commit f21845085956c5486a20f0c384871c316cea574a Author: CentOS Sources Date: Tue May 17 04:46:22 2022 -0400 import edk2-20220126gitbb1bba3d77-3.el9 diff --git a/.edk2.metadata b/.edk2.metadata new file mode 100644 index 0000000..71ce0e1 --- /dev/null +++ b/.edk2.metadata @@ -0,0 +1,2 @@ +ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz +5a6547a1cc06af387b47642f96718bb0bdc4bbda SOURCES/openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..345e141 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/edk2-bb1bba3d77.tar.xz +SOURCES/openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz diff --git a/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch b/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch new file mode 100644 index 0000000..df8d529 --- /dev/null +++ b/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch @@ -0,0 +1,43 @@ +From cf62a9076777789bc8fef1d6769faeda26615aea Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 4 Jun 2020 13:34:12 +0200 +Subject: BaseTools: do not build BrotliCompress (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- New patch. + +BrotliCompress is not used for building ArmVirtPkg or OvmfPkg platforms. +It depends on one of the upstream Brotli git submodules that we removed +earlier in this rebase series. (See patch "remove upstream edk2's Brotli +submodules (RH only"). + +Do not attempt to build BrotliCompress. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit db8ccca337e2c5722c1d408d2541cf653d3371a2) +--- + BaseTools/Source/C/GNUmakefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile +index 8c191e0c38..3eae824a1c 100644 +--- a/BaseTools/Source/C/GNUmakefile ++++ b/BaseTools/Source/C/GNUmakefile +@@ -48,7 +48,6 @@ all: makerootdir subdirs + LIBRARIES = Common + VFRAUTOGEN = VfrCompile/VfrLexer.h + APPLICATIONS = \ +- BrotliCompress \ + VfrCompile \ + EfiRom \ + GenFfs \ +-- +2.27.0 + diff --git a/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch b/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch new file mode 100644 index 0000000..747e984 --- /dev/null +++ b/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch @@ -0,0 +1,49 @@ +From 0c26077c3c5265a39ae204ba77843274ff922085 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 4 Jun 2020 13:39:08 +0200 +Subject: MdeModulePkg: remove package-private Brotli include path (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- New patch. + +Originating from upstream commit 58802e02c41b +("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule", +2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal +include path into a Brotli submodule. + +The edk2 build system requires such include paths to resolve successfully, +regardless of the firmware platform being built. Because +BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg +platforms, and we've removed the submodule earlier in this patch set, +remove the include path too. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit e05e0de713c4a2b8adb6ff9809611f222bfe50ed) +--- + MdeModulePkg/MdeModulePkg.dec | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index 463e889e9a..9d69fb86ed 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -24,9 +24,6 @@ + [Includes] + Include + +-[Includes.Common.Private] +- Library/BrotliCustomDecompressLib/brotli/c/include +- + [LibraryClasses] + ## @libraryclass Defines a set of methods to reset whole system. + ResetSystemLib|Include/Library/ResetSystemLib.h +-- +2.27.0 + diff --git a/SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch b/SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch new file mode 100644 index 0000000..014279b --- /dev/null +++ b/SOURCES/0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch @@ -0,0 +1,82 @@ +From a5b59fe4517da90781a43accd05ce5b97ff5de63 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 20 Feb 2014 22:54:45 +0100 +Subject: OvmfPkg: increase max debug message length to 512 (RHEL only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- trivial context difference due to upstream commit 2fe5f2f52918 + ("OvmfPkg/PlatformDebugLibIoPort: Add new APIs", 2019-04-02), resolved + by git-cherry-pick automatically + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no changes + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Upstream prefers short debug messages (sometimes even limited to 80 +characters), but any line length under 512 characters is just unsuitable +for effective debugging. (For example, config strings in HII routing, +logged by the platform driver "OvmfPkg/PlatformDxe" on DEBUG_VERBOSE +level, can be several hundred characters long.) 512 is an empirically good +value. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit bfe568d18dba15602604f155982e3b73add63dfb) +(cherry picked from commit 29435a32ec9428720c74c454ce9817662e601fb6) +(cherry picked from commit 58e1d1ebb78bfdaf05f4c6e8abf8d4908dfa038a) +(cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a) +(cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a) +(cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2) +(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5) +(cherry picked from commit a95cff0b9573bf23699551beb4786383f697ff1e) +--- + OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c +index dffb20822d..0577c43c3d 100644 +--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c ++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c +@@ -21,7 +21,7 @@ + // + // Define the maximum debug and assert message length that this library supports + // +-#define MAX_DEBUG_MESSAGE_LENGTH 0x100 ++#define MAX_DEBUG_MESSAGE_LENGTH 0x200 + + // + // VA_LIST can not initialize to NULL for all compiler, so we use this to +-- +2.27.0 + diff --git a/SOURCES/0011-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch b/SOURCES/0011-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch new file mode 100644 index 0000000..ae3bfc9 --- /dev/null +++ b/SOURCES/0011-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch @@ -0,0 +1,168 @@ +From 419ec8370d8da04c33622cf94cd92b086ec095cb Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 25 Feb 2014 18:40:35 +0100 +Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no changes + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no changes + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- update commit message as requested in + + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- adapt commit 0bc77c63de03 (code and commit message) to upstream commit + 390b95a49c14 ("MdeModulePkg/TerminalDxe: Refine + InitializeTerminalConsoleTextMode", 2017-01-10). + +When the console output is multiplexed to several devices by +ConSplitterDxe, then ConSplitterDxe builds an intersection of text modes +supported by all console output devices. + +Two notable output devices are provided by: +(1) MdeModulePkg/Universal/Console/GraphicsConsoleDxe, +(2) MdeModulePkg/Universal/Console/TerminalDxe. + +GraphicsConsoleDxe supports four modes at most -- see +InitializeGraphicsConsoleTextMode() and "mGraphicsConsoleModeData": + +(1a) 80x25 (required by the UEFI spec as mode 0), +(1b) 80x50 (not necessarily supported, but if it is, then the UEFI spec + requires the driver to provide it as mode 1), +(1c) 100x31 (corresponding to graphics resolution 800x600, which the UEFI + spec requires from all plug-in graphics devices), +(1d) "full screen" resolution, derived form the underlying GOP's + horizontal and vertical resolutions with division by EFI_GLYPH_WIDTH + (8) and EFI_GLYPH_HEIGHT (19), respectively. + +The automatic "full screen resolution" makes GraphicsConsoleDxe's +character console very flexible. However, TerminalDxe (which runs on +serial ports) only provides the following fixed resolutions -- see +InitializeTerminalConsoleTextMode() and "mTerminalConsoleModeData": + +(2a) 80x25 (required by the UEFI spec as mode 0), +(2b) 80x50 (since the character resolution of a serial device cannot be + interrogated easily, this is added unconditionally as mode 1), +(2c) 100x31 (since the character resolution of a serial device cannot be + interrogated easily, this is added unconditionally as mode 2). + +When ConSplitterDxe combines (1) and (2), multiplexing console output to +both video output and serial terminal, the list of commonly supported text +modes (ie. the "intersection") comprises: + +(3a) 80x25, unconditionally, from (1a) and (2a), +(3b) 80x50, if the graphics console provides at least 640x950 pixel + resolution, from (1b) and (2b) +(3c) 100x31, if the graphics device is a plug-in one (because in that case + 800x600 is a mandated pixel resolution), from (1c) and (2c). + +Unfortunately, the "full screen resolution" (1d) of the GOP-based text +console is not available in general. + +Mitigate this problem by extending "mTerminalConsoleModeData" with a +handful of text resolutions that are derived from widespread maximal pixel +resolutions. This way TerminalDxe won't cause ConSplitterDxe to filter out +the most frequent (1d) values from the intersection, and eg. the MODE +command in the UEFI shell will offer the "best" (ie. full screen) +resolution too. + +Upstreaming efforts for this patch have been discontinued; it was clear +from the off-list thread that consensus was impossible to reach. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit 99dc3720ac86059f60156197328cc433603c536e) +(cherry picked from commit d2066c1748f885043026c51dec1bc8d6d406ae8f) +(cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621) +(cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37) +(cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51) +(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18) +(cherry picked from commit 82b9edc5fef3a07227a45059bbe821af7b9abd69) +--- + .../Universal/Console/TerminalDxe/Terminal.c | 41 +++++++++++++++++-- + 1 file changed, 38 insertions(+), 3 deletions(-) + +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c +index a98b690c8b..ded5513c74 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c +@@ -115,9 +115,44 @@ TERMINAL_DEV mTerminalDevTemplate = { + }; + + TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = { +- {80, 25}, +- {80, 50}, +- {100, 31}, ++ { 80, 25 }, // from graphics resolution 640 x 480 ++ { 80, 50 }, // from graphics resolution 640 x 960 ++ { 100, 25 }, // from graphics resolution 800 x 480 ++ { 100, 31 }, // from graphics resolution 800 x 600 ++ { 104, 32 }, // from graphics resolution 832 x 624 ++ { 120, 33 }, // from graphics resolution 960 x 640 ++ { 128, 31 }, // from graphics resolution 1024 x 600 ++ { 128, 40 }, // from graphics resolution 1024 x 768 ++ { 144, 45 }, // from graphics resolution 1152 x 864 ++ { 144, 45 }, // from graphics resolution 1152 x 870 ++ { 160, 37 }, // from graphics resolution 1280 x 720 ++ { 160, 40 }, // from graphics resolution 1280 x 760 ++ { 160, 40 }, // from graphics resolution 1280 x 768 ++ { 160, 42 }, // from graphics resolution 1280 x 800 ++ { 160, 50 }, // from graphics resolution 1280 x 960 ++ { 160, 53 }, // from graphics resolution 1280 x 1024 ++ { 170, 40 }, // from graphics resolution 1360 x 768 ++ { 170, 40 }, // from graphics resolution 1366 x 768 ++ { 175, 55 }, // from graphics resolution 1400 x 1050 ++ { 180, 47 }, // from graphics resolution 1440 x 900 ++ { 200, 47 }, // from graphics resolution 1600 x 900 ++ { 200, 63 }, // from graphics resolution 1600 x 1200 ++ { 210, 55 }, // from graphics resolution 1680 x 1050 ++ { 240, 56 }, // from graphics resolution 1920 x 1080 ++ { 240, 63 }, // from graphics resolution 1920 x 1200 ++ { 240, 75 }, // from graphics resolution 1920 x 1440 ++ { 250, 105 }, // from graphics resolution 2000 x 2000 ++ { 256, 80 }, // from graphics resolution 2048 x 1536 ++ { 256, 107 }, // from graphics resolution 2048 x 2048 ++ { 320, 75 }, // from graphics resolution 2560 x 1440 ++ { 320, 84 }, // from graphics resolution 2560 x 1600 ++ { 320, 107 }, // from graphics resolution 2560 x 2048 ++ { 350, 110 }, // from graphics resolution 2800 x 2100 ++ { 400, 126 }, // from graphics resolution 3200 x 2400 ++ { 480, 113 }, // from graphics resolution 3840 x 2160 ++ { 512, 113 }, // from graphics resolution 4096 x 2160 ++ { 960, 227 }, // from graphics resolution 7680 x 4320 ++ { 1024, 227 }, // from graphics resolution 8192 x 4320 + // + // New modes can be added here. + // +-- +2.27.0 + diff --git a/SOURCES/0012-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/SOURCES/0012-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch new file mode 100644 index 0000000..1aebc4f --- /dev/null +++ b/SOURCES/0012-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch @@ -0,0 +1,181 @@ +From 88b490682aef3e351e757467999f60a9e6880b24 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 25 Feb 2014 22:40:01 +0100 +Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH + only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Resolve harmless conflict in "MdeModulePkg/MdeModulePkg.dec", + originating from new upstream commits + - 45bc28172fbf ("MdeModulePkg.dec: Change PCDs for status code.", + 2020-06-18), + - 0785c619a58a ("MdeModulePkg/Bus/Pci/PciBusDxe: Support PCIe Resizable + BAR Capability", 2021-01-04), + - ef23012e5439 ("MdeModulePkg: Change default value of + PcdPcieResizableBarSupport to FALSE", 2021-01-14). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising + from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add + PcdTcgPfpMeasurementRevision PCD", 2020-01-06). + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Conflict in "MdeModulePkg/MdeModulePkg.dec" due to upstream commits + - 1103ba946aee ("MdeModulePkg: Add Capsule On Disk related definition.", + 2019-06-26), + - 1c7b3eb84631 ("MdeModulePkg/DxeIpl: Introduce PCD + PcdUse5LevelPageTable", 2019-08-09), + with easy manual resolution. + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec" + context change from upstream commits e043f7895b83 ("MdeModulePkg: Add + PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2 + ("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- refresh commit 519b9751573e against various context changes + +The + + CSI Ps ; Ps ; Ps t + +escape sequence serves for window manipulation. We can use the + + CSI 8 ; ; t + +sequence to adapt eg. the xterm window size to the selected console mode. + +Reference: +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444) +(cherry picked from commit b9c5c901f25e48d68eef6e78a4abca00e153f574) +(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90) +(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb) +(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc) +(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c) +(cherry picked from commit bc2266f20de5db1636e09a07e4a72c8dbf505f5a) +--- + MdeModulePkg/MdeModulePkg.dec | 4 +++ + .../Console/TerminalDxe/TerminalConOut.c | 30 +++++++++++++++++++ + .../Console/TerminalDxe/TerminalDxe.inf | 2 ++ + 3 files changed, 36 insertions(+) + +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index 9d69fb86ed..08d59dfb3e 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -2076,6 +2076,10 @@ + # @Prompt Enable PCIe Resizable BAR Capability support. + gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport|FALSE|BOOLEAN|0x10000024 + ++ ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal ++ # mode change. ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080 ++ + [PcdsPatchableInModule] + ## Specify memory size with page number for PEI code when + # Loading Module at Fixed Address feature is enabled. +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c +index aae470e956..26156857aa 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c +@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ + ++#include ++ + #include "Terminal.h" + + // +@@ -80,6 +82,16 @@ CHAR16 mSetCursorPositionString[] = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0 + CHAR16 mCursorForwardString[] = { ESC, '[', '0', '0', 'C', 0 }; + CHAR16 mCursorBackwardString[] = { ESC, '[', '0', '0', 'D', 0 }; + ++// ++// Note that this is an ASCII format string, taking two INT32 arguments: ++// rows, columns. ++// ++// A %d (INT32) format specification can expand to at most 11 characters. ++// ++CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt"; ++#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2)) ++ ++ + // + // Body of the ConOut functions + // +@@ -506,6 +518,24 @@ TerminalConOutSetMode ( + return EFI_DEVICE_ERROR; + } + ++ if (PcdGetBool (PcdResizeXterm)) { ++ CHAR16 ResizeSequence[RESIZE_SEQ_SIZE]; ++ ++ UnicodeSPrintAsciiFormat ( ++ ResizeSequence, ++ sizeof ResizeSequence, ++ mResizeTextAreaFormatString, ++ (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows, ++ (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns ++ ); ++ TerminalDevice->OutputEscChar = TRUE; ++ Status = This->OutputString (This, ResizeSequence); ++ TerminalDevice->OutputEscChar = FALSE; ++ if (EFI_ERROR (Status)) { ++ return EFI_DEVICE_ERROR; ++ } ++ } ++ + This->Mode->Mode = (INT32) ModeNumber; + + Status = This->ClearScreen (This); +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +index b2a8aeba85..eff6253465 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +@@ -55,6 +55,7 @@ + DebugLib + PcdLib + BaseLib ++ PrintLib + + [Guids] + ## SOMETIMES_PRODUCES ## Variable:L"ConInDev" +@@ -87,6 +88,7 @@ + [Pcd] + gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType ## SOMETIMES_CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable ## CONSUMES ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## CONSUMES + + # [Event] + # # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout. +-- +2.27.0 + diff --git a/SOURCES/0013-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/SOURCES/0013-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch new file mode 100644 index 0000000..90e6575 --- /dev/null +++ b/SOURCES/0013-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch @@ -0,0 +1,151 @@ +From 8528d0f734c0ad02120358a894e6fe59c6b9a9c2 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 14 Oct 2015 15:59:06 +0200 +Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + + We've always patched all those DSC/FDF files in OvmfPkg down-stream that + made sense at least in theory on QEMU. (For example, we've always + patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never + build or ship the pure IA32 firmware platform.) Follow suit with + "AmdSevX64.dsc". + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve contextual conflict in the DSC files, from upstream commit + b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D + SMM_REQUIRE", 2020-03-12). + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- refresh downstream-only commit 8abc2a6ddad2 against context differences + in the DSC files from upstream commit 5e167d7e784c + ("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if + SMM_REQUIRE", 2017-03-12). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721) +(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d) +(cherry picked from commit b311932d3841c017a0f0fec553edcac365cc2038) +(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3) +(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853) +(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2) +(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f) +(cherry picked from commit 51e0de961029af84b5bdbfddcc9762b1819d500f) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 + + OvmfPkg/OvmfPkgIa32.dsc | 1 + + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + + OvmfPkg/OvmfPkgX64.dsc | 1 + + OvmfPkg/PlatformPei/Platform.c | 1 + + OvmfPkg/PlatformPei/PlatformPei.inf | 1 + + 6 files changed, 6 insertions(+) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 5ee5445116..6ea3621225 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -534,6 +534,7 @@ + [PcdsDynamicDefault] + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 6a5be97c05..4cacf0ea94 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -594,6 +594,7 @@ + # ($(SMM_REQUIRE) == FALSE) + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 71227d1b70..6225f8e095 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -600,6 +600,7 @@ + # ($(SMM_REQUIRE) == FALSE) + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 52f7598cf1..b66fc67563 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -600,6 +600,7 @@ + # ($(SMM_REQUIRE) == FALSE) + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0 + ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 +diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c +index df2d9ad015..d0e2c08de9 100644 +--- a/OvmfPkg/PlatformPei/Platform.c ++++ b/OvmfPkg/PlatformPei/Platform.c +@@ -752,6 +752,7 @@ InitializePlatform ( + MemTypeInfoInitialization (); + MemMapInitialization (); + NoexecDxeInitialization (); ++ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm); + } + + InstallClearCacheCallback (); +diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf +index 67eb7aa716..69eb3edad3 100644 +--- a/OvmfPkg/PlatformPei/PlatformPei.inf ++++ b/OvmfPkg/PlatformPei/PlatformPei.inf +@@ -93,6 +93,7 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode + gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable + gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack +-- +2.27.0 + diff --git a/SOURCES/0014-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/SOURCES/0014-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch new file mode 100644 index 0000000..c478b27 --- /dev/null +++ b/SOURCES/0014-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch @@ -0,0 +1,203 @@ +From 2ea50cb9ad392b2df09bfb20d64c7c3c1863e867 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Sun, 26 Jul 2015 08:02:50 +0000 +Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc", + arising from upstream commits: + + - 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base + address from the DT", 2020-03-04) + + - ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI + phase", 2020-03-04) + + - cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the + QEMU command line", 2020-04-28) + +- Rework the downstream patch quite a bit, paralleling the upstream work + done for in commit + range 64ab457d1f21..cdc3fa54184a: + + - Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace + open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent". + + - Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only + via NULL class resolution (basically: as a plugin), so use NULL for + LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER". + + - Sort the [Packages] section alphabetically in the INF file. + + - Replace the open-coded GetNamedFwCfgBoolean() function with a call to + QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib. + + - Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the + INF file. + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- Refresh downstream-only commit d4564d39dfdb against context changes in + "ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870 + ("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable + override", 2017-03-29). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such + setter functions for dynamic PCDs that don't return a status code (such + as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds -- + there's really no circumstance in this case when it could fail. + +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262) +(cherry picked from commit c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c) +(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65) +(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806) +(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04) +(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99) +(cherry picked from commit a5f7a57bf390f1f340ff1d1f1884a73716817ef1) +--- + ArmVirtPkg/ArmVirtQemu.dsc | 7 +++- + .../TerminalPcdProducerLib.c | 34 +++++++++++++++++++ + .../TerminalPcdProducerLib.inf | 33 ++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c + create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 891e065311..e0476ede4f 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -282,6 +282,8 @@ + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0 + !endif + ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE ++ + [PcdsDynamicHii] + gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS + +@@ -384,7 +386,10 @@ + MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf + MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf + MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf +- MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf ++ MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf { ++ ++ NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf ++ } + MdeModulePkg/Universal/SerialDxe/SerialDxe.inf + + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf +diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c +new file mode 100644 +index 0000000000..bfd3a6a535 +--- /dev/null ++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c +@@ -0,0 +1,34 @@ ++/** @file ++* Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg ++* ++* Copyright (C) 2015-2020, Red Hat, Inc. ++* Copyright (c) 2014, Linaro Ltd. All rights reserved.
