rpms/edk2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import edk2-20200602gitca407c7246bf-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-07-28 02:33:26 -04:00 committed by Stepan Oksanichenko
parent 874f8aa2b8
commit aac3168ebc
38 changed files with 972 additions and 2374 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.edk2.metadata
View File

@ -1,2 +1,2 @@
c7ca6a13a5f9e7fe8071010c26a11ba41548308b SOURCES/edk2-37eef91017ad.tar.xz
3a531b4e8864ee52b1e128ac9742b3e9dcec49bf SOURCES/edk2-ca407c7246bf.tar.xz
cb385fc348395c187db3737e532de787ca2a17c9 SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/edk2-37eef91017ad.tar.xz
SOURCES/edk2-ca407c7246bf.tar.xz
SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz

668
SOURCES/0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch
View File

@ -1,668 +0,0 @@
From ac1a0b44df858e53be9e8af499e80a459f0cef16 Mon Sep 17 00:00:00 2001
From: Shenglei Zhang <shenglei.zhang@intel.com>
Date: Tue, 29 Oct 2019 15:43:11 +0000
Subject: CryptoPkg/OpensslLib: Update process_files.pl to generate .h files
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
- New patch (cherry-picked from upstream, to be dropped at the next
downstream rebase).
- Upstream moved to OpenSSL_1.1.1b (for TianoCore#1089) in release
edk2-stable201905. As part of that OpenSSL update, "OpensslLib.inf" and
"OpensslLibCrypto.inf" failed to list some new header files.
- As a part of edk2-stable201908, commit 8906f076de35
("CryptoPkg/OpensslLib: Add missing header files in INF file",
2019-08-16) fixed up "OpensslLib.inf" and "OpensslLibCrypto.inf" with
the missing header files, but did so manually.
- The present patch (which is going to be released in edk2-stable201911)
updates "process_files.pl" to list the subject header files
automatically.
- This patch is being backported primarily in order to keep further
backports for the modified files conflict-free. It might also come in
handy once we adopt RHEL8's own OpenSSL version (in case we have to
re-run "process_files.pl" ourselves).
There are missing headers added into INF files at 8906f076de35b222a..
They are now manually added but not auto-generated. So we update the
perl script to enable this feature.
Meanwhile, update the order of the .h files in INF files, which are
auto-generated now.
https://bugzilla.tianocore.org/show_bug.cgi?id=2085
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
(cherry picked from commit 9f4fbd56d43054cc73d722c1643659f9741c0fcf)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 103 +++++++++---------
.../Library/OpensslLib/OpensslLibCrypto.inf | 96 ++++++++--------
CryptoPkg/Library/OpensslLib/process_files.pl | 28 +++++
3 files changed, 129 insertions(+), 98 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 7432321fd4..dd873a0dcd 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -34,9 +34,7 @@
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
$(OPENSSL_PATH)/crypto/aes/aes_wrap.c
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
$(OPENSSL_PATH)/crypto/aria/aria.c
- $(OPENSSL_PATH)/crypto/arm_arch.h
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
$(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
$(OPENSSL_PATH)/crypto/asn1/a_digest.c
@@ -101,21 +99,12 @@
$(OPENSSL_PATH)/crypto/asn1/x_sig.c
$(OPENSSL_PATH)/crypto/asn1/x_spki.c
$(OPENSSL_PATH)/crypto/asn1/x_val.c
- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
- $(OPENSSL_PATH)/crypto/asn1/charmap.h
- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
$(OPENSSL_PATH)/crypto/async/arch/async_null.c
$(OPENSSL_PATH)/crypto/async/arch/async_posix.c
$(OPENSSL_PATH)/crypto/async/arch/async_win.c
$(OPENSSL_PATH)/crypto/async/async.c
$(OPENSSL_PATH)/crypto/async/async_err.c
$(OPENSSL_PATH)/crypto/async/async_wait.c
- $(OPENSSL_PATH)/crypto/async/arch/async_win.h
- $(OPENSSL_PATH)/crypto/async/async_locl.h
- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
- $(OPENSSL_PATH)/crypto/async/arch/async_null.h
$(OPENSSL_PATH)/crypto/bio/b_addr.c
$(OPENSSL_PATH)/crypto/bio/b_dump.c
$(OPENSSL_PATH)/crypto/bio/b_sock.c
@@ -138,7 +127,6 @@
$(OPENSSL_PATH)/crypto/bio/bss_mem.c
$(OPENSSL_PATH)/crypto/bio/bss_null.c
$(OPENSSL_PATH)/crypto/bio/bss_sock.c
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
$(OPENSSL_PATH)/crypto/bn/bn_add.c
$(OPENSSL_PATH)/crypto/bn/bn_asm.c
$(OPENSSL_PATH)/crypto/bn/bn_blind.c
@@ -170,9 +158,6 @@
$(OPENSSL_PATH)/crypto/bn/bn_srp.c
$(OPENSSL_PATH)/crypto/bn/bn_word.c
$(OPENSSL_PATH)/crypto/bn/bn_x931p.c
- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
- $(OPENSSL_PATH)/crypto/bn/bn_prime.h
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
$(OPENSSL_PATH)/crypto/buffer/buf_err.c
$(OPENSSL_PATH)/crypto/buffer/buffer.c
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
@@ -181,7 +166,6 @@
$(OPENSSL_PATH)/crypto/comp/c_zlib.c
$(OPENSSL_PATH)/crypto/comp/comp_err.c
$(OPENSSL_PATH)/crypto/comp/comp_lib.c
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
$(OPENSSL_PATH)/crypto/conf/conf_api.c
$(OPENSSL_PATH)/crypto/conf/conf_def.c
$(OPENSSL_PATH)/crypto/conf/conf_err.c
@@ -190,8 +174,6 @@
$(OPENSSL_PATH)/crypto/conf/conf_mod.c
$(OPENSSL_PATH)/crypto/conf/conf_sap.c
$(OPENSSL_PATH)/crypto/conf/conf_ssl.c
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/conf/conf_def.h
$(OPENSSL_PATH)/crypto/cpt_err.c
$(OPENSSL_PATH)/crypto/cryptlib.c
$(OPENSSL_PATH)/crypto/ctype.c
@@ -215,8 +197,6 @@
$(OPENSSL_PATH)/crypto/des/set_key.c
$(OPENSSL_PATH)/crypto/des/str2key.c
$(OPENSSL_PATH)/crypto/des/xcbc_enc.c
- $(OPENSSL_PATH)/crypto/des/spr.h
- $(OPENSSL_PATH)/crypto/des/des_locl.h
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
$(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -231,7 +211,6 @@
$(OPENSSL_PATH)/crypto/dh/dh_prn.c
$(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
$(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
$(OPENSSL_PATH)/crypto/dso/dso_dl.c
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
$(OPENSSL_PATH)/crypto/dso/dso_err.c
@@ -239,7 +218,6 @@
$(OPENSSL_PATH)/crypto/dso/dso_openssl.c
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
$(OPENSSL_PATH)/crypto/ebcdic.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
@@ -304,13 +282,11 @@
$(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
$(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
$(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
$(OPENSSL_PATH)/crypto/ex_data.c
$(OPENSSL_PATH)/crypto/getenv.c
$(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
$(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c
$(OPENSSL_PATH)/crypto/hmac/hmac.c
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
$(OPENSSL_PATH)/crypto/init.c
$(OPENSSL_PATH)/crypto/kdf/hkdf.c
$(OPENSSL_PATH)/crypto/kdf/kdf_err.c
@@ -318,13 +294,10 @@
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
$(OPENSSL_PATH)/crypto/lhash/lhash.c
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
$(OPENSSL_PATH)/crypto/md4/md4_dgst.c
$(OPENSSL_PATH)/crypto/md4/md4_one.c
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
$(OPENSSL_PATH)/crypto/md5/md5_one.c
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
$(OPENSSL_PATH)/crypto/mem.c
$(OPENSSL_PATH)/crypto/mem_clr.c
$(OPENSSL_PATH)/crypto/mem_dbg.c
@@ -339,7 +312,6 @@
$(OPENSSL_PATH)/crypto/modes/ofb128.c
$(OPENSSL_PATH)/crypto/modes/wrap128.c
$(OPENSSL_PATH)/crypto/modes/xts128.c
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
$(OPENSSL_PATH)/crypto/o_dir.c
$(OPENSSL_PATH)/crypto/o_fips.c
$(OPENSSL_PATH)/crypto/o_fopen.c
@@ -351,9 +323,6 @@
$(OPENSSL_PATH)/crypto/objects/obj_err.c
$(OPENSSL_PATH)/crypto/objects/obj_lib.c
$(OPENSSL_PATH)/crypto/objects/obj_xref.c
- $(OPENSSL_PATH)/crypto/objects/obj_dat.h
- $(OPENSSL_PATH)/crypto/objects/obj_xref.h
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c
@@ -364,7 +333,6 @@
$(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
$(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
$(OPENSSL_PATH)/crypto/pem/pem_all.c
$(OPENSSL_PATH)/crypto/pem/pem_err.c
$(OPENSSL_PATH)/crypto/pem/pem_info.c
@@ -392,7 +360,6 @@
$(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c
$(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c
$(OPENSSL_PATH)/crypto/pkcs12/pk12err.c
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
$(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c
@@ -401,7 +368,6 @@
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
- $(OPENSSL_PATH)/crypto/ppc_arch.h
$(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
$(OPENSSL_PATH)/crypto/rand/drbg_lib.c
$(OPENSSL_PATH)/crypto/rand/rand_egd.c
@@ -410,10 +376,8 @@
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
$(OPENSSL_PATH)/crypto/rand/rand_win.c
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
$(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
$(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -436,24 +400,18 @@
$(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
$(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
- $(OPENSSL_PATH)/crypto/s390x_arch.h
$(OPENSSL_PATH)/crypto/sha/keccak1600.c
$(OPENSSL_PATH)/crypto/sha/sha1_one.c
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c
$(OPENSSL_PATH)/crypto/sha/sha256.c
$(OPENSSL_PATH)/crypto/sha/sha512.c
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
$(OPENSSL_PATH)/crypto/sm4/sm4.c
$(OPENSSL_PATH)/crypto/stack/stack.c
- $(OPENSSL_PATH)/crypto/sparc_arch.h
$(OPENSSL_PATH)/crypto/threads_none.c
$(OPENSSL_PATH)/crypto/threads_pthread.c
$(OPENSSL_PATH)/crypto/threads_win.c
@@ -463,8 +421,6 @@
$(OPENSSL_PATH)/crypto/ui/ui_null.c
$(OPENSSL_PATH)/crypto/ui/ui_openssl.c
$(OPENSSL_PATH)/crypto/ui/ui_util.c
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
- $(OPENSSL_PATH)/crypto/vms_rms.h
$(OPENSSL_PATH)/crypto/uid.c
$(OPENSSL_PATH)/crypto/x509/by_dir.c
$(OPENSSL_PATH)/crypto/x509/by_file.c
@@ -502,7 +458,6 @@
$(OPENSSL_PATH)/crypto/x509/x_req.c
$(OPENSSL_PATH)/crypto/x509/x_x509.c
$(OPENSSL_PATH)/crypto/x509/x_x509a.c
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
$(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c
$(OPENSSL_PATH)/crypto/x509v3/pcy_data.c
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c
@@ -540,11 +495,57 @@
$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c
$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c
$(OPENSSL_PATH)/crypto/x509v3/v3err.c
+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h
+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
+ $(OPENSSL_PATH)/crypto/conf/conf_def.h
+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h
+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h
+ $(OPENSSL_PATH)/crypto/store/store_locl.h
+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
+ $(OPENSSL_PATH)/crypto/arm_arch.h
+ $(OPENSSL_PATH)/crypto/mips_arch.h
+ $(OPENSSL_PATH)/crypto/ppc_arch.h
+ $(OPENSSL_PATH)/crypto/s390x_arch.h
+ $(OPENSSL_PATH)/crypto/sparc_arch.h
+ $(OPENSSL_PATH)/crypto/vms_rms.h
+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h
+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h
+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h
+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/charmap.h
+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h
+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h
+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
+ $(OPENSSL_PATH)/crypto/des/des_locl.h
+ $(OPENSSL_PATH)/crypto/des/spr.h
+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h
+ $(OPENSSL_PATH)/crypto/async/async_locl.h
+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
- $(OPENSSL_PATH)/ms/uplink.h
+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h
+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h
