rpms/edk2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Feb 27 2024 Gerd Hoffmann <kraxel@redhat.com> - 20240214-1

Browse Source 
- Rebase to edk2-stable202302
- Resolves: RHEL-26879
This commit is contained in:
Miroslav Rezanina 2024-03-12 03:30:57 -04:00
parent 9ab668cc6b
commit 9c8fc7cb9a
75 changed files with 521 additions and 12131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
0001-ignore-build-artifacts-generated-files-session-setti.patch
View File

@ -1,83 +0,0 @@
From 21816395a94558c8e5c97f13adbb5ffb909656b8 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 Jun 2014 21:55:22 +0200
Subject: [PATCH] ignore build artifacts, generated files, session settings etc
(RHEL only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no changes
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- refresh against upstream commit 48760409ccc8 (".gitignore: Ignore python
compiled files, extdeps, and vscode", 2019-11-11)
- add ".AutoGenIdFile.txt" to "Conf/.gitignore", in response to upstream
commit 373298ca0d60 ("BaseTools: Fixed issue for IgnoreAutoGen",
2019-09-10)
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
- no changes
Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
RHEL-8.1/20190308-89910a39dcfd rebase:
- no changes
Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
RHEL-8.0/20180508-ee3198e672e2 rebase:
- reorder the rebase changelog in the commit message so that it reads like
a blog: place more recent entries near the top
- no changes to the patch body
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- no changes
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- Conflict resolution against upstream commit 112f4ada2e6b ("edk2: Add
.DS_Store to .gitignore for macOS", 2017-05-04), in the ".gitignore"
file.
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Notes about the 9ece15a -> c9e5618 rebase:
- Upstream added .gitignore files in the meanwhile, we just need some
light customization. In particular the Conf/ReadMe.txt file should not
be ignored, it is not generated.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 3b9c914f2d6bff6274d5ed45fcf4c757ce27031b)
(cherry picked from commit b66c3c6d11a834dc7cb3ab326f09c6a21c0b81e8)
(cherry picked from commit c94381432988f6137de46772cbd4080d9832c9ad)
(cherry picked from commit 730cc57005e4908fcee29109672284808b21ec1c)
(cherry picked from commit 161184bcb55a670f8f7f8c4147825eb360b73794)
(cherry picked from commit 4eec2bb2176f2deda2b2c44a6f2ea167c5a43433)
(cherry picked from commit ea548c8d0c9d4cd5b8b5200eda8ff6ac220a6307)
(cherry picked from commit 4872f69df8b0460fbbfcd75950d81fdcd213f8c0)
---
Conf/.gitignore | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Conf/.gitignore b/Conf/.gitignore
index 5e4debcc10..8601fc0cee 100644
--- a/Conf/.gitignore
+++ b/Conf/.gitignore
@@ -1 +1,6 @@
-*
+.AutoGenIdFile.txt
+.cache/
+BuildEnv.sh
+build_rule.txt
+target.txt
+tools_def.txt

121
0002-Remove-submodules.patch
View File

@ -1,121 +0,0 @@
From ff10592d4710f12d601dcfcdd25f28b6941c5141 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 24 Mar 2022 03:23:02 -0400
Subject: [PATCH] Remove submodules
Rebase to edk2-stable202311: removing additional submodule:
- CryptoPkg/Library/MbedTlsLib/mbedtls
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Rebase to edk2-stable202305: removing additional submodules:
- MdePkg/Library/BaseFdtLib/libfdt
- MdePkg/Library/MipiSysTLib/mipisyst
- UnitTestFrameworkPkg/Library/GoogleTestLib/googletest
- UnitTestFrameworkPkg/Library/SubhookLib/subhook
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Upstream edk2 tracks several submodules we do not need in RHEL (removal
done by individual commits in previous RHEL versions):
- openssl: We use RHEL specific openssl submodule later (commit 48f993088e)
- SoftFloat: required only for 32-bit ARM (commit 273787a5c2)
- cmocka: needed for UnitTestFrameworkPkg we do not use (commit a2dca9bcd2)
- oniguruma: rhel do not need this dependency (commit 73f4b42b3a)
- brotli: removed this dependency (commits fcd212ffce, cf62a90767 and ac5782e6ab)
- jansson: we do not depend on JSON parsing or formating (commit c84227659a)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
MdeModulePkg: remove package-private Brotli include path (RH only)
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
- no change
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- New patch.
Originating from upstream commit 58802e02c41b
("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule",
2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal
include path into a Brotli submodule.
The edk2 build system requires such include paths to resolve successfully,
regardless of the firmware platform being built. Because
BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg
platforms, and we've removed the submodule earlier in this patch set,
remove the include path too.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e05e0de713c4a2b8adb6ff9809611f222bfe50ed)
---
BaseTools/Source/C/GNUmakefile | 1 -
CryptoPkg/.gitignore | 1 +
MdeModulePkg/MdeModulePkg.dec | 3 ---
MdePkg/MdePkg.dec | 5 -----
4 files changed, 1 insertion(+), 9 deletions(-)
create mode 100644 CryptoPkg/.gitignore
diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
index 5275f657ef..39d7199753 100644
--- a/BaseTools/Source/C/GNUmakefile
+++ b/BaseTools/Source/C/GNUmakefile
@@ -51,7 +51,6 @@ all: makerootdir subdirs
LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \
- BrotliCompress \
VfrCompile \
EfiRom \
GenFfs \
diff --git a/CryptoPkg/.gitignore b/CryptoPkg/.gitignore
new file mode 100644
index 0000000000..68b83272b7
--- /dev/null
+++ b/CryptoPkg/.gitignore
@@ -0,0 +1 @@
+Library/OpensslLib/openssl*/
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index d2fede4f87..265dfec94f 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -26,9 +26,6 @@
Include
Test/Mock/Include
-[Includes.Common.Private]
- Library/BrotliCustomDecompressLib/brotli/c/include
-
[LibraryClasses]
## @libraryclass Defines a set of methods to reset whole system.
ResetSystemLib|Include/Library/ResetSystemLib.h
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index ac54338089..29f0a6e178 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -29,7 +29,6 @@
Include
Test/UnitTest/Include
Test/Mock/Include
- Library/MipiSysTLib/mipisyst/library/include
[Includes.IA32]
Include/Ia32
@@ -295,10 +294,6 @@
#
FdtLib|Include/Library/FdtLib.h
- ## @libraryclass Provides general mipi sys-T services.
- #
- MipiSysTLib|Include/Library/MipiSysTLib.h
-
## @libraryclass Provides API to output Trace Hub debug message.
#
TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h

65
0003-Remove-paths-leading-to-submodules.patch Normal file
View File

@ -0,0 +1,65 @@
From 3ab8a3e323e1bafb82266c0728e60a42d173764f Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 24 Mar 2022 03:23:02 -0400
Subject: [PATCH] Remove paths leading to submodules
We removed submodules used upstream. However, edk2 build system requires
such include paths to resolve successfully, regardless of the firmware
platform being built.
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
BaseTools/Source/C/GNUmakefile | 1 -
MdeModulePkg/MdeModulePkg.dec | 3 ---
MdePkg/MdePkg.dec | 5 -----
3 files changed, 9 deletions(-)
diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
index 5275f657ef..39d7199753 100644
--- a/BaseTools/Source/C/GNUmakefile
+++ b/BaseTools/Source/C/GNUmakefile
@@ -51,7 +51,6 @@ all: makerootdir subdirs
LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \
- BrotliCompress \
VfrCompile \
EfiRom \
GenFfs \
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a2cd83345f..98b3acb703 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -26,9 +26,6 @@
Include
Test/Mock/Include
-[Includes.Common.Private]
- Library/BrotliCustomDecompressLib/brotli/c/include
-
[LibraryClasses]
## @libraryclass Defines a set of methods to reset whole system.
ResetSystemLib|Include/Library/ResetSystemLib.h
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 0459418906..bb347547f8 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -29,7 +29,6 @@
Include
Test/UnitTest/Include
Test/Mock/Include
- Library/MipiSysTLib/mipisyst/library/include
[Includes.IA32]
Include/Ia32
@@ -295,10 +294,6 @@
#
FdtLib|Include/Library/FdtLib.h
- ## @libraryclass Provides general mipi sys-T services.
- #
- MipiSysTLib|Include/Library/MipiSysTLib.h
-
## @libraryclass Provides API to output Trace Hub debug message.
#
TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h

6
0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch → 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
View File

@ -1,4 +1,4 @@
From a531e0f3c999670f54926b2579e0721d217a49e0 Mon Sep 17 00:00:00 2001
From 1a8cccb3be265d0c423bbb42511b1d9111b076e0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 22:40:01 +0100
Subject: [PATCH] MdeModulePkg: TerminalDxe: set xterm resolution on mode
@ -99,10 +99,10 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
3 files changed, 36 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 265dfec94f..092a8dee2a 100644
index 98b3acb703..71a2967646 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2158,6 +2158,10 @@
@@ -2164,6 +2164,10 @@
# @Prompt The value is use for Usb Network rate limiting supported.
gEfiMdeModulePkgTokenSpaceGuid.PcdUsbNetworkRateLimitingFactor|100|UINT32|0x10000028

38
0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch → 0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
View File

@ -1,4 +1,4 @@
From c53aae9d945648b7301efede1dc77bf7b7f4ee1c Mon Sep 17 00:00:00 2001
From cf04a1c13e796013f0cb06447127cf5cf35eb0a0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 15:59:06 +0200
Subject: [PATCH] OvmfPkg: take PcdResizeXterm from the QEMU command line (RH
@ -83,10 +83,10 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
9 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 302c90e7c2..ef70f5f08c 100644
index a31a89344a..d6bfc43fe5 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -486,6 +486,7 @@
@@ -484,6 +484,7 @@
[PcdsDynamicDefault]
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -95,10 +95,10 @@ index 302c90e7c2..ef70f5f08c 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index c23c7eaf6c..49521ba47c 100644
index b522fa1059..c5fd84027f 100644
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -576,6 +576,7 @@
@@ -579,6 +579,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -107,10 +107,10 @@ index c23c7eaf6c..49521ba47c 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 182ec3705d..fd6722499a 100644
index 82e3e41cfc..6d72b80dc9 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -482,6 +482,7 @@
@@ -477,6 +477,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -119,10 +119,10 @@ index 182ec3705d..fd6722499a 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index ea1fa3e296..79f14b5c05 100644
index 063324cd05..53222d80be 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -584,7 +584,7 @@
@@ -582,7 +582,7 @@
# only set when
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
@ -132,38 +132,38 @@ index ea1fa3e296..79f14b5c05 100644
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index ed3a19feeb..3101a3a4cf 100644
index 28379961a7..4f6dfedc2c 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -604,6 +604,7 @@
@@ -599,6 +599,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 16ca139b29..0c174947b7 100644
index 5e9eee628a..923e187942 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -616,6 +616,7 @@
@@ -611,6 +611,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index dc1a0942aa..a328726d55 100644
index bf4c7906c4..06b38b1715 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -634,6 +634,7 @@
@@ -629,6 +629,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
@ -199,7 +199,7 @@ index f5dc41c3a8..f244dcd24d 100644
InstallClearCacheCallback ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 3934aeed95..d84aefee6d 100644
index ad52be3065..d7d688284b 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -100,6 +100,7 @@

4
0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch → 0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
View File

@ -1,4 +1,4 @@
From db9d61b18715590fc8956eb5da9b036afbfd9ab9 Mon Sep 17 00:00:00 2001
From 65e47dac7f0c2cc4d5fa2513f4a217a060c9da3c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sun, 26 Jul 2015 08:02:50 +0000
Subject: [PATCH] ArmVirtPkg: take PcdResizeXterm from the QEMU command line
@ -96,7 +96,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 30e3cfc8b9..7b88b7441f 100644
index e48c75b5e9..181265057e 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -309,6 +309,8 @@

24
0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch → 0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From ccc528cc7a9d5b0029a1ca91cb592c999e9f8c5a Mon Sep 17 00:00:00 2001
From cf51a0c4a259a505f58c1cf626864f41cf3f27ef Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:45 +0100
Subject: [PATCH] OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
@ -65,10 +65,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index ef70f5f08c..28bdc56227 100644
index d6bfc43fe5..2b4c551773 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -428,7 +428,7 @@
@@ -429,7 +429,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
@ -78,41 +78,41 @@ index ef70f5f08c..28bdc56227 100644
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 3101a3a4cf..c4fc79a851 100644
index 4f6dfedc2c..ae3b446ff2 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -537,7 +537,7 @@
@@ -535,7 +535,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 0c174947b7..1da23b5389 100644
index 923e187942..4a547f28c0 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -544,7 +544,7 @@
@@ -542,7 +542,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index a328726d55..4f886ba644 100644
index 06b38b1715..68bd1f6dcb 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -563,7 +563,7 @@
@@ -561,7 +561,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17

87
0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch → 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
View File

@ -1,9 +1,13 @@
From 4bb5f3b3473da371b4db99899c1128ae4ff99f6e Mon Sep 17 00:00:00 2001
From 3ece2f792aec743c42c415809846ea1ac1f0aedf Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:46 +0100
Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
QemuVideoDxe/QemuRamfbDxe (RH)
edk2-stable202402 rebase:
- context changes due to CSM support removal.
Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
@ -82,12 +86,12 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 28bdc56227..cbd48af4dc 100644
index 2b4c551773..f81a0ac375 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -694,8 +694,14 @@
@@ -691,8 +691,14 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
@ -103,68 +107,65 @@ index 28bdc56227..cbd48af4dc 100644
#
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index c4fc79a851..75a61c88e6 100644
index ae3b446ff2..7e07fbfd46 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -850,9 +850,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
@@ -828,8 +828,14 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 1da23b5389..e5ca067d4c 100644
index 4a547f28c0..f28c71a7a8 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -868,9 +868,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
@@ -842,8 +842,14 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 4f886ba644..ad314d86c6 100644
index 68bd1f6dcb..680bdb5f4c 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -936,9 +936,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
@@ -910,8 +910,14 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#

6
0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch → 0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
View File

@ -1,4 +1,4 @@
From 72830b010e7b78ef8d74cefcb5c6ad018c653ea6 Mon Sep 17 00:00:00 2001
From 33b60bfb25647368c761ae9d875c481086e147ce Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 27 Jan 2016 03:05:18 +0100
Subject: [PATCH] ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in
@ -61,7 +61,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7b88b7441f..fe7b7e1d64 100644
index 181265057e..216b5a09cc 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -547,7 +547,10 @@
@ -77,7 +77,7 @@ index 7b88b7441f..fe7b7e1d64 100644
OvmfPkg/PlatformDxe/Platform.inf
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index b50f8e84a3..4a43892f7d 100644
index 668a65ba64..5f07ed4dcc 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -447,7 +447,10 @@

2
0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch → 0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
View File

@ -1,4 +1,4 @@
From 2b84cf52f9a6f24f932bce5548202460f20ca9d0 Mon Sep 17 00:00:00 2001
From d4be04b114213cc9b8ee4ce86a91a1c7e2c3928a Mon Sep 17 00:00:00 2001
From: Philippe Mathieu-Daude <philmd@redhat.com>
Date: Thu, 1 Aug 2019 20:43:48 +0200
Subject: [PATCH] OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64

42
0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch → 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
View File

@ -1,4 +1,4 @@
From 67230df28e3861c4a7a8fb064a45ed85f015209c Mon Sep 17 00:00:00 2001
From e76b481430fc3ef2398cdbe4d21ce002050aa12b Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:47 +0100
Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe
@ -63,10 +63,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index cbd48af4dc..a0319c1f0a 100644
index f81a0ac375..bdb786d10d 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -688,7 +688,10 @@
@@ -686,7 +686,10 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -79,50 +79,50 @@ index cbd48af4dc..a0319c1f0a 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 75a61c88e6..34ad4f2777 100644
index 7e07fbfd46..8a8c7a0b37 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -843,7 +843,10 @@
@@ -823,7 +823,10 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index e5ca067d4c..4278ce5e1d 100644
index f28c71a7a8..4bde14a05a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -861,7 +861,10 @@
@@ -837,7 +837,10 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index ad314d86c6..e41a1b976e 100644
index 680bdb5f4c..a43352ede4 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -929,7 +929,10 @@
@@ -905,7 +905,10 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf

2
0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch → 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
View File

@ -1,4 +1,4 @@
From 9bf175beabab17dae1b5883d528ae3d9d834249b Mon Sep 17 00:00:00 2001
From 47ad6974185793994d69620d989f6d695f513c9c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:31:36 +0200
Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel"

2
0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch → 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
View File

@ -1,4 +1,4 @@
From d3d9a0ea8cdd6a8438a878a859ca0cd416c42ad6 Mon Sep 17 00:00:00 2001
From 26a8f215a1cee1b876105127ad22c68a7c07c6a8 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:40:09 +0200
Subject: [PATCH] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent

36
0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch → 0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From ce3ac92a202a0b845654c05449107840edf5d2f9 Mon Sep 17 00:00:00 2001
From 14feac56ff842b1a9940f370ebc624846841faec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:28:49 +0200
Subject: [PATCH] OvmfPkg: Remove EbcDxe (RHEL only)
@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
8 files changed, 8 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index a0319c1f0a..906c1a4332 100644
index bdb786d10d..e565430e6c 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -613,7 +613,6 @@
@@ -611,7 +611,6 @@
!include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
}
@ -41,10 +41,10 @@ index a0319c1f0a..906c1a4332 100644
UefiCpuPkg/CpuDxe/CpuDxe.inf
OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index b2ab0c7773..20d31d0e2d 100644
index 9dd4095967..78b4e1d528 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -205,7 +205,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
@@ -206,7 +206,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
@ -53,19 +53,19 @@ index b2ab0c7773..20d31d0e2d 100644
INF UefiCpuPkg/CpuDxe/CpuDxe.inf
INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 34ad4f2777..d664b42c67 100644
index 8a8c7a0b37..ee8da63252 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -753,7 +753,6 @@
@@ -746,7 +746,6 @@
!include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
}
- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
UefiCpuPkg/CpuDxe/CpuDxe.inf
!ifdef $(CSM_ENABLE)
OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 383613e54b..236680dec2 100644
index 501b4de469..5e0bc9d2c5 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -216,7 +216,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
@ -75,21 +75,21 @@ index 383613e54b..236680dec2 100644
-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF UefiCpuPkg/CpuDxe/CpuDxe.inf
!ifdef $(CSM_ENABLE)
INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 4278ce5e1d..2e0af7698a 100644
index 4bde14a05a..1c7b55a430 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -771,7 +771,6 @@
@@ -760,7 +760,6 @@
!include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
}
- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
UefiCpuPkg/CpuDxe/CpuDxe.inf
!ifdef $(CSM_ENABLE)
OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 3cec3d0c87..3ad2fe5eee 100644
index 74cfb58f06..ed33c906f3 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -217,7 +217,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
@ -99,12 +99,12 @@ index 3cec3d0c87..3ad2fe5eee 100644
-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF UefiCpuPkg/CpuDxe/CpuDxe.inf
!ifdef $(CSM_ENABLE)
INF OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e41a1b976e..55f6760f4c 100644
index a43352ede4..9807c0a6b4 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -816,7 +816,6 @@
@@ -805,7 +805,6 @@
!include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
}
@ -113,7 +113,7 @@ index e41a1b976e..55f6760f4c 100644
UefiCpuPkg/CpuDxe/CpuDxe.inf {
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 9c35b6e848..da4541d747 100644
index f47ab1727e..feb3228ae2 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -239,7 +239,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf

56
0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch → 0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From 536709a91fe5d9bf5bb41bc0ae56cb3e3fa0cf5a Mon Sep 17 00:00:00 2001
From 94f1e0809390547cbfb0ed0e650a773c24b553ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:28:59 +0200
Subject: [PATCH] OvmfPkg: Remove VirtioGpu device driver (RHEL only)
@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
8 files changed, 8 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 906c1a4332..52b0d1062c 100644
index e565430e6c..c000cc8de8 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -704,7 +704,6 @@
@@ -701,7 +701,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
@ -41,7 +41,7 @@ index 906c1a4332..52b0d1062c 100644
#
# ISA Support
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 20d31d0e2d..48cc3b00c1 100644
index 78b4e1d528..d6f785c205 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -300,7 +300,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
@ -53,72 +53,72 @@ index 20d31d0e2d..48cc3b00c1 100644
INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d664b42c67..d39d9e8c27 100644
index ee8da63252..254d9f13f3 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -861,7 +861,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
@@ -838,7 +838,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
# ISA Support
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 236680dec2..381735165d 100644
index 5e0bc9d2c5..dec1258714 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -334,7 +334,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
!endif
@@ -321,7 +321,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 2e0af7698a..0e3de2ec5e 100644
index 1c7b55a430..a3a753bd8b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -879,7 +879,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
@@ -852,7 +852,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
# ISA Support
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 3ad2fe5eee..2ca10f7c5e 100644
index ed33c906f3..00bd49c89d 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -340,7 +340,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
!endif
@@ -327,7 +327,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 55f6760f4c..c266686361 100644
index 9807c0a6b4..17cc17cbde 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -947,7 +947,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
@@ -920,7 +920,6 @@
<PcdsFixedAtBuild>
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
}
- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
#
# ISA Support
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index da4541d747..00b3f9d0d8 100644
index feb3228ae2..bee30d8b4f 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -367,7 +367,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
!endif
@@ -354,7 +354,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf

26
0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch → 0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
View File

@ -1,4 +1,4 @@
From ff214a87a99084bd91a04711e52ec1bffa911557 Mon Sep 17 00:00:00 2001
From 0a61aba4d91c63ca263f628093331f6178728ad1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:13 +0200
Subject: [PATCH] OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL only)
@ -27,10 +27,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
6 files changed, 6 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d39d9e8c27..12ed090eab 100644
index 254d9f13f3..ca07b40857 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -836,7 +836,6 @@
@@ -816,7 +816,6 @@
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
@ -39,10 +39,10 @@ index d39d9e8c27..12ed090eab 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 381735165d..bd69792100 100644
index dec1258714..55d0f1ae5f 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -296,7 +296,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -290,7 +290,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
@ -51,10 +51,10 @@ index 381735165d..bd69792100 100644
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 0e3de2ec5e..821423cfe2 100644
index a3a753bd8b..a5322783e5 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -854,7 +854,6 @@
@@ -830,7 +830,6 @@
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
@ -63,10 +63,10 @@ index 0e3de2ec5e..821423cfe2 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 2ca10f7c5e..4011682faf 100644
index 00bd49c89d..fba268521b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -291,7 +291,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
@ -75,10 +75,10 @@ index 2ca10f7c5e..4011682faf 100644
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c266686361..ea3f8d73bc 100644
index 17cc17cbde..190431b6fa 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -922,7 +922,6 @@
@@ -898,7 +898,6 @@
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
@ -87,10 +87,10 @@ index c266686361..ea3f8d73bc 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 00b3f9d0d8..c53501679a 100644
index bee30d8b4f..cea0e87cbf 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -322,7 +322,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -316,7 +316,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf

8
0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch → 0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
View File

@ -1,4 +1,4 @@
From 7478b17347f2119448467a0ce821a5c5f865a2c8 Mon Sep 17 00:00:00 2001
From 068776b4d85587427fbceebf0e79938eea33f68e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:16 +0200
Subject: [PATCH] ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL only)
@ -24,7 +24,7 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
3 files changed, 3 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index fe7b7e1d64..f0946821c6 100644
index 216b5a09cc..1e6c76795b 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -465,7 +465,6 @@
@ -36,7 +36,7 @@ index fe7b7e1d64..f0946821c6 100644
#
# Bds
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 9b3e37d5c9..a997063751 100644
index c5d097ffb9..a814653dc4 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -84,7 +84,6 @@ READ_LOCK_STATUS = TRUE
@ -48,7 +48,7 @@ index 9b3e37d5c9..a997063751 100644
#
# Status Code Routing
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 4a43892f7d..8fa801dad6 100644
index 5f07ed4dcc..e48bdf8deb 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -365,7 +365,6 @@

32
0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch → 0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From 42c144b94db706be6f01d5fb1537a35cc803daa8 Mon Sep 17 00:00:00 2001
From 6264a265fc50961c8d44a4c04b9c9e5ad07cc86c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:19 +0200
Subject: [PATCH] OvmfPkg: Remove UdfDxe filesystem driver (RHEL only)
@ -29,10 +29,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
8 files changed, 8 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 52b0d1062c..41953c119d 100644
index c000cc8de8..75bec7859e 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -681,7 +681,6 @@
@@ -679,7 +679,6 @@
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
@ -41,7 +41,7 @@ index 52b0d1062c..41953c119d 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 48cc3b00c1..2f03c80ffd 100644
index d6f785c205..5d0cba1e13 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -274,7 +274,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
@ -53,10 +53,10 @@ index 48cc3b00c1..2f03c80ffd 100644
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 12ed090eab..07176ad930 100644
index ca07b40857..62907e9458 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -835,7 +835,6 @@
@@ -815,7 +815,6 @@
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
@ -65,10 +65,10 @@ index 12ed090eab..07176ad930 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index bd69792100..97c808446e 100644
index 55d0f1ae5f..6c324943e4 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -295,7 +295,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
@@ -289,7 +289,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf
@ -77,10 +77,10 @@ index bd69792100..97c808446e 100644
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 821423cfe2..ba7ed38412 100644
index a5322783e5..28cf5ace70 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -853,7 +853,6 @@
@@ -829,7 +829,6 @@
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
@ -89,10 +89,10 @@ index 821423cfe2..ba7ed38412 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 4011682faf..6351ce645b 100644
index fba268521b..a890d4a3e3 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -296,7 +296,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
@@ -290,7 +290,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf
@ -101,10 +101,10 @@ index 4011682faf..6351ce645b 100644
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index ea3f8d73bc..55f3315241 100644
index 190431b6fa..ca0c007181 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -921,7 +921,6 @@
@@ -897,7 +897,6 @@
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
FatPkg/EnhancedFatDxe/Fat.inf
@ -113,10 +113,10 @@ index ea3f8d73bc..55f3315241 100644
MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index c53501679a..558a944f20 100644
index cea0e87cbf..48da04eb9c 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -321,7 +321,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
@@ -315,7 +315,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
INF FatPkg/EnhancedFatDxe/Fat.inf

