From c332a37749f5f091d46133bfe0962ddee4516afa Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 26 Aug 2025 09:24:41 +0000
Subject: [PATCH] Import from CS git
---
 ...Pkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch | 79 ++++
 ...2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch | 348 ++++++++++++++++++
 ...rmVirtPkg-Add-a-Fallback-RNG-RH-only.patch | 92 +++++
 ...spatcher-after-initializing-virtio-r.patch | 45 +++
 SOURCES/ovmf-vars-generator | 37 +-
 SPECS/edk2.spec | 31 +-
 6 files changed, 613 insertions(+), 19 deletions(-)
 create mode 100644 SOURCES/edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch
 create mode 100644 SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
 create mode 100644 SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
 create mode 100644 SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
diff --git a/SOURCES/edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch b/SOURCES/edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch
new file mode 100644
index 0000000..502ea18
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch
@@ -0,0 +1,79 @@
+From 2013730b133b5ea78691ede3937b98144673fe1d Mon Sep 17 00:00:00 2001
+From: Flickdm
+Date: Mon, 20 May 2024 11:06:38 -0700
+Subject: [PATCH] ArmVirtPkg: Add Hash2DxeCrypto to ArmVirtPkg
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 112: ArmVirtPkg: Add Hash2DxeCrypto to ArmVirtPkg
+RH-Jira: RHEL-71687
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/1] c84a2c074eebd93a07079683b5e5cf03d6fcd50f
+
+This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is
+used to provide the hashing protocol services.
+
+Cc: Ard Biesheuvel
+Cc: Leif Lindholm
+Cc: Sami Mujawar
+Cc: Gerd Hoffmann
+
+Signed-off-by: Doug Flick [MSFT]
+Reviewed-by: Ard Biesheuvel
+(cherry picked from commit e10d83234c7e3caaf940df79f4b302fca3729fb0)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 5 +++++
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 +++++
+ ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 2b23becf30..5d4b639bf2 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -526,6 +526,11 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
++ #
++ # Hash2 Protocol Support
++ #
++ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # TPM2 support
+ #
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 7c655d384d..b4dc286843 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -180,6 +180,11 @@ READ_LOCK_STATUS = TRUE
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
++ #
++ # Hash2 Protocol producer
++ #
++ INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # TPM2 support
+ #
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 344e2c4ed9..dd9230e5b7 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -455,6 +455,11 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
++ #
++ # Hash2 Protocol Support
++ #
++ SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # ACPI Support
+ #
+--
+2.47.1
+
diff --git a/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
new file mode 100644
index 0000000..f6d7a16
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
@@ -0,0 +1,348 @@
+From 8d1a7ee22fc04d2106f08461415ee8bc9c68eee6 Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Mon, 4 Nov 2024 12:40:12 +0100
+Subject: [PATCH 1/2] OvmfPkg: Add a Fallback RNG (RH only)
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 104: OvmfPkg: Add a Fallback RNG (RH only)
+RH-Jira: RHEL-66236
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/2] b222642bafac64922f5fc30abf56347fe4a849ed
+
+Since the pixiefail CVE fix, the network stack requires a random number
+generator.
+In case there is no hardware random number generator available,
+have the Platform Boot Manager install a pseudo RNG to ensure
+the network can be used.
+
+Signed-off-by: Oliver Steffen
+---
+ .../PlatformBootManagerLib/BdsPlatform.c | 6 +
+ .../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++
+ .../PlatformBootManagerLib/FallbackRng.h | 20 ++
+ .../PlatformBootManagerLib.inf | 5 +
+ 4 files changed, 253 insertions(+)
+ create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
+ create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+index 186401296a..70d648c7e3 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+
++#include "FallbackRng.h"
+
+ //
+ // Global data
+@@ -446,6 +447,9 @@ PlatformBootManagerBeforeConsole (
+ //
+ VisitAllInstancesOfProtocol (&gEfiPciIoProtocolGuid, ConnectVirtioPciRng,
+ NULL);
++
++ FallbackRngCheckAndInstall ();
++
+ }
+
+
+@@ -1528,6 +1532,8 @@ PlatformBootManagerAfterConsole (
+
+ DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n"));
+
++ FallbackRngPrintWarning ();
++
+ if (PcdGetBool (PcdOvmfFlashVariablesEnable)) {
+ DEBUG ((DEBUG_INFO, "PlatformBdsPolicyBehavior: not restoring NvVars "
+ "from disk since flash variables appear to be supported.\n"));
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
+new file mode 100644
+index 0000000000..bba60e29d5
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
+@@ -0,0 +1,222 @@
++/** @file
++ Copyright (C) 2024, Red Hat, Inc.
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#include "FallbackRng.h"
++
++typedef struct {
++ EFI_RNG_PROTOCOL Rng;
++ EFI_HANDLE Handle;
++} FALLBACK_RNG_DEV;
++
++/**
++ Returns information about the random number generation implementation.
++
++ @param[in] This A pointer to the EFI_RNG_PROTOCOL
++ instance.
++ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of
++ RNGAlgorithmList.
++ On output with a return code of
++ EFI_SUCCESS, the size in bytes of the
++ data returned in RNGAlgorithmList. On
++ output with a return code of
++ EFI_BUFFER_TOO_SMALL, the size of
++ RNGAlgorithmList required to obtain the
++ list.
++ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled
++ by the driver with one EFI_RNG_ALGORITHM
++ element for each supported RNG algorithm.
++ The list must not change across multiple
++ calls to the same driver. The first
++ algorithm in the list is the default
++ algorithm for the driver.
++
++ @retval EFI_SUCCESS The RNG algorithm list was returned
++ successfully.
++ @retval EFI_UNSUPPORTED The services is not supported by this
++ driver.
++ @retval EFI_DEVICE_ERROR The list of algorithms could not be
++ retrieved due to a hardware or firmware
++ error.
++ @retval EFI_INVALID_PARAMETER One or more of the parameters are
++ incorrect.
++ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small
++ to hold the result.
++
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++FallbackRngGetInfo (
++ IN EFI_RNG_PROTOCOL *This,
++ IN OUT UINTN *RNGAlgorithmListSize,
++ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
++ )
++{
++ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) {
++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
++ return EFI_BUFFER_TOO_SMALL;
++ }
++
++ if (RNGAlgorithmList == NULL) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
++ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw);
++
++ return EFI_SUCCESS;
++}
++
++/**
++ Produces and returns an RNG value using either the default or specified RNG
++ algorithm.
++
++ @param[in] This A pointer to the EFI_RNG_PROTOCOL
++ instance.
++ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that
++ identifies the RNG algorithm to use. May
++ be NULL in which case the function will
++ use its default RNG algorithm.
++ @param[in] RNGValueLength The length in bytes of the memory buffer
++ pointed to by RNGValue. The driver shall
++ return exactly this numbers of bytes.
++ @param[out] RNGValue A caller-allocated memory buffer filled
++ by the driver with the resulting RNG
++ value.
++
++ @retval EFI_SUCCESS The RNG value was returned successfully.
++ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm
++ is not supported by this driver.
++ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due
++ to a hardware or firmware error.
++ @retval EFI_NOT_READY There is not enough random data available
++ to satisfy the length requested by
++ RNGValueLength.
++ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is
++ zero.
++
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++FallbackRngGetRNG (
++ IN EFI_RNG_PROTOCOL *This,
++ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
++ IN UINTN RNGValueLength,
++ OUT UINT8 *RNGValue
++ )
++{
++ UINT64 RandomData;
++ EFI_STATUS Status;
++ UINTN i;
++
++ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
++ return EFI_INVALID_PARAMETER;
++ }
++
++ //
++ // We only support the raw algorithm, so reject requests for anything else
++ //
++ if ((RNGAlgorithm != NULL) &&
++ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw))
++ {
++ return EFI_UNSUPPORTED;
++ }
++
++ for (i = 0; i < RNGValueLength; ++i) {
++ if (i % 4 == 0) {
++ Status = GetRandomNumber64 (&RandomData);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ }
++ }
++
++ return EFI_SUCCESS;
++}
++
++static FALLBACK_RNG_DEV Dev = {
++ .Rng.GetInfo = FallbackRngGetInfo,
++ .Rng.GetRNG = FallbackRngGetRNG,
++ .Handle = NULL,
++};
++
++EFI_STATUS
++FallbackRngCheckAndInstall (
++ )
++{
++ EFI_STATUS Status;
++ EFI_HANDLE *HandleBuffer = NULL;
++ UINTN HandleCount = 0;
++
++ if (Dev.Handle != NULL) {
++ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n"));
++ return EFI_ALREADY_STARTED;
++ }
++
++ Status = gBS->LocateHandleBuffer (
++ ByProtocol,
++ &gEfiRngProtocolGuid,
++ NULL,
++ &HandleCount,
++ &HandleBuffer
++ );
++
++ gBS->FreePool (HandleBuffer);
++
++ if (Status == EFI_NOT_FOUND) {
++ HandleCount = 0;
++ } else if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status));
++ return Status;
++ }
++
++ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount));
++
++ if (HandleCount == 0) {
++ // Install RNG
++ Status = gBS->InstallProtocolInterface (
++ &Dev.Handle,
++ &gEfiRngProtocolGuid,
++ EFI_NATIVE_INTERFACE,
++ &Dev.Rng
++ );
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status));
++ return Status;
++ }
++
++ gDS->Dispatch ();
++ }
++
++ return EFI_SUCCESS;
++}
++
++VOID
++FallbackRngPrintWarning (
++ )
++{
++ if (Dev.Handle != NULL) {
++ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n");
++ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"));
++ gBS->Stall (2000000);
++ }
++}
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+new file mode 100644
+index 0000000000..77332bc51c
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+@@ -0,0 +1,20 @@
++/** @file
++ Copyright (C) 2024, Red Hat, Inc.
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef _FALLBACK_RNG_H_
++#define _FALLBACK_RNG_H_
++
++#include
++#include
++
++EFI_STATUS
++FallbackRngCheckAndInstall (
++ );
++
++VOID
++FallbackRngPrintWarning (
++ );
++
++#endif
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+index c249a3cf1e..154b0b6c88 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
++++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+@@ -25,6 +25,8 @@
+ PlatformData.c
+ QemuKernel.c
+ BdsPlatform.h
++ FallbackRng.c
++ FallbackRng.h
+
+ [Packages]
+ MdePkg/MdePkg.dec
+@@ -56,6 +58,7 @@
+ PlatformBmPrintScLib
+ Tcg2PhysicalPresenceLib
+ XenPlatformLib
++ RngLib
+
+ [Pcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
+@@ -78,9 +81,11 @@
+ gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+ gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+ gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED
++ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
+
+ [Guids]
+ gEfiEndOfDxeEventGroupGuid
+ gEfiGlobalVariableGuid
+ gRootBridgesConnectedEventGroupGuid
+ gUefiShellFileGuid
++ gEfiRngAlgorithmRaw
+--
+2.45.2
+
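Review bot: FallbackRngGetRNG in the FallbackRng.c hunk never writes to RNGValue — the loop only refreshes RandomData every fourth byte and contains no store — so EFI_SUCCESS is returned with the caller's buffer untouched, and the failure check is also ineffective because RngLib's GetRandomNumber64 returns a BOOLEAN, for which `EFI_ERROR (Status)` is never true. The loop should draw 8 bytes per call, copy one byte per iteration and map a FALSE result to EFI_DEVICE_ERROR, as below (the EFI_STATUS local then goes away). In FallbackRngCheckAndInstall, `gBS->FreePool (HandleBuffer)` is reached even when LocateHandleBuffer failed and HandleBuffer is still NULL; keeping it on the success path and checking its result is cleaner. The instance also advertises gEfiRngAlgorithmRaw for an RngLib-backed generator, so a comment at the `Dev` initializer noting that protocol consumers cannot tell it from a hardware source would make the trade-off visible in code and not only in the boot-time warning.
```c
  for (i = 0; i < RNGValueLength; ++i) {
    if (i % 8 == 0) {
      // RngLib reports failure with a BOOLEAN, not an EFI_STATUS
      if (!GetRandomNumber64 (&RandomData)) {
        return EFI_DEVICE_ERROR;
      }
    }

    RNGValue[i] = (UINT8)(RandomData >> (8 * (i % 8)));
  }
  // … unchanged: return EFI_SUCCESS …
```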
diff --git a/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
new file mode 100644
index 0000000..1bd8655
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
@@ -0,0 +1,92 @@
+From c465cf5cf3fbd09caf82d2c34fc6f127f5648b48 Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Thu, 7 Nov 2024 11:36:22 +0100
+Subject: [PATCH 2/2] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only)
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 104: OvmfPkg: Add a Fallback RNG (RH only)
+RH-Jira: RHEL-66236
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [2/2] d7748d697e522ab5ef70702da53241db71e602fe
+
+Since the pixiefail CVE fix, the network stack requires a random number
+generator.
+In case there is no hardware random number generator available,
+have the Platform Boot Manager install a pseudo RNG to ensure
+the network can be used.
+
+This patch adds the fallback rng which was introduced in a
+previous commit also to the ArmVirtPkg PlatformBootManagerLib.
+
+Signed-off-by: Oliver Steffen
+---
+ ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c | 5 +++++
+ .../PlatformBootManagerLib/PlatformBootManagerLib.inf | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+index 1848042f86..c4cfbfc7f6 100644
+--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
++++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include "FallbackRng.h"
+
+ #include "PlatformBm.h"
+
+@@ -793,6 +794,8 @@ PlatformBootManagerBeforeConsole (
+ // instances on Virtio PCI RNG devices.
+ //
+ FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciRng, Connect);
++
++ FallbackRngCheckAndInstall ();
+ }
+
+ /**
+@@ -814,6 +817,8 @@ PlatformBootManagerAfterConsole (
+ {
+ RETURN_STATUS Status;
+
++ FallbackRngPrintWarning ();
++
+ //
+ // Show the splash screen.
+ //
+diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+index 997eb1a442..d4ea9bef60 100644
+--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
++++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+@@ -27,6 +27,8 @@
+ PlatformBm.c
+ PlatformBm.h
+ QemuKernel.c
++ ../../../OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
++ ../../../OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
+
+ [Packages]
+ ArmVirtPkg/ArmVirtPkg.dec
+@@ -53,6 +55,7 @@
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
++ RngLib
+
+ [FixedPcd]
+ gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
+@@ -69,9 +72,11 @@
+ gEfiGlobalVariableGuid
+ gRootBridgesConnectedEventGroupGuid
+ gUefiShellFileGuid
++ gEfiRngAlgorithmRaw
+
+ [Protocols]
+ gEfiFirmwareVolume2ProtocolGuid
+ gEfiGraphicsOutputProtocolGuid
+ gEfiPciRootBridgeIoProtocolGuid
+ gVirtioDeviceProtocolGuid
++ gEfiRngProtocolGuid
+--
+2.45.2
+
diff --git a/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
new file mode 100644
index 0000000..37e62ae
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
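Review bot: The [Sources] entries added to the ArmVirtPkg INF reference `../../../OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c` and `.h`, which ties this library to OvmfPkg's directory layout and silently breaks if either tree is moved or the OvmfPkg file is renamed. The usual edk2 approach is a shared library instance, or a header placed under a package Include directory and consumed through [Packages], so that both platforms build the same FallbackRng implementation by name rather than by path. If the relative path is kept, a one-line comment above the two entries stating that the files are shared with OvmfPkg's PlatformBootManagerLib would help the next rebase.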
@@ -0,0 +1,45 @@
+From a56ec52966412cd44dd2427ba569d1e7b89a6c6d Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Mon, 4 Nov 2024 19:00:11 +0100
+Subject: [PATCH] OvmfPkg: Rerun dispatcher after initializing virtio-rng
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 106: OvmfPkg: Rerun dispatcher after initializing virtio-rng
+RH-Jira: RHEL-66188
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/1] a62e445ae8e45d656aaa2ea5f1875541e658f1d8
+
+Since the pixiefail CVE fix the network stack requires a hardware
+random number generator. This can currently be a modern CPU supporting
+the RDRAND instruction or a virtio-rng device.
+The latter is initialized during the BDS phase.
+To ensure all depending (network) modules are also started, we need to
+run the dispatcher once more after the device was initialized.
+Without this, network boot is not available under certain hardware
+configurations.
+
+Fixes: 4c4ceb2ceb ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
+
+Analysed-by: Stefano Garzarella
+Suggested-by: Gerd Hoffmann
+Signed-off-by: Oliver Steffen
+---
+ OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+index 70d648c7e3..eb97d67b62 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+@@ -558,6 +558,8 @@ ConnectVirtioPciRng (
+ if (EFI_ERROR (Status)) {
+ goto Error;
+ }
++
++ gDS->Dispatch ();
+ }
+ return EFI_SUCCESS;
+
+--
+2.45.2
+
diff --git a/SOURCES/ovmf-vars-generator b/SOURCES/ovmf-vars-generator
index 111e438..fe92d10 100755
--- a/SOURCES/ovmf-vars-generator
+++ b/SOURCES/ovmf-vars-generator
@@ -46,6 +46,7 @@ def generate_qemu_cmd(args, readonly, *extra_args):
 args.qemu_binary,
 '-machine', machinetype,
 '-display', 'none',
+ '-no-reboot',
 '-no-user-config',
 '-nodefaults',
 '-m', '768',
@@ -104,20 +105,18 @@ def enroll_keys(args): stdout=subprocess.PIPE, stderr=subprocess.STDOUT) logging.info('Performing enrollment') - # Wait until the UEFI shell starts (first line is printed) - read = p.stdout.readline() - if b'char device redirected' in read: + + while True: read = p.stdout.readline() - # Skip passed QEMU warnings, like the following one we see in Ubuntu: - # qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5] - while b'qemu-system-x86_64: warning:' in read: - read = p.stdout.readline() - if args.print_output: - print(strip_special(read), end='') - print() - # Send the escape char to enter the UEFI shell early - p.stdin.write(b'\x1b') - p.stdin.flush() + if args.print_output: + print(strip_special(read), end='') + print() + # due to line buffering this actually waits until the 5 sec + # delay is over and the efi shell is ready to accept input. + if b'Press' in read: + break + + # # And then run the following three commands from the UEFI shell: # change into the first file system device; install the default # keys and certificates, and reboot @@ -127,11 +126,13 @@ def enroll_keys(args): p.stdin.flush() while True: read = p.stdout.readline() - if args.print_output: + if args.print_output and len(read): print('OUT: %s' % strip_special(read), end='') print() if b'info: success' in read: break + elif b'Reset with ' in read: + break p.wait() if args.print_output: print(strip_special(p.stdout.read()), end='') @@ -157,7 +158,7 @@ def test_keys(args): logging.info('Performing verification') while True: read = p.stdout.readline() - if args.print_output: + if args.print_output and len(read): print('OUT: %s' % strip_special(read), end='') print() if b'Secure boot disabled' in read: 
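Review bot: The new `while True` loop in enroll_keys has no exit when QEMU dies or closes its stdout: readline() then returns b'' on every call, nothing ever matches `b'Press'`, and the generator hangs instead of failing; the loop changed at -127 (`info: success` / `Reset with `) and the verification loop at -157, whose only change is the len(read) guard, have the same gap. Add `if not read:` followed by `raise RuntimeError('QEMU exited before the expected output appeared')` directly after each readline(), before the print. The `and len(read)` guard on the print shows the empty read was anticipated, but it is only hidden, never acted upon. enroll_keys and test_keys both start and end outside these hunks.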
@@ -212,9 +213,9 @@ def parse_args():
 help='Fedora version to get kernel for checking',
 default='27')
 parser.add_argument('--kernel-url', help='Kernel URL',
- default='https://download.fedoraproject.org/pub/fedora'
- '/linux/releases/%(version)s/Everything/x86_64'
- '/os/images/pxeboot/vmlinuz')
+ default='https://archives.fedoraproject.org/pub'
+ '/archive/fedora/linux/releases/%(version)s'
+ '/Everything/x86_64/os/images/pxeboot/vmlinuz')
 parser.add_argument('--disable-smm',
 help=('Don\'t restrict varstore pflash writes to '
 'guest code that executes in SMM. Use this '
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index 379ee21..605e836 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 13%{?dist}.4
+Release: 13%{?dist}.8
 Summary: UEFI firmware for 64-bit virtual machines
 Group: Applications/Emulators
 License: BSD-2-Clause-Patent and OpenSSL and MIT
@@ -388,6 +388,14 @@ Patch115: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
 Patch116: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch
 # For RHEL-60830 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z]
 Patch117: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+# For RHEL-66236 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10]
+Patch118: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
+# For RHEL-66236 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10]
+Patch119: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
+# For RHEL-66188 - [Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-8.10]
+Patch120: edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
+# For RHEL-71687 - [Regression] HTTP boot not available [aarch64] [rhel-8.10.z]
+Patch121: edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch
 # python3-devel and libuuid-devel are required for building tools.
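Review bot: Patch118 through Patch121 are declared here, but the 13.el8.7 changelog entry later in this diff credits edk2-redhat-Fix-ovmf-vars-generator-RH-only.patch, for which no Patch line is added and which is not among the created files; the corresponding change appears instead to have been applied directly to SOURCES/ovmf-vars-generator in this import. A comment next to Patch119 such as `# RHEL-66236: ovmf-vars-generator fix carried directly in SOURCES/ovmf-vars-generator`, or a changelog wording that names the script, would keep the spec self-consistent for anyone auditing which sources changed in this release.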
@@ -834,6 +842,27 @@ true %endif %changelog +* Mon Jan 06 2025 Jon Maloy - 20220126gitbb1bba3d77-13.el8.8 +- edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch [RHEL-71687] +- Resolves: RHEL-71687 + ([Regression] HTTP boot not available [aarch64] [rhel-8.10.z]) + +* Fri Dec 06 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.7 +- edk2-redhat-Fix-ovmf-vars-generator-RH-only.patch [RHEL-66236] +- Resolves: RHEL-66236 + ([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-8.10]) + +* Fri Nov 29 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.6 +- edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch [RHEL-66188] +- Resolves: RHEL-66188 + ([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-8.10]) + +* Thu Nov 14 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.5 +- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236] +- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236] +- Resolves: RHEL-66236 + ([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10]) + * Tue Oct 29 2024 Jon Maloy - 20220126gitbb1bba3d77-13.el8.4 - edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60830] - Resolves: RHEL-60830