$(OPENSSL_PATH)/ssl/bio_ssl.c
$(OPENSSL_PATH)/ssl/d1_lib.c
$(OPENSSL_PATH)/ssl/d1_msg.c
@@ -589,13 +590,13 @@
$(OPENSSL_PATH)/ssl/t1_trce.c
$(OPENSSL_PATH)/ssl/tls13_enc.c
$(OPENSSL_PATH)/ssl/tls_srp.c
- $(OPENSSL_PATH)/ssl/record/record_locl.h
$(OPENSSL_PATH)/ssl/statem/statem.h
$(OPENSSL_PATH)/ssl/statem/statem_locl.h
+ $(OPENSSL_PATH)/ssl/packet_locl.h
+ $(OPENSSL_PATH)/ssl/ssl_cert_table.h
$(OPENSSL_PATH)/ssl/ssl_locl.h
$(OPENSSL_PATH)/ssl/record/record.h
- $(OPENSSL_PATH)/ssl/ssl_cert_table.h
- $(OPENSSL_PATH)/ssl/packet_locl.h
+ $(OPENSSL_PATH)/ssl/record/record_locl.h
# Autogenerated files list ends here
ossl_store.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 8134b45eda..a1bb560255 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -33,9 +33,7 @@
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
$(OPENSSL_PATH)/crypto/aes/aes_wrap.c
- $(OPENSSL_PATH)/crypto/aes/aes_locl.h
$(OPENSSL_PATH)/crypto/aria/aria.c
- $(OPENSSL_PATH)/crypto/arm_arch.h
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
$(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
$(OPENSSL_PATH)/crypto/asn1/a_digest.c
@@ -100,21 +98,12 @@
$(OPENSSL_PATH)/crypto/asn1/x_sig.c
$(OPENSSL_PATH)/crypto/asn1/x_spki.c
$(OPENSSL_PATH)/crypto/asn1/x_val.c
- $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
- $(OPENSSL_PATH)/crypto/asn1/charmap.h
- $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
- $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
$(OPENSSL_PATH)/crypto/async/arch/async_null.c
$(OPENSSL_PATH)/crypto/async/arch/async_posix.c
$(OPENSSL_PATH)/crypto/async/arch/async_win.c
- $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
- $(OPENSSL_PATH)/crypto/async/arch/async_null.h
- $(OPENSSL_PATH)/crypto/async/arch/async_win.h
$(OPENSSL_PATH)/crypto/async/async.c
$(OPENSSL_PATH)/crypto/async/async_err.c
$(OPENSSL_PATH)/crypto/async/async_wait.c
- $(OPENSSL_PATH)/crypto/async/async_locl.h
$(OPENSSL_PATH)/crypto/bio/b_addr.c
$(OPENSSL_PATH)/crypto/bio/b_dump.c
$(OPENSSL_PATH)/crypto/bio/b_sock.c
@@ -137,7 +126,6 @@
$(OPENSSL_PATH)/crypto/bio/bss_mem.c
$(OPENSSL_PATH)/crypto/bio/bss_null.c
$(OPENSSL_PATH)/crypto/bio/bss_sock.c
- $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
$(OPENSSL_PATH)/crypto/bn/bn_add.c
$(OPENSSL_PATH)/crypto/bn/bn_asm.c
$(OPENSSL_PATH)/crypto/bn/bn_blind.c
@@ -169,9 +157,6 @@
$(OPENSSL_PATH)/crypto/bn/bn_srp.c
$(OPENSSL_PATH)/crypto/bn/bn_word.c
$(OPENSSL_PATH)/crypto/bn/bn_x931p.c
- $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
- $(OPENSSL_PATH)/crypto/bn/bn_prime.h
- $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
$(OPENSSL_PATH)/crypto/buffer/buf_err.c
$(OPENSSL_PATH)/crypto/buffer/buffer.c
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
@@ -180,7 +165,6 @@
$(OPENSSL_PATH)/crypto/comp/c_zlib.c
$(OPENSSL_PATH)/crypto/comp/comp_err.c
$(OPENSSL_PATH)/crypto/comp/comp_lib.c
- $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
$(OPENSSL_PATH)/crypto/conf/conf_api.c
$(OPENSSL_PATH)/crypto/conf/conf_def.c
$(OPENSSL_PATH)/crypto/conf/conf_err.c
@@ -189,8 +173,6 @@
$(OPENSSL_PATH)/crypto/conf/conf_mod.c
$(OPENSSL_PATH)/crypto/conf/conf_sap.c
$(OPENSSL_PATH)/crypto/conf/conf_ssl.c
- $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/conf/conf_def.h
$(OPENSSL_PATH)/crypto/cpt_err.c
$(OPENSSL_PATH)/crypto/cryptlib.c
$(OPENSSL_PATH)/crypto/ctype.c
@@ -214,8 +196,6 @@
$(OPENSSL_PATH)/crypto/des/set_key.c
$(OPENSSL_PATH)/crypto/des/str2key.c
$(OPENSSL_PATH)/crypto/des/xcbc_enc.c
- $(OPENSSL_PATH)/crypto/des/spr.h
- $(OPENSSL_PATH)/crypto/des/des_locl.h
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
$(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -230,7 +210,6 @@
$(OPENSSL_PATH)/crypto/dh/dh_prn.c
$(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
$(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
- $(OPENSSL_PATH)/crypto/dh/dh_locl.h
$(OPENSSL_PATH)/crypto/dso/dso_dl.c
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
$(OPENSSL_PATH)/crypto/dso/dso_err.c
@@ -238,7 +217,6 @@
$(OPENSSL_PATH)/crypto/dso/dso_openssl.c
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
- $(OPENSSL_PATH)/crypto/dso/dso_locl.h
$(OPENSSL_PATH)/crypto/ebcdic.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
@@ -280,7 +258,6 @@
$(OPENSSL_PATH)/crypto/evp/evp_pkey.c
$(OPENSSL_PATH)/crypto/evp/m_md2.c
$(OPENSSL_PATH)/crypto/evp/m_md4.c
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
$(OPENSSL_PATH)/crypto/evp/m_md5.c
$(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c
$(OPENSSL_PATH)/crypto/evp/m_mdc2.c
@@ -304,13 +281,11 @@
$(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
$(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
$(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
- $(OPENSSL_PATH)/crypto/evp/evp_locl.h
$(OPENSSL_PATH)/crypto/ex_data.c
$(OPENSSL_PATH)/crypto/getenv.c
$(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
$(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c
$(OPENSSL_PATH)/crypto/hmac/hmac.c
- $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
$(OPENSSL_PATH)/crypto/init.c
$(OPENSSL_PATH)/crypto/kdf/hkdf.c
$(OPENSSL_PATH)/crypto/kdf/kdf_err.c
@@ -318,12 +293,10 @@
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
$(OPENSSL_PATH)/crypto/lhash/lhash.c
- $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
$(OPENSSL_PATH)/crypto/md4/md4_dgst.c
$(OPENSSL_PATH)/crypto/md4/md4_one.c
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
$(OPENSSL_PATH)/crypto/md5/md5_one.c
- $(OPENSSL_PATH)/crypto/md5/md5_locl.h
$(OPENSSL_PATH)/crypto/mem.c
$(OPENSSL_PATH)/crypto/mem_clr.c
$(OPENSSL_PATH)/crypto/mem_dbg.c
@@ -338,7 +311,6 @@
$(OPENSSL_PATH)/crypto/modes/ofb128.c
$(OPENSSL_PATH)/crypto/modes/wrap128.c
$(OPENSSL_PATH)/crypto/modes/xts128.c
- $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
$(OPENSSL_PATH)/crypto/o_dir.c
$(OPENSSL_PATH)/crypto/o_fips.c
$(OPENSSL_PATH)/crypto/o_fopen.c
@@ -350,9 +322,6 @@
$(OPENSSL_PATH)/crypto/objects/obj_err.c
$(OPENSSL_PATH)/crypto/objects/obj_lib.c
$(OPENSSL_PATH)/crypto/objects/obj_xref.c
- $(OPENSSL_PATH)/crypto/objects/obj_dat.h
- $(OPENSSL_PATH)/crypto/objects/obj_xref.h
- $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c
@@ -363,7 +332,6 @@
$(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c
$(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c
$(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c
- $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
$(OPENSSL_PATH)/crypto/pem/pem_all.c
$(OPENSSL_PATH)/crypto/pem/pem_err.c
$(OPENSSL_PATH)/crypto/pem/pem_info.c
@@ -399,8 +367,6 @@
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
- $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
- $(OPENSSL_PATH)/crypto/ppc_arch.h
$(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
$(OPENSSL_PATH)/crypto/rand/drbg_lib.c
$(OPENSSL_PATH)/crypto/rand/rand_egd.c
@@ -409,10 +375,8 @@
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
$(OPENSSL_PATH)/crypto/rand/rand_win.c
- $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
$(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
$(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -435,24 +399,18 @@
$(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
$(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
- $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
$(OPENSSL_PATH)/crypto/sha/keccak1600.c
$(OPENSSL_PATH)/crypto/sha/sha1_one.c
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c
$(OPENSSL_PATH)/crypto/sha/sha256.c
$(OPENSSL_PATH)/crypto/sha/sha512.c
- $(OPENSSL_PATH)/crypto/sha/sha_locl.h
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
- $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
- $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
$(OPENSSL_PATH)/crypto/sm4/sm4.c
$(OPENSSL_PATH)/crypto/stack/stack.c
- $(OPENSSL_PATH)/crypto/s390x_arch.h
- $(OPENSSL_PATH)/crypto/sparc_arch.h
$(OPENSSL_PATH)/crypto/threads_none.c
$(OPENSSL_PATH)/crypto/threads_pthread.c
$(OPENSSL_PATH)/crypto/threads_win.c
@@ -462,9 +420,7 @@
$(OPENSSL_PATH)/crypto/ui/ui_null.c
$(OPENSSL_PATH)/crypto/ui/ui_openssl.c
$(OPENSSL_PATH)/crypto/ui/ui_util.c
- $(OPENSSL_PATH)/crypto/ui/ui_locl.h
$(OPENSSL_PATH)/crypto/uid.c
- $(OPENSSL_PATH)/crypto/vms_rms.h
$(OPENSSL_PATH)/crypto/x509/by_dir.c
$(OPENSSL_PATH)/crypto/x509/by_file.c
$(OPENSSL_PATH)/crypto/x509/t_crl.c
@@ -501,7 +457,6 @@
$(OPENSSL_PATH)/crypto/x509/x_req.c
$(OPENSSL_PATH)/crypto/x509/x_x509.c
$(OPENSSL_PATH)/crypto/x509/x_x509a.c
- $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
$(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c
$(OPENSSL_PATH)/crypto/x509v3/pcy_data.c
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c
@@ -539,10 +494,57 @@
$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c
$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c
$(OPENSSL_PATH)/crypto/x509v3/v3err.c
+ $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
+ $(OPENSSL_PATH)/crypto/dh/dh_locl.h
+ $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
+ $(OPENSSL_PATH)/crypto/conf/conf_def.h
+ $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
+ $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
+ $(OPENSSL_PATH)/crypto/sha/sha_locl.h
+ $(OPENSSL_PATH)/crypto/md5/md5_locl.h
+ $(OPENSSL_PATH)/crypto/store/store_locl.h
+ $(OPENSSL_PATH)/crypto/dso/dso_locl.h
+ $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
+ $(OPENSSL_PATH)/crypto/arm_arch.h
+ $(OPENSSL_PATH)/crypto/mips_arch.h
+ $(OPENSSL_PATH)/crypto/ppc_arch.h
+ $(OPENSSL_PATH)/crypto/s390x_arch.h
+ $(OPENSSL_PATH)/crypto/sparc_arch.h
+ $(OPENSSL_PATH)/crypto/vms_rms.h
+ $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h
+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
+ $(OPENSSL_PATH)/crypto/ui/ui_locl.h
+ $(OPENSSL_PATH)/crypto/md4/md4_locl.h
+ $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
+ $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
+ $(OPENSSL_PATH)/crypto/asn1/charmap.h
+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
+ $(OPENSSL_PATH)/crypto/evp/evp_locl.h
+ $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
+ $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
+ $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
+ $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
+ $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h
+ $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
+ $(OPENSSL_PATH)/crypto/des/des_locl.h
+ $(OPENSSL_PATH)/crypto/des/spr.h
+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
+ $(OPENSSL_PATH)/crypto/aes/aes_locl.h
+ $(OPENSSL_PATH)/crypto/async/async_locl.h
+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
- $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
- $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h
+ $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h
# Autogenerated files list ends here
buildinf.h
rand_pool_noise.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index e13c0acb4d..4fe54cd808 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -144,6 +144,34 @@ foreach my $product ((@{$unified_info{libraries}},
}
}
+
+#
+# Update the perl script to generate the missing header files
+#
+my @dir_list = ();
+for (keys %{$unified_info{dirinfo}}){
+ push @dir_list,$_;
+}
+
+my $dir = getcwd();
+my @files = ();
+my @headers = ();
+chdir ("openssl");
+foreach(@dir_list){
+ @files = glob($_."/*.h");
+ push @headers, @files;
+}
+chdir ($dir);
+
+foreach (@headers){
+ if(/ssl/){
+ push @sslfilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n";
+ next;
+ }
+ push @cryptofilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n";
+}
+
+
#
# Update OpensslLib.inf with autogenerated file list
#
--
2.18.1