8
0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch → 0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From 34b2ee906d0cce11a8156105777b6ecfaca5feba Mon Sep 17 00:00:00 2001
From 2ddf7702dee6a1a0edab8154b085c36f8d84376f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:22 +0200
Subject: [PATCH] ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only)
@ -24,7 +24,7 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
3 files changed, 3 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index f0946821c6..68ad5877ee 100644
index 1e6c76795b..9216faca8d 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -464,7 +464,6 @@
@ -36,7 +36,7 @@ index f0946821c6..68ad5877ee 100644
#
# Bds
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index a997063751..dcb1b793d1 100644
index a814653dc4..a411a8f68d 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -83,7 +83,6 @@ READ_LOCK_STATUS = TRUE
@ -48,7 +48,7 @@ index a997063751..dcb1b793d1 100644
#
# Status Code Routing
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 8fa801dad6..87e54e682a 100644
index e48bdf8deb..66ad4b6948 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -364,7 +364,6 @@

32
0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch → 0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
View File

@ -1,4 +1,4 @@
From aac73e5f62e2305e6578c9b22ae557741bf6532a Mon Sep 17 00:00:00 2001
From 90b02d61d206926d6b2687a4a94f600039ae2e7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:25 +0200
Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only)
@ -27,11 +27,11 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
6 files changed, 15 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 07176ad930..0183511722 100644
index 62907e9458..c2fe2e6042 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -913,10 +913,6 @@
!endif
@@ -881,10 +881,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
@ -42,10 +42,10 @@ index 07176ad930..0183511722 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 97c808446e..cb95c842fa 100644
index 6c324943e4..32a42c926b 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -291,7 +291,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
@ -54,11 +54,11 @@ index 97c808446e..cb95c842fa 100644
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index ba7ed38412..66554b42ed 100644
index 28cf5ace70..5d74007599 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -931,10 +931,6 @@
!endif
@@ -895,10 +895,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
@ -69,10 +69,10 @@ index ba7ed38412..66554b42ed 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 6351ce645b..592f0fed82 100644
index a890d4a3e3..733f60ce7c 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -292,7 +292,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
@ -81,11 +81,11 @@ index 6351ce645b..592f0fed82 100644
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 55f3315241..6d1d2bd39b 100644
index ca0c007181..f27932b38d 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -999,10 +999,6 @@
!endif
@@ -963,10 +963,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
@ -96,10 +96,10 @@ index 55f3315241..6d1d2bd39b 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 558a944f20..70556f8ace 100644
index 48da04eb9c..f562b5312b 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -323,7 +323,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -317,7 +317,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"

8
0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch → 0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
View File

@ -1,4 +1,4 @@
From a3493c0945f733e395ea7444f1639a42f8a717f0 Mon Sep 17 00:00:00 2001
From f7abc9b87c6034ada69ed16fc644c578cea5af19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:28 +0200
Subject: [PATCH] ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL only)
@ -23,10 +23,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index fe6488ee99..5677bad717 100644
index 2bc6a29eb1..33f122f913 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -385,10 +385,9 @@
@@ -388,10 +388,9 @@
#
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
@ -41,7 +41,7 @@ index fe6488ee99..5677bad717 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index dcb1b793d1..b1c3fcc66d 100644
index a411a8f68d..4b00524fde 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -99,7 +99,6 @@ READ_LOCK_STATUS = TRUE

32
0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch → 0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
View File

@ -1,4 +1,4 @@
From 873a03ce289c988d822f1bb420c1e9a0eef5ca56 Mon Sep 17 00:00:00 2001
From ab3da1407691781fb148e53d4b02e996a5dbca2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:31 +0200
Subject: [PATCH] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only)
@ -31,11 +31,11 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
6 files changed, 15 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 0183511722..970ffbad82 100644
index c2fe2e6042..44139c648c 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -913,10 +913,6 @@
!endif
@@ -881,10 +881,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
@ -46,10 +46,10 @@ index 0183511722..970ffbad82 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index cb95c842fa..891e0e06ef 100644
index 32a42c926b..56520eaf99 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -291,7 +291,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
@ -58,11 +58,11 @@ index cb95c842fa..891e0e06ef 100644
!endif
!if $(BUILD_SHELL) == TRUE
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 66554b42ed..3127e3d18d 100644
index 5d74007599..e2f13499cc 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -931,10 +931,6 @@
!endif
@@ -895,10 +895,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
@ -73,10 +73,10 @@ index 66554b42ed..3127e3d18d 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 592f0fed82..61a827b365 100644
index 733f60ce7c..f04620418b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -292,7 +292,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
@ -85,11 +85,11 @@ index 592f0fed82..61a827b365 100644
!endif
!if $(BUILD_SHELL) == TRUE
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6d1d2bd39b..6f078b5b27 100644
index f27932b38d..f1dc48c3be 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -999,10 +999,6 @@
!endif
@@ -963,10 +963,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
@ -100,10 +100,10 @@ index 6d1d2bd39b..6f078b5b27 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 70556f8ace..d2e1c2894f 100644
index f562b5312b..61a3c63166 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -323,7 +323,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -317,7 +317,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"

8
0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch → 0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
View File

@ -1,4 +1,4 @@
From 4b212f0b5f5d2dbe595e53bc0b553abb90ee288a Mon Sep 17 00:00:00 2001
From 54c22fb545c567b4f99c81170ba8a4fc111e7646 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:34 +0200
Subject: [PATCH] ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL only)
@ -27,10 +27,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
2 files changed, 5 deletions(-)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 5677bad717..d4c001e1bd 100644
index 33f122f913..2b9315f8b3 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -388,10 +388,6 @@
@@ -391,10 +391,6 @@
#
# UEFI application (Shell Embedded Boot Loader)
#
@ -42,7 +42,7 @@ index 5677bad717..d4c001e1bd 100644
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index b1c3fcc66d..8153558686 100644
index 4b00524fde..aa3acdeae6 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -99,7 +99,6 @@ READ_LOCK_STATUS = TRUE

315
0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
View File

@ -1,315 +0,0 @@
From 3635ecb975af26d0d4886b862f8cf812b891eb37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:39 +0200
Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rebase to edk2-stable202311:
Minor update, context change due to new variable policy shell command.
RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-MergeRequest: 3: Disable features for RHEL9
RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14
RH-Bugzilla: 1967747
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
Remove the command to register a file in the shell as the
initial ramdisk for a UEFI stubbed kernel, to be booted next.
Note: as further dynamic shell commands might show up upstream,
we intentionally preserve the empty !ifdef'ry context to ease
future downstream rebases.
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ----
OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
OvmfPkg/OvmfPkgIa32.dsc | 32 ++++++++++++++------------------
OvmfPkg/OvmfPkgIa32.fdf | 1 -
OvmfPkg/OvmfPkgIa32X64.dsc | 32 ++++++++++++++------------------
OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
OvmfPkg/OvmfPkgX64.dsc | 32 ++++++++++++++------------------
OvmfPkg/OvmfPkgX64.fdf | 1 -
8 files changed, 42 insertions(+), 62 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 41953c119d..7bb6ffb3f0 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -740,10 +740,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
OvmfPkg/AmdSev/Grub/Grub.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 2f03c80ffd..0e3d7bea2b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -276,7 +276,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
INF OvmfPkg/AmdSev/Grub/Grub.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 970ffbad82..83adecc374 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -537,7 +537,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
@@ -604,7 +604,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
@@ -840,25 +840,25 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
#
# ISA Support
@@ -917,10 +917,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 891e0e06ef..88c57ff5ff 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -297,7 +297,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 3127e3d18d..b47cdf63e7 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -544,7 +544,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
@@ -616,7 +616,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
@@ -858,25 +858,25 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
#
# ISA Support
@@ -935,10 +935,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 61a827b365..ab5a9bc306 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -298,7 +298,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6f078b5b27..be3824ec1e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -563,7 +563,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
@@ -634,7 +634,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
- gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
@@ -926,25 +926,25 @@
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
!endif
- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
- <PcdsFixedAtBuild>
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
- }
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+ <PcdsFixedAtBuild>
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ }
#
# ISA Support
@@ -1003,10 +1003,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index d2e1c2894f..851399888f 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -323,7 +323,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf

147
0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch Normal file
View File

@ -0,0 +1,147 @@
From 1025e8342c42c49d9b3bbffd6a923b4cb89ec76a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:39 +0200
Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rebase to edk2-stable202311:
Minor update, context change due to new variable policy shell command.
RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-MergeRequest: 3: Disable features for RHEL9
RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14
RH-Bugzilla: 1967747
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
Remove the command to register a file in the shell as the
initial ramdisk for a UEFI stubbed kernel, to be booted next.
Note: as further dynamic shell commands might show up upstream,
we intentionally preserve the empty !ifdef'ry context to ease
future downstream rebases.
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ----
OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
OvmfPkg/OvmfPkgIa32.dsc | 4 ----
OvmfPkg/OvmfPkgIa32.fdf | 1 -
OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
OvmfPkg/OvmfPkgX64.dsc | 4 ----
OvmfPkg/OvmfPkgX64.fdf | 1 -
8 files changed, 20 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 75bec7859e..753957bcc4 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -737,10 +737,6 @@
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
OvmfPkg/AmdSev/Grub/Grub.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5d0cba1e13..9b65ebac56 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -276,7 +276,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
INF OvmfPkg/AmdSev/Grub/Grub.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 44139c648c..2825acec3e 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -885,10 +885,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 56520eaf99..de73cabb6e 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -291,7 +291,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index e2f13499cc..f1af88a9b5 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -899,10 +899,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index f04620418b..241019cb28 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -292,7 +292,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f1dc48c3be..908895354b 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -967,10 +967,6 @@
<PcdsFixedAtBuild>
gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
}
- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
- <PcdsFixedAtBuild>
- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
- }
!endif
!if $(BUILD_SHELL) == TRUE
ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 61a3c63166..c1e7240076 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -317,7 +317,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5"
-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
!if $(BUILD_SHELL) == TRUE
INF ShellPkg/Application/Shell/Shell.inf

8
0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch → 0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
View File

@ -1,4 +1,4 @@
From b91bdc055499a46d825b3c6a2613de5c77e3a66d Mon Sep 17 00:00:00 2001
From 1e792bb790474a68c6e63a6e0faa88f8e2647ae3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Thu, 1 Jul 2021 20:29:46 +0200
Subject: [PATCH] ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only)
@ -28,10 +28,10 @@ Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index d4c001e1bd..fee6e5b17f 100644
index 2b9315f8b3..5d40a3c3c7 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -385,17 +385,13 @@
@@ -388,17 +388,13 @@
#
MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
@ -53,7 +53,7 @@ index d4c001e1bd..fee6e5b17f 100644
<LibraryClasses>
ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 8153558686..4cd53995d2 100644
index aa3acdeae6..49bd633850 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -100,7 +100,6 @@ READ_LOCK_STATUS = TRUE

8
0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch → 0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
View File

@ -1,4 +1,4 @@
From 41089770963055b4bc9662ba4204d8ee7907fbcd Mon Sep 17 00:00:00 2001
From d1572c35f13fd69f48c7c5adeb22eff09d3a1189 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 28 Feb 2023 15:47:00 +0100
Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
@ -22,10 +22,10 @@ location_in_specfile: 38
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
index 9a6ec5db5c..14ecc62f2b 100644
index cdfb570e61..7bc93dfa13 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -527,7 +527,9 @@ CollectProcessorCount (
@@ -533,7 +533,9 @@ CollectProcessorCount (
//
// Enable x2APIC mode if
// 1. Number of CPU is greater than 255; or
@ -36,7 +36,7 @@ index 9a6ec5db5c..14ecc62f2b 100644
//
X2Apic = FALSE;
if (CpuMpData->CpuCount > 255) {
@@ -535,6 +537,10 @@ CollectProcessorCount (
@@ -541,6 +543,10 @@ CollectProcessorCount (
// If there are more than 255 processor found, force to enable X2APIC
//
X2Apic = TRUE;

2
0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch → 0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
View File

@ -1,4 +1,4 @@
From 5870362631ee204936f495b8e60eb2611bb05c3b Mon Sep 17 00:00:00 2001
From 89a0a96bcfe49ca87087850d0b070e351850f6e8 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 16 Aug 2023 12:09:40 +0200
Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)

85
0027-recreate-import-.distro-directory.patch
View File

@ -1,85 +0,0 @@
From 771ce5bae1eb03240b04dde05a7a40dcec3c8a10 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 Jun 2014 20:45:26 +0200
Subject: [PATCH] recreate / import ".distro/" directory
This patch now unites the following downstream commits:
- 18bd1193e7 .distro: simplify WORKSPACE setup
- b00f3398c8 fix tpm build options
- e032ab1675 spec: Centralize non-firmware %install files at the top
- 8501863acc spec: Don't put build output in the top directory
- e6ec0363d3 spec: Factor out OVMF_FLAGS and OVMF_SB_FLAGS
- 596f34c8b6 spec: Use %make_build macro
- 55169e466d spec: Replace RPM_BUILD_ROOT with %{buildroot}
- 69c4c60920 spec: Split out build_iso() function
- ed67da8c85 spec: Add %{qosb_testing} macro
- 44519f5b94 spec: Move %check to between %install and %files
- b37b334dc7 spec: Remove extra 'true' at end of %check
- dd11149c3a spec: Add %{qemu_package} and %{qemu_binary}
- 0f5d4ae0d5 spec: Move -D TPM_ENABLE to common CC_FLAGS
- 84b3fd93f9 spec: Replace ifarch+else conditionals with build_XXX variables
- e97f79e744 spec: Use %autosetup with our required git config options
- 45a347a759 spec: don't conditionalize %package definitions
- acfcfaea1e spec: Add BuildRequires: make
- d917a93f6f spec: remove Group: and %defattr
- f2d3be3ae3 redhat: build UefiShell.iso with xorriso rather than genisoimage
- 3fb4a20f30 redhat: narrow the "qemu-kvm" BuildRequires down to "qemu-kvm-core"
- bfb89c4ae5 redhat: drop Split tool from the edk2-tools subpackage
- ac8be2e0ef redhat: refresh "Makefile.common" for the 8.5 rebase
- 2bd2d18864 redhat: filter out jansson submodule removal hunks
- f13d7899ed recreate / import "redhat/" directory
Merged patches (edk2-stable202202):
- 1a7b1c3b72 spec: adapt specfile to build option changes, disable tpm1
- 96eb388be3 spec: build amdsev variant
- ea34352d41 redhat: bump OpenSSL dist-git submodule to a75722161d20 / RHEL-8.5
Merged patches (edk2-stable202208):
- a60bf3fd10 Adding support for CentOS 9 build
- d3f25d438c OvmfPkg: Update target machines config
- d63f783930 openssl: jump to 8.7.0 branch (2022-07-22)
- 39882ce96d qemu-ovmf-secureboot: Do not use submodule
- 283ef4a67d ovmf-vars-generator: Use max cpu
- b6887ef7e1 Update build target to RHEL 9.2.0
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Merged patches (edk2-stable202305):
- 5eef16bd65 remove amd-sev feature flag from secure boot builds (rh only)
- cc9e1b6eaa build script update
- 046c1f08e6 PcdDxeNxMemoryProtectionPolicy update
- b9dc1b5365 add aarch64 qcow2 images
- f4e2d6bf41 update json files
- be03b42128 add libvirt version conflict
- dce699b61d add dbx update blob (rh only)
- d8b2407343 spec: apply dbx update (rh only)
- a8a5ef95b5 dbx update, 2023-05-09, black lotus edition
- 310e179053 json descriptors: explicitly set mode = split
- additionally
- update frh.py, add new upstream submodules
- replace egrep with grep -E and fgrep with grep -F in downstream
scripts
- remove git commit sha from package version string
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Rebase to edk2-stable202311: squash commits:
- 5b833f0c8d Update TargetRelease to support 9.4.0
- 20024b4cbe Use fixed length for short hash for Makefile
- 8618f7367e Updated TargetRelease content to support 9.4.0 only.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
sources | 1 +
1 file changed, 1 insertion(+)
create mode 100644 sources
diff --git a/sources b/sources
new file mode 100644
index 0000000000..ea8c8ad50b
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (edk2-ba91d0292e.tar.xz) = 3b21cc39671d28bfeb059da3683751cc5277c63a894b2a05bdfbd2bbe53545c34f04c229becf44f1563f89a738f37ae8f2333076d126a7e94d234bc4bb25454c

2
0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch → 0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch
View File

@ -1,4 +1,4 @@
From 192cc2b49dbccc59f5731e2abc120bed3e06cc32 Mon Sep 17 00:00:00 2001
From 1b7a4cb54f50883fee087fd85b7c9b86b5296fea Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 28 Aug 2023 13:11:02 +0200
Subject: [PATCH] CryptoPkg/CrtLib: add stat.h include file.

27
0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch
View File

@ -1,27 +0,0 @@
From c0347206c55c9d4d69b46725e9edbb21448f7494 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 28 Nov 2023 12:11:55 +0100
Subject: [PATCH] distro: apply 'git diff c9s new_c9s' by mirek
Bring .distro toi latest standards for more automatic support.
---
CryptoPkg/.gitignore | 1 -
sources | 1 -
2 files changed, 2 deletions(-)
delete mode 100644 CryptoPkg/.gitignore
delete mode 100644 sources
diff --git a/CryptoPkg/.gitignore b/CryptoPkg/.gitignore
deleted file mode 100644
index 68b83272b7..0000000000
--- a/CryptoPkg/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-Library/OpensslLib/openssl*/
diff --git a/sources b/sources
deleted file mode 100644
index ea8c8ad50b..0000000000
--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-SHA512 (edk2-ba91d0292e.tar.xz) = 3b21cc39671d28bfeb059da3683751cc5277c63a894b2a05bdfbd2bbe53545c34f04c229becf44f1563f89a738f37ae8f2333076d126a7e94d234bc4bb25454c

2
0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch → 0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch
View File

@ -1,4 +1,4 @@
From 09ccd0ffae512d7f0a7548cdfbc60e1482153796 Mon Sep 17 00:00:00 2001
From e47e4f4efb118cf38f76c7abc8f1cb537e1f79e5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 28 Aug 2023 13:27:09 +0200
Subject: [PATCH] CryptoPkg/CrtLib: add access/open/read/write/close syscalls

15
edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch → 0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
View File

@ -1,7 +1,7 @@
From 7b1298045185749369115719317dc92f58af92d7 Mon Sep 17 00:00:00 2001
From 9388cc72866fc379d94cf3dc029292f4246bfe39 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 30 Jan 2024 14:04:38 +0100
Subject: [PATCH 6/9] OvmfPkg/Sec: Setup MTRR early in the boot process.
Subject: [PATCH] OvmfPkg/Sec: Setup MTRR early in the boot process.
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
@ -40,6 +40,10 @@ Message-ID: <20240130130441.772484-2-kraxel@redhat.com>
due to chinese holidays and rhel-9.4 deadlines are close.
QE regression testing passed. So go with upstream posted
series v3 ]
patch_name: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
present_in_specfile: true
location_in_specfile: 49
---
OvmfPkg/IntelTdx/Sec/SecMain.c | 32 +++++++++++++++++++++
OvmfPkg/Library/PlatformInitLib/MemDetect.c | 10 +++----
@ -104,10 +108,10 @@ index 42a587adfa..0daddac0a0 100644
ASSERT (FALSE);
diff --git a/OvmfPkg/Library/PlatformInitLib/MemDetect.c b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
index 662e7e85bb..f8d7f5bf1c 100644
index f042517bb6..313f5e1f7f 100644
--- a/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+++ b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
@@ -1035,18 +1035,18 @@ PlatformQemuInitializeRam (
@@ -1082,18 +1082,18 @@ PlatformQemuInitializeRam (
MtrrGetAllMtrrs (&MtrrSettings);
//
@ -188,6 +192,3 @@ index 31da5d0ace..3b7dc7205d 100644
//
// Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready.
//
--
2.39.3

169
0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch
View File

@ -1,169 +0,0 @@
From 0120fb7b5877ab40537fd17e64772f53bc89cd07 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ardb@kernel.org>
Date: Mon, 4 Dec 2023 10:41:08 +0100
Subject: [PATCH] ArmVirtQemu: Allow EFI memory attributes protocol to be
disabled
Shim's PE loader uses the EFI memory attributes protocol in a way that
results in an immediate crash when invoking the loaded image, unless the
base and size of its executable segment are both aligned to 4k.
If this is not the case, it will strip the memory allocation of its
executable permissions, but fail to add them back for the executable
region, resulting in non-executable code. Unfortunately, the PE loader
does not even bother invoking the protocol in this case (as it notices
the misalignment), making it very hard for system firmware to work
around this by attempting to infer the intent of the caller.
So let's introduce a QEMU command line option to indicate that the
protocol should not be exposed at all, and a PCD to set the default for
this option when it is omitted.
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Link: https://gitlab.com/qemu-project/qemu/-/issues/1990
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
(cherry picked from commit cee7ba349c0c1ce489001a338a4e28555728b573)
---
ArmVirtPkg/ArmVirtPkg.dec | 6 ++
.../PlatformBootManagerLib/PlatformBm.c | 64 +++++++++++++++++++
.../PlatformBootManagerLib.inf | 3 +
3 files changed, 73 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
index 0f2d787327..313aebda90 100644
--- a/ArmVirtPkg/ArmVirtPkg.dec
+++ b/ArmVirtPkg/ArmVirtPkg.dec
@@ -68,3 +68,9 @@
# Cloud Hypervisor has no other way to pass Rsdp address to the guest except use a PCD.
#
gArmVirtTokenSpaceGuid.PcdCloudHvAcpiRsdpBaseAddress|0x0|UINT64|0x00000005
+
+ ##
+ # Whether the EFI memory attributes protocol should be uninstalled before
+ # invoking the OS loader. This may be needed to work around problematic
+ # builds of shim that use the protocol incorrectly.
+ gArmVirtTokenSpaceGuid.PcdUninstallMemAttrProtocol|FALSE|BOOLEAN|0x00000006
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 85c01351b0..8e93f3cfed 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -16,6 +16,7 @@
#include <Library/PcdLib.h>
#include <Library/PlatformBmPrintScLib.h>
#include <Library/QemuBootOrderLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
#include <Library/TpmPlatformHierarchyLib.h>
#include <Library/UefiBootManagerLib.h>
#include <Protocol/DevicePath.h>
@@ -1111,6 +1112,49 @@ PlatformBootManagerBeforeConsole (
FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial);
}
+/**
+ Uninstall the EFI memory attribute protocol if it exists.
+**/
+STATIC
+VOID
+UninstallEfiMemoryAttributesProtocol (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HANDLE Handle;
+ UINTN Size;
+ VOID *MemoryAttributeProtocol;
+
+ Size = sizeof (Handle);
+ Status = gBS->LocateHandle (
+ ByProtocol,
+ &gEfiMemoryAttributeProtocolGuid,
+ NULL,
+ &Size,
+ &Handle
+ );
+
+ if (EFI_ERROR (Status)) {
+ ASSERT (Status == EFI_NOT_FOUND);
+ return;
+ }
+
+ Status = gBS->HandleProtocol (
+ Handle,
+ &gEfiMemoryAttributeProtocolGuid,
+ &MemoryAttributeProtocol
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gBS->UninstallProtocolInterface (
+ Handle,
+ &gEfiMemoryAttributeProtocolGuid,
+ MemoryAttributeProtocol
+ );
+ ASSERT_EFI_ERROR (Status);
+}
+
/**
Do the platform specific action after the console is ready
Possible things that can be done in PlatformBootManagerAfterConsole:
@@ -1129,12 +1173,32 @@ PlatformBootManagerAfterConsole (
)
{
RETURN_STATUS Status;
+ BOOLEAN Uninstall;
//
// Show the splash screen.
//
BootLogoEnableLogo ();
+ //
+ // Work around shim's terminally broken use of the EFI memory attributes
+ // protocol, by uninstalling it if requested on the QEMU command line.
+ //
+ // E.g.,
+ // -fw_cfg opt/org.tianocore/UninstallMemAttrProtocol,string=y
+ //
+ Uninstall = FixedPcdGetBool (PcdUninstallMemAttrProtocol);
+ QemuFwCfgParseBool ("opt/org.tianocore/UninstallMemAttrProtocol", &Uninstall);
+ DEBUG ((
+ DEBUG_WARN,
+ "%a: %auninstalling EFI memory protocol\n",
+ __func__,
+ Uninstall ? "" : "not "
+ ));
+ if (Uninstall) {
+ UninstallEfiMemoryAttributesProtocol ();
+ }
+
//
// Process QEMU's -kernel command line option. The kernel booted this way
// will receive ACPI tables: in PlatformBootManagerBeforeConsole(), we
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 997eb1a442..70e4ebf94a 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -46,6 +46,7 @@
PcdLib
PlatformBmPrintScLib
QemuBootOrderLib
+ QemuFwCfgSimpleParserLib
QemuLoadImageLib
ReportStatusCodeLib
TpmPlatformHierarchyLib
@@ -55,6 +56,7 @@
UefiRuntimeServicesTableLib
[FixedPcd]
+ gArmVirtTokenSpaceGuid.PcdUninstallMemAttrProtocol
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultParity
@@ -73,5 +75,6 @@
[Protocols]
gEfiFirmwareVolume2ProtocolGuid
gEfiGraphicsOutputProtocolGuid
+ gEfiMemoryAttributeProtocolGuid
gEfiPciRootBridgeIoProtocolGuid
gVirtioDeviceProtocolGuid

