dist}.3
Summary: UEFI firmware for 64-bit virtual machines Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and Apache-2.0 and MIT License: BSD-2-Clause-Patent and Apache-2.0 and MIT
URL: http://www.tianocore.org URL: http://www.tianocore.org
@ -50,6 +50,9 @@ Source45: 60-edk2-ovmf-x64-inteltdx.json
Source80: edk2-build.py Source80: edk2-build.py
Source82: edk2-build.rhel-9 Source82: edk2-build.rhel-9
#Oracle patch
Source1000: 1000-replace-upstream-references.patch
Source90: DBXUpdate-%{DBXDATE}.x64.bin Source90: DBXUpdate-%{DBXDATE}.x64.bin
Patch1: 0003-Remove-paths-leading-to-submodules.patch Patch1: 0003-Remove-paths-leading-to-submodules.patch
Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@ -101,6 +104,18 @@ Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch
Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch
# For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9] # For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9]
Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch
# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6]
Patch45: edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch
# For RHEL-56248 - 507x510 display resolution should not crash the firmware [edk2,rhel-9.6]
Patch46: edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch
# For RHEL-60833 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6]
Patch47: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
# For RHEL-65725 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6]
Patch48: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
# For RHEL-66230 - [Regression] [aarch64] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6]
Patch49: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
# For RHEL-58631 - [Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater
Patch50: edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
# python3-devel and libuuid-devel are required for building tools. # python3-devel and libuuid-devel are required for building tools.
# python3-devel is also needed for varstore template generation and # python3-devel is also needed for varstore template generation and
@ -211,6 +226,9 @@ cp -a -- %{SOURCE80} %{SOURCE82} .
cp -a -- %{SOURCE90} . cp -a -- %{SOURCE90} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
#Apply Oracle patches
patch -p1 < %{SOURCE1000}
# Done by %setup, but we do not use it for the auxiliary tarballs # Done by %setup, but we do not use it for the auxiliary tarballs
chmod -Rf a+rX,u+w,g-w,o-w . chmod -Rf a+rX,u+w,g-w,o-w .
@ -435,6 +453,27 @@ install -m 0644 \
%changelog %changelog
* Thu Dec 19 2024 Alex Burmashev <alexander.burmashev@oracle.com> - 20240524-6.0.1.el9_5.3
- edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch [RHEL-58631]
- Resolves: RHEL-58631
([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater)
- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66230]
- Resolves: RHEL-66230
([Regression] [aarch64] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6])
- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-65725]
- Resolves: RHEL-65725
([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.6])
- edk2-OvmfPkg-VirtioGpuDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
- edk2-OvmfPkg-QemuVideoDxe-ignore-display-resolutions-smal.patch [RHEL-56248]
- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60833]
- Resolves: RHEL-56248
(507x510 display resolution should not crash the firmware [edk2,rhel-9.6])
- Resolves: RHEL-60833
(CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.6])
* Tue Nov 12 2024 EL Errata <el-errata_ww@oracle.com> - 20240524-6.0.1
- Replace upstream references [Orabug:36569119]
* Fri Sep 13 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-6 * Fri Sep 13 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-6
- edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974] - edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974]
- edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336] - edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336]