159
SOURCES/0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch
View File

@ -1,159 +0,0 @@
From bbda3f776bfcdbcb77b82f1f7fd5dafd798d9784 Mon Sep 17 00:00:00 2001
From: Shenglei Zhang <shenglei.zhang@intel.com>
Date: Mon, 21 Oct 2019 15:53:42 +0800
Subject: CryptoPkg: Upgrade OpenSSL to 1.1.1d
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
- New patch (cherry-picked from upstream, to be dropped at the next
downstream rebase).
- Upstream OpenSSL-1.1.1c contains commit 5fba3afad017 ("Rework DSO API
conditions and configuration option", 2019-04-10). This upstream OpenSSL
change requires edk2 to #define DSO_NONE explicitly.
- The present patch (which is going to be released in edk2-stable201911)
updates "process_files.pl" to generate "dso_conf.h" with the above
macro, and captures the result (i.e. the actual definition of the macro)
in the git tree.
- This patch is being backported primarily for the DSO_NONE macro (OpenSSL
in RHEL-8.2.0 is based on OpenSSL-1.1.1c). The patch could also come in
handy in case we have to re-run "process_files.pl" ourselves.
Upgrade openssl from 1.1.1b to 1.1.1d.
Something needs to be noticed is that, there is a bug existing in the
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226
Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".
shm.h and utsname.h are added to avoid GCC build failure.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 1bcc65b9a1408cf445b7b3f9499b27d9c235db71)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
CryptoPkg/Library/Include/sys/shm.h | 9 +++++++++
CryptoPkg/Library/Include/sys/utsname.h | 9 +++++++++
CryptoPkg/Library/OpensslLib/openssl | 2 +-
CryptoPkg/Library/OpensslLib/process_files.pl | 17 +++++++++++++++--
5 files changed, 50 insertions(+), 3 deletions(-)
create mode 100644 CryptoPkg/Library/Include/sys/shm.h
create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h
index e69de29bb2..43c891588b 100644
--- a/CryptoPkg/Library/Include/internal/dso_conf.h
+++ b/CryptoPkg/Library/Include/internal/dso_conf.h
@@ -0,0 +1,16 @@
+/* WARNING: do not edit! */
+/* Generated from crypto/include/internal/dso_conf.h.in */
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DSO_CONF_H
+# define HEADER_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
+#endif
diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h
new file mode 100644
index 0000000000..dc0b8e81c8
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/shm.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h
new file mode 100644
index 0000000000..dc0b8e81c8
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/utsname.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 4fe54cd808..bbcfa0d0e7 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -2,7 +2,7 @@
#
# This script runs the OpenSSL Configure script, then processes the
# resulting file list into our local OpensslLib[Crypto].inf and also
-# takes a copy of opensslconf.h.
+# takes copies of opensslconf.h and dso_conf.h.
#
# This only needs to be done once by a developer when updating to a
# new version of OpenSSL (or changing options, etc.). Normal users
@@ -106,6 +106,14 @@ BEGIN {
) == 0 ||
die "Failed to generate opensslconf.h!\n";
+ # Generate dso_conf.h per config data
+ system(
+ "perl -I. -Mconfigdata util/dofile.pl " .
+ "crypto/include/internal/dso_conf.h.in " .
+ "> include/internal/dso_conf.h"
+ ) == 0 ||
+ die "Failed to generate dso_conf.h!\n";
+
chdir($basedir) ||
die "Cannot change to base directory \"" . $basedir . "\"";
@@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
print "Done!";
#
-# Copy opensslconf.h generated from OpenSSL Configuration
+# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
#
print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
$OPENSSL_PATH . "/../../Include/openssl/") ||
die "Cannot copy opensslconf.h!";
+print "Done!";
+print "\n--> Duplicating dso_conf.h into Include/internal ... ";
+copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
+ $OPENSSL_PATH . "/../../Include/internal/") ||
+ die "Cannot copy dso_conf.h!";
print "Done!\n";
print "\nProcessing Files Done!\n";
--
2.18.1

37
SOURCES/0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch Normal file
View File

@ -0,0 +1,37 @@
From db8ccca337e2c5722c1d408d2541cf653d3371a2 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 4 Jun 2020 13:34:12 +0200
Subject: BaseTools: do not build BrotliCompress (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- New patch.
BrotliCompress is not used for building ArmVirtPkg or OvmfPkg platforms.
It depends on one of the upstream Brotli git submodules that we removed
earlier in this rebase series. (See patch "remove upstream edk2's Brotli
submodules (RH only").
Do not attempt to build BrotliCompress.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
BaseTools/Source/C/GNUmakefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
index df4eb64ea9..52777eaff1 100644
--- a/BaseTools/Source/C/GNUmakefile
+++ b/BaseTools/Source/C/GNUmakefile
@@ -45,7 +45,6 @@ all: makerootdir subdirs
LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \
- BrotliCompress \
VfrCompile \
EfiRom \
GenFfs \
--
2.18.1

43
SOURCES/0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch Normal file
View File

@ -0,0 +1,43 @@
From e05e0de713c4a2b8adb6ff9809611f222bfe50ed Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 4 Jun 2020 13:39:08 +0200
Subject: MdeModulePkg: remove package-private Brotli include path (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- New patch.
Originating from upstream commit 58802e02c41b
("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule",
2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal
include path into a Brotli submodule.
The edk2 build system requires such include paths to resolve successfully,
regardless of the firmware platform being built. Because
BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg
platforms, and we've removed the submodule earlier in this patch set,
remove the include path too.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
MdeModulePkg/MdeModulePkg.dec | 3 ---
1 file changed, 3 deletions(-)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 4f44af6948..031043ec28 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -24,9 +24,6 @@
[Includes]
Include
-[Includes.Common.Private]
- Library/BrotliCustomDecompressLib/brotli/c/include
-
[LibraryClasses]
## @libraryclass Defines a set of methods to reset whole system.
ResetSystemLib|Include/Library/ResetSystemLib.h
--
2.18.1

95
SOURCES/0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch → SOURCES/0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
View File

@ -1,8 +1,23 @@
From 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2 Mon Sep 17 00:00:00 2001
From cee80878b19e51d9b3c63335c681f152dcc59764 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 Jun 2014 23:33:33 +0200
Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- Replace the open-coded BSDL with "SPDX-License-Identifier:
BSD-2-Clause-Patent" in the following files:
- MdeModulePkg/Logo/Logo-OpenSSL.idf
- MdeModulePkg/Logo/LogoOpenSSLDxe.inf
- MdeModulePkg/Logo/LogoOpenSSLDxe.uni
(This should have been done in the previous rebase, because the same
license block changes had been applied to MdeModulePkg/Logo/ in upstream
commit 9d510e61fcee ("MdeModulePkg: Replace BSD License with BSD+Patent
License", 2019-04-09), part of tag edk2-stable201905.)
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -135,31 +150,32 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 0b2d90347cb016cc71c2de62e941a2a4ab0f35a3)
(cherry picked from commit 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d)
(cherry picked from commit 727c11ecd9f34990312e14f239e6238693619849)
(cherry picked from commit 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2)
---
ArmVirtPkg/ArmVirtQemu.dsc | 2 +-
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 2 +-
ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 +-
MdeModulePkg/Logo/Logo-OpenSSL.bmp | Bin 0 -> 156342 bytes
MdeModulePkg/Logo/Logo-OpenSSL.idf | 15 +++++++
MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 61 +++++++++++++++++++++++++++
MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 22 ++++++++++
MdeModulePkg/Logo/Logo-OpenSSL.idf | 10 +++++
MdeModulePkg/Logo/LogoOpenSSLDxe.inf | 56 +++++++++++++++++++++++++++
MdeModulePkg/Logo/LogoOpenSSLDxe.uni | 17 ++++++++
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32.fdf | 2 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +-
OvmfPkg/OvmfPkgX64.dsc | 2 +-
OvmfPkg/OvmfPkgX64.fdf | 2 +-
13 files changed, 107 insertions(+), 9 deletions(-)
13 files changed, 92 insertions(+), 9 deletions(-)
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp
create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf
create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ae6702ac1..a3cc3f26ec 100644
index 3f649c91d8..360094ab6a 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -364,7 +364,7 @@
@@ -424,7 +424,7 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@ -169,10 +185,10 @@ index 7ae6702ac1..a3cc3f26ec 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 31f615a9d0..57f2f625fe 100644
index a2f4bd62c8..9b94043085 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -176,7 +176,7 @@ READ_LOCK_STATUS = TRUE
@@ -193,7 +193,7 @@ READ_LOCK_STATUS = TRUE
#
# TianoCore logo (splash screen)
#
@ -182,10 +198,10 @@ index 31f615a9d0..57f2f625fe 100644
#
# Ramdisk support
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 3b0f04967a..27e65b7638 100644
index 2a6fd6bc06..d186263e18 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -348,7 +348,7 @@
@@ -363,7 +363,7 @@
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@ -416,42 +432,32 @@ HcmV?d00001
diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.idf b/MdeModulePkg/Logo/Logo-OpenSSL.idf
new file mode 100644
index 0000000000..a80de29a63
index 0000000000..2a60ac61b7
--- /dev/null
+++ b/MdeModulePkg/Logo/Logo-OpenSSL.idf
@@ -0,0 +1,15 @@
@@ -0,0 +1,10 @@
+// /** @file
+// Platform Logo image definition file.
+//
+// Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+//
+// This program and the accompanying materials
+// are licensed and made available under the terms and conditions of the BSD License
+// which accompanies this distribution. The full text of the license may be found at
+// http://opensource.org/licenses/bsd-license.php
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+#image IMG_LOGO Logo-OpenSSL.bmp
diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.inf b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
new file mode 100644
index 0000000000..2f79d873e2
index 0000000000..d1207663b2
--- /dev/null
+++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
@@ -0,0 +1,61 @@
@@ -0,0 +1,56 @@
+## @file
+# The default logo bitmap picture shown on setup screen.
+#
+# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+#
+##
@ -504,10 +510,10 @@ index 0000000000..2f79d873e2
+ LogoDxeExtra.uni
diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.uni b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
new file mode 100644
index 0000000000..7227ac3910
index 0000000000..6439502b6a
--- /dev/null
+++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
@@ -0,0 +1,22 @@
@@ -0,0 +1,17 @@
+// /** @file
+// The logo bitmap picture (with OpenSSL advertisment) shown on setup screen.
+//
@ -516,12 +522,7 @@ index 0000000000..7227ac3910
+//
+// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+//
+// This program and the accompanying materials
+// are licensed and made available under the terms and conditions of the BSD License
+// which accompanies this distribution. The full text of the license may be found at
+// http://opensource.org/licenses/bsd-license.php
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
@ -531,10 +532,10 @@ index 0000000000..7227ac3910
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
+
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 66e944436a..044379e1ed 100644
index d0df9cbbfb..f8317a4f5d 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -688,7 +688,7 @@
@@ -750,7 +750,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -544,10 +545,10 @@ index 66e944436a..044379e1ed 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 785affeb90..326f82384e 100644
index e2b759aa8d..ec64551bcb 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -283,7 +283,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
@@ -294,7 +294,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -557,10 +558,10 @@ index 785affeb90..326f82384e 100644
#
# Network modules
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 51c2bfb44f..2ff68102d3 100644
index b3ae62fee9..55423d356c 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -701,7 +701,7 @@
@@ -764,7 +764,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -570,10 +571,10 @@ index 51c2bfb44f..2ff68102d3 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 7440707256..aefb6614ad 100644
index bfca1eff9e..2f02ac2d73 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
@ -583,10 +584,10 @@ index 7440707256..aefb6614ad 100644
#
# Network modules
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index ba7a758844..3a66d4d424 100644
index f7fe75ebf5..17aeeed96e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -699,7 +699,7 @@
@@ -760,7 +760,7 @@
NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
!endif
}
@ -596,10 +597,10 @@ index ba7a758844..3a66d4d424 100644
<LibraryClasses>
NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 7440707256..aefb6614ad 100644
index bfca1eff9e..2f02ac2d73 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -284,7 +284,7 @@ INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
@@ -295,7 +295,7 @@ INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf

10
SOURCES/0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch → SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
View File

@ -1,8 +1,13 @@
From e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5 Mon Sep 17 00:00:00 2001
From a95cff0b9573bf23699551beb4786383f697ff1e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 20 Feb 2014 22:54:45 +0100
Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -48,12 +53,13 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a)
(cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a)
(cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2)
(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5)
---
OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
index 3dfa3126c3..9451c50c70 100644
index dffb20822d..0577c43c3d 100644
--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
@@ -21,7 +21,7 @@

10
SOURCES/0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch → SOURCES/0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
View File

@ -1,8 +1,13 @@
From 3aa0316ea1db5416cb528179a3ba5ce37c1279b7 Mon Sep 17 00:00:00 2001
From 99da4393139d428baf09d751af3d072229839126 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 12 Jun 2014 00:17:59 +0200
Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no changes
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -54,13 +59,14 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 7046d6040181bb0f76a5ebd680e0dc701c895dba)
(cherry picked from commit 4dd1cc745bc9a8c8b32b5810b40743fed1e36d7e)
(cherry picked from commit bd264265a99c60f45cadaa4109a9db59ae218471)
(cherry picked from commit 3aa0316ea1db5416cb528179a3ba5ce37c1279b7)
---
OvmfPkg/QemuVideoDxe/VbeShim.asm | 2 +-
OvmfPkg/QemuVideoDxe/VbeShim.h | 481 ++++++++++++++++++++-----------
2 files changed, 308 insertions(+), 175 deletions(-)
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
index cb2a60d827..26fe1bcc32 100644
index 1d284b2641..0d5cfaf1e4 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
@@ -12,7 +12,7 @@