12
edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch → 0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
View File

@ -1,8 +1,7 @@
From 08fc72d06946ef3adebf110c097ed869ab0ed416 Mon Sep 17 00:00:00 2001
From 625a70fc26d752b0025eae19682b386f44fa089b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 30 Jan 2024 14:04:39 +0100
Subject: [PATCH 7/9] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache
types
Subject: [PATCH] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache types
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
@ -14,6 +13,10 @@ Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20240130130441.772484-3-kraxel@redhat.com>
patch_name: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
present_in_specfile: true
location_in_specfile: 50
---
MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 7 +++++++
1 file changed, 7 insertions(+)
@ -36,6 +39,3 @@ index 756e7c86ec..08ba949cf7 100644
/**
MSR information returned for MSR indexes #MSR_IA32_MTRR_PHYSBASE0 to
#MSR_IA32_MTRR_PHYSBASE9
--
2.39.3

11
edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch → 0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
View File

@ -1,7 +1,7 @@
From 4d3ac0527ceb615a49214b0f7249d9198ddeb53a Mon Sep 17 00:00:00 2001
From d545c8ac6a7c96cb64661b2f5b6fccb97f9c02f8 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 30 Jan 2024 14:04:40 +0100
Subject: [PATCH 8/9] UefiCpuPkg/MtrrLib.h: use cache type #defines from
Subject: [PATCH] UefiCpuPkg/MtrrLib.h: use cache type #defines from
ArchitecturalMsr.h
RH-Author: Gerd Hoffmann <None>
@ -14,6 +14,10 @@ Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20240130130441.772484-4-kraxel@redhat.com>
patch_name: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
present_in_specfile: true
location_in_specfile: 51
---
UefiCpuPkg/Include/Library/MtrrLib.h | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
@ -64,6 +68,3 @@ index 86cc1aab3b..287d249a99 100644
typedef struct {
UINT64 BaseAddress;
--
2.39.3

12
edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch → 0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
View File

@ -1,8 +1,7 @@
From 0e2a3df10d784fd38ceee2f6a733032d1333281f Mon Sep 17 00:00:00 2001
From 77a0448486125a840a33e438e430d8e0844dab81 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 30 Jan 2024 14:04:41 +0100
Subject: [PATCH 9/9] OvmfPkg/Sec: use cache type #defines from
ArchitecturalMsr.h
Subject: [PATCH] OvmfPkg/Sec: use cache type #defines from ArchitecturalMsr.h
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
@ -13,6 +12,10 @@ RH-Commit: [4/4] 55f00e3e153ca945ca458e7abc26780a8d83ac85 (kraxel.rh/centos-src-
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20240130130441.772484-5-kraxel@redhat.com>
patch_name: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
present_in_specfile: true
location_in_specfile: 52
---
OvmfPkg/IntelTdx/Sec/SecMain.c | 2 +-
OvmfPkg/Sec/SecMain.c | 2 +-
@ -44,6 +47,3 @@ index 3b7dc7205d..aa0fa1b1ec 100644
DefType.Bits.E = 1; /* enable */
AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
}
--
2.39.3

18
README.rst
View File

@ -1,18 +0,0 @@
===================
EDK2 development
===================
EDK2 is maintained in a `source tree`_ rather than directly in dist-git
using packit service that provides way to develope using regular source code
structure and provides way to generate SRPM and build using koji service.
Developers deliver all changes to source-git using merge request. Only maintainers
will be pushing changes sent to source-git to dist-git.
Each release in dist-git is tagged in the source repository so you can easily
check out the source tree for a build. The tags are in the format
name-version-release, but note release doesn't contain the dist tag since the
source can be built in different build roots (Fedora, CentOS, etc.)
.. _source tree: https://gitlab.com/redhat/centos-stream/src/edk2

170
edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
View File

@ -1,170 +0,0 @@
From 0d85ac65b3e469e879f687150d0a25e6dbd6cac1 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 8 Feb 2024 10:35:14 -0500
Subject: [PATCH 02/18] NetworkPkg: : Add Unit tests to CI and create Host Test
DSC
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [2/18] 331bea0d7e46de0e35e595ad08c94eec99c80cd8
JIRA: https://issues.redhat.com/browse/RHEL-21843
CVE: CVE-2023-45230
Upstream: Merged
commit 8014ac2d7bbbc503f5562b51af46bb20ae3d22ff
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:44 2024 +0800
NetworkPkg: : Add Unit tests to CI and create Host Test DSC
Adds Host Based testing to the NetworkPkg
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/NetworkPkg.ci.yaml | 7 +-
NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++++++++++++++++++++++++++
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 NetworkPkg/Test/NetworkPkgHostTest.dsc
diff --git a/NetworkPkg/NetworkPkg.ci.yaml b/NetworkPkg/NetworkPkg.ci.yaml
index 07dc7abd69..076424eb60 100644
--- a/NetworkPkg/NetworkPkg.ci.yaml
+++ b/NetworkPkg/NetworkPkg.ci.yaml
@@ -24,6 +24,9 @@
"CompilerPlugin": {
"DscPath": "NetworkPkg.dsc"
},
+ "HostUnitTestCompilerPlugin": {
+ "DscPath": "Test/NetworkPkgHostTest.dsc"
+ },
"CharEncodingCheck": {
"IgnoreFiles": []
},
@@ -35,7 +38,9 @@
"CryptoPkg/CryptoPkg.dec"
],
# For host based unit tests
- "AcceptableDependencies-HOST_APPLICATION":[],
+ "AcceptableDependencies-HOST_APPLICATION":[
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ ],
# For UEFI shell based apps
"AcceptableDependencies-UEFI_APPLICATION":[
"ShellPkg/ShellPkg.dec"
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
new file mode 100644
index 0000000000..1aeca5c5b3
--- /dev/null
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -0,0 +1,98 @@
+## @file
+# NetworkPkgHostTest DSC file used to build host-based unit tests.
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+ PLATFORM_NAME = NetworkPkgHostTest
+ PLATFORM_GUID = 3b68324e-fc07-4d49-9520-9347ede65879
+ PLATFORM_VERSION = 0.1
+ DSC_SPECIFICATION = 0x00010005
+ OUTPUT_DIRECTORY = Build/NetworkPkg/HostTest
+ SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
+ BUILD_TARGETS = NOOPT
+ SKUID_IDENTIFIER = DEFAULT
+
+!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
+[Packages]
+ MdePkg/MdePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+
+[Components]
+ #
+ # Build HOST_APPLICATION that tests NetworkPkg
+ #
+
+# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
+[LibraryClasses]
+ NetLib|NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+ HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
+ UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
+ UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
+ UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+ PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+!ifdef CONTINUOUS_INTEGRATION
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
+!else
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
+ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+ FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+ SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+
+!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
+[LibraryClasses.X64]
+ # Provide StackCookie support lib so that we can link to /GS exports for VS builds
+ RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+!endif
+
+[LibraryClasses.common.UEFI_DRIVER]
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
+ ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+ DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
+[LibraryClasses.common.UEFI_APPLICATION]
+ DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
+ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
+ #
+ # It is not possible to prevent ARM compiler calls to generic intrinsic functions.
+ # This library provides the instrinsic functions generated by a given compiler.
+ # [LibraryClasses.ARM] and NULL mean link this library into all ARM images.
+ #
+!if $(TOOL_CHAIN_TAG) != VS2017 and $(TOOL_CHAIN_TAG) != VS2015 and $(TOOL_CHAIN_TAG) != VS2019
+ NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
+!endif
+ NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
+[LibraryClasses.ARM]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+[LibraryClasses.RISCV64]
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+
+[PcdsFixedAtBuild]
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType|0x4
--
2.39.3

170
edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
View File

@ -1,170 +0,0 @@
From 3c1cf95b979cea6b0dee6e107756558a7a71d4ac Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 14/18] NetworkPkg: : Adds a SecurityFix.yaml file
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [14/18] dddbcbe14e38dc1bb03acf4622d6285090c4bb02
JIRA: https://issues.redhat.com/browse/RHEL-21853
CVE: CVE-2022-45235
Upstream: Merged
commit 1d0b95f6457d225c5108302a9da74b4ed7aa5a38
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:57 2024 +0800
NetworkPkg: : Adds a SecurityFix.yaml file
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
create mode 100644 NetworkPkg/SecurityFixes.yaml
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
new file mode 100644
index 0000000000..7e900483fe
--- /dev/null
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -0,0 +1,123 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2023_45229:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
+ cve: CVE-2023-45229
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45229
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45230:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"
+ cve: CVE-2023-45230
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option"
+ note:
+ files_impacted:
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4535
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45230
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45231:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"
+ cve: CVE-2023-45231
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options"
+ note:
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45231
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45232:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+ cve: CVE-2023-45232
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header"
+ note:
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ - NetworkPkg/Ip6Dxe/Ip6Option.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4537
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45232
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45233:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+ cve: CVE-2023-45233
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header "
+ note: This was fixed along with CVE-2023-45233
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ - NetworkPkg/Ip6Dxe/Ip6Option.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4538
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45233
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45234:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"
+ cve: CVE-2023-45234
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4539
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45234
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45235:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"
+ cve: CVE-2023-45235
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4540
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45235
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
--
2.39.3

69
edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
View File

@ -1,69 +0,0 @@
From 3ab0e3be00cc74b39db482e33bfe923f70768ae4 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 17/18] NetworkPkg: Dhcp6Dxe: Packet-Length is not updated
before appending
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [17/18] c13c96534ecea4c43ca98cecf0789b07680958ca
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit 75deaf5c3c0d164c61653258c331151241bb69d8
Author: Doug Flick <dougflick@microsoft.com>
Date: Tue Feb 13 10:46:02 2024 -0800
NetworkPkg: Dhcp6Dxe: Packet-Length is not updated before appending
In order for Dhcp6AppendIaAddrOption (..) to safely append the IA
Address option, the Packet-Length field must be updated before appending
the option.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index e4e0725622..f38e3ee3fe 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -924,6 +924,11 @@ Dhcp6AppendIaOption (
*PacketCursor += sizeof (T2);
}
+ //
+ // Update the packet length
+ //
+ Packet->Length += BytesNeeded;
+
//
// Fill all the addresses belong to the Ia
//
@@ -935,11 +940,6 @@ Dhcp6AppendIaOption (
}
}
- //
- // Update the packet length
- //
- Packet->Length += BytesNeeded;
-
//
// Fill the value of Ia option length
//
--
2.39.3

162
edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch
View File

@ -1,162 +0,0 @@
From bb9d1831fd53d43889112a2e30a52b2c4504fdae Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 16/18] NetworkPkg: Dhcp6Dxe: Removes duplicate check and
replaces with macro
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [16/18] 61914482aa965883b1ec3f29cf6143b67e88742a
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit af3fad99d6088881562e50149f414f76a5be0140
Author: Doug Flick <dougflick@microsoft.com>
Date: Tue Feb 13 10:46:01 2024 -0800
NetworkPkg: Dhcp6Dxe: Removes duplicate check and replaces with macro
Removes duplicate check after merge
>
> //
> // Verify the PacketCursor is within the packet
> //
> if ( (*PacketCursor < Packet->Dhcp6.Option)
> || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size -
sizeof (EFI_DHCP6_HEADER))))
> {
> return EFI_INVALID_PARAMETER;
> }
>
Converts the check to a macro and replaces all instances of the check
with the macro
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 44 +++++++++++++-----------------
1 file changed, 19 insertions(+), 25 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index 705c665c51..e4e0725622 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -10,6 +10,16 @@
#include "Dhcp6Impl.h"
+//
+// Verifies the packet cursor is within the packet
+// otherwise it is invalid
+//
+#define IS_INVALID_PACKET_CURSOR(PacketCursor, Packet) \
+ (((*PacketCursor) < (Packet)->Dhcp6.Option) || \
+ ((*PacketCursor) >= (Packet)->Dhcp6.Option + ((Packet)->Size - sizeof(EFI_DHCP6_HEADER))) \
+ ) \
+
+
/**
Generate client Duid in the format of Duid-llt.
@@ -638,9 +648,7 @@ Dhcp6AppendOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -657,15 +665,6 @@ Dhcp6AppendOption (
return EFI_BUFFER_TOO_SMALL;
}
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
*PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
@@ -744,9 +743,7 @@ Dhcp6AppendIaAddrOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -877,9 +874,7 @@ Dhcp6AppendIaOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -941,14 +936,14 @@ Dhcp6AppendIaOption (
}
//
- // Fill the value of Ia option length
+ // Update the packet length
//
- *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
+ Packet->Length += BytesNeeded;
//
- // Update the packet length
+ // Fill the value of Ia option length
//
- Packet->Length += BytesNeeded;
+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
return EFI_SUCCESS;
}
@@ -957,6 +952,7 @@ Dhcp6AppendIaOption (
Append the appointed Elapsed time option to Buf, and move Buf to the end.
@param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
will be moved to the end of the option.
@param[in] Instance The pointer to the Dhcp6 instance.
@@ -1012,9 +1008,7 @@ Dhcp6AppendETOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
--
2.39.3

618
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
View File

@ -1,618 +0,0 @@
From c1700b34913109cd9600f58f1fa6b82b08ce3795 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 9 Feb 2024 17:57:07 -0500
Subject: [PATCH 04/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [4/18] 23b6841dbb01249055b8040d85995c366bd94252
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:46 2024 +0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Change Overview:
Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.
>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
Lots of code cleanup to improve code readability.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 +++++++++++++++++++++-----------
2 files changed, 256 insertions(+), 85 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
index f2422c2f28..220e7c68f1 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
#define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
+#define DHCP6_PACKET_ALL 0
+#define DHCP6_PACKET_STATEFUL 1
+#define DHCP6_PACKET_STATELESS 2
+
+#define DHCP6_BASE_PACKET_SIZE 1024
+
+#define DHCP6_PORT_CLIENT 546
+#define DHCP6_PORT_SERVER 547
+
+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+
+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+
//
// For more information on DHCP options see RFC 8415, Section 21.1
//
@@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
// | (option-len octets) |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
-#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
-#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
-//
// Combined size of Code and Length
-//
#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
DHCP6_SIZE_OF_OPT_LEN)
@@ -73,34 +85,122 @@ STATIC_ASSERT (
"Combined size of Code and Length must be 4 per RFC 8415"
);
-//
// Offset to the length is just past the code
-//
-#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE)
STATIC_ASSERT (
- DHCP6_OPT_LEN_OFFSET (0) == 2,
+ DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
"Offset of length is + 2 past start of option"
);
-#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
STATIC_ASSERT (
- DHCP6_OPT_DATA_OFFSET (0) == 4,
+ DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
"Offset to option data should be +4 from start of option"
);
+//
+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
+// are defined in RFC 8415 and are a deriviation of a TLV stucture
+// For more information on IA_NA see Section 21.4
+// For more information on IA_TA see Section 21.5
+//
+//
+// The format of IA_NA and IA_TA option:
+//
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_IA_NA | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | IAID (4 octets) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T1 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T2 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | |
+// . IA_NA-options/IA_TA-options .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))
+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32))
-#define DHCP6_PACKET_ALL 0
-#define DHCP6_PACKET_STATEFUL 1
-#define DHCP6_PACKET_STATELESS 2
+// Combined size of IAID, T1, and T2
+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415"
+ );
-#define DHCP6_BASE_PACKET_SIZE 1024
+// This is the size of IA_TA without options
+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_TA == 8,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
-#define DHCP6_PORT_CLIENT 546
-#define DHCP6_PORT_SERVER 547
+// Offset to a IA_TA inner option
+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
+ "Offset of IA_TA Inner option is + 8 past start of option"
+ );
-#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+// This is the size of IA_NA without options (16)
+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
+STATIC_ASSERT (
+ DHCP6_MIN_SIZE_OF_IA_NA == 16,
+ "Minimum combined size of IA_TA per RFC 8415"
+ );
-#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
-#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
+ "Offset of IA_NA Inner option is + 16 past start of option"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+ DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
+ "Offset of IA_NA Inner option is + 8 past start of option"
+ );
+
+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
+ DHCP6_SIZE_OF_IAID + \
+ DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
+ "Offset of IA_NA Inner option is + 12 past start of option"
+ );
+
+//
+// For more information see RFC 8415 Section 21.13
+//
+// The format of the Status Code Option:
+//
+// 0 1 2 3
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_STATUS_CODE | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | status-code | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+// . .
+// . status-message .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+STATIC_ASSERT (
+ DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
+ "Offset of status is + 4 past start of option"
+ );
extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress;
extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index bf5aa7a769..89d16484a5 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo (
// The inner options still start with 2 bytes option-code and 2 bytes option-len.
//
if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8)));
- T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12)));
+ T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
+ T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
//
// Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
// and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
@@ -609,13 +609,14 @@ Dhcp6UpdateIaInfo (
return EFI_DEVICE_ERROR;
}
- IaInnerOpt = Option + 16;
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 12);
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
} else {
- T1 = 0;
- T2 = 0;
- IaInnerOpt = Option + 8;
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 4);
+ T1 = 0;
+ T2 = 0;
+
+ IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+ IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
}
//
@@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo (
Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo (
return Status;
}
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,
+ the pointers are not modified
+**/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ IN UINT16 IaType,
+ IN UINT8 *Option,
+ IN UINT32 OptionLen,
+ OUT UINT8 **IaInnerOpt,
+ OUT UINT16 *IaInnerLen
+ )
+{
+ UINT16 IaInnerLenTmp;
+ UINT8 *IaInnerOptTmp;
+
+ if (Option == NULL) {
+ ASSERT (Option != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerOpt == NULL) {
+ ASSERT (IaInnerOpt != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaInnerLen == NULL) {
+ ASSERT (IaInnerLen != NULL);
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (IaType == Dhcp6OptIana) {
+ // Verify we have a fully formed IA_NA
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
+ } else if (IaType == Dhcp6OptIata) {
+ // Verify the OptionLen is valid.
+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+
+ // Verify the IaInnerLen is valid.
+ IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+ if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ IaInnerLenTmp -= DHCP6_SIZE_OF_IAID;
+ } else {
+ return EFI_DEVICE_ERROR;
+ }
+
+ *IaInnerOpt = IaInnerOptTmp;
+ *IaInnerLen = IaInnerLenTmp;
+
+ return EFI_SUCCESS;
+}
+
/**
Seek StatusCode Option in package. A Status Code option may appear in the
options field of a DHCP message and/or in the options field of another option.
@@ -684,6 +766,12 @@ Dhcp6SeekStsOption (
UINT8 *IaInnerOpt;
UINT16 IaInnerLen;
UINT16 StsCode;
+ UINT32 OptionLen;
+
+ // OptionLen is the length of the Options excluding the DHCP header.
+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
+ // byte of the Option[] field.
+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
//
// Seek StatusCode option directly in DHCP message body. That is, search in
@@ -691,12 +779,12 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ OptionLen,
Dhcp6OptStatusCode
);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -707,7 +795,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekIaOption (
Packet->Dhcp6.Option,
- Packet->Length - sizeof (EFI_DHCP6_HEADER),
+ OptionLen,
&Instance->Config->IaDescriptor
);
if (*Option == NULL) {
@@ -715,52 +803,35 @@ Dhcp6SeekStsOption (
}
//
- // The format of the IA_NA option is:
+ // Calculate the distance from Packet->Dhcp6.Option to the IA option.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_NA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T1 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | T2 |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_NA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
+ // the size of the whole packet, including the DHCP header, and Packet->Length
+ // is the length of the DHCP message body, excluding the DHCP header.
//
- // The format of the IA_TA option is:
+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
+ // DHCP6 option area to the start of the IA option.
//
- // 0 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | OPTION_IA_TA | option-len |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | IAID (4 octets) |
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // | |
- // . IA_TA-options .
- // . .
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
+ // IA option to the end of the DHCP6 option area, thus subtract the space
+ // up until this option
//
+ OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
//
- // sizeof (option-code + option-len + IaId) = 8
- // sizeof (option-code + option-len + IaId + T1) = 12
- // sizeof (option-code + option-len + IaId + T1 + T2) = 16
- //
- // The inner options still start with 2 bytes option-code and 2 bytes option-len.
+ // Seek the inner option
//
- if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
- IaInnerOpt = *Option + 16;
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 12);
- } else {
- IaInnerOpt = *Option + 8;
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 4);
+ if (EFI_ERROR (
+ Dhcp6SeekInnerOptionSafe (
+ Instance->Config->IaDescriptor.Type,
+ *Option,
+ OptionLen,
+ &IaInnerOpt,
+ &IaInnerLen
+ )
+ ))
+ {
+ return EFI_DEVICE_ERROR;
}
//
@@ -784,7 +855,7 @@ Dhcp6SeekStsOption (
//
*Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (*Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option)))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -1105,7 +1176,7 @@ Dhcp6SendRequestMsg (
//
Option = Dhcp6SeekOption (
Instance->AdSelect->Dhcp6.Option,
- Instance->AdSelect->Length - 4,
+ Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1289,7 +1360,7 @@ Dhcp6SendDeclineMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg (
//
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg (
Option = Dhcp6SeekOption (
LastReply->Dhcp6.Option,
- LastReply->Length - 4,
+ LastReply->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
if (Option == NULL) {
@@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2354,7 +2425,7 @@ Dhcp6HandleReplyMsg (
//
// Any error status code option is found.
//
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option)))));
switch (StsCode) {
case Dhcp6StsUnspecFail:
//
@@ -2487,7 +2558,7 @@ Dhcp6SelectAdvertiseMsg (
//
Option = Dhcp6SeekOption (
AdSelect->Dhcp6.Option,
- AdSelect->Length - 4,
+ AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerUnicast
);
@@ -2498,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg (
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (Instance->Unicast, Option + 4, sizeof (EFI_IPv6_ADDRESS));
+ CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS));
}
//
@@ -2551,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptRapidCommit
);
@@ -2645,7 +2716,7 @@ Dhcp6HandleAdvertiseMsg (
CopyMem (Instance->AdSelect, Packet, Packet->Size);
if (Option != NULL) {
- Instance->AdPref = *(Option + 4);
+ Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option));
}
} else {
//
@@ -2714,11 +2785,11 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptClientId
);
- if ((Option == NULL) || (CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0)) {
+ if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) {
goto ON_CONTINUE;
}
@@ -2727,7 +2798,7 @@ Dhcp6HandleStateful (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
Dhcp6OptServerId
);
@@ -2832,7 +2903,7 @@ Dhcp6HandleStateless (
//
Option = Dhcp6SeekOption (
Packet->Dhcp6.Option,
- Packet->Length - 4,
+ Packet->Length - sizeof (EFI_DHCP6_HEADER),
Dhcp6OptServerId
);
--
2.39.3

257
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch
View File

@ -1,257 +0,0 @@
From dcfd5b6e28536e5b28fb4c47ec57f8d106b6b181 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 15/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Related Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [15/18] e2fe2033c2f90145249d9416a539d5b2fc52596a
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit 1c440a5eceedc64e892877eeac0f1a4938f5abbb
Author: Doug Flick <dougflick@microsoft.com>
Date: Tue Feb 13 10:46:00 2024 -0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
This was not part of the Quarkslab bugs however the same pattern
as CVE-2023-45229 exists in Dhcp6UpdateIaInfo.
This patch replaces the code in question with the safe function
created to patch CVE-2023-45229
>
> if (EFI_ERROR (
> Dhcp6SeekInnerOptionSafe (
> Instance->Config->IaDescriptor.Type,
> Option,
> OptionLen,
> &IaInnerOpt,
> &IaInnerLen
> )
> ))
> {
> return EFI_DEVICE_ERROR;
> }
>
Additionally corrects incorrect usage of macro to read the status
> - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN
(Option)));
> + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)
DHCP6_OFFSET_OF_STATUS_CODE (Option));
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 70 ++++++++++++++++++++++++++---------
NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | 22 +++++++++++
2 files changed, 75 insertions(+), 17 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 3b8feb4a20..a9bffae353 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -528,13 +528,23 @@ Dhcp6UpdateIaInfo (
{
EFI_STATUS Status;
UINT8 *Option;
+ UINT32 OptionLen;
UINT8 *IaInnerOpt;
UINT16 IaInnerLen;
UINT16 StsCode;
UINT32 T1;
UINT32 T2;
+ T1 = 0;
+ T2 = 0;
+
ASSERT (Instance->Config != NULL);
+
+ // OptionLen is the length of the Options excluding the DHCP header.
+ // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
+ // byte of the Option[] field.
+ OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
+
//
// If the reply was received in response to a solicit with rapid commit option,
// request, renew or rebind message, the client updates the information it has
@@ -549,13 +559,29 @@ Dhcp6UpdateIaInfo (
//
Option = Dhcp6SeekIaOption (
Packet->Dhcp6.Option,
- Packet->Length - sizeof (EFI_DHCP6_HEADER),
+ OptionLen,
&Instance->Config->IaDescriptor
);
if (Option == NULL) {
return EFI_DEVICE_ERROR;
}
+ //
+ // Calculate the distance from Packet->Dhcp6.Option to the IA option.
+ //
+ // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
+ // the size of the whole packet, including the DHCP header, and Packet->Length
+ // is the length of the DHCP message body, excluding the DHCP header.
+ //
+ // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
+ // DHCP6 option area to the start of the IA option.
+ //
+ // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
+ // IA option to the end of the DHCP6 option area, thus subtract the space
+ // up until this option
+ //
+ OptionLen = OptionLen - (UINT32)(Option - Packet->Dhcp6.Option);
+
//
// The format of the IA_NA option is:
//
@@ -591,32 +617,32 @@ Dhcp6UpdateIaInfo (
//
//
- // sizeof (option-code + option-len + IaId) = 8
- // sizeof (option-code + option-len + IaId + T1) = 12
- // sizeof (option-code + option-len + IaId + T1 + T2) = 16
- //
- // The inner options still start with 2 bytes option-code and 2 bytes option-len.
+ // Seek the inner option
//
+ if (EFI_ERROR (
+ Dhcp6SeekInnerOptionSafe (
+ Instance->Config->IaDescriptor.Type,
+ Option,
+ OptionLen,
+ &IaInnerOpt,
+ &IaInnerLen
+ )
+ ))
+ {
+ return EFI_DEVICE_ERROR;
+ }
+
if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
//
// Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
// and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
- // the remainder of the message as though the server had not included the invalid IA_NA option.
+ // the remainder of the message as though the server had not included the invalid IA_NA option.
//
if ((T1 > T2) && (T2 > 0)) {
return EFI_DEVICE_ERROR;
}
-
- IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
- } else {
- T1 = 0;
- T2 = 0;
-
- IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
- IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
}
//
@@ -642,7 +668,7 @@ Dhcp6UpdateIaInfo (
Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
if (Option != NULL) {
- StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+ StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option))));
if (StsCode != Dhcp6StsSuccess) {
return EFI_DEVICE_ERROR;
}
@@ -703,15 +729,21 @@ Dhcp6SeekInnerOptionSafe (
}
if (IaType == Dhcp6OptIana) {
+ //
// Verify we have a fully formed IA_NA
+ //
if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
return EFI_DEVICE_ERROR;
}
+ //
+ // Get the IA Inner Option and Length
//
IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+ //
// Verify the IaInnerLen is valid.
+ //
IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
return EFI_DEVICE_ERROR;
@@ -719,14 +751,18 @@ Dhcp6SeekInnerOptionSafe (
IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
} else if (IaType == Dhcp6OptIata) {
+ //
// Verify the OptionLen is valid.
+ //
if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
return EFI_DEVICE_ERROR;
}
IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+ //
// Verify the IaInnerLen is valid.
+ //
IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
return EFI_DEVICE_ERROR;
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
index 051a652f2b..ab0e1ac27f 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
@@ -217,4 +217,26 @@ Dhcp6OnTimerTick (
IN VOID *Context
);
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,
+ the pointers are not modified
+**/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ IN UINT16 IaType,
+ IN UINT8 *Option,
+ IN UINT32 OptionLen,
+ OUT UINT8 **IaInnerOpt,
+ OUT UINT16 *IaInnerLen
+ );
+
#endif
--
2.39.3