62
SOURCES/0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
View File

@ -1,62 +0,0 @@
From 0dd0ad0dcdfd1189ed8aa880765403d1f587cc59 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 12 Apr 2016 20:50:25 +0200
Subject: ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules (RH only)
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
- no change
Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
RHEL-8.1/20190308-89910a39dcfd rebase:
- no change
Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
RHEL-8.0/20180508-ee3198e672e2 rebase:
- reorder the rebase changelog in the commit message so that it reads like
a blog: place more recent entries near the top
- no changes to the patch body
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
- no change
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
- no changes
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
- no changes
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 8e2153358aa2bba2c91faa87a70beadcaae03fd8)
(cherry picked from commit 5af259a93f4bbee5515ae18638068125e170f2cd)
(cherry picked from commit 22b073005af491eef177ef5f80ffe71c1ebabb03)
(cherry picked from commit f77f1e7dd6013f918c70e089c95b8f4166085fb9)
(cherry picked from commit 762595334aa7ce88412cc77e136db9b41577a699)
(cherry picked from commit f372886be5f1c41677f168be77c484bae5841361)
---
ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
index 4d27d7d30b..feceed5f93 100644
--- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
+++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
@@ -15,7 +15,7 @@
FILE_GUID = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
MODULE_TYPE = BASE
VERSION_STRING = 1.0
- LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER
+ LIBRARY_CLASS = QemuFwCfgLib|DXE_DRIVER UEFI_DRIVER
CONSTRUCTOR = QemuFwCfgInitialize
--
2.18.1

12
SOURCES/0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch → SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
View File

@ -1,8 +1,13 @@
From 12cb13a1da913912bd9148ce8f2353a75be77f18 Mon Sep 17 00:00:00 2001
From 82b9edc5fef3a07227a45059bbe821af7b9abd69 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 18:40:35 +0100
Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no changes
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -95,15 +100,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621)
(cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37)
(cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51)
(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18)
---
.../Universal/Console/TerminalDxe/Terminal.c | 41 +++++++++++++++++--
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
index c76b2c5100..eff9d9787f 100644
index a98b690c8b..ded5513c74 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
@@ -107,9 +107,44 @@ TERMINAL_DEV mTerminalDevTemplate = {
@@ -115,9 +115,44 @@ TERMINAL_DEV mTerminalDevTemplate = {
};
TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = {

26
SOURCES/0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch → SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
View File

@ -1,9 +1,16 @@
From a11602f5e2ef930be5b693ddfd0c789a1bd4c60c Mon Sep 17 00:00:00 2001
From bc2266f20de5db1636e09a07e4a72c8dbf505f5a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 25 Feb 2014 22:40:01 +0100
Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising
from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add
PcdTcgPfpMeasurementRevision PCD", 2020-01-06).
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -59,6 +66,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90)
(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb)
(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc)
(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c)
---
MdeModulePkg/MdeModulePkg.dec | 4 +++
.../Console/TerminalDxe/TerminalConOut.c | 30 +++++++++++++++++++
@ -66,12 +74,12 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
3 files changed, 36 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 19935c88fa..5690bbd8b3 100644
index 031043ec28..3978a500e5 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2002,6 +2002,10 @@
# @Prompt Capsule On Disk relocation device path.
gEfiMdeModulePkgTokenSpaceGuid.PcdCodRelocationDevPath|{0xFF}|VOID*|0x0000002f
@@ -1998,6 +1998,10 @@
# @Prompt TCG Platform Firmware Profile revision.
gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x00010077
+ ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
+ # mode change.
@ -81,7 +89,7 @@ index 19935c88fa..5690bbd8b3 100644
## Specify memory size with page number for PEI code when
# Loading Module at Fixed Address feature is enabled.
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
index 7ef655cca5..1113252df2 100644
index aae470e956..26156857aa 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
@ -110,7 +118,7 @@ index 7ef655cca5..1113252df2 100644
//
// Body of the ConOut functions
//
@@ -502,6 +514,24 @@ TerminalConOutSetMode (
@@ -506,6 +518,24 @@ TerminalConOutSetMode (
return EFI_DEVICE_ERROR;
}
@ -136,7 +144,7 @@ index 7ef655cca5..1113252df2 100644
Status = This->ClearScreen (This);
diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
index 24e164ef4d..d1160ed1c7 100644
index b2a8aeba85..eff6253465 100644
--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
@@ -55,6 +55,7 @@
@ -147,7 +155,7 @@ index 24e164ef4d..d1160ed1c7 100644
[Guids]
## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
@@ -83,6 +84,7 @@
@@ -87,6 +88,7 @@
[Pcd]
gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable ## CONSUMES

38
SOURCES/0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch → SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
View File

@ -1,8 +1,15 @@
From 2cc462ee963d0be119bc97bfc9c70d292a40516f Mon Sep 17 00:00:00 2001
From 51e0de961029af84b5bdbfddcc9762b1819d500f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 15:59:06 +0200
Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- Resolve contextual conflict in the DSC files, from upstream commit
b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D
SMM_REQUIRE", 2020-03-12).
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -43,6 +50,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3)
(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853)
(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2)
(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f)
---
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
@ -52,47 +60,47 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
5 files changed, 5 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 044379e1ed..accf5c0211 100644
index f8317a4f5d..6ce8a46d4e 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -525,6 +525,7 @@
@@ -574,6 +574,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 2ff68102d3..8812da9943 100644
index 55423d356c..89d414cda7 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -531,6 +531,7 @@
@@ -580,6 +580,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 3a66d4d424..73e1b7824f 100644
index 17aeeed96e..e567eb76e0 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -530,6 +530,7 @@
@@ -578,6 +578,7 @@
# ($(SMM_REQUIRE) == FALSE)
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
!if $(SMM_REQUIRE) == FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 3ba2459872..bbbf1ac2a8 100644
index 96468701e3..14efbabe39 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -667,6 +667,7 @@ InitializePlatform (
PeiFvInitialization ();
@@ -748,6 +748,7 @@ InitializePlatform (
MemTypeInfoInitialization ();
MemMapInitialization ();
NoexecDxeInitialization ();
+ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
@ -100,10 +108,10 @@ index 3ba2459872..bbbf1ac2a8 100644
InstallClearCacheCallback ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index d9fd9c8f05..666803916c 100644
index ff397b3ee9..3a012a7fa4 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -89,6 +89,7 @@
@@ -93,6 +93,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration

144
SOURCES/0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch → SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
View File

@ -1,8 +1,42 @@
From 8338545260fbb423f796d5196faaaf8ff6e1ed99 Mon Sep 17 00:00:00 2001
From a5f7a57bf390f1f340ff1d1f1884a73716817ef1 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sun, 26 Jul 2015 08:02:50 +0000
Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc",
arising from upstream commits:
- 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base
address from the DT", 2020-03-04)
- ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI
phase", 2020-03-04)
- cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the
QEMU command line", 2020-04-28)
- Rework the downstream patch quite a bit, paralleling the upstream work
done for <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> in commit
range 64ab457d1f21..cdc3fa54184a:
- Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace
open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent".
- Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only
via NULL class resolution (basically: as a plugin), so use NULL for
LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER".
- Sort the [Packages] section alphabetically in the INF file.
- Replace the open-coded GetNamedFwCfgBoolean() function with a call to
QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib.
- Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the
INF file.
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -45,28 +79,29 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65)
(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806)
(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04)
(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99)
---
ArmVirtPkg/ArmVirtQemu.dsc | 7 +-
.../TerminalPcdProducerLib.c | 87 +++++++++++++++++++
.../TerminalPcdProducerLib.inf | 41 +++++++++
3 files changed, 134 insertions(+), 1 deletion(-)
ArmVirtPkg/ArmVirtQemu.dsc | 7 +++-
.../TerminalPcdProducerLib.c | 34 +++++++++++++++++++
.../TerminalPcdProducerLib.inf | 33 ++++++++++++++++++
3 files changed, 73 insertions(+), 1 deletion(-)
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index a3cc3f26ec..696b0b5bcd 100644
index 360094ab6a..3345987503 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -237,6 +237,8 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
@@ -272,6 +272,8 @@
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
!endif
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
@@ -314,7 +316,10 @@
@@ -374,7 +376,10 @@
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
@ -80,82 +115,29 @@ index a3cc3f26ec..696b0b5bcd 100644
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
new file mode 100644
index 0000000000..814ad48199
index 0000000000..bfd3a6a535
--- /dev/null
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
@@ -0,0 +1,87 @@
@@ -0,0 +1,34 @@
+/** @file
+* Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
+*
+* Copyright (C) 2015-2016, Red Hat, Inc.
+* Copyright (C) 2015-2020, Red Hat, Inc.
+* Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
+*
+* This program and the accompanying materials are licensed and made available
+* under the terms and conditions of the BSD License which accompanies this
+* distribution. The full text of the license may be found at
+* http://opensource.org/licenses/bsd-license.php
+*
+* THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+* WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+* IMPLIED.
+*
+* SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/QemuFwCfgLib.h>
+
+STATIC
+RETURN_STATUS
+GetNamedFwCfgBoolean (
+ IN CONST CHAR8 *FwCfgFileName,
+ OUT BOOLEAN *Setting
+ )
+{
+ RETURN_STATUS Status;
+ FIRMWARE_CONFIG_ITEM FwCfgItem;
+ UINTN FwCfgSize;
+ UINT8 Value[3];
+
+ Status = QemuFwCfgFindFile (FwCfgFileName, &FwCfgItem, &FwCfgSize);
+ if (RETURN_ERROR (Status)) {
+ return Status;
+ }
+ if (FwCfgSize > sizeof Value) {
+ return RETURN_BAD_BUFFER_SIZE;
+ }
+ QemuFwCfgSelectItem (FwCfgItem);
+ QemuFwCfgReadBytes (FwCfgSize, Value);
+
+ if ((FwCfgSize == 1) ||
+ (FwCfgSize == 2 && Value[1] == '\n') ||
+ (FwCfgSize == 3 && Value[1] == '\r' && Value[2] == '\n')) {
+ switch (Value[0]) {
+ case '0':
+ case 'n':
+ case 'N':
+ *Setting = FALSE;
+ return RETURN_SUCCESS;
+
+ case '1':
+ case 'y':
+ case 'Y':
+ *Setting = TRUE;
+ return RETURN_SUCCESS;
+
+ default:
+ break;
+ }
+ }
+ return RETURN_PROTOCOL_ERROR;
+}
+#include <Library/QemuFwCfgSimpleParserLib.h>
+
+#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName) \
+ do { \
+ BOOLEAN Setting; \
+ RETURN_STATUS PcdStatus; \
+ \
+ if (!RETURN_ERROR (GetNamedFwCfgBoolean ( \
+ if (!RETURN_ERROR (QemuFwCfgParseBool ( \
+ "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
+ PcdStatus = PcdSetBoolS (TokenName, Setting); \
+ ASSERT_RETURN_ERROR (PcdStatus); \
@ -173,25 +155,17 @@ index 0000000000..814ad48199
+}
diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
new file mode 100644
index 0000000000..fecb37bcdf
index 0000000000..a51dbd1670
--- /dev/null
+++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
@@ -0,0 +1,41 @@
@@ -0,0 +1,33 @@
+## @file
+# Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
+#
+# Copyright (C) 2015-2016, Red Hat, Inc.
+# Copyright (C) 2015-2020, Red Hat, Inc.
+# Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
+#
+# This program and the accompanying materials are licensed and made available
+# under the terms and conditions of the BSD License which accompanies this
+# distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
@ -200,24 +174,24 @@ index 0000000000..fecb37bcdf
+ FILE_GUID = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TerminalPcdProducerLib|DXE_DRIVER
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = TerminalPcdProducerLibConstructor
+
+[Sources]
+ TerminalPcdProducerLib.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ DebugLib
+ PcdLib
+ QemuFwCfgLib
+ QemuFwCfgSimpleParserLib
+
+[Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
+ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES
--
2.18.1

24
SOURCES/0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch → SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
View File

@ -1,9 +1,15 @@
From 229c88dc3ded9baeaca8b87767dc5c41c05afd6e Mon Sep 17 00:00:00 2001
From c2812d7189dee06c780f05a5880eb421c359a687 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:53 +0100
Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH
only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the
'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -85,6 +91,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245)
(cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687)
(cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4)
(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e)
---
OvmfPkg/OvmfPkgIa32.fdf | 2 ++
OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
@ -92,16 +99,17 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
3 files changed, 6 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 326f82384e..dff2fcd9f6 100644
index ec64551bcb..44178a0da7 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -278,10 +278,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -288,11 +288,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif
@ -109,16 +117,17 @@ index 326f82384e..dff2fcd9f6 100644
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index aefb6614ad..6684a2e799 100644
index 2f02ac2d73..06259c43d2 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif
@ -126,16 +135,17 @@ index aefb6614ad..6684a2e799 100644
INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index aefb6614ad..6684a2e799 100644
index 2f02ac2d73..06259c43d2 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -279,10 +279,12 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
@@ -289,11 +289,13 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
INF FatPkg/EnhancedFatDxe/Fat.inf
INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+!ifndef $(EXCLUDE_SHELL_FROM_FD)
!if $(TOOL_CHAIN_TAG) != "XCODE5"
INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
!endif
INF ShellPkg/Application/Shell/Shell.inf
+!endif

12
SOURCES/0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch → SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
View File

@ -1,8 +1,13 @@
From 9f756c1ad83cc81f7d892cd036d59a2b567b02dc Mon Sep 17 00:00:00 2001
From c75aea7a738ac7fb944c0695a4bfffc3985afaa9 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:49:43 +0200
Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -54,15 +59,16 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27)
(cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1)
(cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2)
(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc)
---
ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
index c8ea183313..bab4804a17 100644
index 696d636aac..1553e1ae92 100644
--- a/ArmPlatformPkg/ArmPlatformPkg.dec
+++ b/ArmPlatformPkg/ArmPlatformPkg.dec
@@ -108,6 +108,13 @@
@@ -104,6 +104,13 @@
## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045