565
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
View File

@ -1,565 +0,0 @@
From 76930459d2e3f82e10968ec8904e45c8bac77fd8 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 9 Feb 2024 17:57:07 -0500
Subject: [PATCH 05/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229
Unit Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [5/18] 7421b6f8d8e6bc3d8ea4aaf90f65608136b968b2
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:47 2024 +0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
These tests confirm that the report bug...
"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"
..has been patched.
The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:
Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption
TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 +-
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 1 +
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++-
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 +++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
5 files changed, 424 insertions(+), 3 deletions(-)
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 89d16484a5..3b8feb4a20 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -816,7 +816,7 @@ Dhcp6SeekStsOption (
// IA option to the end of the DHCP6 option area, thus subtract the space
// up until this option
//
- OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
+ OptionLen = OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option);
//
// Seek the inner option
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
index 8e9119a371..12532ed30c 100644
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
@@ -18,6 +18,7 @@
[Sources]
Dhcp6DxeGoogleTest.cpp
Dhcp6IoGoogleTest.cpp
+ Dhcp6IoGoogleTest.h
../Dhcp6Io.c
../Dhcp6Utility.c
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
index 7ee40e4af4..7db253a7b8 100644
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -13,6 +13,7 @@ extern "C" {
#include <Library/BaseMemoryLib.h>
#include "../Dhcp6Impl.h"
#include "../Dhcp6Utility.h"
+ #include "Dhcp6IoGoogleTest.h"
}
////////////////////////////////////////////////////////////////////////
@@ -21,7 +22,35 @@ extern "C" {
#define DHCP6_PACKET_MAX_LEN 1500
+// This definition is used by this test but is also required to compile
+// by Dhcp6Io.c
+#define DHCPV6_OPTION_IA_NA 3
+#define DHCPV6_OPTION_IA_TA 4
+
+#define SEARCH_PATTERN 0xDEADC0DE
+#define SEARCH_PATTERN_LEN sizeof(SEARCH_PATTERN)
+
////////////////////////////////////////////////////////////////////////
+// Test structures for IA_NA and IA_TA options
+////////////////////////////////////////////////////////////////////////
+typedef struct {
+ UINT16 Code;
+ UINT16 Len;
+ UINT32 IAID;
+} DHCPv6_OPTION;
+
+typedef struct {
+ DHCPv6_OPTION Header;
+ UINT32 T1;
+ UINT32 T2;
+ UINT8 InnerOptions[0];
+} DHCPv6_OPTION_IA_NA;
+
+typedef struct {
+ DHCPv6_OPTION Header;
+ UINT8 InnerOptions[0];
+} DHCPv6_OPTION_IA_TA;
+
////////////////////////////////////////////////////////////////////////
// Symbol Definitions
// These functions are not directly under test - but required to compile
@@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
Status = Dhcp6AppendETOption (
Dhcp6AppendETOptionTest::Packet,
&Cursor,
- &Instance, // Instance is not used in this function
+ &Instance, // Instance is not used in this function
&ElapsedTime
);
@@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
Status = Dhcp6AppendETOption (
Dhcp6AppendETOptionTest::Packet,
&Cursor,
- &Instance, // Instance is not used in this function
+ &Instance, // Instance is not used in this function
&ElapsedTime
);
@@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
// verify that the status is EFI_SUCCESS
ASSERT_EQ (Status, EFI_SUCCESS);
}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6SeekInnerOptionSafe Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IANA option is found.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) {
+ EFI_STATUS Result;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIana;
+ OptionPtr->Header.Len = HTONS (4 + 12); // Valid length has to be more than 12
+ OptionPtr->Header.IAID = 0x12345678;
+ OptionPtr->T1 = 0x11111111;
+ OptionPtr->T2 = 0x22222222;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Result = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Result, EFI_SUCCESS);
+ ASSERT_EQ (InnerOptionLength, 4);
+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERROR when the IANA option size is invalid.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_NA *OptionPtr = (DHCPv6_OPTION_IA_NA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIana;
+ OptionPtr->Header.Len = HTONS (4); // Set the length to lower than expected (12)
+ OptionPtr->Header.IAID = 0x12345678;
+ OptionPtr->T1 = 0x11111111;
+ OptionPtr->T2 = 0x22222222;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ // Set the InnerOptionLength to be less than the size of the option
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+
+ // Now set the OptionLength to be less than the size of the option
+ OptionLength = sizeof (DHCPv6_OPTION_IA_NA) - 1;
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIana,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option is found
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIata;
+ OptionPtr->Header.Len = HTONS (4 + 4); // Valid length has to be more than 4
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+ ASSERT_EQ (InnerOptionLength, 4);
+ ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
+TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Status;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = Dhcp6OptIata;
+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4)
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+
+ // Now lets try modifying the OptionLength to be less than the size of the option
+ OptionLength = sizeof (DHCPv6_OPTION_IA_TA) - 1;
+ Status = Dhcp6SeekInnerOptionSafe (
+ Dhcp6OptIata,
+ Option,
+ OptionLength,
+ &InnerOptionPtr,
+ &InnerOptionLength
+ );
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that any other Option Type fails
+TEST_F (Dhcp6SeekInnerOptionSafeTest, InvalidOption) {
+ // Lets add an inner option of bytes we expect to find
+ EFI_STATUS Result;
+ UINT8 Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
+ UINT32 OptionLength = sizeof (Option);
+ DHCPv6_OPTION_IA_TA *OptionPtr = (DHCPv6_OPTION_IA_TA *)Option;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+
+ UINTN SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT8 *InnerOptionPtr = NULL;
+ UINT16 InnerOptionLength = 0;
+
+ OptionPtr->Header.Code = 0xC0DE;
+ OptionPtr->Header.Len = HTONS (2); // Set the length to lower than expected (4)
+ OptionPtr->Header.IAID = 0x12345678;
+ CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
+
+ Result = Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &InnerOptionPtr, &InnerOptionLength);
+ ASSERT_EQ (Result, EFI_DEVICE_ERROR);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6SeekStsOption Tests
+////////////////////////////////////////////////////////////////////////
+
+#define PACKET_SIZE (1500)
+
+class Dhcp6SeekStsOptionTest : public ::testing::Test {
+public:
+ DHCP6_INSTANCE Instance = { 0 };
+ EFI_DHCP6_PACKET *Packet = NULL;
+ EFI_DHCP6_CONFIG_DATA Config = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Allocate a packet
+ Packet = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+ ASSERT_NE (Packet, nullptr);
+
+ // Initialize the packet
+ Packet->Size = PACKET_SIZE;
+
+ Instance.Config = &Config;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ FreePool (Packet);
+ }
+};
+
+// Test Description:
+// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR when the option is invalid
+// This verifies that the calling function is working as expected
+TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) {
+ EFI_STATUS Status;
+ UINT8 *Option = NULL;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN;
+ UINT16 *Len = NULL;
+ EFI_DHCP6_IA Ia = { 0 };
+
+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_TA;
+ Ia.IaAddressCount = 1;
+ Ia.IaAddress[0].PreferredLifetime = 0xDEADBEEF;
+ Ia.IaAddress[0].ValidLifetime = 0xDEADAAAA;
+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+
+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
+
+ // Let's append the option to the packet
+ Status = Dhcp6AppendOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ Dhcp6OptStatusCode,
+ SearchPatternLength,
+ (UINT8 *)&SearchPattern
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // Inner option length - this will be overwritten later
+ Len = (UINT16 *)(Option + 2);
+
+ // Fill in the inner IA option
+ Status = Dhcp6AppendIaOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ &Ia,
+ 0x12345678,
+ 0x11111111,
+ 0x22222222
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // overwrite the len of inner Ia option
+ *Len = HTONS (3);
+
+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_TA;
+
+ Option = NULL;
+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
+
+ ASSERT_EQ (Status, EFI_DEVICE_ERROR);
+}
+
+// Test Description:
+// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
+TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) {
+ EFI_STATUS Status = EFI_NOT_FOUND;
+ UINT8 *Option = NULL;
+ UINT32 SearchPattern = SEARCH_PATTERN;
+ UINT16 SearchPatternLength = SEARCH_PATTERN_LEN;
+ EFI_DHCP6_IA Ia = { 0 };
+
+ Ia.Descriptor.Type = DHCPV6_OPTION_IA_NA;
+ Ia.IaAddressCount = 1;
+ Ia.IaAddress[0].PreferredLifetime = 0x11111111;
+ Ia.IaAddress[0].ValidLifetime = 0x22222222;
+ Ia.IaAddress[0].IpAddress = mAllDhcpRelayAndServersAddress;
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+
+ Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ Dhcp6OptStatusCode,
+ SearchPatternLength,
+ (UINT8 *)&SearchPattern
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6SeekStsOptionTest::Packet,
+ &Option,
+ &Ia,
+ 0x12345678,
+ 0x11111111,
+ 0x22222222
+ );
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_NA;
+
+ Option = NULL;
+ Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
+
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
new file mode 100644
index 0000000000..aed3b89082
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
@@ -0,0 +1,58 @@
+/** @file
+ Acts as header for private functions under test in Dhcp6Io.c
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef DHCP6_IO_GOOGLE_TEST_H_
+#define DHCP6_IO_GOOGLE_TEST_H_
+
+////////////////////////////////////////////////////////////////////////////////
+// These are the functions that are being unit tested
+////////////////////////////////////////////////////////////////////////////////
+
+#include <Uefi.h>
+
+/**
+ Seeks the Inner Options from a DHCP6 Option
+
+ @param[in] IaType The type of the IA option.
+ @param[in] Option The pointer to the DHCP6 Option.
+ @param[in] OptionLen The length of the DHCP6 Option.
+ @param[out] IaInnerOpt The pointer to the IA inner option.
+ @param[out] IaInnerLen The length of the IA inner option.
+
+ @retval EFI_SUCCESS Seek the inner option successfully.
+ @retval EFI_DEVICE_ERROR The OptionLen is invalid.
+*/
+EFI_STATUS
+Dhcp6SeekInnerOptionSafe (
+ UINT16 IaType,
+ UINT8 *Option,
+ UINT32 OptionLen,
+ UINT8 **IaInnerOpt,
+ UINT16 *IaInnerLen
+ );
+
+/**
+ Seek StatusCode Option in package. A Status Code option may appear in the
+ options field of a DHCP message and/or in the options field of another option.
+ See details in section 22.13, RFC3315.
+
+ @param[in] Instance The pointer to the Dhcp6 instance.
+ @param[in] Packet The pointer to reply messages.
+ @param[out] Option The pointer to status code option.
+
+ @retval EFI_SUCCESS Seek status code option successfully.
+ @retval EFI_DEVICE_ERROR An unexpected error.
+
+**/
+EFI_STATUS
+Dhcp6SeekStsOption (
+ IN DHCP6_INSTANCE *Instance,
+ IN EFI_DHCP6_PACKET *Packet,
+ OUT UINT8 **Option
+ );
+
+#endif // DHCP6_IO_GOOGLE_TEST_H
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 20bc90b172..24dee654df 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -16,6 +16,7 @@
SKUID_IDENTIFIER = DEFAULT
!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
+
[Packages]
MdePkg/MdePkg.dec
UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
--
2.39.3

1631
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
View File

File diff suppressed because it is too large Load Diff

630
edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
View File

@ -1,630 +0,0 @@
From c4b0517aaa38857640b4b08b55803ae8a833c1e7 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 8 Feb 2024 10:35:14 -0500
Subject: [PATCH 03/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230
Unit Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [3/18] 0fe85bcd3683b2424bcd91ad1495d1b79eb07405
JIRA: https://issues.redhat.com/browse/RHEL-21843
CVE: CVE-2023-45230
Upstream: Merged
commit 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Date: Fri Jan 26 05:54:45 2024 +0800
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Confirms that reported issue...
"Buffer overflow in the DHCPv6 client via a long Server ID option"
..has been corrected by the provided patch.
Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:
Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 +
.../GoogleTest/Dhcp6DxeGoogleTest.inf | 43 ++
.../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
4 files changed, 542 insertions(+)
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
new file mode 100644
index 0000000000..9aeced2f91
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
@@ -0,0 +1,20 @@
+/** @file
+ Acts as the main entry point for the tests for the Dhcp6Dxe module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
new file mode 100644
index 0000000000..8e9119a371
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
@@ -0,0 +1,43 @@
+## @file
+# Unit test suite for the Dhcp6Dxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = Dhcp6DxeGoogleTest
+ FILE_GUID = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9
+ VERSION_STRING = 1.0
+ MODULE_TYPE = HOST_APPLICATION
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ Dhcp6DxeGoogleTest.cpp
+ Dhcp6IoGoogleTest.cpp
+ ../Dhcp6Io.c
+ ../Dhcp6Utility.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
new file mode 100644
index 0000000000..7ee40e4af4
--- /dev/null
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -0,0 +1,478 @@
+/** @file
+ Tests for Dhcp6Io.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include "../Dhcp6Impl.h"
+ #include "../Dhcp6Utility.h"
+}
+
+////////////////////////////////////////////////////////////////////////
+// Defines
+////////////////////////////////////////////////////////////////////////
+
+#define DHCP6_PACKET_MAX_LEN 1500
+
+////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////
+// Symbol Definitions
+// These functions are not directly under test - but required to compile
+////////////////////////////////////////////////////////////////////////
+
+// This definition is used by this test but is also required to compile
+// by Dhcp6Io.c
+EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress = {
+ { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 }
+};
+
+EFI_STATUS
+EFIAPI
+UdpIoSendDatagram (
+ IN UDP_IO *UdpIo,
+ IN NET_BUF *Packet,
+ IN UDP_END_POINT *EndPoint OPTIONAL,
+ IN EFI_IP_ADDRESS *Gateway OPTIONAL,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+EFIAPI
+UdpIoRecvDatagram (
+ IN UDP_IO *UdpIo,
+ IN UDP_IO_CALLBACK CallBack,
+ IN VOID *Context,
+ IN UINT32 HeadLen
+ )
+{
+ return EFI_SUCCESS;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendOptionTest Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (0xFFFF);
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_DHCP6_DUID *UntrustedDuid;
+ EFI_STATUS Status;
+ UINTN OriginalLength;
+
+ UINT8 Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
+
+ UntrustedDuid->Length = NTOHS (sizeof (Duid));
+ CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid));
+
+ Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendOption (
+ Dhcp6AppendOptionTest::Packet,
+ &Cursor,
+ HTONS (Dhcp6OptServerId),
+ UntrustedDuid->Length,
+ UntrustedDuid->Duid
+ );
+
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendETOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendETOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that is too small by a duid that is too large
+TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+
+ Packet->Length = Packet->Size - 2;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that is large enough
+TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ DHCP6_INSTANCE Instance;
+ UINT16 ElapsedTimeVal;
+ UINT16 *ElapsedTime;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ Cursor = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
+ ElapsedTime = &ElapsedTimeVal;
+ ExpectedSize = 6;
+ OriginalLength = Packet->Length;
+
+ Status = Dhcp6AppendETOption (
+ Dhcp6AppendETOptionTest::Packet,
+ &Cursor,
+ &Instance, // Instance is not used in this function
+ &ElapsedTime
+ );
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+}
+
+////////////////////////////////////////////////////////////////////////
+// Dhcp6AppendIaOption Tests
+////////////////////////////////////////////////////////////////////////
+
+class Dhcp6AppendIaOptionTest : public ::testing::Test {
+public:
+ UINT8 *Buffer = NULL;
+ EFI_DHCP6_PACKET *Packet;
+ EFI_DHCP6_IA *Ia;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
+ ASSERT_NE (Buffer, (UINT8 *)NULL);
+
+ Packet = (EFI_DHCP6_PACKET *)Buffer;
+ Packet->Size = DHCP6_PACKET_MAX_LEN;
+
+ Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2);
+ ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL);
+
+ CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+ CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
+
+ Ia->IaAddressCount = 2;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+
+ if (Ia != NULL) {
+ FreePool (Ia);
+ }
+ }
+};
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x11111111,
+ Dhcp6OptIana
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+// Test Description:
+// Attempt to append an option to a packet that doesn't have enough space
+// for the option header
+TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+
+ // Use up nearly all the space in the packet
+ Packet->Length = Packet->Size - 2;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that we error out because the packet is too small for the option header
+ ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
+
+ // reset the length
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T1
+ //
+ ExpectedSize += 4;
+ //
+ // + 4 bytes for the T2
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIana;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0x12345678,
+ 0x12345678,
+ Dhcp6OptIana
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
+
+TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
+ UINT8 *Cursor;
+ EFI_STATUS Status;
+ UINTN ExpectedSize;
+ UINTN OriginalLength;
+
+ //
+ // 2 bytes for the option header type
+ //
+ ExpectedSize = 2;
+ //
+ // 2 bytes for the option header length
+ //
+ ExpectedSize += 2;
+ //
+ // 4 bytes for the IAID
+ //
+ ExpectedSize += 4;
+ //
+ // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+ // + 2 bytes for the option header type
+ // + 2 bytes for the option header length
+ // + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
+ //
+ ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
+
+ Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
+
+ Packet->Length = sizeof (EFI_DHCP6_HEADER);
+ OriginalLength = Packet->Length;
+
+ Ia->Descriptor.Type = Dhcp6OptIata;
+ Ia->Descriptor.IaId = 0x12345678;
+
+ Status = Dhcp6AppendIaOption (
+ Dhcp6AppendIaOptionTest::Packet,
+ &Cursor,
+ Ia,
+ 0,
+ 0,
+ Dhcp6OptIata
+ );
+
+ // verify that the pointer to cursor moved by the expected amount
+ ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
+
+ // verify that the length of the packet is now the expected amount
+ ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
+
+ // verify that the status is EFI_SUCCESS
+ ASSERT_EQ (Status, EFI_SUCCESS);
+}
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 1aeca5c5b3..20bc90b172 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -24,6 +24,7 @@
#
# Build HOST_APPLICATION that tests NetworkPkg
#
+ NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
--
2.39.3

78
edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
View File

@ -1,78 +0,0 @@
From d51f47c8654f44a787d70b675830ebc7a4ea74f6 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 15 Feb 2024 11:51:09 -0500
Subject: [PATCH 06/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [6/18] 58ad218f1216ac1ea34ca01ef8cc21e207e2eaf2
JIRA: https://issues.redhat.com/browse/RHEL-21845
CVE: CVE-2022-45231
Upstream: Merged
commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:48 2024 +0800
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated
options
Change Overview:
Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 199eea124d..8718d5d875 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
return FALSE;
}
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
+
Offset = 0;
//
--
2.39.3

277
edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
View File

@ -1,277 +0,0 @@
From a5757e84bd77ad98580c50ba81da2d1daf0f147a Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 14 Feb 2024 12:24:44 -0500
Subject: [PATCH 07/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit
Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [7/18] 57d08b408b30ea98de1e5dfd74f8892b66c0867c
JIRA: https://issues.redhat.com/browse/RHEL-21845
CVE: CVE-2022-45231
Upstream: Merged
commit 6f77463d72807ec7f4ed6518c3dac29a1040df9f
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:49 2024 +0800
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Validates that the patch for...
Out-of-bounds read when handling a ND Redirect message with truncated
options
.. has been fixed
Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp | 20 +++
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 42 ++++++
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
4 files changed, 192 insertions(+)
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
new file mode 100644
index 0000000000..6ebfd5fdfb
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
@@ -0,0 +1,20 @@
+/** @file
+ Acts as the main entry point for the tests for the Ip6Dxe module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
new file mode 100644
index 0000000000..6e4de0745f
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
@@ -0,0 +1,42 @@
+## @file
+# Unit test suite for the Ip6Dxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = Ip6DxeUnitTest
+ FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
+ VERSION_STRING = 1.0
+ MODULE_TYPE = HOST_APPLICATION
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ Ip6DxeGoogleTest.cpp
+ Ip6OptionGoogleTest.cpp
+ ../Ip6Option.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
new file mode 100644
index 0000000000..f2cd90e1a9
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
@@ -0,0 +1,129 @@
+/** @file
+ Tests for Ip6Option.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include "../Ip6Impl.h"
+ #include "../Ip6Option.h"
+}
+
+/////////////////////////////////////////////////////////////////////////
+// Defines
+///////////////////////////////////////////////////////////////////////
+
+#define IP6_PREFIX_INFO_OPTION_DATA_LEN 32
+#define OPTION_HEADER_IP6_PREFIX_DATA_LEN (sizeof (IP6_OPTION_HEADER) + IP6_PREFIX_INFO_OPTION_DATA_LEN)
+
+////////////////////////////////////////////////////////////////////////
+// Symbol Definitions
+// These functions are not directly under test - but required to compile
+////////////////////////////////////////////////////////////////////////
+UINT32 mIp6Id;
+
+EFI_STATUS
+Ip6SendIcmpError (
+ IN IP6_SERVICE *IpSb,
+ IN NET_BUF *Packet,
+ IN EFI_IPv6_ADDRESS *SourceAddress OPTIONAL,
+ IN EFI_IPv6_ADDRESS *DestinationAddress,
+ IN UINT8 Type,
+ IN UINT8 Code,
+ IN UINT32 *Pointer OPTIONAL
+ )
+{
+ // ..
+ return EFI_SUCCESS;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Ip6OptionValidation Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Ip6OptionValidationTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description:
+// Null option should return false
+TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) {
+ UINT8 *option = nullptr;
+ UINT16 optionLen = 10; // Provide a suitable length
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Truncated option should return false
+TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) {
+ UINT8 option[] = { 0x01 }; // Provide a truncated option
+ UINT16 optionLen = 1;
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with zero length should return false
+TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 0;
+ UINT8 option[sizeof (IP6_OPTION_HEADER)];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER);
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with valid length should return true
+TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 4; // Length 4 * 8 = 32
+ UINT8 option[OPTION_HEADER_IP6_PREFIX_DATA_LEN];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+
+ EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN));
+}
+
+// Test Description:
+// Ip6OptionPrefixInfo Option with invalid length should return false
+TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse) {
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPrefixInfo;
+ optionHeader.Length = 3; // Length 3 * 8 = 24 (Invalid)
+ UINT8 option[sizeof (IP6_OPTION_HEADER)];
+
+ CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
+ UINT16 optionLen = sizeof (IP6_OPTION_HEADER);
+
+ EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+}
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 24dee654df..7fa7b0f9d5 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -26,6 +26,7 @@
# Build HOST_APPLICATION that tests NetworkPkg
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+ NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
--
2.39.3

377
edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
View File

@ -1,377 +0,0 @@
From ff4f1d8227c6c4c89060e24df37defec6d7a07e2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 15 Feb 2024 11:51:09 -0500
Subject: [PATCH 08/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [8/18] c7bf831954da5b678450f1ba8e34371645959c81
JIRA: https://issues.redhat.com/browse/RHEL-21847
CVE: CVE-2022-45232
Upstream: Merged
JIRA: https://issues.redhat.com/browse/RHEL-21849
CVE: CVE-2022-45233
Upstream: Merged
commit 4df0229ef992d4f2721a8508787ebf9dc81fbd6e
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:50 2024 +0800
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing unknown options in the Destination Options
header
PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing a PadN option in the Destination Options
header
Change Overview:
Most importantly this change corrects the following incorrect math
and cleans up the code.
> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16
> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
Additionally this check adds additional logic to santize the incoming
data
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Ip6Dxe/Ip6Nd.h | 35 ++++++++++++++++
NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++++++++++++++++++++++++++++++-----
NetworkPkg/Ip6Dxe/Ip6Option.h | 71 ++++++++++++++++++++++++++++++++
3 files changed, 171 insertions(+), 11 deletions(-)
diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
index 860934a167..bf64e9114e 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
@@ -56,13 +56,48 @@ VOID
VOID *Context
);
+//
+// Per RFC8200 Section 4.2
+//
+// Two of the currently-defined extension headers -- the Hop-by-Hop
+// Options header and the Destination Options header -- carry a variable
+// number of type-length-value (TLV) encoded "options", of the following
+// format:
+//
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+// | Option Type | Opt Data Len | Option Data
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+//
+// Option Type 8-bit identifier of the type of option.
+//
+// Opt Data Len 8-bit unsigned integer. Length of the Option
+// Data field of this option, in octets.
+//
+// Option Data Variable-length field. Option-Type-specific
+// data.
+//
typedef struct _IP6_OPTION_HEADER {
+ ///
+ /// identifier of the type of option.
+ ///
UINT8 Type;
+ ///
+ /// Length of the Option Data field of this option, in octets.
+ ///
UINT8 Length;
+ ///
+ /// Option-Type-specific data.
+ ///
} IP6_OPTION_HEADER;
STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long.");
+#define IP6_NEXT_OPTION_OFFSET(offset, length) (offset + sizeof(IP6_OPTION_HEADER) + length)
+STATIC_ASSERT (
+ IP6_NEXT_OPTION_OFFSET (0, 0) == 2,
+ "The next option is minimally the combined size of the option tag and length"
+ );
+
typedef struct _IP6_ETHE_ADDR_OPTION {
UINT8 Type;
UINT8 Length;
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 8718d5d875..fd97ce116f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -17,7 +17,8 @@
@param[in] IpSb The IP6 service data.
@param[in] Packet The to be validated packet.
@param[in] Option The first byte of the option.
- @param[in] OptionLen The length of the whole option.
+ @param[in] OptionLen The length of all options, expressed in byte length of octets.
+ Maximum length is 2046 bytes or ((n + 1) * 8) - 2 where n is 255.
@param[in] Pointer Identifies the octet offset within
the invoking packet where the error was detected.
@@ -31,12 +32,33 @@ Ip6IsOptionValid (
IN IP6_SERVICE *IpSb,
IN NET_BUF *Packet,
IN UINT8 *Option,
- IN UINT8 OptionLen,
+ IN UINT16 OptionLen,
IN UINT32 Pointer
)
{
- UINT8 Offset;
- UINT8 OptionType;
+ UINT16 Offset;
+ UINT8 OptionType;
+ UINT8 OptDataLen;
+
+ if (Option == NULL) {
+ ASSERT (Option != NULL);
+ return FALSE;
+ }
+
+ if ((OptionLen <= 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) {
+ ASSERT (OptionLen > 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH);
+ return FALSE;
+ }
+
+ if (Packet == NULL) {
+ ASSERT (Packet != NULL);
+ return FALSE;
+ }
+
+ if (IpSb == NULL) {
+ ASSERT (IpSb != NULL);
+ return FALSE;
+ }
Offset = 0;
@@ -54,7 +76,8 @@ Ip6IsOptionValid (
//
// It is a PadN option
//
- Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
break;
case Ip6OptionRouterAlert:
//
@@ -69,7 +92,8 @@ Ip6IsOptionValid (
//
switch (OptionType & Ip6OptionMask) {
case Ip6OptionSkip:
- Offset = (UINT8)(Offset + *(Option + Offset + 1));
+ OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
+ Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
break;
case Ip6OptionDiscard:
return FALSE;
@@ -308,7 +332,7 @@ Ip6IsExtsValid (
UINT32 Pointer;
UINT32 Offset;
UINT8 *Option;
- UINT8 OptionLen;
+ UINT16 OptionLen;
BOOLEAN Flag;
UINT8 CountD;
UINT8 CountA;
@@ -385,6 +409,36 @@ Ip6IsExtsValid (
// Fall through
//
case IP6_DESTINATION:
+ //
+ // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23
+ //
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ // | Next Header | Hdr Ext Len | |
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+ // | |
+ // . .
+ // . Options .
+ // . .
+ // | |
+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ //
+ //
+ // Next Header 8-bit selector. Identifies the type of header
+ // immediately following the Destination Options
+ // header. Uses the same values as the IPv4
+ // Protocol field [RFC-1700 et seq.].
+ //
+ // Hdr Ext Len 8-bit unsigned integer. Length of the
+ // Destination Options header in 8-octet units, not
+ // including the first 8 octets.
+ //
+ // Options Variable-length field, of length such that the
+ // complete Destination Options header is an
+ // integer multiple of 8 octets long. Contains one
+ // or more TLV-encoded options, as described in
+ // section 4.2.
+ //
+
if (*NextHeader == IP6_DESTINATION) {
CountD++;
}
@@ -398,7 +452,7 @@ Ip6IsExtsValid (
Offset++;
Option = ExtHdrs + Offset;
- OptionLen = (UINT8)((*Option + 1) * 8 - 2);
+ OptionLen = IP6_HDR_EXT_LEN (*Option) - sizeof (IP6_EXT_HDR);
Option++;
Offset++;
@@ -430,7 +484,7 @@ Ip6IsExtsValid (
//
// Ignore the routing header and proceed to process the next header.
//
- Offset = Offset + (RoutingHead->HeaderLen + 1) * 8;
+ Offset = Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen);
if (UnFragmentLen != NULL) {
*UnFragmentLen = Offset;
@@ -441,7 +495,7 @@ Ip6IsExtsValid (
// to the packet's source address, pointing to the unrecognized routing
// type.
//
- Pointer = Offset + 2 + sizeof (EFI_IP6_HEADER);
+ Pointer = Offset + sizeof (IP6_EXT_HDR) + sizeof (EFI_IP6_HEADER);
if ((IpSb != NULL) && (Packet != NULL) &&
!IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress))
{
@@ -527,7 +581,7 @@ Ip6IsExtsValid (
//
// RFC2402, Payload length is specified in 32-bit words, minus "2".
//
- OptionLen = (UINT8)((*Option + 2) * 4);
+ OptionLen = ((UINT16)(*Option + 2) * 4);
Offset = Offset + OptionLen;
break;
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h
index bd8e223c8a..fb07c28f5a 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.h
@@ -12,6 +12,77 @@
#define IP6_FRAGMENT_OFFSET_MASK (~0x3)
+//
+// For more information see RFC 8200, Section 4.3, 4.4, and 4.6
+//
+// This example format is from section 4.6
+// This does not apply to fragment headers
+//
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | Next Header | Hdr Ext Len | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+// | |
+// . .
+// . Header-Specific Data .
+// . .
+// | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+// Next Header 8-bit selector. Identifies the type of
+// header immediately following the extension
+// header. Uses the same values as the IPv4
+// Protocol field [IANA-PN].
+//
+// Hdr Ext Len 8-bit unsigned integer. Length of the
+// Destination Options header in 8-octet units,
+// not including the first 8 octets.
+
+//
+// These defines apply to the following:
+// 1. Hop by Hop
+// 2. Routing
+// 3. Destination
+//
+typedef struct _IP6_EXT_HDR {
+ ///
+ /// The Next Header field identifies the type of header immediately
+ ///
+ UINT8 NextHeader;
+ ///
+ /// The Hdr Ext Len field specifies the length of the Hop-by-Hop Options
+ ///
+ UINT8 HdrExtLen;
+ ///
+ /// Header-Specific Data
+ ///
+} IP6_EXT_HDR;
+
+STATIC_ASSERT (
+ sizeof (IP6_EXT_HDR) == 2,
+ "The combined size of Next Header and Len is two 8 bit fields"
+ );
+
+//
+// IPv6 extension headers contain an 8-bit length field which describes the size of
+// the header. However, the length field only includes the size of the extension
+// header options, not the size of the first 8 bytes of the header. Therefore, in
+// order to calculate the full size of the extension header, we add 1 (to account
+// for the first 8 bytes omitted by the length field reporting) and then multiply
+// by 8 (since the size is represented in 8-byte units).
+//
+// a is the length field of the extension header (UINT8)
+// The result may be up to 2046 octets (UINT16)
+//
+#define IP6_HDR_EXT_LEN(a) (((UINT16)((UINT8)(a)) + 1) * 8)
+
+// This is the maxmimum length permissible by a extension header
+// Length is UINT8 of 8 octets not including the first 8 octets
+#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - sizeof(IP6_EXT_HDR))
+STATIC_ASSERT (
+ IP6_MAX_EXT_DATA_LENGTH == 2046,
+ "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2"
+ );
+
typedef struct _IP6_FRAGMENT_HEADER {
UINT8 NextHeader;
UINT8 Reserved;
--
2.39.3

430
edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
View File

@ -1,430 +0,0 @@
From dab03ad5334af1c93797119f2eeda6ce757461f8 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 14 Feb 2024 20:25:29 -0500
Subject: [PATCH 09/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit
Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [9/18] f68829a7f34f5a09a02d28cc5cfd109f90c442da
JIRA: https://issues.redhat.com/browse/RHEL-21847
CVE: CVE-2022-45232
Upstream: Merged
commit c9c87f08dd6ace36fa843424522c3558a8374cac
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:51 2024 +0800
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
Unit tests to confirm that..
Infinite loop when parsing unknown options in the Destination Options
header
and
Infinite loop when parsing a PadN option in the Destination Options
header
... have been patched
This patch tests the following functions:
Ip6IsOptionValid
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 10 +-
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 278 ++++++++++++++++++
.../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h | 40 +++
3 files changed, 324 insertions(+), 4 deletions(-)
create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
index 6e4de0745f..ba29dbabad 100644
--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
@@ -1,13 +1,13 @@
## @file
-# Unit test suite for the Ip6Dxe using Google Test
+# Unit test suite for the Ip6DxeGoogleTest using Google Test
#
# Copyright (c) Microsoft Corporation.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
[Defines]
INF_VERSION = 0x00010017
- BASE_NAME = Ip6DxeUnitTest
- FILE_GUID = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
+ BASE_NAME = Ip6DxeGoogleTest
+ FILE_GUID = AE39981C-B7FE-41A8-A9C2-F41910477CA3
VERSION_STRING = 1.0
MODULE_TYPE = HOST_APPLICATION
#
@@ -16,9 +16,11 @@
# VALID_ARCHITECTURES = IA32 X64 AARCH64
#
[Sources]
+ ../Ip6Option.c
+ Ip6OptionGoogleTest.h
Ip6DxeGoogleTest.cpp
Ip6OptionGoogleTest.cpp
- ../Ip6Option.c
+ Ip6OptionGoogleTest.h
[Packages]
MdePkg/MdePkg.dec
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
index f2cd90e1a9..29f8a4a96e 100644
--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
@@ -12,6 +12,7 @@ extern "C" {
#include <Library/DebugLib.h>
#include "../Ip6Impl.h"
#include "../Ip6Option.h"
+ #include "Ip6OptionGoogleTest.h"
}
/////////////////////////////////////////////////////////////////////////
@@ -127,3 +128,280 @@ TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse)
EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
}
+
+////////////////////////////////////////////////////////////////////////
+// Ip6IsOptionValid Tests
+////////////////////////////////////////////////////////////////////////
+
+// Define a fixture for your tests if needed
+class Ip6IsOptionValidTest : public ::testing::Test {
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ // Initialize any resources or variables
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description
+// Verify that a NULL option is Invalid
+TEST_F (Ip6IsOptionValidTest, NullOptionShouldReturnTrue) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ IP6_SERVICE *IpSb = NULL;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ EXPECT_FALSE (Ip6IsOptionValid (IpSb, &Packet, NULL, 0, 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 0 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength0) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 0; // This will cause an infinite loop if the function is not working correctly
+
+ // This should be a valid option even though the length is 0
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 1 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength1) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 1; // This will cause an infinite loop if the function is not working correctly
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that an unknown option with a length of 2 and type of <unknown> does not cause an infinite loop
+TEST_F (Ip6IsOptionValidTest, VerifyIpSkipUnknownOption) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 2; // Valid length for an unknown option
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that Ip6OptionPad1 is valid with a length of 0
+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPad1) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPad1;
+ optionHeader.Length = 0;
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that Ip6OptionPadN doesn't overflow with various lengths
+TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPadN) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = Ip6OptionPadN;
+ optionHeader.Length = 0xFF;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFE;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFD;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFC;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify an unknown option doesn't cause an infinite loop with various lengths
+TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLengthAttemptOverflow) {
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ IP6_OPTION_HEADER optionHeader;
+
+ optionHeader.Type = 23; // Unknown Option
+ optionHeader.Length = 0xFF;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFE;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFD;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+
+ optionHeader.Length = 0xFC;
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
+}
+
+// Test Description
+// Verify that the function supports multiple options
+TEST_F (Ip6IsOptionValidTest, MultiOptionSupport) {
+ UINT16 HdrLen;
+ NET_BUF Packet = { 0 };
+ // we need to define enough of the packet to make the function work
+ // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
+ UINT32 DeadCode = 0xDeadC0de;
+ // Don't actually use this pointer, just pass it to the function, nothing will be done with it
+ IP6_SERVICE *IpSb = (IP6_SERVICE *)&DeadCode;
+
+ EFI_IPv6_ADDRESS SourceAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IPv6_ADDRESS DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
+ EFI_IP6_HEADER Ip6Header = { 0 };
+
+ Ip6Header.SourceAddress = SourceAddress;
+ Ip6Header.DestinationAddress = DestinationAddress;
+ Packet.Ip.Ip6 = &Ip6Header;
+
+ UINT8 ExtHdr[1024] = { 0 };
+ UINT8 *Cursor = ExtHdr;
+ IP6_OPTION_HEADER *Option = (IP6_OPTION_HEADER *)ExtHdr;
+
+ // Let's start chaining options
+
+ Option->Type = 23; // Unknown Option
+ Option->Length = 0xFC;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionPad1;
+
+ Cursor += sizeof (1);
+
+ // Type and length aren't processed, instead it just moves the pointer forward by 4 bytes
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionRouterAlert;
+ Option->Length = 4;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionPadN;
+ Option->Length = 0xFC;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
+
+ Option = (IP6_OPTION_HEADER *)Cursor;
+ Option->Type = Ip6OptionRouterAlert;
+ Option->Length = 4;
+
+ Cursor += sizeof (IP6_OPTION_HEADER) + 4;
+
+ // Total 524
+
+ HdrLen = (UINT16)(Cursor - ExtHdr);
+
+ EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, ExtHdr, HdrLen, 0));
+}
diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
new file mode 100644
index 0000000000..0509b6ae30
--- /dev/null
+++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
@@ -0,0 +1,40 @@
+/** @file
+ Exposes the functions needed to test the Ip6Option module.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef IP6_OPTION_HEADER_GOOGLE_TEST_H_
+#define IP6_OPTION_HEADER_GOOGLE_TEST_H_
+
+#include <Uefi.h>
+#include "../Ip6Impl.h"
+
+/**
+ Validate the IP6 option format for both the packets we received
+ and that we will transmit. It will compute the ICMPv6 error message fields
+ if the option is malformatted.
+
+ @param[in] IpSb The IP6 service data.
+ @param[in] Packet The to be validated packet.
+ @param[in] Option The first byte of the option.
+ @param[in] OptionLen The length of the whole option.
+ @param[in] Pointer Identifies the octet offset within
+ the invoking packet where the error was detected.
+
+
+ @retval TRUE The option is properly formatted.
+ @retval FALSE The option is malformatted.
+
+**/
+BOOLEAN
+Ip6IsOptionValid (
+ IN IP6_SERVICE *IpSb,
+ IN NET_BUF *Packet,
+ IN UINT8 *Option,
+ IN UINT16 OptionLen,
+ IN UINT32 Pointer
+ );
+
+#endif // __IP6_OPTION_HEADER_GOOGLE_TEST_H__
--
2.39.3

168
edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
View File

@ -1,168 +0,0 @@
From 1afdf854f67fbaeea47f15efa0c34c0f1fe6a504 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 10/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234
Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [10/18] c7527c63ebe3afb55a2ef78103c1a57de26c36b7
JIRA: https://issues.redhat.com/browse/RHEL-21851
CVE: CVE-2022-45234
Upstream: Merged
commit 1b53515d53d303166b2bbd31e2cc7f16fd0aecd7
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:52 2024 +0800
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message
Change Overview:
Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid
> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )
Additional code cleanup
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++---
1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 425e0cf806..2b2d372889 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -3,6 +3,7 @@
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer (
}
}
+/**
+ Cache the DHCPv6 DNS Server addresses
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE.
+
+ @retval EFI_SUCCESS Cache the DHCPv6 DNS Server address successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_DEVICE_ERROR The DNS Server Address Length provided by a untrusted
+ option is not a multiple of 16 bytes (sizeof (EFI_IPv6_ADDRESS)).
+**/
+EFI_STATUS
+PxeBcCacheDnsServerAddresses (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6
+ )
+{
+ UINT16 DnsServerLen;
+
+ DnsServerLen = NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen);
+ //
+ // Make sure that the number is nonzero
+ //
+ if (DnsServerLen == 0) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)
+ //
+ if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) != 0) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // This code is currently written to only support a single DNS Server instead
+ // of multiple such as is spec defined (RFC3646, Section 3). The proper behavior
+ // would be to allocate the full space requested, CopyMem all of the data,
+ // and then add a DnsServerCount field to Private and update additional code
+ // that depends on this.
+ //
+ // To support multiple DNS servers the `AllocationSize` would need to be changed to DnsServerLen
+ //
+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
+ //
+ Private->DnsServer = AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));
+ if (Private->DnsServer == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Intentionally only copy over the first server address.
+ // To support multiple DNS servers, the `Length` would need to be changed to DnsServerLen
+ //
+ CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
+
+ return EFI_SUCCESS;
+}
+
/**
Handle the DHCPv6 offer packet.
@@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer (
UINT32 SelectIndex;
UINT32 Index;
+ ASSERT (Private != NULL);
ASSERT (Private->SelectIndex > 0);
SelectIndex = (UINT32)(Private->SelectIndex - 1);
ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer (
Status = EFI_SUCCESS;
//
- // First try to cache DNS server address if DHCP6 offer provides.
+ // First try to cache DNS server addresses if DHCP6 offer provides.
//
if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] != NULL) {
- Private->DnsServer = AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen));
- if (Private->DnsServer == NULL) {
- return EFI_OUT_OF_RESOURCES;
+ Status = PxeBcCacheDnsServerAddresses (Private, Cache6);
+ if (EFI_ERROR (Status)) {
+ return Status;
}
-
- CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
}
if (Cache6->OfferType == PxeOfferTypeDhcpBinl) {
--
2.39.3

511
edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch
View File

@ -1,511 +0,0 @@
From d60257df151a6c58aefe74c2d2baee59344318d2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 11/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234
Unit Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [11/18] b917383d597172d4bf75548d9b281d08bf34e299
JIRA: https://issues.redhat.com/browse/RHEL-21851
CVE: CVE-2022-45234
Upstream: Merged
commit 458c582685fc0e8057d2511c5a0394078d988c17
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:53 2024 +0800
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
Unit tests to that the bug..
Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message
..has been patched
This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
.../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 300 ++++++++++++++++++
.../GoogleTest/PxeBcDhcp6GoogleTest.h | 50 +++
.../GoogleTest/UefiPxeBcDxeGoogleTest.cpp | 19 ++
.../GoogleTest/UefiPxeBcDxeGoogleTest.inf | 48 +++
5 files changed, 418 insertions(+)
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index 7fa7b0f9d5..a0273c4310 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -27,6 +27,7 @@
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
new file mode 100644
index 0000000000..8260eeee50
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
@@ -0,0 +1,300 @@
+/** @file
+ Host based unit test for PxeBcDhcp6.c.
+
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+extern "C" {
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
+ #include "../PxeBcImpl.h"
+ #include "../PxeBcDhcp6.h"
+ #include "PxeBcDhcp6GoogleTest.h"
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Definitions
+///////////////////////////////////////////////////////////////////////////////
+
+#define PACKET_SIZE (1500)
+
+typedef struct {
+ UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
+ UINT16 OptionLen; // The length of the option (e.g., 16 bytes)
+ UINT8 ServerId[16]; // The 16-byte DHCPv6 Server Identifier
+} DHCP6_OPTION_SERVER_ID;
+
+///////////////////////////////////////////////////////////////////////////////
+/// Symbol Definitions
+///////////////////////////////////////////////////////////////////////////////
+
+EFI_STATUS
+MockUdpWrite (
+ IN EFI_PXE_BASE_CODE_PROTOCOL *This,
+ IN UINT16 OpFlags,
+ IN EFI_IP_ADDRESS *DestIp,
+ IN EFI_PXE_BASE_CODE_UDP_PORT *DestPort,
+ IN EFI_IP_ADDRESS *GatewayIp OPTIONAL,
+ IN EFI_IP_ADDRESS *SrcIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL,
+ IN UINTN *HeaderSize OPTIONAL,
+ IN VOID *HeaderPtr OPTIONAL,
+ IN UINTN *BufferSize,
+ IN VOID *BufferPtr
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+MockUdpRead (
+ IN EFI_PXE_BASE_CODE_PROTOCOL *This,
+ IN UINT16 OpFlags,
+ IN OUT EFI_IP_ADDRESS *DestIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *DestPort OPTIONAL,
+ IN OUT EFI_IP_ADDRESS *SrcIp OPTIONAL,
+ IN OUT EFI_PXE_BASE_CODE_UDP_PORT *SrcPort OPTIONAL,
+ IN UINTN *HeaderSize OPTIONAL,
+ IN VOID *HeaderPtr OPTIONAL,
+ IN OUT UINTN *BufferSize,
+ IN VOID *BufferPtr
+ )
+{
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+MockConfigure (
+ IN EFI_UDP6_PROTOCOL *This,
+ IN EFI_UDP6_CONFIG_DATA *UdpConfigData OPTIONAL
+ )
+{
+ return EFI_SUCCESS;
+}
+
+// Needed by PxeBcSupport
+EFI_STATUS
+EFIAPI
+QueueDpc (
+ IN EFI_TPL DpcTpl,
+ IN EFI_DPC_PROCEDURE DpcProcedure,
+ IN VOID *DpcContext OPTIONAL
+ )
+{
+ return EFI_SUCCESS;
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcHandleDhcp6OfferTest Tests
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcHandleDhcp6OfferTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+ EFI_PXE_BASE_CODE_MODE Mode = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+
+ // Need to setup the EFI_PXE_BASE_CODE_MODE
+ Private.PxeBc.Mode = &Mode;
+
+ // for this test it doesn't really matter what the Dhcpv6 ack is set to
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+// Note:
+// Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a
+// properly setup Private structure. Attempting to properly test this function
+// without a signficant refactor is a fools errand. Instead, we will test
+// that we can prevent an overflow in the function.
+TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337);
+
+ ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
+}
+
+class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ }
+};
+
+// Test Description
+// Test that we cache the DNS server address from the DHCPv6 offer packet
+TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) {
+ UINT8 SearchPattern[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
+ EFI_DHCP6_PACKET_OPTION *Option;
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Option = (EFI_DHCP6_PACKET_OPTION *)AllocateZeroPool (sizeof (EFI_DHCP6_PACKET_OPTION) + sizeof (SearchPattern));
+ ASSERT_NE (Option, nullptr);
+
+ Option->OpCode = DHCP6_OPT_SERVER_ID;
+ Option->OpLen = NTOHS (sizeof (SearchPattern));
+ CopyMem (Option->Data, SearchPattern, sizeof (SearchPattern));
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = Option;
+
+ Private.DnsServer = nullptr;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
+ ASSERT_NE (Private.DnsServer, nullptr);
+ ASSERT_EQ (CompareMem (Private.DnsServer, SearchPattern, sizeof (SearchPattern)), 0);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+
+ if (Option) {
+ FreePool (Option);
+ }
+}
+// Test Description
+// Test that we can prevent an overflow in the function
+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (1337);
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
+ ASSERT_EQ (Private.DnsServer, nullptr);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
+
+// Test Description
+// Test that we can prevent an underflow in the function
+TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptUnderflowTest) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (2);
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
+ ASSERT_EQ (Private.DnsServer, nullptr);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
+
+// Test Description
+// Test that we can handle recursive dns (multiple dns entries)
+TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
+ EFI_DHCP6_PACKET_OPTION Option = { 0 };
+ PXEBC_DHCP6_PACKET_CACHE *Cache6 = NULL;
+
+ Private.SelectIndex = 1; // SelectIndex is 1-based
+ Cache6 = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
+ // Setup the DHCPv6 offer packet
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
+
+ EFI_IPv6_ADDRESS addresses[2] = {
+ // 2001:db8:85a3::8a2e:370:7334
+ { 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x34 },
+ // fe80::d478:91c3:ecd7:4ff9
+ { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x78, 0x91, 0xc3, 0xec, 0xd7, 0x4f, 0xf9 }
+ };
+
+ CopyMem (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, &addresses, sizeof (addresses));
+
+ Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (sizeof (addresses));
+
+ Private.DnsServer = NULL;
+
+ ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
+
+ ASSERT_NE (Private.DnsServer, nullptr);
+
+ //
+ // This is expected to fail until DnsServer supports multiple DNS servers
+ //
+ // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
+ //
+ // Disabling:
+ // ASSERT_EQ (CompareMem(Private.DnsServer, &addresses, sizeof(addresses)), 0);
+
+ if (Private.DnsServer) {
+ FreePool (Private.DnsServer);
+ }
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
new file mode 100644
index 0000000000..b17c314791
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
@@ -0,0 +1,50 @@
+/** @file
+ This file exposes the internal interfaces which may be unit tested
+ for the PxeBcDhcp6Dxe driver.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef PXE_BC_DHCP6_GOOGLE_TEST_H_
+#define PXE_BC_DHCP6_GOOGLE_TEST_H_
+
+//
+// Minimal includes needed to compile
+//
+#include <Uefi.h>
+#include "../PxeBcImpl.h"
+
+/**
+ Handle the DHCPv6 offer packet.
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+
+ @retval EFI_SUCCESS Handled the DHCPv6 offer packet successfully.
+ @retval EFI_NO_RESPONSE No response to the following request packet.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_BUFFER_TOO_SMALL Can't cache the offer pacet.
+
+**/
+EFI_STATUS
+PxeBcHandleDhcp6Offer (
+ IN PXEBC_PRIVATE_DATA *Private
+ );
+
+/**
+ Cache the DHCPv6 Server address
+
+ @param[in] Private The pointer to PXEBC_PRIVATE_DATA.
+ @param[in] Cache6 The pointer to PXEBC_DHCP6_PACKET_CACHE.
+
+ @retval EFI_SUCCESS Cache the DHCPv6 Server address successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_DEVICE_ERROR Failed to cache the DHCPv6 Server address.
+**/
+EFI_STATUS
+PxeBcCacheDnsServerAddresses (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN PXEBC_DHCP6_PACKET_CACHE *Cache6
+ );
+
+#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
new file mode 100644
index 0000000000..cc4fdf525b
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
@@ -0,0 +1,19 @@
+/** @file
+ Acts as the main entry point for the tests for the UefiPxeBcDxe module.
+ Copyright (c) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <gtest/gtest.h>
+
+////////////////////////////////////////////////////////////////////////////////
+// Run the tests
+////////////////////////////////////////////////////////////////////////////////
+int
+main (
+ int argc,
+ char *argv[]
+ )
+{
+ testing::InitGoogleTest (&argc, argv);
+ return RUN_ALL_TESTS ();
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
new file mode 100644
index 0000000000..301dcdf611
--- /dev/null
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
@@ -0,0 +1,48 @@
+## @file
+# Unit test suite for the UefiPxeBcDxe using Google Test
+#
+# Copyright (c) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+[Defines]
+INF_VERSION = 0x00010005
+BASE_NAME = UefiPxeBcDxeGoogleTest
+FILE_GUID = 77D45C64-EC1E-4174-887B-886E89FD1EDF
+MODULE_TYPE = HOST_APPLICATION
+VERSION_STRING = 1.0
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ UefiPxeBcDxeGoogleTest.cpp
+ PxeBcDhcp6GoogleTest.cpp
+ PxeBcDhcp6GoogleTest.h
+ ../PxeBcDhcp6.c
+ ../PxeBcSupport.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+ NetworkPkg/NetworkPkg.dec
+
+[LibraryClasses]
+ GoogleTestLib
+ DebugLib
+ NetLib
+ PcdLib
+
+[Protocols]
+ gEfiDhcp6ServiceBindingProtocolGuid
+ gEfiDns6ServiceBindingProtocolGuid
+ gEfiDns6ProtocolGuid
+
+[Pcd]
+ gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
+
+[Guids]
+ gZeroGuid
--
2.39.3