16
SOURCES/0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch → SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
View File

@ -1,9 +1,14 @@
From 8d5a8827aabc67cb2a046697e1a750ca8d9cc453 Mon Sep 17 00:00:00 2001
From 49fe5596cd79c94d903c4d506c563d642ccd69aa Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 13:59:20 +0200
Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
port (RH)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -52,6 +57,7 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a)
(cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de)
(cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf)
(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453)
---
ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++
ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++
@ -105,10 +111,10 @@ index 7140c7f5b5..1d69a2b468 100644
#include <PiPei.h>
#include <Ppi/TemporaryRamSupport.h>
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
index f2ac45d171..fc93fda965 100644
index fb01dd1a11..a6681c1032 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
@@ -67,6 +67,8 @@
@@ -69,6 +69,8 @@
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
@ -118,10 +124,10 @@ index f2ac45d171..fc93fda965 100644
gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
gArmTokenSpaceGuid.PcdGicSgiIntId
diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
index 84c319c367..46d1b30978 100644
index e9eb092d3a..c98dc82f0c 100644
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
@@ -65,4 +65,6 @@
@@ -67,4 +67,6 @@
gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize

16
SOURCES/0017-ArmVirtPkg-set-early-hello-message-RH-only.patch → SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
View File

@ -1,8 +1,15 @@
From ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b Mon Sep 17 00:00:00 2001
From 72550e12ae469012a505bf5b98a6543a754028d3 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 14 Oct 2015 14:07:17 +0200
Subject: ArmVirtPkg: set early hello message (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- context difference from upstream commit f5cb3767038e
("ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2
support", 2020-03-04) automatically resolved correctly
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -47,16 +54,17 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18)
(cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18)
(cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a)
(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b)
---
ArmVirtPkg/ArmVirtQemu.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 696b0b5bcd..08c7a36339 100644
index 3345987503..57c5b3f898 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -101,6 +101,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
@@ -125,6 +125,7 @@
gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
[PcdsFixedAtBuild.common]
+ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n"

28
SOURCES/0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch → SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
View File

@ -1,8 +1,15 @@
From 3cb92f9ba18ac79911bd5258ff4f949cc617ae89 Mon Sep 17 00:00:00 2001
From 5ecc18badaabe774d9d0806b027ab63a30c6a2d7 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:45 +0100
Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make
SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22)
resolved automatically
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -44,6 +51,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76)
(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027)
(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50)
(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89)
---
OvmfPkg/OvmfPkgIa32.dsc | 2 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
@ -51,43 +59,43 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index accf5c0211..759075a815 100644
index 6ce8a46d4e..765ffff312 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -479,7 +479,7 @@
@@ -516,7 +516,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!ifdef $(SOURCE_DEBUG_ENABLE)
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 8812da9943..634e20f09c 100644
index 89d414cda7..277297a964 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -484,7 +484,7 @@
@@ -520,7 +520,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!ifdef $(SOURCE_DEBUG_ENABLE)
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 73e1b7824f..bc5a345a37 100644
index e567eb76e0..5c1597fe3c 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -484,7 +484,7 @@
@@ -520,7 +520,7 @@
# DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may
# // significantly impact boot performance
# DEBUG_ERROR 0x80000000 // Error
- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
!ifdef $(SOURCE_DEBUG_ENABLE)
!if $(SOURCE_DEBUG_ENABLE) == TRUE
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
--
2.18.1

20
SOURCES/0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch → SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
View File

@ -1,9 +1,14 @@
From c8c3f893e7c3710afe45c46839e97954871536e4 Mon Sep 17 00:00:00 2001
From 1355849ad97c1e4a5c430597a377165a5cc118f7 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:46 +0100
Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
QemuVideoDxe/QemuRamfbDxe (RH)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -64,6 +69,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0)
(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1)
(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850)
(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4)
---
OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++--
OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++--
@ -71,10 +77,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 759075a815..6a07a6af81 100644
index 765ffff312..f5c6cceb4f 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -742,9 +742,15 @@
@@ -811,9 +811,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
@ -93,10 +99,10 @@ index 759075a815..6a07a6af81 100644
#
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 634e20f09c..c7f52992e9 100644
index 277297a964..c1e52b0acd 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -755,9 +755,15 @@
@@ -825,9 +825,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)
@ -115,10 +121,10 @@ index 634e20f09c..c7f52992e9 100644
#
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index bc5a345a37..594ecb5362 100644
index 5c1597fe3c..e65165b9f0 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -753,9 +753,15 @@
@@ -821,9 +821,15 @@
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
!ifndef $(CSM_ENABLE)

16
SOURCES/0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch → SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
View File

@ -1,9 +1,14 @@
From e5b8152bced2364a1ded0926dbba4d65e23e3f84 Mon Sep 17 00:00:00 2001
From e7f57f154439c1c18ea5030b01f8d7bc492698b2 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 27 Jan 2016 03:05:18 +0100
Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH
only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -43,16 +48,17 @@ Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84)
---
ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++-
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 08c7a36339..b3dcdd747b 100644
index 57c5b3f898..dda887b2ae 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -422,7 +422,10 @@
@@ -494,7 +494,10 @@
#
# Video support
#
@ -65,10 +71,10 @@ index 08c7a36339..b3dcdd747b 100644
OvmfPkg/PlatformDxe/Platform.inf
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 27e65b7638..008181055a 100644
index d186263e18..711dd63e20 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -400,7 +400,10 @@
@@ -427,7 +427,10 @@
#
# Video support
#

8
SOURCES/0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch → SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
View File

@ -1,9 +1,14 @@
From aa2b66b18a62d652bdbefae7b5732297294306ca Mon Sep 17 00:00:00 2001
From deb3451034326b75fd760aba47a5171493ff055e Mon Sep 17 00:00:00 2001
From: Philippe Mathieu-Daude <philmd@redhat.com>
Date: Thu, 1 Aug 2019 20:43:48 +0200
Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent
builds (RH only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -29,6 +34,7 @@ Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca)
---
OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++
OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 +

20
SOURCES/0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch → SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
View File

@ -1,9 +1,14 @@
From b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6 Mon Sep 17 00:00:00 2001
From ed89844b47f46cfe911f1bf2bda40e537a908502 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 21 Nov 2017 00:57:47 +0100
Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH
only)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- no change
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -45,6 +50,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8)
(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6)
(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958)
(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6)
---
OvmfPkg/OvmfPkgIa32.dsc | 5 ++++-
OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
@ -52,10 +58,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6a07a6af81..1c56e0948a 100644
index f5c6cceb4f..e8868136d8 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -735,7 +735,10 @@
@@ -804,7 +804,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -68,10 +74,10 @@ index 6a07a6af81..1c56e0948a 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index c7f52992e9..29e12c9dff 100644
index c1e52b0acd..d05275a324 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -748,7 +748,10 @@
@@ -818,7 +818,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@ -84,10 +90,10 @@ index c7f52992e9..29e12c9dff 100644
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 594ecb5362..11fe9f6050 100644
index e65165b9f0..cac4cecf18 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -746,7 +746,10 @@
@@ -814,7 +814,10 @@
OvmfPkg/SataControllerDxe/SataControllerDxe.inf
MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf

42
SOURCES/0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch → SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
View File

@ -1,9 +1,28 @@
From 57bd3f146590df8757865d8f2cdd1db3cf3f4d40 Mon Sep 17 00:00:00 2001
From 56c4bb81b311dfcee6a34c81d3e4feeda7f88995 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sat, 16 Nov 2019 17:11:27 +0100
Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs
(RH)
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- "OpensslLib.inf":
- Automatic leading context refresh against upstream commit c72ca4666886
("CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing
loop", 2020-03-10).
- Manual trailing context refresh against upstream commit b49a6c8f80d9
("CryptoPkg/OpensslLib: improve INF file consistency", 2019-12-02).
- "OpensslLibCrypto.inf":
- Automatic leading context refresh against upstream commits
8906f076de35 ("CryptoPkg/OpensslLib: Add missing header files in INF
file", 2019-08-16) and 9f4fbd56d430 ("CryptoPkg/OpensslLib: Update
process_files.pl to generate .h files", 2019-10-30).
Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
@ -25,18 +44,19 @@ Note: "process_files.pl" is not re-run at this time manually, because
and will help with future changes too.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40)
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 11 +++++++++++
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++
2 files changed, 22 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dd873a0dcd..d1c7602b87 100644
index c8ec9454bd..24e790b538 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -598,6 +598,17 @@
$(OPENSSL_PATH)/ssl/record/record.h
$(OPENSSL_PATH)/ssl/record/record_locl.h
@@ -570,6 +570,17 @@
$(OPENSSL_PATH)/ssl/statem/statem.h
$(OPENSSL_PATH)/ssl/statem/statem_locl.h
# Autogenerated files list ends here
+# RHEL8-specific OpenSSL file list starts here
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
@ -49,16 +69,16 @@ index dd873a0dcd..d1c7602b87 100644
+ $(OPENSSL_PATH)/crypto/kdf/sshkdf.c
+ $(OPENSSL_PATH)/crypto/kdf/sskdf.c
+# RHEL8-specific OpenSSL file list ends here
buildinf.h
rand_pool_noise.h
ossl_store.c
rand_pool.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index a1bb560255..0785a421dd 100644
index 2f232e3e12..52e70a2d03 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -546,6 +546,17 @@
$(OPENSSL_PATH)/crypto/objects/obj_lcl.h
$(OPENSSL_PATH)/crypto/objects/obj_xref.h
@@ -519,6 +519,17 @@
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
# Autogenerated files list ends here
+# RHEL8-specific OpenSSL file list starts here
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c

83
SOURCES/0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch Normal file
View File

@ -0,0 +1,83 @@
From bf88198555ce964377a56176de8e5e9b45e43e25 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Sat, 6 Jun 2020 01:16:09 +0200
Subject: OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from
LoadImage()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- new patch
- the patch is being upstreamed; it's not a backport because the rebase
deadline is close
- upstream references:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2785
- http://mid.mail-archive.com/20200605235242.32442-1-lersek@redhat.com
- https://edk2.groups.io/g/devel/message/60825
- https://www.redhat.com/archives/edk2-devel-archive/2020-June/msg00344.html
[downstream note ends, upstream commit message starts]
When an image fails Secure Boot validation, LoadImage() returns
EFI_SECURITY_VIOLATION if the platform policy is
DEFER_EXECUTE_ON_SECURITY_VIOLATION.
If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
loaded).
(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
difference would be masked, as DxeImageVerificationLib would incorrectly
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
well.)
In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
seeing EFI_ACCESS_DENIED too.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
.../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index ef753be7ea..931553c0c1 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -320,15 +320,21 @@ QemuLoadKernelImage (
case EFI_SECURITY_VIOLATION:
//
- // We are running with UEFI secure boot enabled, and the image failed to
- // authenticate. For compatibility reasons, we fall back to the legacy
- // loader in this case. Since the image has been loaded, we need to unload
- // it before proceeding
+ // Since the image has been loaded, we need to unload it before proceeding
+ // to the EFI_ACCESS_DENIED case below.
//
gBS->UnloadImage (KernelImageHandle);
//
// Fall through
//
+ case EFI_ACCESS_DENIED:
+ //
+ // We are running with UEFI secure boot enabled, and the image failed to
+ // authenticate. For compatibility reasons, we fall back to the legacy
+ // loader in this case.
+ //
+ // Fall through
+ //
case EFI_UNSUPPORTED:
//
// The image is not natively supported or cross-type supported. Let's try
--
2.18.1