257
edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch
View File

@ -1,257 +0,0 @@
From b57bd437db8cff7b7a206e3cd694b7821014ba53 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 12/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235
Patch
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [12/18] 310a770792d1a81dbf54ee372f926541309492e8
JIRA: https://issues.redhat.com/browse/RHEL-21853
CVE: CVE-2022-45235
Upstream: Merged
commit fac297724e6cc343430cd0104e55cd7a96d1151e
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:55 2024 +0800
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
Change Overview:
Performs two checks
1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> + Status = EFI_INVALID_PARAMETER;
> + goto ON_ERROR;
> + }
2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
> DiscoverLenNeeded) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_ERROR;
> + }
Additional code clean up and fix for memory leak in case Option was NULL
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++
2 files changed, 78 insertions(+), 16 deletions(-)
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 2b2d372889..7fd1281c11 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -887,6 +887,7 @@ PxeBcRequestBootService (
EFI_STATUS Status;
EFI_DHCP6_PACKET *IndexOffer;
UINT8 *Option;
+ UINTN DiscoverLenNeeded;
PxeBc = &Private->PxeBc;
Request = Private->Dhcp6Request;
@@ -899,7 +900,8 @@ PxeBcRequestBootService (
return EFI_DEVICE_ERROR;
}
- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
+ Discover = AllocateZeroPool (DiscoverLenNeeded);
if (Discover == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -924,16 +926,34 @@ PxeBcRequestBootService (
DHCP6_OPT_SERVER_ID
);
if (Option == NULL) {
- return EFI_NOT_FOUND;
+ Status = EFI_NOT_FOUND;
+ goto ON_ERROR;
}
//
// Add Server ID Option.
//
OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen);
- CopyMem (DiscoverOpt, Option, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+
+ //
+ // Check that the minimum and maximum requirements are met
+ //
+ if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_ERROR;
+ }
+
+ //
+ // Check that the option length is valid.
+ //
+ if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
+ CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
while (RequestLen < Request->Length) {
@@ -944,16 +964,24 @@ PxeBcRequestBootService (
(OpCode != DHCP6_OPT_SERVER_ID)
)
{
+ //
+ // Check that the option length is valid.
+ //
+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
//
// Copy all the options except IA option and Server ID
//
- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
- RequestOpt += (OpLen + 4);
- RequestLen += (OpLen + 4);
+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
//
@@ -2154,6 +2182,7 @@ PxeBcDhcp6Discover (
UINT16 OpLen;
UINT32 Xid;
EFI_STATUS Status;
+ UINTN DiscoverLenNeeded;
PxeBc = &Private->PxeBc;
Mode = PxeBc->Mode;
@@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover (
return EFI_DEVICE_ERROR;
}
- Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
+ DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
+ Discover = AllocateZeroPool (DiscoverLenNeeded);
if (Discover == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover (
DiscoverLen = sizeof (EFI_DHCP6_HEADER);
RequestLen = DiscoverLen;
+ //
+ // The request packet is generated by the UEFI network stack. In the DHCP4 DORA and DHCP6 SARR sequence,
+ // the first (discover in DHCP4 and solicit in DHCP6) and third (request in both DHCP4 and DHCP6) are
+ // generated by the DHCP client (the UEFI network stack in this case). By the time this function executes,
+ // the DHCP sequence already has been executed once (see UEFI Specification Figures 24.2 and 24.3), with
+ // Private->Dhcp6Request being a cached copy of the DHCP6 request packet that UEFI network stack previously
+ // generated and sent.
+ //
+ // Therefore while this code looks like it could overflow, in practice it's not possible.
+ //
while (RequestLen < Request->Length) {
OpCode = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode);
OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen);
if ((OpCode != EFI_DHCP6_IA_TYPE_NA) &&
(OpCode != EFI_DHCP6_IA_TYPE_TA))
{
+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_ERROR;
+ }
+
//
// Copy all the options except IA option.
//
- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
- DiscoverOpt += (OpLen + 4);
- DiscoverLen += (OpLen + 4);
+ CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
- RequestOpt += (OpLen + 4);
- RequestLen += (OpLen + 4);
+ RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+ RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
}
Status = PxeBc->UdpWrite (
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
index c86f6d391b..6357d27fae 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
@@ -34,6 +34,23 @@
#define PXEBC_ADDR_START_DELIMITER '['
#define PXEBC_ADDR_END_DELIMITER ']'
+//
+// A DUID consists of a 2-octet type code represented in network byte
+// order, followed by a variable number of octets that make up the
+// actual identifier. The length of the DUID (not including the type
+// code) is at least 1 octet and at most 128 octets.
+//
+#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1)
+#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128)
+
+//
+// This define represents the combineds code and length field from
+// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1
+//
+#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \
+ (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \
+ sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
+
#define GET_NEXT_DHCP6_OPTION(Opt) \
(EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \
sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1)
--
2.39.3

409
edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch
View File

@ -1,409 +0,0 @@
From 59b9d468ebf6be2a5c53d7979c12040f9b41c2c2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 13/18] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235
Unit Tests
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [13/18] 074410155526b2ee2a74cf161ea46385932da059
JIRA: https://issues.redhat.com/browse/RHEL-21853
CVE: CVE-2022-45235
Upstream: Merged
commit ff2986358f75d8f58ef08a66fe673539c9c48f41
Author: Doug Flick <dougflick@microsoft.com>
Date: Fri Jan 26 05:54:56 2024 +0800
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
Unit tests to confirm that the bug..
Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message
..has been patched.
This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Test/NetworkPkgHostTest.dsc | 5 +-
.../GoogleTest/PxeBcDhcp6GoogleTest.cpp | 278 +++++++++++++++++-
.../GoogleTest/PxeBcDhcp6GoogleTest.h | 18 ++
3 files changed, 298 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index a0273c4310..fa301a7a52 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -27,7 +27,10 @@
#
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
- NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+ NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf {
+ <LibraryClasses>
+ UefiRuntimeServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf
+ }
# Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
[LibraryClasses]
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
index 8260eeee50..bd423ebadf 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
@@ -4,7 +4,9 @@
Copyright (c) Microsoft Corporation
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
-#include <gtest/gtest.h>
+#include <Library/GoogleTestLib.h>
+#include <GoogleTest/Library/MockUefiLib.h>
+#include <GoogleTest/Library/MockUefiRuntimeServicesTableLib.h>
extern "C" {
#include <Uefi.h>
@@ -19,7 +21,8 @@ extern "C" {
// Definitions
///////////////////////////////////////////////////////////////////////////////
-#define PACKET_SIZE (1500)
+#define PACKET_SIZE (1500)
+#define REQUEST_OPTION_LENGTH (120)
typedef struct {
UINT16 OptionCode; // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
@@ -76,6 +79,26 @@ MockConfigure (
}
// Needed by PxeBcSupport
+EFI_STATUS
+PxeBcDns6 (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN CHAR16 *HostName,
+ OUT EFI_IPv6_ADDRESS *IpAddress
+ )
+{
+ return EFI_SUCCESS;
+}
+
+UINT32
+PxeBcBuildDhcp6Options (
+ IN PXEBC_PRIVATE_DATA *Private,
+ OUT EFI_DHCP6_PACKET_OPTION **OptList,
+ IN UINT8 *Buffer
+ )
+{
+ return EFI_SUCCESS;
+}
+
EFI_STATUS
EFIAPI
QueueDpc (
@@ -159,6 +182,10 @@ TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
}
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcCacheDnsServerAddresses Tests
+///////////////////////////////////////////////////////////////////////////////
+
class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
public:
PXEBC_PRIVATE_DATA Private = { 0 };
@@ -298,3 +325,250 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
FreePool (Private.DnsServer);
}
}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcRequestBootServiceTest Test Cases
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcRequestBootServiceTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+
+protected:
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+TEST_F (PxeBcRequestBootServiceTest, ServerDiscoverBasicUsageTest) {
+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
+
+ DHCP6_OPTION_SERVER_ID Server = { 0 };
+
+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID);
+ Server.OptionLen = HTONS (16); // valid length
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &Server, sizeof (Server));
+ Cursor += sizeof (Server);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, AttemptDiscoverOverFlowExpectFailure) {
+ PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
+
+ DHCP6_OPTION_SERVER_ID Server = { 0 };
+
+ Server.OptionCode = HTONS (DHCP6_OPT_SERVER_ID);
+ Server.OptionLen = HTONS (1500); // This length would overflow without a check
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &Server, sizeof (Server));
+ Cursor += sizeof (Server);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ // This is going to be stopped by the duid overflow check
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_INVALID_PARAMETER);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, RequestBasicUsageTest) {
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = 0; // valid length
+
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
+}
+
+TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) {
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = 1500; // this length would overflow without a check
+
+ UINT8 Index = 0;
+
+ EFI_DHCP6_PACKET *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
+
+ UINT8 *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ // Update the packet length
+ Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+ Packet->Size = PACKET_SIZE;
+
+ ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_OUT_OF_RESOURCES);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PxeBcDhcp6Discover Test
+///////////////////////////////////////////////////////////////////////////////
+
+class PxeBcDhcp6DiscoverTest : public ::testing::Test {
+public:
+ PXEBC_PRIVATE_DATA Private = { 0 };
+ EFI_UDP6_PROTOCOL Udp6Read;
+
+protected:
+ MockUefiRuntimeServicesTableLib RtServicesMock;
+
+ // Add any setup code if needed
+ virtual void
+ SetUp (
+ )
+ {
+ Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
+
+ // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
+ // The function under test really only needs the following:
+ // UdpWrite
+ // UdpRead
+
+ Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
+ Private.PxeBc.UdpRead = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
+
+ // Need to setup EFI_UDP6_PROTOCOL
+ // The function under test really only needs the following:
+ // Configure
+
+ Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
+ Private.Udp6Read = &Udp6Read;
+ }
+
+ // Add any cleanup code if needed
+ virtual void
+ TearDown (
+ )
+ {
+ if (Private.Dhcp6Request != NULL) {
+ FreePool (Private.Dhcp6Request);
+ }
+
+ // Clean up any resources or variables
+ }
+};
+
+// Test Description
+// This will cause an overflow by an untrusted packet during the option parsing
+TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) {
+ EFI_IPv6_ADDRESS DestIp = { 0 };
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = HTONS (0xFFFF); // overflow
+
+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
+
+ EXPECT_CALL (RtServicesMock, gRT_GetTime)
+ .WillOnce (::testing::Return (0));
+
+ ASSERT_EQ (
+ PxeBcDhcp6Discover (
+ &(PxeBcDhcp6DiscoverTest::Private),
+ 0,
+ NULL,
+ FALSE,
+ (EFI_IP_ADDRESS *)&DestIp
+ ),
+ EFI_OUT_OF_RESOURCES
+ );
+}
+
+// Test Description
+// This will test that we can handle a packet with a valid option length
+TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) {
+ EFI_IPv6_ADDRESS DestIp = { 0 };
+ EFI_DHCP6_PACKET_OPTION RequestOpt = { 0 }; // the data section doesn't really matter
+
+ RequestOpt.OpCode = HTONS (0x1337);
+ RequestOpt.OpLen = HTONS (0x30);
+
+ UINT8 *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
+
+ CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+ Cursor += sizeof (RequestOpt);
+
+ Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
+
+ EXPECT_CALL (RtServicesMock, gRT_GetTime)
+ .WillOnce (::testing::Return (0));
+
+ ASSERT_EQ (
+ PxeBcDhcp6Discover (
+ &(PxeBcDhcp6DiscoverTest::Private),
+ 0,
+ NULL,
+ FALSE,
+ (EFI_IP_ADDRESS *)&DestIp
+ ),
+ EFI_SUCCESS
+ );
+}
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
index b17c314791..0d825e4425 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
@@ -47,4 +47,22 @@ PxeBcCacheDnsServerAddresses (
IN PXEBC_DHCP6_PACKET_CACHE *Cache6
);
+/**
+ Build and send out the request packet for the bootfile, and parse the reply.
+
+ @param[in] Private The pointer to PxeBc private data.
+ @param[in] Index PxeBc option boot item type.
+
+ @retval EFI_SUCCESS Successfully discovered the boot file.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate resources.
+ @retval EFI_NOT_FOUND Can't get the PXE reply packet.
+ @retval Others Failed to discover the boot file.
+
+**/
+EFI_STATUS
+PxeBcRequestBootService (
+ IN PXEBC_PRIVATE_DATA *Private,
+ IN UINT32 Index
+ );
+
#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
--
2.39.3

51
edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch
View File

@ -1,51 +0,0 @@
From ababd8837103d4e504cc5d044a13fb9516543795 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 18/18] NetworkPkg: : Updating SecurityFixes.yaml
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [18/18] e77d4ea79359b99e7d1073251d67909c2bfdb879
JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged
commit 5fd3078a2e08f607dc86a16c1b184b6e30a34a49
Author: Doug Flick <dougflick@microsoft.com>
Date: Tue Feb 13 10:46:03 2024 -0800
NetworkPkg: : Updating SecurityFixes.yaml
This captures the related security change for Dhcp6Dxe that is related
to CVE-2023-45229
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/SecurityFixes.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
index 7e900483fe..fa42025e0d 100644
--- a/NetworkPkg/SecurityFixes.yaml
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -8,6 +8,7 @@ CVE_2023_45229:
commit_titles:
- "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
- "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch"
cve: CVE-2023-45229
date_reported: 2023-08-28 13:56 UTC
description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"
--
2.39.3

52
edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch
View File

@ -1,52 +0,0 @@
From 390efa52b8c2b61bcc6f24cc9f3b805798150b6e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 Jan 2024 12:29:00 +0100
Subject: [PATCH 1/3] OvmfPkg/RiscVVirt: use gEfiAuthenticatedVariableGuid
unconditionally
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ArmVirt and OVMF are doing the same.
See commit d92eaabefbe0 ("OvmfPkg: simplify VARIABLE_STORE_HEADER
generation") for details.
Suggested-by: László Érsek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240109112902.30002-2-kraxel@redhat.com>
(cherry picked from commit 3b1ddbddeee64cee5aba4f0170fbf5e4781d4879)
---
OvmfPkg/RiscVVirt/VarStore.fdf.inc | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/OvmfPkg/RiscVVirt/VarStore.fdf.inc b/OvmfPkg/RiscVVirt/VarStore.fdf.inc
index aba32315cc..6679c246b3 100644
--- a/OvmfPkg/RiscVVirt/VarStore.fdf.inc
+++ b/OvmfPkg/RiscVVirt/VarStore.fdf.inc
@@ -36,19 +36,12 @@ DATA = {
# Blockmap[1]: End
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
## This is the VARIABLE_STORE_HEADER
-!if $(SECURE_BOOT_ENABLE) == TRUE
+ # It is compatible with SECURE_BOOT_ENABLE == FALSE as well.
# Signature: gEfiAuthenticatedVariableGuid =
# { 0xaaf32c78, 0x947b, 0x439a,
# { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
-!else
- # Signature: gEfiVariableGuid =
- # { 0xddcf3616, 0x3275, 0x4164,
- # { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
- 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
- 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
-!endif
# Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) -
# 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3FFB8
# This can speed up the Variable Dispatch a bit.
--
2.39.3

48
edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch
View File

@ -1,48 +0,0 @@
From cfcef96bb3c63342d4fb87cf0cda8e9dcaef9b2b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:04 +0100
Subject: [PATCH 5/6] OvmfPkg/VirtNorFlashDxe: ValidateFvHeader: unwritten
state is EOL too
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [5/6] 24a9f2d03eeaf61ea8f0ea5a40f0921994b08688 (kraxel.rh/centos-src-edk2)
It is possible to find variable entries with State being 0xff, i.e. not
updated since flash block erase. This indicates the variable driver
could not complete the header write while appending a new entry, and
therefore State was not set to VAR_HEADER_VALID_ONLY.
This can only happen at the end of the variable list, so treat this as
additional "end of variable list" condition.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240116171105.37831-6-kraxel@redhat.com>
(cherry picked from commit 735d0a5e2e25c1577bf9bea7826da937ca38169d)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
index 8fcd999ac6..c8b5e0be13 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
@@ -302,6 +302,11 @@ ValidateFvHeader (
break;
}
+ if (VarHeader->State == 0xff) {
+ DEBUG ((DEBUG_INFO, "%a: end of var list (unwritten state)\n", __func__));
+ break;
+ }
+
VarName = NULL;
switch (VarHeader->State) {
// usage: State = VAR_HEADER_VALID_ONLY
--
2.39.3

74
edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch
View File

@ -1,74 +0,0 @@
From a82176278e664c3955197d1e076188471d88a422 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:02 +0100
Subject: [PATCH 3/6] OvmfPkg/VirtNorFlashDxe: add a loop for
NorFlashWriteBuffer calls.
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [3/6] 993426855451252f1126348e107e386b07314bfd (kraxel.rh/centos-src-edk2)
Replace the two NorFlashWriteBuffer() calls with a loop containing a
single NorFlashWriteBuffer() call.
With the changes in place the code is able to handle updates larger
than two P30_MAX_BUFFER_SIZE_IN_BYTES blocks, even though the patch
does not actually change the size limit.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240116171105.37831-4-kraxel@redhat.com>
(cherry picked from commit 28ffd726894f11a587a6ac7f71a4c4af341e24d2)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
index 88a4d2c23f..3d1343b381 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -521,6 +521,7 @@ NorFlashWriteSingleBlock (
UINTN BlockAddress;
UINT8 *OrigData;
UINTN Start, End;
+ UINT32 Index, Count;
DEBUG ((DEBUG_BLKIO, "NorFlashWriteSingleBlock(Parameters: Lba=%ld, Offset=0x%x, *NumBytes=0x%x, Buffer @ 0x%08x)\n", Lba, Offset, *NumBytes, Buffer));
@@ -621,23 +622,17 @@ NorFlashWriteSingleBlock (
goto Exit;
}
- Status = NorFlashWriteBuffer (
- Instance,
- BlockAddress + Start,
- P30_MAX_BUFFER_SIZE_IN_BYTES,
- Instance->ShadowBuffer
- );
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- if ((End - Start) > P30_MAX_BUFFER_SIZE_IN_BYTES) {
+ Count = (End - Start) / P30_MAX_BUFFER_SIZE_IN_BYTES;
+ for (Index = 0; Index < Count; Index++) {
Status = NorFlashWriteBuffer (
Instance,
- BlockAddress + Start + P30_MAX_BUFFER_SIZE_IN_BYTES,
+ BlockAddress + Start + Index * P30_MAX_BUFFER_SIZE_IN_BYTES,
P30_MAX_BUFFER_SIZE_IN_BYTES,
- Instance->ShadowBuffer + P30_MAX_BUFFER_SIZE_IN_BYTES
+ Instance->ShadowBuffer + Index * P30_MAX_BUFFER_SIZE_IN_BYTES
);
+ if (EFI_ERROR (Status)) {
+ goto Exit;
+ }
}
Exit:
--
2.39.3

56
edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch
View File

@ -1,56 +0,0 @@
From 74d2d4b58efe72b931bd2979254cb0fa02a38276 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:00 +0100
Subject: [PATCH 1/6] OvmfPkg/VirtNorFlashDxe: add casts to UINTN and UINT32
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [1/6] ad54e96a5f20907ac591fcfcc0961d353953c4f1 (kraxel.rh/centos-src-edk2)
This is needed to avoid bit operations being applied to signed integers.
Suggested-by: László Érsek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240116171105.37831-2-kraxel@redhat.com>
(cherry picked from commit 0395045ae307c43a41f72ca9a8bf4eb8f16b2fe0)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +-
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
index 1afd60ce66..7f4743b003 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -581,7 +581,7 @@ NorFlashWriteSingleBlock (
// contents, while checking whether the old version had any bits cleared
// that we want to set. In that case, we will need to erase the block first.
for (CurOffset = 0; CurOffset < *NumBytes; CurOffset++) {
- if (~OrigData[CurOffset] & Buffer[CurOffset]) {
+ if (~(UINT32)OrigData[CurOffset] & (UINT32)Buffer[CurOffset]) {
goto DoErase;
}
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h
index b7f5d208b2..455eafacc2 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.h
@@ -61,7 +61,7 @@
#define P30_MAX_BUFFER_SIZE_IN_BYTES ((UINTN)128)
#define P30_MAX_BUFFER_SIZE_IN_WORDS (P30_MAX_BUFFER_SIZE_IN_BYTES/((UINTN)4))
#define MAX_BUFFERED_PROG_ITERATIONS 10000000
-#define BOUNDARY_OF_32_WORDS 0x7F
+#define BOUNDARY_OF_32_WORDS ((UINTN)0x7F)
// CFI Addresses
#define P30_CFI_ADDR_QUERY_UNIQUE_QRY 0x10
--
2.39.3

66
edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch
View File

@ -1,66 +0,0 @@
From 75774a03a6e0d2f5ca8103bab8d7d31e40624edd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:03 +0100
Subject: [PATCH 4/6] OvmfPkg/VirtNorFlashDxe: allow larger writes without
block erase
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [4/6] 4bc6828b395ef708201a49001348bb61a0108339 (kraxel.rh/centos-src-edk2)
Raise the limit for writes without block erase from two to four
P30_MAX_BUFFER_SIZE_IN_BYTES blocks. With this in place almost all efi
variable updates are handled without block erase. With the old limit
some variable updates (with device paths) took the block erase code
path.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240116171105.37831-5-kraxel@redhat.com>
(cherry picked from commit b25733c97442513890ae6bb8e10fd340f13844a7)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
index 3d1343b381..3d1d20daa1 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -550,13 +550,15 @@ NorFlashWriteSingleBlock (
return EFI_BAD_BUFFER_SIZE;
}
- // Pick P30_MAX_BUFFER_SIZE_IN_BYTES (== 128 bytes) as a good start for word
- // operations as opposed to erasing the block and writing the data regardless
- // if an erase is really needed. It looks like most individual NV variable
- // writes are smaller than 128 bytes.
- // To avoid pathological cases were a 2 byte write is disregarded because it
- // occurs right at a 128 byte buffered write alignment boundary, permit up to
- // twice the max buffer size, and perform two writes if needed.
+ // Pick 4 * P30_MAX_BUFFER_SIZE_IN_BYTES (== 512 bytes) as a good
+ // start for word operations as opposed to erasing the block and
+ // writing the data regardless if an erase is really needed.
+ //
+ // Many NV variable updates are small enough for a a single
+ // P30_MAX_BUFFER_SIZE_IN_BYTES block write. In case the update is
+ // larger than a single block, or the update crosses a
+ // P30_MAX_BUFFER_SIZE_IN_BYTES boundary (as shown in the diagram
+ // below), or both, we might have to write two or more blocks.
//
// 0 128 256
// [----------------|----------------]
@@ -578,7 +580,7 @@ NorFlashWriteSingleBlock (
Start = Offset & ~BOUNDARY_OF_32_WORDS;
End = ALIGN_VALUE (Offset + *NumBytes, P30_MAX_BUFFER_SIZE_IN_BYTES);
- if ((End - Start) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) {
+ if ((End - Start) <= (4 * P30_MAX_BUFFER_SIZE_IN_BYTES)) {
// Check to see if we need to erase before programming the data into NOR.
// If the destination bits are only changing from 1s to 0s we can just write.
// After a block is erased all bits in the block is set to 1.
--
2.39.3

111
edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch
View File

@ -1,111 +0,0 @@
From ef99dec08d51bad7be0f84942443a8a0e1412c87 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:01 +0100
Subject: [PATCH 2/6] OvmfPkg/VirtNorFlashDxe: clarify block write logic & fix
shadowbuffer reads
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [2/6] e2f2231fd1b7b702aa5372e790c1d2c06ca79f74 (kraxel.rh/centos-src-edk2)
Introduce 'Start' and 'End' variables to make it easier to follow the
logic and code flow. Also add a ascii art diagram (based on a
suggestion by Laszlo).
This also fixes the 'Size' calculation for the NorFlashRead() call.
Without this patch the code will read only one instead of two
P30_MAX_BUFFER_SIZE_IN_BYTES blocks in case '*NumBytes' is smaller than
P30_MAX_BUFFER_SIZE_IN_BYTES but 'Offset + *NumBytes' is not, i.e. the
update range crosses a P30_MAX_BUFFER_SIZE_IN_BYTES boundary.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240116171105.37831-3-kraxel@redhat.com>
(cherry picked from commit 35d8ea8097794b522149688b5cfaf8364bc44d54)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 36 ++++++++++++++++++++------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
index 7f4743b003..88a4d2c23f 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -520,6 +520,7 @@ NorFlashWriteSingleBlock (
UINTN BlockSize;
UINTN BlockAddress;
UINT8 *OrigData;
+ UINTN Start, End;
DEBUG ((DEBUG_BLKIO, "NorFlashWriteSingleBlock(Parameters: Lba=%ld, Offset=0x%x, *NumBytes=0x%x, Buffer @ 0x%08x)\n", Lba, Offset, *NumBytes, Buffer));
@@ -555,7 +556,28 @@ NorFlashWriteSingleBlock (
// To avoid pathological cases were a 2 byte write is disregarded because it
// occurs right at a 128 byte buffered write alignment boundary, permit up to
// twice the max buffer size, and perform two writes if needed.
- if ((*NumBytes + (Offset & BOUNDARY_OF_32_WORDS)) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) {
+ //
+ // 0 128 256
+ // [----------------|----------------]
+ // ^ ^ ^ ^
+ // | | | |
+ // | | | End, the next "word" boundary beyond
+ // | | | the (logical) update
+ // | | |
+ // | | (Offset & BOUNDARY_OF_32_WORDS) + NumBytes;
+ // | | i.e., the relative offset inside (or just past)
+ // | | the *double-word* such that it is the
+ // | | *exclusive* end of the (logical) update.
+ // | |
+ // | Offset & BOUNDARY_OF_32_WORDS; i.e., Offset within the "word";
+ // | this is where the (logical) update is supposed to start
+ // |
+ // Start = Offset & ~BOUNDARY_OF_32_WORDS; i.e., Offset truncated to "word" boundary
+
+ Start = Offset & ~BOUNDARY_OF_32_WORDS;
+ End = ALIGN_VALUE (Offset + *NumBytes, P30_MAX_BUFFER_SIZE_IN_BYTES);
+
+ if ((End - Start) <= (2 * P30_MAX_BUFFER_SIZE_IN_BYTES)) {
// Check to see if we need to erase before programming the data into NOR.
// If the destination bits are only changing from 1s to 0s we can just write.
// After a block is erased all bits in the block is set to 1.
@@ -565,8 +587,8 @@ NorFlashWriteSingleBlock (
Status = NorFlashRead (
Instance,
Lba,
- Offset & ~BOUNDARY_OF_32_WORDS,
- (*NumBytes | BOUNDARY_OF_32_WORDS) + 1,
+ Start,
+ End - Start,
Instance->ShadowBuffer
);
if (EFI_ERROR (Status)) {
@@ -601,7 +623,7 @@ NorFlashWriteSingleBlock (
Status = NorFlashWriteBuffer (
Instance,
- BlockAddress + (Offset & ~BOUNDARY_OF_32_WORDS),
+ BlockAddress + Start,
P30_MAX_BUFFER_SIZE_IN_BYTES,
Instance->ShadowBuffer
);
@@ -609,12 +631,10 @@ NorFlashWriteSingleBlock (
goto Exit;
}
- if ((*NumBytes + (Offset & BOUNDARY_OF_32_WORDS)) > P30_MAX_BUFFER_SIZE_IN_BYTES) {
- BlockAddress += P30_MAX_BUFFER_SIZE_IN_BYTES;
-
+ if ((End - Start) > P30_MAX_BUFFER_SIZE_IN_BYTES) {
Status = NorFlashWriteBuffer (
Instance,
- BlockAddress + (Offset & ~BOUNDARY_OF_32_WORDS),
+ BlockAddress + Start + P30_MAX_BUFFER_SIZE_IN_BYTES,
P30_MAX_BUFFER_SIZE_IN_BYTES,
Instance->ShadowBuffer + P30_MAX_BUFFER_SIZE_IN_BYTES
);
--
2.39.3

132
edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch
View File

@ -1,132 +0,0 @@
From 0429352edb21bd20b8192aec3f484361f4dc3b33 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Jan 2024 18:11:05 +0100
Subject: [PATCH 6/6] OvmfPkg/VirtNorFlashDxe: move DoErase code block into new
function
RH-Author: Gerd Hoffmann <None>
RH-MergeRequest: 52: OvmfPkg/VirtNorFlashDxe: backport more fixes.
RH-Jira: RHEL-20963
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [6/6] 9a25dbbd0d9881664f8ce30efb95c63099785204 (kraxel.rh/centos-src-edk2)
Move the DoErase code block into a separate function, call the function
instead of jumping around with goto.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20240116171105.37831-7-kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit b481b00f593ef37695ee14271453320ed02a1256)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 76 ++++++++++++++++++--------
1 file changed, 52 insertions(+), 24 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
index 3d1d20daa1..e6aaed27ce 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c
@@ -502,6 +502,38 @@ NorFlashRead (
return EFI_SUCCESS;
}
+STATIC
+EFI_STATUS
+NorFlashWriteSingleBlockWithErase (
+ IN NOR_FLASH_INSTANCE *Instance,
+ IN EFI_LBA Lba,
+ IN UINTN Offset,
+ IN OUT UINTN *NumBytes,
+ IN UINT8 *Buffer
+ )
+{
+ EFI_STATUS Status;
+
+ // Read NOR Flash data into shadow buffer
+ Status = NorFlashReadBlocks (Instance, Lba, Instance->BlockSize, Instance->ShadowBuffer);
+ if (EFI_ERROR (Status)) {
+ // Return one of the pre-approved error statuses
+ return EFI_DEVICE_ERROR;
+ }
+
+ // Put the data at the appropriate location inside the buffer area
+ CopyMem ((VOID *)((UINTN)Instance->ShadowBuffer + Offset), Buffer, *NumBytes);
+
+ // Write the modified buffer back to the NorFlash
+ Status = NorFlashWriteBlocks (Instance, Lba, Instance->BlockSize, Instance->ShadowBuffer);
+ if (EFI_ERROR (Status)) {
+ // Return one of the pre-approved error statuses
+ return EFI_DEVICE_ERROR;
+ }
+
+ return EFI_SUCCESS;
+}
+
/*
Write a full or portion of a block. It must not span block boundaries; that is,
Offset + *NumBytes <= Instance->BlockSize.
@@ -607,7 +639,14 @@ NorFlashWriteSingleBlock (
// that we want to set. In that case, we will need to erase the block first.
for (CurOffset = 0; CurOffset < *NumBytes; CurOffset++) {
if (~(UINT32)OrigData[CurOffset] & (UINT32)Buffer[CurOffset]) {
- goto DoErase;
+ Status = NorFlashWriteSingleBlockWithErase (
+ Instance,
+ Lba,
+ Offset,
+ NumBytes,
+ Buffer
+ );
+ return Status;
}
OrigData[CurOffset] = Buffer[CurOffset];
@@ -636,33 +675,22 @@ NorFlashWriteSingleBlock (
goto Exit;
}
}
-
-Exit:
- // Put device back into Read Array mode
- SEND_NOR_COMMAND (Instance->DeviceBaseAddress, 0, P30_CMD_READ_ARRAY);
-
+ } else {
+ Status = NorFlashWriteSingleBlockWithErase (
+ Instance,
+ Lba,
+ Offset,
+ NumBytes,
+ Buffer
+ );
return Status;
}
-DoErase:
- // Read NOR Flash data into shadow buffer
- Status = NorFlashReadBlocks (Instance, Lba, BlockSize, Instance->ShadowBuffer);
- if (EFI_ERROR (Status)) {
- // Return one of the pre-approved error statuses
- return EFI_DEVICE_ERROR;
- }
-
- // Put the data at the appropriate location inside the buffer area
- CopyMem ((VOID *)((UINTN)Instance->ShadowBuffer + Offset), Buffer, *NumBytes);
-
- // Write the modified buffer back to the NorFlash
- Status = NorFlashWriteBlocks (Instance, Lba, BlockSize, Instance->ShadowBuffer);
- if (EFI_ERROR (Status)) {
- // Return one of the pre-approved error statuses
- return EFI_DEVICE_ERROR;
- }
+Exit:
+ // Put device back into Read Array mode
+ SEND_NOR_COMMAND (Instance->DeviceBaseAddress, 0, P30_CMD_READ_ARRAY);
- return EFI_SUCCESS;
+ return Status;
}
EFI_STATUS
--
2.39.3

210
edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch
View File

@ -1,210 +0,0 @@
From d557e973e4a400325f68014e463201a5b48c1547 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 Jan 2024 12:29:02 +0100
Subject: [PATCH 3/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables
Extend the ValidateFvHeader function, additionally to the header checks
walk over the list of variables and sanity check them.
In case we find inconsistencies indicating variable store corruption
return EFI_NOT_FOUND so the variable store will be re-initialized.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20240109112902.30002-4-kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
[lersek@redhat.com: fix StartId initialization/assignment coding style]
(cherry picked from commit 4a443f73fd67ca8caaf0a3e1a01f8231b330d2e0)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf | 1 +
OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 149 +++++++++++++++++++-
2 files changed, 145 insertions(+), 5 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
index 2a3d4a218e..f549400280 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
@@ -34,6 +34,7 @@
DxeServicesTableLib
HobLib
IoLib
+ SafeIntLib
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiLib
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
index 9a614ae4b2..8fcd999ac6 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
@@ -12,6 +12,7 @@
#include <Library/BaseMemoryLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PcdLib.h>
+#include <Library/SafeIntLib.h>
#include <Library/UefiLib.h>
#include <Guid/NvVarStoreFormatted.h>
@@ -185,11 +186,12 @@ ValidateFvHeader (
IN NOR_FLASH_INSTANCE *Instance
)
{
- UINT16 Checksum;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
- UINTN VariableStoreLength;
- UINTN FvLength;
+ UINT16 Checksum;
+ CONST EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
+ CONST VARIABLE_STORE_HEADER *VariableStoreHeader;
+ UINTN VarOffset;
+ UINTN VariableStoreLength;
+ UINTN FvLength;
FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *)Instance->RegionBaseAddress;
@@ -258,6 +260,143 @@ ValidateFvHeader (
return EFI_NOT_FOUND;
}
+ //
+ // check variables
+ //
+ DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__));
+ VarOffset = sizeof (*VariableStoreHeader);
+ for ( ; ;) {
+ UINTN VarHeaderEnd;
+ UINTN VarNameEnd;
+ UINTN VarEnd;
+ UINTN VarPadding;
+ CONST AUTHENTICATED_VARIABLE_HEADER *VarHeader;
+ CONST CHAR16 *VarName;
+ CONST CHAR8 *VarState;
+ RETURN_STATUS Status;
+
+ Status = SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderEnd);
+ if (RETURN_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+
+ if (VarHeaderEnd >= VariableStoreHeader->Size) {
+ if (VarOffset <= VariableStoreHeader->Size - sizeof (UINT16)) {
+ CONST UINT16 *StartId;
+
+ StartId = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
+ if (*StartId == 0x55aa) {
+ DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+ }
+
+ DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __func__));
+ break;
+ }
+
+ VarHeader = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
+ if (VarHeader->StartId != 0x55aa) {
+ DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__));
+ break;
+ }
+
+ VarName = NULL;
+ switch (VarHeader->State) {
+ // usage: State = VAR_HEADER_VALID_ONLY
+ case VAR_HEADER_VALID_ONLY:
+ VarState = "header-ok";
+ VarName = L"<unknown>";
+ break;
+
+ // usage: State = VAR_ADDED
+ case VAR_ADDED:
+ VarState = "ok";
+ break;
+
+ // usage: State &= VAR_IN_DELETED_TRANSITION
+ case VAR_ADDED &VAR_IN_DELETED_TRANSITION:
+ VarState = "del-in-transition";
+ break;
+
+ // usage: State &= VAR_DELETED
+ case VAR_ADDED &VAR_DELETED:
+ case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION:
+ VarState = "deleted";
+ break;
+
+ default:
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: invalid variable state: 0x%x\n",
+ __func__,
+ VarHeader->State
+ ));
+ return EFI_NOT_FOUND;
+ }
+
+ Status = SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarNameEnd);
+ if (RETURN_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+
+ Status = SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd);
+ if (RETURN_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+
+ if (VarEnd > VariableStoreHeader->Size) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n",
+ __func__,
+ (UINT64)VarOffset,
+ (UINT64)(sizeof (*VarHeader)),
+ VarHeader->NameSize,
+ VarHeader->DataSize,
+ VariableStoreHeader->Size
+ ));
+ return EFI_NOT_FOUND;
+ }
+
+ if (((VarHeader->NameSize & 1) != 0) ||
+ (VarHeader->NameSize < 4))
+ {
+ DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+
+ if (VarName == NULL) {
+ VarName = (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd);
+ if (VarName[VarHeader->NameSize / 2 - 1] != L'\0') {
+ DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+ }
+
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "%a: +0x%04Lx: name=0x%x data=0x%x guid=%g '%s' (%a)\n",
+ __func__,
+ (UINT64)VarOffset,
+ VarHeader->NameSize,
+ VarHeader->DataSize,
+ &VarHeader->VendorGuid,
+ VarName,
+ VarState
+ ));
+
+ VarPadding = (4 - (VarEnd & 3)) & 3;
+ Status = SafeUintnAdd (VarEnd, VarPadding, &VarOffset);
+ if (RETURN_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+ return EFI_NOT_FOUND;
+ }
+ }
+
return EFI_SUCCESS;
}
--
2.39.3

42
edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch
View File

@ -1,42 +0,0 @@
From 77047a56601aaa955a12030343bdee973b9d393d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 Jan 2024 12:29:01 +0100
Subject: [PATCH 2/3] OvmfPkg/VirtNorFlashDxe: stop accepting gEfiVariableGuid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only accept gEfiAuthenticatedVariableGuid when checking the variable
store header in ValidateFvHeader().
The edk2 code base has been switched to use the authenticated varstore
format unconditionally (even in case secure boot is not used or
supported) a few years ago.
Suggested-by: László Érsek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20240109112902.30002-3-kraxel@redhat.com>
(cherry picked from commit ae22b2f136bcbd27135a5f4dd76d3a68a172d00e)
---
OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
index 5ee98e9b59..9a614ae4b2 100644
--- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
+++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
@@ -239,9 +239,7 @@ ValidateFvHeader (
VariableStoreHeader = (VARIABLE_STORE_HEADER *)((UINTN)FwVolHeader + FwVolHeader->HeaderLength);
// Check the Variable Store Guid
- if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) &&
- !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid))
- {
+ if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) {
DEBUG ((
DEBUG_INFO,
"%a: Variable Store Guid non-compatible\n",
--
2.39.3

68
edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
View File

@ -1,68 +0,0 @@
From b3a9b8a85e2782600b4fd26d08a4d15826cadcf7 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 17 Jan 2024 12:20:52 -0500
Subject: [PATCH 3/3] SecurityPkg: : Adding CVE 2022-36763 to
SecurityFixes.yaml
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 51: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763
RH-Jira: RHEL-21155
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [3/3] 0763dad29bb6b9b3832b166bbabe15e84ed7208c
JIRA: https://issues.redhat.com/browse/RHEL-21155
Upstream: Merged
CVE: CVE-2022-36763
commit 1ddcb9fc6b4164e882687b031e8beacfcf7df29e
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:03 2024 +0800
SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 SecurityPkg/SecurityFixes.yaml
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
new file mode 100644
index 0000000000..f9e3e7be74
--- /dev/null
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -0,0 +1,22 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2022_36763:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
+ - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
+ cve: CVE-2022-36763
+ date_reported: 2022-10-25 11:31 UTC
+ description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
+ note: This patch is related to and supersedes TCBZ2168
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
--
2.39.3

273
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
View File

@ -1,273 +0,0 @@
From 31ebaa021650c9b23c27f3a7954d33c1ef1e1502 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 3/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
RH-Jira: RHEL-21157
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [3/5] d18f14e0a7df36223dab179bf7e9556db43f4c55
JIRA: https://issues.redhat.com/browse/RHEL-21157
CVE: CVE-2022-36764
Upstream: Merged
commit 40adbb7f628dee79156c679fb0857968b61b7620
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:20 2024 -0800
SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.c | 8 +++---
.../DxeTpm2MeasureBootLibSanitization.h | 8 +++---
.../DxeTpm2MeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 714cc8e03e..73719f3b96 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -200,7 +200,7 @@ Tcg2MeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -209,7 +209,7 @@ Tcg2MeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_BAD_BUFFER_SIZE;
@@ -250,7 +250,7 @@ Tcg2MeasureGptTable (
//
// Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -420,7 +420,7 @@ Tcg2MeasurePeImage (
}
FilePathSize = (UINT32)GetDevicePathSize (FilePath);
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index 2a4d52c6d5..809a3bfd89 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -169,7 +169,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -221,7 +221,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -292,7 +292,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index 8f72ba4240..8526bc7537 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -54,7 +54,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+Tpm2SanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -78,7 +78,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+Tpm2SanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -107,7 +107,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+Tpm2SanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -131,7 +131,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+Tpm2SanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 820e99aeb9..50a68e1076 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -84,27 +84,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = Tpm2SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -137,7 +137,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -146,19 +146,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = Tpm2SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -196,7 +196,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -207,12 +207,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = Tpm2SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -245,7 +245,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
// Test that the event size is correct compared to the existing logic
@@ -258,7 +258,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = Tpm2SanitizePeImageEventSize (MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
--
2.39.3

1010
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
View File

File diff suppressed because it is too large Load Diff

284
edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch
View File

@ -1,284 +0,0 @@
From 808551c1cb2ac9dc9a6287cbc85b167aa9eb2d7e Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 15:43:10 -0500
Subject: [PATCH 1/9] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 -
CVE 2022-36764
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
RH-Jira: RHEL-21157
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [1/5] 50edfd997d089549ac41b9592131ac1212fc3431
JIRA: https://issues.redhat.com/browse/RHEL-21157
CVE: CVE-2022-36764
Upstream: Merged
commit c7b27944218130cca3bbb20314ba5b88b5de4aa4
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:04 2024 +0800
SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpm2MeasureBootLib.c | 12 ++--
.../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
.../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
.../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
4 files changed, 131 insertions(+), 15 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
index 0475103d6e..714cc8e03e 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
@@ -378,7 +378,6 @@ Exit:
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
@retval other error value
-
**/
EFI_STATUS
EFIAPI
@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
Status = EFI_UNSUPPORTED;
ImageLoad = NULL;
EventPtr = NULL;
+ Tcg2Event = NULL;
Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
CcProtocol = MeasureBootProtocols->CcProtocol;
@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
}
FilePathSize = (UINT32)GetDevicePathSize (FilePath);
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
//
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
+ // from a malicious GPT disk partition
+ EventPtr = AllocateZeroPool (EventSize);
if (EventPtr == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
+ Tcg2Event->Size = EventSize;
Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
index e2309655d3..2a4d52c6d5 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
}
/**
- This function will validate that the allocation size from the primary header is sane
+ This function will validate that the allocation size from the primary header is sane
It will check the following:
- AllocationSize does not overflow
@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
+ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
index 048b738987..8f72ba4240 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
@@ -9,6 +9,9 @@
Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
partition data carefully.
+ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
index 3eb9763e3c..820e99aeb9 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
PrimaryHeader.MyLBA = 1;
- PrimaryHeader.AlternateLBA = 2;
- PrimaryHeader.FirstUsableLBA = 3;
- PrimaryHeader.LastUsableLBA = 4;
- PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.PartitionEntryLBA = 2;
+ PrimaryHeader.AlternateLBA = 3;
+ PrimaryHeader.FirstUsableLBA = 4;
+ PrimaryHeader.LastUsableLBA = 5;
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
- EFI_TCG2_EVENT *Tcg2Event;
-
- Tcg2Event = NULL;
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path when generating a
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ return UNIT_TEST_ERROR_TEST_FAILED;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -267,6 +308,7 @@ UefiTestMain (
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.39.3

280
edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch
View File

@ -1,280 +0,0 @@
From bf371de652c1132667666a9534ec2d91f9ea111d Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 4/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH
4117/4118 symbol rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
RH-Jira: RHEL-21157
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [4/5] bf00b368887b50b1ff5578a4491550b5741e3e34
JIRA: https://issues.redhat.com/browse/RHEL-21157
CVE: CVE-2022-36764
Upstream: Merged
commit 326db0c9072004dea89427ea3a44393a84966f2b
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:21 2024 -0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
Updates the sanitation function names to be lib unique names
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 8 +++---
.../DxeTpmMeasureBootLibSanitization.c | 10 +++----
.../DxeTpmMeasureBootLibSanitization.h | 8 +++---
.../DxeTpmMeasureBootLibSanitizationTest.c | 26 +++++++++----------
4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index a9fc440a09..ac855b8fbb 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -174,7 +174,7 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ if (EFI_ERROR (Status) || EFI_ERROR (TpmSanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -183,7 +183,7 @@ TcgMeasureGptTable (
//
// Read the partition entry.
//
- Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
@@ -224,7 +224,7 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
@@ -351,7 +351,7 @@ TcgMeasurePeImage (
// Determine destination PCR by BootPolicy
//
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index c989851cec..070e4a2c1c 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -1,5 +1,5 @@
/** @file
- The library instance provides security service of TPM2 measure boot and
+ The library instance provides security service of TPM measure boot and
Confidential Computing (CC) measure boot.
Caution: This file requires additional review when modified.
@@ -63,7 +63,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
)
@@ -145,7 +145,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
)
@@ -194,7 +194,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -258,7 +258,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 2248495813..db6e9c3752 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -53,7 +53,7 @@
**/
EFI_STATUS
EFIAPI
-SanitizeEfiPartitionTableHeader (
+TpmSanitizeEfiPartitionTableHeader (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
);
@@ -77,7 +77,7 @@ SanitizeEfiPartitionTableHeader (
**/
EFI_STATUS
EFIAPI
-SanitizePrimaryHeaderAllocationSize (
+TpmSanitizePrimaryHeaderAllocationSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
OUT UINT32 *AllocationSize
);
@@ -105,7 +105,7 @@ SanitizePrimaryHeaderAllocationSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePrimaryHeaderGptEventSize (
+TpmSanitizePrimaryHeaderGptEventSize (
IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
IN UINTN NumberOfPartition,
OUT UINT32 *EventSize
@@ -129,7 +129,7 @@ SanitizePrimaryHeaderGptEventSize (
One of the passed parameters was invalid.
**/
EFI_STATUS
-SanitizePeImageEventSize (
+TpmSanitizePeImageEventSize (
IN UINT32 FilePathSize,
OUT UINT32 *EventSize
);
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index c41498be45..de1740af41 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -83,27 +83,27 @@ TestSanitizeEfiPartitionTableHeader (
PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
// Test that a normal PrimaryHeader passes validation
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
PrimaryHeader.NumberOfPartitionEntries = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
// Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
// Should print "Invalid Partition Table Header Size!"
PrimaryHeader.Header.HeaderSize = 0;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
// Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
// should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
PrimaryHeader.SizeOfPartitionEntry = 1;
- Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ Status = TpmSanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -136,7 +136,7 @@ TestSanitizePrimaryHeaderAllocationSize (
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Test that the allocation size is correct compared to the existing logic
@@ -145,19 +145,19 @@ TestSanitizePrimaryHeaderAllocationSize (
// Test that an overflow is detected
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = 5;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the inverse
PrimaryHeader.NumberOfPartitionEntries = 5;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test the worst case scenario
PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ Status = TpmSanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -195,7 +195,7 @@ TestSanitizePrimaryHeaderGptEventSize (
NumberOfPartition = 13;
// that the primary event size is correct
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_NOT_EFI_ERROR (Status);
// Calculate the existing logic event size
@@ -206,12 +206,12 @@ TestSanitizePrimaryHeaderGptEventSize (
UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
// Tests that the primary event size may not overflow
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
// Test that the size of partition entries may not overflow
PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
- Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ Status = TpmSanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
@@ -269,7 +269,7 @@ TestSanitizePeImageEventSize (
FilePathSize = 255;
// Test that a normal PE image passes validation
- Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ Status = TpmSanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
goto Exit;
@@ -285,7 +285,7 @@ TestSanitizePeImageEventSize (
}
// Test that the event size may not overflow
- Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ Status = TpmSanitizePeImageEventSize (MAX_UINT32, &EventSize);
if (Status != EFI_BAD_BUFFER_SIZE) {
UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
goto Exit;
--
2.39.3