184
SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch Normal file
View File

@ -0,0 +1,184 @@
From 74e5313dfa6719f7990c7e175e035d17c9b3f657 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 5 Jun 2020 23:44:43 +0200
Subject: Revert "OvmfPkg: use generic QEMU image loader for secure boot
enabled builds"
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
- new patch (to be dropped later, hopefully)
This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
Upstream commit ced77332cab6 ("OvmfPkg: use generic QEMU image loader for
secure boot enabled builds", 2020-03-05) changes the "Secure Boot threat
model" in a way that is incompatible with at least two use cases.
Namely, OVMF has always considered kernel images direct-booted via fw_cfg
as trusted, bypassing Secure Boot validation. While that approach is
rooted in a technicality (namely, OVMF doesn't load such images with the
LoadImage() UEFI boot service / through the UEFI stub, but with the
Linux/x86 Boot Protocol), that doesn't mean it's wrong. The direct-booted
kernel from fw_cfg comes from the host side, and Secure Boot in the guest
is a barrier between the guest firmware and the guest operating system --
it's not a barrier between host and guest.
Upstream commit ced77332cab6 points out that the above (historical) OVMF
behavior differs from ArmVirtQemu's -- the latter direct-boots kernels
from fw_cfg with the LoadImage() / StartImage() boot services. While that
difference indeed exists between OVMF and ArmVirtQemu, it's not relevant
for RHEL downstream. That's because we never build the ArmVirtQemu
firmware with the Secure Boot feature, so LoadImage() can never reject the
direct-booted kernel due to a signing issue.
Subjecting a kernel direct-booted via fw_cfg to Secure Boot verification
breaks at least two use cases with OVMF:
- It breaks the %check stage in the SPEC file.
In that stage, we use the "ovmf-vars-generator" utility from the
"qemu-ovmf-secureboot" project, for verifying whether the Secure Boot
operational mode is enabled. The guest kernel is supposed to boot, and
to print "Secure boot enabled".
As guest kernel, we pick whatever host kernel is available in the Brew
build root. The kernel in question may be a publicly released RHEL
kernel, signed with "Red Hat Secure Boot (signing key 1)", or a
development build, signed for example with "Red Hat Secure Boot Signing
3 (beta)". Either way, none of these keys are accepted by the
certificates that were enrolled by "ovmf-vars-generator" /
"EnrollDefaultKeys.efi" in the %build stage. Therefore, the %check stage
fails.
- It breaks "virt-install --location NETWORK-URL" Linux guest
installations, if the variable store template used for the new domain
has the Secure Boot operational mode enabled. "virt-install --location"
fetches the kernel from the remote OS tree, and passes it to the guest
firmware via fw_cfg. Therefore the above symptom appears (even for
publicly released OSes).
Importantly, if the user downloads the installer ISO of the publicly
released Fedora / RHEL OS, and exposes the ISO to the guest for example
as a virtio-scsi CD-ROM, then the installation with "virt-install"
(without "--location") does succeed. That's because that way, "shim" is
booted first, from the UEFI-bootable CD-ROM. "Shim" does pass Secure
Boot verification against the Microsoft certificates, and then it is
"shim" that accepts the "Red Hat Secure Boot (signing key 1)" signature
on the guest kernel.
Some ways to approach this problem (without reverting upstream commit
ced77332cab6):
- Equip "ovmf-vars-generator" / "EnrollDefaultKeys.efi" to enroll the
public half of "Red Hat Secure Boot (signing key 1)" in the %build
stage. Use a publicly released RHEL kernel in the %check stage.
Downsides:
- The Brew build root does not offer any particular released RHEL
kernel, so either the %check stage would have to download it, or the
SRPM would have to bundle it. However, Brew build environments do not
have unfettered network access (rightly so), so the download wouldn't
work. Furthermore, for bundling with the SRPM, such a kernel image
could be considered too large.
- Does not solve the "virt-install --location" issue for other vendors'
signed kernels.
- Invoke "ovmf-vars-generator" / "EnrollDefaultKeys.efi" multiple times
during %build, to create multiple varstore templates. One that would
accept publicly released RHEL kernels, and another to accept development
kernels. Don't try to use a particular guest kernel for verification;
instead, check what kernel Brew offers in the build environment, and use
the varstore template matching *that* kernel.
Downsides:
- It may be considered useless to perform %check with a varstore
template that is *not* the one that we ship.
- Does not solve the "virt-install --location" issue for other vendors'
signed kernels.
- Sign the RHEL kernels such that the currently enrolled certificates
accept them.
Downsides:
- Not feasible at all; it would require Microsoft to sign our kernels.
"Shim" exists exactly to eliminate such signing requirements.
- Modify "virt-install --location NETWORK-URL" such that it download a
complete (UEFI-bootable) installer ISO image, rather than broken-out
vmlinuz / initrd files. In other words, replace direct (fw_cfg) kernel
boot with a CD-ROM / "shim" boot, internally to "virt-install".
Downsides:
- Defeats the goal of "virt-install --location NETWORK-URL", and defeats
the network installation method of (for example) Anaconda.
For now, revert upstream commit ced77332cab6, in order to return to the
model we had used in RHEL-8.2 and before. The following ticket has been
filed to investigate the problem separately:
<https://bugzilla.redhat.com/show_bug.cgi?id=1844653>.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/OvmfPkgIa32.dsc | 4 ----
OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
OvmfPkg/OvmfPkgX64.dsc | 4 ----
3 files changed, 12 deletions(-)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index e8868136d8..5b1e757cb9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -379,11 +379,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index d05275a324..5dffc32105 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index cac4cecf18..a2a76fdeea 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
--
2.18.1

338
SOURCES/edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
View File

@ -1,338 +0,0 @@
From 3c9574af677c24b969c3baa6a527dabaf97f11a2 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:53 +0100
Subject: [PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-6-lersek@redhat.com>
Patchwork-id: 92461
O-Subject: [RHEL-8.2.0 edk2 PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b0a ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).
We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:
$ git show \
964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
> CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
(cherry picked from commit 8d16ef8269b2ff373d8da674e59992adfdc032d3)
---
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 +++++++++++++++++++++
CryptoPkg/Library/Include/CrtLibSupport.h | 1 +
3 files changed, 259 insertions(+)
create mode 100644 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 8d4988e..b5cfd8b 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -58,6 +58,7 @@
SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
SysCall/BaseMemAllocation.c
+ SysCall/inet_pton.c
[Sources.Ia32]
Rand/CryptRandTsc.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
new file mode 100644
index 0000000..32e1ab8
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
@@ -0,0 +1,257 @@
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 1999, 2000
+ * Intel Corporation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ *
+ * This product includes software developed by Intel Corporation and
+ * its contributors.
+ *
+ * 4. Neither the name of Intel Corporation or its contributors may be
+ * used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] = "$Id: inet_pton.c,v 1.1.1.1 2003/11/19 01:51:30 kyu3 Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4 (const char *src, u_char *dst);
+static int inet_pton6 (const char *src, u_char *dst);
+
+/* int
+ * inet_pton(af, src, dst)
+ * convert from presentation format (which usually means ASCII printable)
+ * to network format (which is usually some kind of binary format).
+ * return:
+ * 1 if the address was valid for the specified address family
+ * 0 if the address wasn't valid (`dst' is untouched in this case)
+ * -1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ * Paul Vixie, 1996.
+ */
+int
+inet_pton(
+ int af,
+ const char *src,
+ void *dst
+ )
+{
+ switch (af) {
+ case AF_INET:
+ return (inet_pton4(src, dst));
+ case AF_INET6:
+ return (inet_pton6(src, dst));
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+ /* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ * like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ * 1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ * does not touch `dst' unless it's returning 1.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton4(
+ const char *src,
+ u_char *dst
+ )
+{
+ static const char digits[] = "0123456789";
+ int saw_digit, octets, ch;
+ u_char tmp[NS_INADDRSZ], *tp;
+
+ saw_digit = 0;
+ octets = 0;
+ *(tp = tmp) = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr(digits, ch)) != NULL) {
+ u_int new = *tp * 10 + (u_int)(pch - digits);
+
+ if (new > 255)
+ return (0);
+ *tp = (u_char)new;
+ if (! saw_digit) {
+ if (++octets > 4)
+ return (0);
+ saw_digit = 1;
+ }
+ } else if (ch == '.' && saw_digit) {
+ if (octets == 4)
+ return (0);
+ *++tp = 0;
+ saw_digit = 0;
+ } else
+ return (0);
+ }
+ if (octets < 4)
+ return (0);
+
+ memcpy(dst, tmp, NS_INADDRSZ);
+ return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ * convert presentation level address to network order binary form.
+ * return:
+ * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ * (1) does not touch `dst' unless it's returning 1.
+ * (2) :: in a full address is silently ignored.
+ * credit:
+ * inspired by Mark Andrews.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton6(
+ const char *src,
+ u_char *dst
+ )
+{
+ static const char xdigits_l[] = "0123456789abcdef",
+ xdigits_u[] = "0123456789ABCDEF";
+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *xdigits, *curtok;
+ int ch, saw_xdigit;
+ u_int val;
+
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ return (0);
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+ pch = strchr((xdigits = xdigits_u), ch);
+ if (pch != NULL) {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (val > 0xffff)
+ return (0);
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':') {
+ curtok = src;
+ if (!saw_xdigit) {
+ if (colonp)
+ return (0);
+ colonp = tp;
+ continue;
+ }
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ saw_xdigit = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ inet_pton4(curtok, tp) > 0) {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ return (0);
+ }
+ if (saw_xdigit) {
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ }
+ if (colonp != NULL) {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = (int)(tp - colonp);
+ int i;
+
+ for (i = 1; i <= n; i++) {
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+ if (tp != endp)
+ return (0);
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+ return (1);
+}
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
index e603fad..5a20ba6 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -192,6 +192,7 @@ void abort (void) __attribute__((__noreturn__));
#else
void abort (void);
#endif
+int inet_pton (int, const char *, void *);
//
// Macros that directly map functions to BaseLib, BaseMemoryLib, and DebugLib functions
--
1.8.3.1

188
SOURCES/edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch
View File

@ -1,188 +0,0 @@
From 1ab1024f94401300fe9a1d5cdce6c15a2b091e02 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:50 +0100
Subject: [PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies
(CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-5-lersek@redhat.com>
Patchwork-id: 92453
O-Subject: [RHEL-8.2.0 edk2 PATCH 4/9] CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package). That source file has a number of
standard C and BSD socket dependencies. Provide those dependencies here:
- The header files below will simply #include <CrtLibSupport.h>:
- arpa/inet.h
- arpa/nameser.h
- netinet/in.h
- sys/param.h
- sys/socket.h
- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
e2d3a25f1a31; which is the commit immediately preceding the removal of
StdLib from edk2 (964f432b9b0a).
Note that the other error macro, which we alread #define, namely EINVAL,
has a value (22) that also matches "StdLib/Include/errno.h".
- The AF_INET and AF_INET6 address family macros come from
"StdLib/Include/sys/socket.h".
- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
"StdLib/Include/arpa/nameser.h".
- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
(cherry picked from commit 2ac41c12c0d4b3d3ee8f905ab80da019e784de00)
---
CryptoPkg/Library/Include/CrtLibSupport.h | 16 ++++++++++++++++
CryptoPkg/Library/Include/arpa/inet.h | 9 +++++++++
CryptoPkg/Library/Include/arpa/nameser.h | 9 +++++++++
CryptoPkg/Library/Include/netinet/in.h | 9 +++++++++
CryptoPkg/Library/Include/sys/param.h | 9 +++++++++
CryptoPkg/Library/Include/sys/socket.h | 9 +++++++++
6 files changed, 61 insertions(+)
create mode 100644 CryptoPkg/Library/Include/arpa/inet.h
create mode 100644 CryptoPkg/Library/Include/arpa/nameser.h
create mode 100644 CryptoPkg/Library/Include/netinet/in.h
create mode 100644 CryptoPkg/Library/Include/sys/param.h
create mode 100644 CryptoPkg/Library/Include/sys/socket.h
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
index b90da20..e603fad 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -74,6 +74,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
// Definitions for global constants used by CRT library routines
//
#define EINVAL 22 /* Invalid argument */
+#define EAFNOSUPPORT 47 /* Address family not supported by protocol family */
#define INT_MAX 0x7FFFFFFF /* Maximum (signed) int value */
#define LONG_MAX 0X7FFFFFFFL /* max value for a long */
#define LONG_MIN (-LONG_MAX-1) /* min value for a long */
@@ -81,13 +82,28 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define CHAR_BIT 8 /* Number of bits in a char */
//
+// Address families.
+//
+#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
+#define AF_INET6 24 /* IP version 6 */
+
+//
+// Define constants based on RFC0883, RFC1034, RFC 1035
+//
+#define NS_INT16SZ 2 /*%< #/bytes of data in a u_int16_t */
+#define NS_INADDRSZ 4 /*%< IPv4 T_A */
+#define NS_IN6ADDRSZ 16 /*%< IPv6 T_AAAA */
+
+//
// Basic types mapping
//
typedef UINTN size_t;
+typedef UINTN u_int;
typedef INTN ssize_t;
typedef INT32 time_t;
typedef UINT8 __uint8_t;
typedef UINT8 sa_family_t;
+typedef UINT8 u_char;
typedef UINT32 uid_t;
typedef UINT32 gid_t;
diff --git a/CryptoPkg/Library/Include/arpa/inet.h b/CryptoPkg/Library/Include/arpa/inet.h
new file mode 100644
index 0000000..988e4e0
--- /dev/null
+++ b/CryptoPkg/Library/Include/arpa/inet.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building third-party standard C / BSD sockets code.
+
+ Copyright (C) 2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/Include/arpa/nameser.h b/CryptoPkg/Library/Include/arpa/nameser.h
new file mode 100644
index 0000000..988e4e0
--- /dev/null
+++ b/CryptoPkg/Library/Include/arpa/nameser.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building third-party standard C / BSD sockets code.
+
+ Copyright (C) 2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/Include/netinet/in.h b/CryptoPkg/Library/Include/netinet/in.h
new file mode 100644
index 0000000..988e4e0
--- /dev/null
+++ b/CryptoPkg/Library/Include/netinet/in.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building third-party standard C / BSD sockets code.
+
+ Copyright (C) 2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/Include/sys/param.h b/CryptoPkg/Library/Include/sys/param.h
new file mode 100644
index 0000000..988e4e0
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/param.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building third-party standard C / BSD sockets code.
+
+ Copyright (C) 2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <CrtLibSupport.h>
diff --git a/CryptoPkg/Library/Include/sys/socket.h b/CryptoPkg/Library/Include/sys/socket.h
new file mode 100644
index 0000000..988e4e0
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/socket.h
@@ -0,0 +1,9 @@
+/** @file
+ Include file to support building third-party standard C / BSD sockets code.
+
+ Copyright (C) 2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <CrtLibSupport.h>
--
1.8.3.1