914
edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
View File

@ -1,914 +0,0 @@
From 8876f4f55b37e84f918282aba190fdd36eeb5f2a Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 17 Jan 2024 12:20:52 -0500
Subject: [PATCH 2/3] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 -
CVE 2022-36763
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 51: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763
RH-Jira: RHEL-21155
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [2/3] 50a9b8392352266a5f0b7af2d6c82f829da8983b
JIRA: https://issues.redhat.com/browse/RHEL-21155
Upstream: Merged
CVE: CVE-2022-36763
commit 4776a1b39ee08fc45c70c1eab5a0195f325000d3
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:02 2024 +0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36763.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 40 ++-
.../DxeTpmMeasureBootLib.inf | 4 +-
.../DxeTpmMeasureBootLibSanitization.c | 241 ++++++++++++++
.../DxeTpmMeasureBootLibSanitization.h | 114 +++++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 301 ++++++++++++++++++
...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++
SecurityPkg/SecurityPkg.ci.yaml | 1 +
SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 +
8 files changed, 716 insertions(+), 14 deletions(-)
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 220393dd2b..669ab19134 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -18,6 +18,8 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/SecurityManagementLib.h>
#include <Library/HobLib.h>
+#include "DxeTpmMeasureBootLibSanitization.h"
+
//
// Flag to check GPT partition. It only need be measured once.
//
@@ -136,6 +140,9 @@ TcgMeasureGptTable (
UINT32 EventSize;
UINT32 EventNumber;
EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ UINT32 AllocSize;
+
+ GptData = NULL;
if (mMeasureGptCount > 0) {
return EFI_SUCCESS;
@@ -166,8 +173,8 @@ TcgMeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
+ if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
+ DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}
@@ -175,7 +182,13 @@ TcgMeasureGptTable (
//
// Read the partition entry.
//
- EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
+ Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
+ if (EFI_ERROR (Status)) {
+ FreePool (PrimaryHeader);
+ return EFI_DEVICE_ERROR;
+ }
+
+ EntryPtr = (UINT8 *)AllocatePool (AllocSize);
if (EntryPtr == NULL) {
FreePool (PrimaryHeader);
return EFI_OUT_OF_RESOURCES;
@@ -185,7 +198,7 @@ TcgMeasureGptTable (
DiskIo,
BlockIo->Media->MediaId,
MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
- PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
+ AllocSize,
EntryPtr
);
if (EFI_ERROR (Status)) {
@@ -210,9 +223,8 @@ TcgMeasureGptTable (
//
// Prepare Data for Measurement
//
- EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
- + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
- TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
+ TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
@@ -221,7 +233,7 @@ TcgMeasureGptTable (
TcgEvent->PCRIndex = 5;
TcgEvent->EventType = EV_EFI_GPT_EVENT;
- TcgEvent->EventSize = EventSize;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
GptData = (EFI_GPT_DATA *)TcgEvent->Event;
//
@@ -361,11 +373,13 @@ TcgMeasurePeImage (
TcgEvent->PCRIndex = 2;
break;
default:
- DEBUG ((
- DEBUG_ERROR,
- "TcgMeasurePeImage: Unknown subsystem type %d",
- ImageType
- ));
+ DEBUG (
+ (
+ DEBUG_ERROR,
+ "TcgMeasurePeImage: Unknown subsystem type %d",
+ ImageType
+ )
+ );
goto Finish;
}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
index ebab6f7c1e..414c654d15 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
@@ -32,6 +32,8 @@
[Sources]
DxeTpmMeasureBootLib.c
+ DxeTpmMeasureBootLibSanitization.c
+ DxeTpmMeasureBootLibSanitization.h
[Packages]
MdePkg/MdePkg.dec
@@ -41,6 +43,7 @@
[LibraryClasses]
BaseMemoryLib
+ SafeIntLib
DebugLib
MemoryAllocationLib
DevicePathLib
@@ -59,4 +62,3 @@
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
-
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
new file mode 100644
index 0000000000..a3fa46f5e6
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -0,0 +1,241 @@
+/** @file
+ The library instance provides security service of TPM2 measure boot and
+ Confidential Computing (CC) measure boot.
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image and GPT partition.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ This file will pull out the validation logic from the following functions, in an
+ attempt to validate the untrusted input in the form of unit tests
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Library/SafeIntLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+
+#include "DxeTpmMeasureBootLibSanitization.h"
+
+#define GPT_HEADER_REVISION_V1 0x00010000
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ )
+{
+ // Verify that the input parameters are safe to use
+ if (PrimaryHeader == NULL) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
+ DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
+ if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
+ if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
+ if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // check that the PartitionEntryLBA greater than the Max LBA
+ // This will be used later for multiplication
+ if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // Check that the number of partition entries is greater than zero
+ if (PrimaryHeader->NumberOfPartitionEntries == 0) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
+ if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
+ DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ // This check is to prevent overflow when calculating the allocation size for the partition entries
+ // This check will be used later for multiplication
+ if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
+ DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
+ return EFI_DEVICE_ERROR;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ )
+{
+ EFI_STATUS Status;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (AllocationSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
+ Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+ UINT32 SafeNumberOfPartitions;
+
+ if (PrimaryHeader == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (EventSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
+ Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ // Replacing logic:
+ // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR));
+ Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ Status = SafeUint32Add (
+ sizeof (TCG_PCR_EVENT_HDR) +
+ OFFSET_OF (EFI_GPT_DATA, Partitions),
+ *EventSize,
+ EventSize
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
new file mode 100644
index 0000000000..0d9d00c281
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -0,0 +1,114 @@
+/** @file
+ This file includes the function prototypes for the sanitization functions.
+
+ These are those functions:
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+
+#include <Uefi.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/BlockIo.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+/**
+ This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
+ However this function will not attempt to verify the validity of the GPT partition
+ It will check the following:
+ - Signature
+ - Revision
+ - AlternateLBA
+ - FirstUsableLBA
+ - LastUsableLBA
+ - PartitionEntryLBA
+ - NumberOfPartitionEntries
+ - SizeOfPartitionEntry
+ - BlockIo
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[in] BlockIo
+ Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
+
+ @retval EFI_SUCCESS
+ The EFI_PARTITION_TABLE_HEADER structure is valid.
+
+ @retval EFI_INVALID_PARAMETER
+ The EFI_PARTITION_TABLE_HEADER structure is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizeEfiPartitionTableHeader (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN CONST EFI_BLOCK_IO_PROTOCOL *BlockIo
+ );
+
+/**
+ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+ @param[in] PrimaryHeader
+ Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+
+ @param[out] AllocationSize
+ Pointer to the allocation size.
+
+ @retval EFI_SUCCESS
+ The allocation size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ The allocation size is invalid.
+**/
+EFI_STATUS
+EFIAPI
+SanitizePrimaryHeaderAllocationSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ OUT UINT32 *AllocationSize
+ );
+
+/**
+ This function will validate that the Gpt Event Size calculated from the primary header is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ Important: This function includes the entire length of the allocated space, including the
+ TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
+ the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
+
+ @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
+ @param[in] NumberOfPartition - Number of partitions.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePrimaryHeaderGptEventSize (
+ IN CONST EFI_PARTITION_TABLE_HEADER *PrimaryHeader,
+ IN UINTN NumberOfPartition,
+ OUT UINT32 *EventSize
+ );
+
+#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
new file mode 100644
index 0000000000..eeb928cdb0
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -0,0 +1,301 @@
+/** @file
+This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UnitTestLib.h>
+#include <Protocol/BlockIo.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+
+#include "../DxeTpmMeasureBootLibSanitization.h"
+
+#define UNIT_TEST_NAME "DxeTpmMeasureBootLibSanitizationTest"
+#define UNIT_TEST_VERSION "1.0"
+
+#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION 0x00010000
+#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES 1
+#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY 128
+
+/**
+ This function tests the SanitizeEfiPartitionTableHeader function.
+ It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
+ structure will not cause undefined or unexpected behavior.
+
+ In general the TPM should still be able to measure the data, but
+ be the header should be sanitized to prevent any unexpected behavior.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizeEfiPartitionTableHeader (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ EFI_BLOCK_IO_PROTOCOL BlockIo;
+ EFI_BLOCK_IO_MEDIA BlockMedia;
+
+ // Generate EFI_BLOCK_IO_MEDIA test data
+ BlockMedia.MediaId = 1;
+ BlockMedia.RemovableMedia = FALSE;
+ BlockMedia.MediaPresent = TRUE;
+ BlockMedia.LogicalPartition = FALSE;
+ BlockMedia.ReadOnly = FALSE;
+ BlockMedia.WriteCaching = FALSE;
+ BlockMedia.BlockSize = 512;
+ BlockMedia.IoAlign = 1;
+ BlockMedia.LastBlock = 0;
+
+ // Generate EFI_BLOCK_IO_PROTOCOL test data
+ BlockIo.Revision = 1;
+ BlockIo.Media = &BlockMedia;
+ BlockIo.Reset = NULL;
+ BlockIo.ReadBlocks = NULL;
+ BlockIo.WriteBlocks = NULL;
+ BlockIo.FlushBlocks = NULL;
+
+ // Geneate EFI_PARTITION_TABLE_HEADER test data
+ PrimaryHeader.Header.Signature = EFI_PTAB_HEADER_ID;
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ PrimaryHeader.MyLBA = 1;
+ PrimaryHeader.AlternateLBA = 2;
+ PrimaryHeader.FirstUsableLBA = 3;
+ PrimaryHeader.LastUsableLBA = 4;
+ PrimaryHeader.PartitionEntryLBA = 5;
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+
+ // Calculate the CRC32 of the PrimaryHeader
+ PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
+
+ // Test that a normal PrimaryHeader passes validation
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
+ PrimaryHeader.NumberOfPartitionEntries = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
+ // Should print "Invalid Partition Table Header Size!"
+ PrimaryHeader.Header.HeaderSize = 0;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+
+ // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
+ // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
+ PrimaryHeader.SizeOfPartitionEntry = 1;
+ Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
+ UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderAllocationSize function.
+ It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
+ structure will not cause an overflow when calculating the allocation size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderAllocationSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 AllocationSize;
+
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Test that the allocation size is correct compared to the existing logic
+ UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Test that an overflow is detected
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = 5;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the inverse
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test the worst case scenario
+ PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+/**
+ This function tests the SanitizePrimaryHeaderGptEventSize function.
+ It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
+ will not cause an overflow when calculating the event size.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePrimaryHeaderGptEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINT32 ExistingLogicEventSize;
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+ EFI_GPT_DATA *GptData;
+
+ GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+
+ // set the number of partitions
+ NumberOfPartition = 13;
+
+ // that the primary event size is correct
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_NOT_EFI_ERROR (Status);
+
+ // Calculate the existing logic event size
+ ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions)
+ + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
+
+ // Check that the event size is correct
+ UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
+
+ // Tests that the primary event size may not overflow
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ // Test that the size of partition entries may not overflow
+ PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
+ Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
+ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
+
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+
+ return UNIT_TEST_PASSED;
+}
+
+// *--------------------------------------------------------------------*
+// * Unit Test Code Main Function
+// *--------------------------------------------------------------------*
+
+/**
+ This function acts as the entry point for the unit tests.
+
+ @param argc - The number of command line arguments
+ @param argv - The command line arguments
+
+ @return int - The status of the test
+**/
+EFI_STATUS
+EFIAPI
+UefiTestMain (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UNIT_TEST_FRAMEWORK_HANDLE Framework;
+ UNIT_TEST_SUITE_HANDLE TcgMeasureBootLibValidationTestSuite;
+
+ Framework = NULL;
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
+
+ Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
+ goto EXIT;
+ }
+
+ Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
+ Status = EFI_OUT_OF_RESOURCES;
+ goto EXIT;
+ }
+
+ // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+EXIT:
+ if (Framework != NULL) {
+ FreeUnitTestFramework (Framework);
+ }
+
+ DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
+ return Status;
+}
+
+///
+/// Avoid ECC error for function name that starts with lower case letter
+///
+#define DxeTpmMeasureBootLibUnitTestMain main
+
+/**
+ Standard POSIX C entry point for host based unit test execution.
+
+ @param[in] Argc Number of arguments
+ @param[in] Argv Array of pointers to arguments
+
+ @retval 0 Success
+ @retval other Error
+**/
+INT32
+DxeTpmMeasureBootLibUnitTestMain (
+ IN INT32 Argc,
+ IN CHAR8 *Argv[]
+ )
+{
+ return (INT32)UefiTestMain ();
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
new file mode 100644
index 0000000000..47b0811b00
--- /dev/null
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
@@ -0,0 +1,28 @@
+## @file
+# This file builds the unit tests for DxeTpmMeasureBootLib
+#
+# Copyright (C) Microsoft Corporation.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010006
+ BASE_NAME = DxeTpmMeasuredBootLibTest
+ FILE_GUID = eb01bc38-309c-4d3e-967e-9f078c90772f
+ MODULE_TYPE = HOST_APPLICATION
+ VERSION_STRING = 1.0
+ ENTRY_POINT = main
+
+[Sources]
+ DxeTpmMeasureBootLibSanitizationTest.c
+ ../DxeTpmMeasureBootLibSanitization.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ UnitTestLib
+ PrintLib
+ SafeIntLib
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index 24389531af..53e5b1fd8e 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -17,6 +17,7 @@
"ExceptionList": [
"8005", "gRT",
"8001", "DxeTpm2MeasureBootLibUnitTestMain",
+ "8001", "DxeTpmMeasureBootLibUnitTestMain"
],
## Both file path and directory path are accepted.
"IgnoreFiles": [
diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/SecurityPkgHostTest.dsc
index 788c1ab6fe..1655e573ea 100644
--- a/SecurityPkg/Test/SecurityPkgHostTest.dsc
+++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc
@@ -27,6 +27,7 @@
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
SecurityPkg/Test/Mock/Library/GoogleTest/MockPlatformPKProtectionLib/MockPlatformPKProtectionLib.inf
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+ SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
#
# Build SecurityPkg HOST_APPLICATION Tests
--
2.39.3

294
edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
View File

@ -1,294 +0,0 @@
From c5580cd68acf14c9e8660f6ee2842654479089ae Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 7 Feb 2024 15:43:10 -0500
Subject: [PATCH 2/9] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 -
CVE 2022-36764
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
RH-Jira: RHEL-21157
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [2/5] 3945cfd0838c822a3b2cc4b4e315c39a779a7344
JIRA: https://issues.redhat.com/browse/RHEL-21157
CVE: CVE-2022-36764
Upstream: Merged
commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date: Fri Jan 12 02:16:05 2024 +0800
SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36764.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeTpmMeasureBootLib.c | 13 ++-
.../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
.../DxeTpmMeasureBootLibSanitization.h | 23 +++++
.../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
4 files changed, 168 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 669ab19134..a9fc440a09 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -17,6 +17,7 @@
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
+Copyright (c) Microsoft Corporation.<BR>
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -345,18 +346,22 @@ TcgMeasurePeImage (
ImageLoad = NULL;
SectionHeader = NULL;
Sha1Ctx = NULL;
+ TcgEvent = NULL;
FilePathSize = (UINT32)GetDevicePathSize (FilePath);
- //
// Determine destination PCR by BootPolicy
//
- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ TcgEvent = AllocateZeroPool (EventSize);
if (TcgEvent == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- TcgEvent->EventSize = EventSize;
+ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
switch (ImageType) {
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
index a3fa46f5e6..c989851cec 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
return EFI_SUCCESS;
}
+
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ )
+{
+ EFI_STATUS Status;
+
+ // Replacing logic:
+ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Replacing logic:
+ // EventSize + sizeof (TCG_PCR_EVENT_HDR)
+ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
index 0d9d00c281..2248495813 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
OUT UINT32 *EventSize
);
+/**
+ This function will validate that the PeImage Event Size from the loaded image is sane
+ It will check the following:
+ - EventSize does not overflow
+
+ @param[in] FilePathSize - Size of the file path.
+ @param[out] EventSize - Pointer to the event size.
+
+ @retval EFI_SUCCESS
+ The event size is valid.
+
+ @retval EFI_OUT_OF_RESOURCES
+ Overflow would have occurred.
+
+ @retval EFI_INVALID_PARAMETER
+ One of the passed parameters was invalid.
+**/
+EFI_STATUS
+SanitizePeImageEventSize (
+ IN UINT32 FilePathSize,
+ OUT UINT32 *EventSize
+ );
+
#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
index eeb928cdb0..c41498be45 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
@@ -1,8 +1,8 @@
/** @file
-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
-Copyright (c) Microsoft Corporation.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
EFI_STATUS Status;
EFI_PARTITION_TABLE_HEADER PrimaryHeader;
UINTN NumberOfPartition;
- EFI_GPT_DATA *GptData;
-
- GptData = NULL;
// Test that a normal PrimaryHeader passes validation
PrimaryHeader.NumberOfPartitionEntries = 5;
@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
return UNIT_TEST_PASSED;
}
+/**
+ This function tests the SanitizePeImageEventSize function.
+ It's intent is to test that the untrusted input from a file path for an
+ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
+ the event size when allocating space.
+
+ @param[in] Context The unit test context.
+
+ @retval UNIT_TEST_PASSED The test passed.
+ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestSanitizePeImageEventSize (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ UINT32 EventSize;
+ UINTN ExistingLogicEventSize;
+ UINT32 FilePathSize;
+ EFI_STATUS Status;
+ EFI_DEVICE_PATH_PROTOCOL DevicePath;
+ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;
+ UNIT_TEST_STATUS TestStatus;
+
+ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
+
+ // Generate EFI_DEVICE_PATH_PROTOCOL test data
+ DevicePath.Type = 0;
+ DevicePath.SubType = 0;
+ DevicePath.Length[0] = 0;
+ DevicePath.Length[1] = 0;
+
+ // Generate EFI_IMAGE_LOAD_EVENT test data
+ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
+ if (ImageLoadEvent == NULL) {
+ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
+ goto Exit;
+ }
+
+ // Populate EFI_IMAGE_LOAD_EVENT54 test data
+ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
+ ImageLoadEvent->ImageLengthInMemory = 0x1000;
+ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;
+ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);
+ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
+
+ FilePathSize = 255;
+
+ // Test that a normal PE image passes validation
+ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
+ if (EFI_ERROR (Status)) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
+ goto Exit;
+ }
+
+ // Test that the event size is correct compared to the existing logic
+ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
+ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
+
+ if (EventSize != ExistingLogicEventSize) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
+ goto Exit;
+ }
+
+ // Test that the event size may not overflow
+ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
+ if (Status != EFI_BAD_BUFFER_SIZE) {
+ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
+ goto Exit;
+ }
+
+ TestStatus = UNIT_TEST_PASSED;
+Exit:
+
+ if (ImageLoadEvent != NULL) {
+ FreePool (ImageLoadEvent);
+ }
+
+ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
+ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
+ }
+
+ return TestStatus;
+}
+
// *--------------------------------------------------------------------*
// * Unit Test Code Main Function
// *--------------------------------------------------------------------*
@@ -265,6 +350,7 @@ UefiTestMain (
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
Status = RunAllTestSuites (Framework);
--
2.39.3

85
edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
View File

@ -1,85 +0,0 @@
From 95697612d2f1953c691b0914a1669e0fcf179767 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 13 Feb 2024 16:30:10 -0500
Subject: [PATCH 5/9] SecurityPkg: : Updating SecurityFixes.yaml after symbol
rename
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 53: SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
RH-Jira: RHEL-21157
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [5/5] 8e0c9c8c6b6ad05454f138397036954fe36c778c
JIRA: https://issues.redhat.com/browse/RHEL-21157
CVE: CVE-2022-36764
Upstream: Merged
commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
Author: Doug Flick <dougflick@microsoft.com>
Date: Wed Jan 17 14:47:22 2024 -0800
SecurityPkg: : Updating SecurityFixes.yaml after symbol rename
Adding the new commit titles for the symbol renames
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
SecurityPkg/SecurityFixes.yaml | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
index f9e3e7be74..dc1bb83489 100644
--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -9,14 +9,35 @@ CVE_2022_36763:
- "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
- "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
- "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
cve: CVE-2022-36763
date_reported: 2022-10-25 11:31 UTC
description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
note: This patch is related to and supersedes TCBZ2168
files_impacted:
- - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
- - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
links:
- - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
- - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
- - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+CVE_2022_36764:
+ commit_titles:
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
+ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
+ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename"
+ - "SecurityPkg: : Updating SecurityFixes.yaml after symbol rename"
+ cve: CVE-2022-36764
+ date_reported: 2022-10-25 12:23 UTC
+ description: Heap Buffer Overflow in Tcg2MeasurePeImage()
+ note:
+ files_impacted:
+ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
+ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+
--
2.39.3

258
edk2.spec
View File

@ -1,8 +1,9 @@
ExclusiveArch: x86_64 aarch64
%define GITDATE 20231122
%define GITCOMMIT 8736b8fdca
%define TOOLCHAIN GCC5
# edk2-stable202402
%define GITDATE 20240214
%define GITCOMMIT edc6681206
%define TOOLCHAIN GCC
%define OPENSSL_VER 3.0.7
%define OPENSSL_HASH db0287935122edceb91dcda8dfb53b4090734e22
@ -20,7 +21,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}
Release: 6%{?dist}
Release: 1%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and Apache-2.0 and MIT
URL: http://www.tianocore.org
@ -50,220 +51,37 @@ Source80: edk2-build.py
Source82: edk2-build.rhel-9
Source90: DBXUpdate-%{DBXDATE}.x64.bin
Patch1: 0001-ignore-build-artifacts-generated-files-session-setti.patch
Patch2: 0002-Remove-submodules.patch
Patch3: 0003-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch4: 0004-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
Patch5: 0005-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
Patch6: 0006-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
Patch7: 0007-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
Patch8: 0008-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
Patch9: 0009-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
Patch10: 0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch11: 0011-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
Patch12: 0012-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
Patch13: 0013-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
Patch14: 0014-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
Patch15: 0015-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
Patch16: 0016-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
Patch17: 0017-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
Patch18: 0018-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
Patch19: 0019-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
Patch20: 0020-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
Patch21: 0021-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
Patch22: 0022-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
Patch23: 0023-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
Patch24: 0024-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
Patch25: 0025-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
Patch26: 0026-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
Patch27: 0027-recreate-import-.distro-directory.patch
Patch28: 0028-distro-apply-git-diff-c9s-new_c9s-by-mirek.patch
Patch29: 0029-CryptoPkg-CrtLib-add-stat.h-include-file.patch
Patch30: 0030-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch
Patch31: 0031-ArmVirtQemu-Allow-EFI-memory-attributes-protocol-to-.patch
Patch32: edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch
Patch33: edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch
Patch34: edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch
# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9]
Patch35: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9]
Patch36: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
# For RHEL-21155 - CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9]
Patch37: edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch38: edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch39: edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch40: edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch41: edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch42: edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch
# For RHEL-20963 - [rhel9] guest fails to boot due to ASSERT error
Patch43: edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch
# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
Patch44: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch
# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
Patch45: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
Patch46: edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
Patch47: edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch
# For RHEL-21157 - CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]
Patch48: edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
Patch49: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
Patch50: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
Patch51: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
# For RHEL-21704 - vGPU VM take several minutes to show tianocore logo if firmware is ovmf
Patch52: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch53: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch54: edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch55: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch56: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch57: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch58: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch59: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch60: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch61: edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch62: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch63: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch64: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch65: edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch66: edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch67: edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch68: edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch69: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
# For RHEL-21841 - CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21843 - CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]
# For RHEL-21845 - CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]
# For RHEL-21847 - CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]
# For RHEL-21849 - TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]
# For RHEL-21851 - CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]
# For RHEL-21853 - TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]
Patch70: edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch
Patch1: 0003-Remove-paths-leading-to-submodules.patch
Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch3: 0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
Patch4: 0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
Patch5: 0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
Patch6: 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
Patch7: 0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
Patch8: 0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
Patch9: 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch10: 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
Patch11: 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
Patch12: 0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
Patch13: 0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
Patch14: 0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
Patch15: 0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
Patch16: 0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
Patch17: 0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
Patch18: 0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
Patch19: 0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
Patch20: 0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
Patch21: 0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
Patch22: 0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
Patch23: 0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
Patch24: 0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
Patch25: 0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
Patch26: 0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch
Patch27: 0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch
Patch28: 0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
Patch29: 0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
Patch30: 0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
Patch31: 0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
# python3-devel and libuuid-devel are required for building tools.
# python3-devel is also needed for varstore template generation and
@ -597,6 +415,10 @@ install -m 0644 \
%changelog
* Tue Feb 27 2024 Gerd Hoffmann <kraxel@redhat.com> - 20240214-1
- Rebase to edk2-stable202302
- Resolves: RHEL-26879
* Thu Feb 22 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]
- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853]

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (DBXUpdate-20230509.x64.bin) = 71fb6e8cd6918126b3acd78b95651913336df372e13fdfdfdd20d5d23f0e509050c6c88c8a2c43f8ac44f987df86bd45174bb3065d5a7a8c7e3b8772fd06d624
SHA512 (edk2-8736b8fdca.tar.xz) = c1573986081f54c43f848b0344b30fe7a388b6d17b87a0411028319827a6cd7a20a694cde6d51b84f6ae15f69b2b70858253396fd61f7c043624d754d14f4724
SHA512 (openssl-rhel-db0287935122edceb91dcda8dfb53b4090734e22.tar.xz) = 693f4d1d79337ed0676cc13e35efaf918f3527cf1c6f7076dcf836e5e43a18bfe16dfe97ef76407c3c014c9ae9a6f34149745f41b4b5393d85cd36de20d56d69
SHA512 (edk2-edc6681206.tar.xz) = 6cb8812ae80702125f3b7ac3721eaed805eaa7997f486012fa4b83ac5b6a422ca31f8b34b7cc712750ab5d402d9d6e3f9d9aacf3dc9065833afc3fe555bb9021
SHA512 (openssl-rhel-db0287935122edceb91dcda8dfb53b4090734e22.tar.xz) = 7958f06cd36b74215feec13a11c86026568f51650d598e048d94598cdc227ac7d2b97eceb1910f3c19e3525c3199b8b5a438b5098156871f9feb3550f677ca58