86
SOURCES/edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
View File

@ -1,86 +0,0 @@
From 697cb1880b624f83bc9e926c3614d070eb365f06 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:47 +0100
Subject: [PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function
(CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-4-lersek@redhat.com>
Patchwork-id: 92458
O-Subject: [RHEL-8.2.0 edk2 PATCH 3/9] CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:
strchr((xdigits = xdigits_l), ch)
strchr((xdigits = xdigits_u), ch)
To enable this kind of function call, turn strchr() into a function.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
(cherry picked from commit eb520d94dba7369d1886cd5522d5a2c36fb02209)
---
CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 5 +++++
CryptoPkg/Library/Include/CrtLibSupport.h | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
index 71a2ef3..42235ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
@@ -115,6 +115,11 @@ QuickSortWorker (
// -- String Manipulation Routines --
//
+char *strchr(const char *str, int ch)
+{
+ return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
+}
+
/* Scan a string for the last occurrence of a character */
char *strrchr (const char *str, int c)
{
diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
index 5806f50..b90da20 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -147,6 +147,7 @@ int isupper (int);
int tolower (int);
int strcmp (const char *, const char *);
int strncasecmp (const char *, const char *, size_t);
+char *strchr (const char *, int);
char *strrchr (const char *, int);
unsigned long strtoul (const char *, char **, int);
long strtol (const char *, char **, int);
@@ -188,7 +189,6 @@ void abort (void);
#define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource)
#define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count)
#define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource)
-#define strchr(str,ch) ScanMem8((VOID *)(str),AsciiStrSize(str),(UINT8)ch)
#define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count)))
#define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2)
#define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__)
--
1.8.3.1

134
SOURCES/edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
View File

@ -1,134 +0,0 @@
From 3885ce313d1d06359aa76b085668c1391d8a5f50 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:43 +0100
Subject: [PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"
(CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-3-lersek@redhat.com>
Patchwork-id: 92460
O-Subject: [RHEL-8.2.0 edk2 PATCH 2/9] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
protocol to set the specified host name that need to be verified.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
(cherry picked from commit 2ca74e1a175232cc201798e27437700adc7fb07e)
---
CryptoPkg/Include/Library/TlsLib.h | 20 +++++++++++++++++++
CryptoPkg/Library/TlsLib/TlsConfig.c | 38 +++++++++++++++++++++++++++++++++++-
2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 9875cb6..3af7d4b 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -397,6 +397,26 @@ TlsSetVerify (
);
/**
+ Set the specified host name to be verified.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Flags The setting flags during the validation.
+ @param[in] HostName The specified host name to be verified.
+
+ @retval EFI_SUCCESS The HostName setting was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid HostName setting.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetVerifyHost (
+ IN VOID *Tls,
+ IN UINT32 Flags,
+ IN CHAR8 *HostName
+ );
+
+/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 74b577d..2bf5aee 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -1,7 +1,7 @@
/** @file
SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -498,6 +498,42 @@ TlsSetVerify (
}
/**
+ Set the specified host name to be verified.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] Flags The setting flags during the validation.
+ @param[in] HostName The specified host name to be verified.
+
+ @retval EFI_SUCCESS The HostName setting was set successfully.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval EFI_ABORTED Invalid HostName setting.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetVerifyHost (
+ IN VOID *Tls,
+ IN UINT32 Flags,
+ IN CHAR8 *HostName
+ )
+{
+ TLS_CONNECTION *TlsConn;
+
+ TlsConn = (TLS_CONNECTION *) Tls;
+ if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ SSL_set_hostflags(TlsConn->Ssl, Flags);
+
+ if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
+ return EFI_ABORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
--
1.8.3.1

100
SOURCES/edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
View File

@ -1,100 +0,0 @@
From 970b5f67512e00fb26765a14b4a1cb8a8a04276d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:57 +0100
Subject: [PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address
literals as such (CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-7-lersek@redhat.com>
Patchwork-id: 92452
O-Subject: [RHEL-8.2.0 edk2 PATCH 6/9] CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.
Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
(cherry picked from commit 1e72b1fb2ec597caedb5170079bb213f6d67f32a)
---
CryptoPkg/Library/TlsLib/TlsConfig.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 2bf5aee..307eb57 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -517,7 +517,11 @@ TlsSetVerifyHost (
IN CHAR8 *HostName
)
{
- TLS_CONNECTION *TlsConn;
+ TLS_CONNECTION *TlsConn;
+ X509_VERIFY_PARAM *VerifyParam;
+ UINTN BinaryAddressSize;
+ UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
+ INTN ParamStatus;
TlsConn = (TLS_CONNECTION *) Tls;
if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) {
@@ -526,11 +530,27 @@ TlsSetVerifyHost (
SSL_set_hostflags(TlsConn->Ssl, Flags);
- if (SSL_set1_host(TlsConn->Ssl, HostName) == 0) {
- return EFI_ABORTED;
+ VerifyParam = SSL_get0_param (TlsConn->Ssl);
+ ASSERT (VerifyParam != NULL);
+
+ BinaryAddressSize = 0;
+ if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_IN6ADDRSZ;
+ } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
+ BinaryAddressSize = NS_INADDRSZ;
}
- return EFI_SUCCESS;
+ if (BinaryAddressSize > 0) {
+ DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address "
+ "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName,
+ (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')));
+ ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress,
+ BinaryAddressSize);
+ } else {
+ ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
+ }
+
+ return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
}
/**
--
1.8.3.1

156
SOURCES/edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
View File

@ -1,156 +0,0 @@
From 22ebe3ff84003e9256759e230ac68da35c6d77a2 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:31:37 +0100
Subject: [PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of
EfiTlsVerifyHost (CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-2-lersek@redhat.com>
Patchwork-id: 92457
O-Subject: [RHEL-8.2.0 edk2 PATCH 1/9] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new data type named "EfiTlsVerifyHost" and
the EFI_TLS_VERIFY_HOST_FLAG for the TLS protocol consumer (HTTP)
to enable the host name check so as to avoid the potential
Man-In-The-Middle attack.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-2-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
(cherry picked from commit 31efec82796cb950e99d1622aa9c0eb8380613a0)
---
MdePkg/Include/Protocol/Tls.h | 68 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 57 insertions(+), 11 deletions(-)
diff --git a/MdePkg/Include/Protocol/Tls.h b/MdePkg/Include/Protocol/Tls.h
index bf1b672..af524ae 100644
--- a/MdePkg/Include/Protocol/Tls.h
+++ b/MdePkg/Include/Protocol/Tls.h
@@ -42,10 +42,6 @@ typedef struct _EFI_TLS_PROTOCOL EFI_TLS_PROTOCOL;
///
typedef enum {
///
- /// Session Configuration
- ///
-
- ///
/// TLS session Version. The corresponding Data is of type EFI_TLS_VERSION.
///
EfiTlsVersion,
@@ -86,11 +82,6 @@ typedef enum {
/// The corresponding Data is of type EFI_TLS_SESSION_STATE.
///
EfiTlsSessionState,
-
- ///
- /// Session information
- ///
-
///
/// TLS session data client random.
/// The corresponding Data is of type EFI_TLS_RANDOM.
@@ -106,9 +97,15 @@ typedef enum {
/// The corresponding Data is of type EFI_TLS_MASTER_SECRET.
///
EfiTlsKeyMaterial,
+ ///
+ /// TLS session hostname for validation which is used to verify whether the name
+ /// within the peer certificate matches a given host name.
+ /// This parameter is invalid when EfiTlsVerifyMethod is EFI_TLS_VERIFY_NONE.
+ /// The corresponding Data is of type EFI_TLS_VERIFY_HOST.
+ ///
+ EfiTlsVerifyHost,
EfiTlsSessionDataTypeMaximum
-
} EFI_TLS_SESSION_DATA_TYPE;
///
@@ -178,7 +175,8 @@ typedef UINT32 EFI_TLS_VERIFY;
///
#define EFI_TLS_VERIFY_PEER 0x1
///
-/// TLS session will fail peer certificate is absent.
+/// EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT is only meaningful in the server mode.
+/// TLS session will fail if client certificate is absent.
///
#define EFI_TLS_VERIFY_FAIL_IF_NO_PEER_CERT 0x2
///
@@ -188,6 +186,54 @@ typedef UINT32 EFI_TLS_VERIFY;
#define EFI_TLS_VERIFY_CLIENT_ONCE 0x4
///
+/// EFI_TLS_VERIFY_HOST_FLAG
+///
+typedef UINT32 EFI_TLS_VERIFY_HOST_FLAG;
+///
+/// There is no additional flags set for hostname validation.
+/// Wildcards are supported and they match only in the left-most label.
+///
+#define EFI_TLS_VERIFY_FLAG_NONE 0x00
+///
+/// Always check the Subject Distinguished Name (DN) in the peer certificate even if the
+/// certificate contains Subject Alternative Name (SAN).
+///
+#define EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT 0x01
+///
+/// Disable the match of all wildcards.
+///
+#define EFI_TLS_VERIFY_FLAG_NO_WILDCARDS 0x02
+///
+/// Disable the "*" as wildcard in labels that have a prefix or suffix (e.g. "www*" or "*www").
+///
+#define EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04
+///
+/// Allow the "*" to match more than one labels. Otherwise, only matches a single label.
+///
+#define EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS 0x08
+///
+/// Restrict to only match direct child sub-domains which start with ".".
+/// For example, a name of ".example.com" would match "www.example.com" with this flag,
+/// but would not match "www.sub.example.com".
+///
+#define EFI_TLS_VERIFY_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+///
+/// Never check the Subject Distinguished Name (DN) even there is no
+/// Subject Alternative Name (SAN) in the certificate.
+///
+#define EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT 0x20
+
+///
+/// EFI_TLS_VERIFY_HOST
+///
+#pragma pack (1)
+typedef struct {
+ EFI_TLS_VERIFY_HOST_FLAG Flags;
+ CHAR8 *HostName;
+} EFI_TLS_VERIFY_HOST;
+#pragma pack ()
+
+///
/// EFI_TLS_RANDOM
/// Note: The definition of EFI_TLS_RANDOM is from "RFC 5246 A.4.1.
/// Hello Messages".
--
1.8.3.1

99
SOURCES/edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch
View File

@ -1,99 +0,0 @@
From d28c0053e94b8e721307ac1698d86e5dfb328e6d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:32:04 +0100
Subject: [PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification
(CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-9-lersek@redhat.com>
Patchwork-id: 92459
O-Subject: [RHEL-8.2.0 edk2 PATCH 8/9] NetworkPkg/HttpDxe: Set the HostName for the verification (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Set the HostName by consuming TLS protocol to enable the host name
check so as to avoid the potential Man-In-The-Middle attack.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-5-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e2fc50812895b17e8b23f5a9c43cde29531b200f)
---
NetworkPkg/HttpDxe/HttpProto.h | 1 +
NetworkPkg/HttpDxe/HttpsSupport.c | 21 +++++++++++++++++----
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 6e1f517..34308e0 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -82,6 +82,7 @@ typedef struct {
EFI_TLS_VERSION Version;
EFI_TLS_CONNECTION_END ConnectionEnd;
EFI_TLS_VERIFY VerifyMethod;
+ EFI_TLS_VERIFY_HOST VerifyHost;
EFI_TLS_SESSION_STATE SessionState;
} TLS_CONFIG_DATA;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 988bbcb..5dfb13b 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -623,13 +623,16 @@ TlsConfigureSession (
//
// TlsConfigData initialization
//
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
//
// EfiTlsConnectionEnd,
- // EfiTlsVerifyMethod
+ // EfiTlsVerifyMethod,
+ // EfiTlsVerifyHost,
// EfiTlsSessionState
//
Status = HttpInstance->Tls->SetSessionData (
@@ -654,6 +657,16 @@ TlsConfigureSession (
Status = HttpInstance->Tls->SetSessionData (
HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
EfiTlsSessionState,
&(HttpInstance->TlsConfigData.SessionState),
sizeof (EFI_TLS_SESSION_STATE)
--
1.8.3.1

117
SOURCES/edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch
View File

@ -1,117 +0,0 @@
From 24a4a1d62ae749c197f36d72f645c7142f368e6a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 Dec 2019 12:32:00 +0100
Subject: [PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to
TlsDxe driver (CVE-2019-14553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20191117220052.15700-8-lersek@redhat.com>
Patchwork-id: 92456
O-Subject: [RHEL-8.2.0 edk2 PATCH 7/9] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver (CVE-2019-14553)
Bugzilla: 1536624
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
The new data type named "EfiTlsVerifyHost" and the
EFI_TLS_VERIFY_HOST_FLAG are supported in TLS protocol.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-4-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 703e7ab21ff8fda9ababf7751d59bd28ad5da947)
---
NetworkPkg/TlsDxe/TlsProtocol.c | 44 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c
index a7a993f..001e540 100644
--- a/NetworkPkg/TlsDxe/TlsProtocol.c
+++ b/NetworkPkg/TlsDxe/TlsProtocol.c
@@ -1,7 +1,7 @@
/** @file
Implementation of EFI TLS Protocol Interfaces.
- Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -56,12 +56,16 @@ TlsSetSessionData (
UINT16 *CipherId;
CONST EFI_TLS_CIPHER *TlsCipherList;
UINTN CipherCount;
+ CONST EFI_TLS_VERIFY_HOST *TlsVerifyHost;
+ EFI_TLS_VERIFY VerifyMethod;
+ UINTN VerifyMethodSize;
UINTN Index;
EFI_TPL OldTpl;
- Status = EFI_SUCCESS;
- CipherId = NULL;
+ Status = EFI_SUCCESS;
+ CipherId = NULL;
+ VerifyMethodSize = sizeof (EFI_TLS_VERIFY);
if (This == NULL || Data == NULL || DataSize == 0) {
return EFI_INVALID_PARAMETER;
@@ -149,6 +153,40 @@ TlsSetSessionData (
TlsSetVerify (Instance->TlsConn, *((UINT32 *) Data));
break;
+ case EfiTlsVerifyHost:
+ if (DataSize != sizeof (EFI_TLS_VERIFY_HOST)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ TlsVerifyHost = (CONST EFI_TLS_VERIFY_HOST *) Data;
+
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_ALWAYS_CHECK_SUBJECT) != 0 &&
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NEVER_CHECK_SUBJECT) != 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ if ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_WILDCARDS) != 0 &&
+ ((TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS) != 0 ||
+ (TlsVerifyHost->Flags & EFI_TLS_VERIFY_FLAG_MULTI_LABEL_WILDCARDS) != 0)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ Status = This->GetSessionData (This, EfiTlsVerifyMethod, &VerifyMethod, &VerifyMethodSize);
+ if (EFI_ERROR (Status)) {
+ goto ON_EXIT;
+ }
+
+ if ((VerifyMethod & EFI_TLS_VERIFY_PEER) == 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
+ Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName);
+
+ break;
case EfiTlsSessionID:
if (DataSize != sizeof (EFI_TLS_SESSION_ID)) {
Status = EFI_INVALID_PARAMETER;
--
1.8.3.1

50
SOURCES/edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch Normal file
View File

@ -0,0 +1,50 @@
From 135d3d4b4ff12927f7b0c44e067fd42ceae83bb7 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:37:50 +0200
Subject: [PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO
level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-3-lersek@redhat.com>
Patchwork-id: 97533
O-Subject: [RHEL-8.3.0 edk2 PATCH 2/3] OvmfPkg/GenericQemuLoadImageLib: log "Not Found" at INFO level
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
gBS->LoadImage() returning EFI_NOT_FOUND is an expected condition; it
means that QEMU wasn't started with "-kernel". Log this status code as
INFO rather than ERROR.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200609105414.12474-1-lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
(cherry picked from commit 14c7ed8b51f60097ad771277da69f74b22a7a759)
---
.../Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
index 14c8417d43..114db7e844 100644
--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
@@ -106,7 +106,8 @@ QemuLoadKernelImage (
goto UnloadImage;
default:
- DEBUG ((DEBUG_ERROR, "%a: LoadImage(): %r\n", __FUNCTION__, Status));
+ DEBUG ((Status == EFI_NOT_FOUND ? DEBUG_INFO : DEBUG_ERROR,
+ "%a: LoadImage(): %r\n", __FUNCTION__, Status));
return Status;
}
--
2.27.0

85
SOURCES/edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch Normal file
View File

@ -0,0 +1,85 @@
From 9adcdf493ebbd11efb74e2905ab5f6c8996e096d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:31:36 +0200
Subject: [PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no
"-kernel" in silent aa64 build (RH)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-2-lersek@redhat.com>
Patchwork-id: 97532
O-Subject: [RHEL-8.3.0 edk2 PATCH 1/3] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in silent aa64 build (RH)
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe
should return EFI_NOT_FOUND, so that the DXE Core can unload it. However,
the associated error message, logged by the DXE Core to the serial
console, is not desired in the silent edk2-aarch64 build, given that the
absence of "-kernel" is nothing out of the ordinary. Therefore, return
success and stay resident. The wasted guest RAM still gets freed after
ExitBootServices().
(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
.../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++
.../QemuKernelLoaderFsDxe.inf | 1 +
2 files changed, 18 insertions(+)
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index b09ff6a359..ec0244d61b 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -18,6 +18,7 @@
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
+#include <Library/DebugPrintErrorLevelLib.h>
#include <Library/DevicePathLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/QemuFwCfgLib.h>
@@ -1039,6 +1040,22 @@ QemuKernelLoaderFsDxeEntrypoint (
if (KernelBlob->Data == NULL) {
Status = EFI_NOT_FOUND;
+#if defined (MDE_CPU_AARCH64)
+ //
+ // RHBZ#1844682
+ //
+ // If the "-kernel" QEMU option is not being used, this platform DXE driver
+ // should return EFI_NOT_FOUND, so that the DXE Core can unload it.
+ // However, the associated error message, logged by the DXE Core to the
+ // serial console, is not desired in the silent edk2-aarch64 build, given
+ // that the absence of "-kernel" is nothing out of the ordinary. Therefore,
+ // return success and stay resident. The wasted guest RAM still gets freed
+ // after ExitBootServices().
+ //
+ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
+ Status = EFI_SUCCESS;
+ }
+#endif
goto FreeBlobs;
}
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
index 7b35adb8e0..e0331c6e2c 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
@@ -28,6 +28,7 @@
BaseLib
BaseMemoryLib
DebugLib
+ DebugPrintErrorLevelLib
DevicePathLib
MemoryAllocationLib
QemuFwCfgLib
--
2.27.0

84
SOURCES/edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch Normal file
View File

@ -0,0 +1,84 @@
From cbce29f7749477e271f9764fed82de94724af5df Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 24 Jun 2020 11:40:09 +0200
Subject: [PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent
aa64 build (RH)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200615080105.11859-4-lersek@redhat.com>
Patchwork-id: 97534
O-Subject: [RHEL-8.3.0 edk2 PATCH 3/3] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build (RH)
Bugzilla: 1844682
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED,
so that the DXE Core can unload it. However, the associated error message,
logged by the DXE Core to the serial console, is not desired in the silent
edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out
of the ordinary. Therefore, return success and stay resident. The wasted
guest RAM still gets freed after ExitBootServices().
(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 +
2 files changed, 18 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
index 9a5f987e68..da2153cb25 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Protocol/ResetNotification.h>
#include <Library/DebugLib.h>
+#include <Library/DebugPrintErrorLevelLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
@@ -2642,6 +2643,22 @@ DriverEntry (
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
+#if defined (MDE_CPU_AARCH64)
+ //
+ // RHBZ#1844682
+ //
+ // If swtpm / vTPM2 is not being used, this driver should return
+ // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the
+ // associated error message, logged by the DXE Core to the serial console,
+ // is not desired in the silent edk2-aarch64 build, given that the absence
+ // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return
+ // success and stay resident. The wasted guest RAM still gets freed after
+ // ExitBootServices().
+ //
+ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
+ return EFI_SUCCESS;
+ }
+#endif
return EFI_UNSUPPORTED;
}
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index 576cf80d06..851471afb7 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -55,6 +55,7 @@
UefiRuntimeServicesTableLib
BaseMemoryLib
DebugLib
+ DebugPrintErrorLevelLib
Tpm2CommandLib
PrintLib
UefiLib
--
2.27.0

132
SPECS/edk2.spec
View File

@ -1,13 +1,13 @@
ExclusiveArch: x86_64 aarch64
%define GITDATE 20190829
%define GITCOMMIT 37eef91017ad
%define GITDATE 20200602
%define GITCOMMIT ca407c7246bf
%define TOOLCHAIN GCC5
%define OPENSSL_VER 1.1.1c
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 4%{?dist}
Release: 2%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -29,42 +29,33 @@ Source11: edk2-aarch64.json
Source12: edk2-ovmf-sb.json
Source13: edk2-ovmf.json
Patch0001: 0001-CryptoPkg-OpensslLib-Update-process_files.pl-to-gene.patch
Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1d.patch
Patch0006: 0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0007: 0007-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
Patch0008: 0008-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
Patch0009: 0009-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
Patch0010: 0010-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch0011: 0011-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
Patch0012: 0012-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
Patch0013: 0013-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
Patch0014: 0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
Patch0015: 0015-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
Patch0016: 0016-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
Patch0017: 0017-ArmVirtPkg-set-early-hello-message-RH-only.patch
Patch0018: 0018-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
Patch0019: 0019-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
Patch0020: 0020-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
Patch0021: 0021-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
Patch0022: 0022-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch0033: 0033-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch34: edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch35: edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch36: edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch37: edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch38: edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch39: edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch40: edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch
# For bz#1536624 - HTTPS enablement in OVMF
Patch41: edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch
Patch0007: 0007-BaseTools-do-not-build-BrotliCompress-RH-only.patch
Patch0008: 0008-MdeModulePkg-remove-package-private-Brotli-include-p.patch
Patch0009: 0009-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
Patch0010: 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
Patch0011: 0011-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
Patch0012: 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
Patch0013: 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
Patch0014: 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
Patch0015: 0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
Patch0016: 0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
Patch0017: 0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
Patch0018: 0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
Patch0019: 0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
Patch0020: 0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
Patch0021: 0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
Patch0022: 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
Patch0023: 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
Patch0026: 0026-OvmfPkg-X86QemuLoadImageLib-handle-EFI_ACCESS_DENIED.patch
Patch0027: 0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch28: edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch29: edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch
# For bz#1844682 - silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors
Patch30: edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
# python3-devel and libuuid-devel are required for building tools.
@ -218,6 +209,7 @@ chmod -Rf a+rX,u+w,g-w,o-w .
export PYTHON_COMMAND=%{__python3}
source ./edksetup.sh
make -C "$EDK_TOOLS_PATH" \
%{?_smp_mflags} \
EXTRA_OPTFLAGS="%{optflags}" \
EXTRA_LDFLAGS="%{__global_ldflags}"
@ -234,13 +226,15 @@ CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE"
%ifarch x86_64
# Build with neither SB nor SMM; include UEFI shell.
build ${CC_FLAGS} -D TPM2_ENABLE -D FD_SIZE_4MB -a X64 \
build ${CC_FLAGS} -D TPM_ENABLE -D FD_SIZE_4MB -a X64 \
-D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \
-p OvmfPkg/OvmfPkgX64.dsc
# Build with SB and SMM; exclude UEFI shell.
build -D SECURE_BOOT_ENABLE -D EXCLUDE_SHELL_FROM_FD ${CC_FLAGS} \
-a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc -D SMM_REQUIRE \
-D TPM2_ENABLE -D FD_SIZE_4MB
-D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE \
-D TPM_ENABLE -D FD_SIZE_4MB
# Sanity check: the varstore templates must be identical.
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
@ -294,6 +288,7 @@ cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
# Build with a verbose debug mask first, and stash the binary.
build ${CC_FLAGS} -a AARCH64 \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-D TPM2_ENABLE \
-D DEBUG_PRINT_ERROR_LEVEL=0x8040004F
cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
QEMU_EFI.verbose.fd
@ -301,6 +296,7 @@ cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
# Rebuild with a silent (errors only) debug mask.
build ${CC_FLAGS} -a AARCH64 \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-D TPM2_ENABLE \
-D DEBUG_PRINT_ERROR_LEVEL=0x80000000
%endif
@ -464,7 +460,6 @@ install BaseTools/Scripts/GccBase.lds \
%files tools
%license License.txt
%license License-History.txt
%{_bindir}/Brotli
%{_bindir}/DevicePath
%{_bindir}/EfiRom
%{_bindir}/GenCrc32
@ -510,6 +505,56 @@ true
%endif
%changelog
* Wed Jun 24 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-2.el8
- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682]
- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682]
- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682]
- Resolves: bz#1844682
(silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors)
* Sat Jun 13 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el8
- Rebase to edk2-stable202005 [bz#1817035]
- Resolves: bz#1817035
((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3)
* Fri Mar 27 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-9.el8
- edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359]
- Resolves: bz#1806359
(bochs-display cannot show graphic wihout driver attach)
* Tue Feb 18 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-8.el8
- edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch [bz#1801274]
- edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch [bz#1801274]
- Resolves: bz#1801274
(CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8])
* Tue Feb 11 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-7.el8
- edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch [bz#1751993]
- edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch [bz#1751993]
- Resolves: bz#1751993
(DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8])
* Tue Jan 21 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-6.el8
- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch [bz#1789335]
- Resolves: bz#1789335
(VM with edk2 can't boot when setting memory with '-m 2001')
* Thu Jan 16 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-5.el8
- edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch [bz#1789797]
- edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch [bz#1789797]
- Resolves: bz#1789797
(Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files)
* Wed Dec 11 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-4.el8
- edk2-redhat-set-guest-RAM-size-to-768M-for-SB-varstore-te.patch [bz#1778301]
- edk2-redhat-re-enable-Secure-Boot-varstore-template-verif.patch [bz#1778301]
@ -562,6 +607,9 @@ true
- Resolves: bz#1600230
([RHEL 8.1] RFE: provide firmware descriptor meta-files for the edk2-ovmf and edk2-aarch64 firmware images)
* Mon Apr 08 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20190308git89910a39dcfd-1.el8
- Rebase to edk2-20190308git89910a39dcfd
* Mon Jan 21 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8
- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184]
- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184]