++* ++* SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#include ++#include ++#include ++ ++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName) \ ++ do { \ ++ BOOLEAN Setting; \ ++ RETURN_STATUS PcdStatus; \ ++ \ ++ if (!RETURN_ERROR (QemuFwCfgParseBool ( \ ++ "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \ ++ PcdStatus = PcdSetBoolS (TokenName, Setting); \ ++ ASSERT_RETURN_ERROR (PcdStatus); \ ++ } \ ++ } while (0) ++ ++RETURN_STATUS ++EFIAPI ++TerminalPcdProducerLibConstructor ( ++ VOID ++ ) ++{ ++ UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm); ++ return RETURN_SUCCESS; ++} +diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf +new file mode 100644 +index 0000000000..a51dbd1670 +--- /dev/null ++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf +@@ -0,0 +1,33 @@ ++## @file ++# Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg ++# ++# Copyright (C) 2015-2020, Red Hat, Inc. ++# Copyright (c) 2014, Linaro Ltd. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = TerminalPcdProducerLib ++ FILE_GUID = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96 ++ MODULE_TYPE = BASE ++ VERSION_STRING = 1.0 ++ LIBRARY_CLASS = NULL ++ CONSTRUCTOR = TerminalPcdProducerLibConstructor ++ ++[Sources] ++ TerminalPcdProducerLib.c ++ ++[Packages] ++ MdeModulePkg/MdeModulePkg.dec ++ MdePkg/MdePkg.dec ++ OvmfPkg/OvmfPkg.dec ++ ++[LibraryClasses] ++ DebugLib ++ PcdLib ++ QemuFwCfgSimpleParserLib ++ ++[Pcd] ++ gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES +-- +2.27.0 + diff --git a/SOURCES/0015-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch b/SOURCES/0015-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch new file mode 100644 index 0000000..66af3b3 --- /dev/null +++ b/SOURCES/0015-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch @@ -0,0 +1,172 @@ +From ed122866ad1a15f29e0ba570ddb9309917cb0370 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 4 Nov 2014 23:02:53 +0100 +Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH + only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- No manual / explicit code change is necessary, because the newly + inherited OvmfPkg/AmdSev platform already has its own BUILD_SHELL + build-time macro (feature test flag), with default value FALSE -- from + upstream commit b261a30c900a ("OvmfPkg/AmdSev: add Grub Firmware Volume + Package", 2020-12-14). + +- Contextual differences from new upstream commits 2d8ca4f90eae ("OvmfPkg: + enable HttpDynamicCommand", 2020-10-01) and 5ab6a0e1c8e9 ("OvmfPkg: + introduce VirtioFsDxe", 2020-12-21) have been auto-resolved by + git-cherry-pick. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the + 'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- update the patch against the following upstream commits: + - 4b888334d234 ("OvmfPkg: Remove EdkShellBinPkg in FDF", 2018-11-19) + - 277a3958d93a ("OvmfPkg: Don't include TftpDynamicCommand in XCODE5 + tool chain", 2018-11-27) + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Bugzilla: 1147592 + +When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell +binary from the firmware image. + +Peter Jones advised us that firmware vendors for physical systems disable +the memory-mapped, firmware image-contained UEFI shell in +SecureBoot-enabled builds. The reason being that the memory-mapped shell +can always load, it may have direct access to various hardware in the +system, and it can run UEFI shell scripts (which cannot be signed at all). + +Intended use of the new build option: + +- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant + firmware image will contain a shell binary, independently of SecureBoot + enablement, which is flexible for interactive development. (Ie. no + change for in-tree builds.) + +- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and + '-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide: + + - OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell, + + - OVMF_VARS.fd: variable store template matching OVMF_CODE.fd, + + - UefiShell.iso: a bootable ISO image with the shell on it as default + boot loader. The shell binary will load when SecureBoot is turned off, + and won't load when SecureBoot is turned on (because it is not + signed). + + UefiShell.iso is the reason we're not excluding the shell from the DSC + files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD' + is specified, the shell binary needs to be built the same, only it + will be included in UefiShell.iso. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd) +(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933) +(cherry picked from commit 23df46ebbe7b09451d3a05034acd4d3a25e7177b) +(cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245) +(cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687) +(cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4) +(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e) +(cherry picked from commit c2812d7189dee06c780f05a5880eb421c359a687) +--- + OvmfPkg/OvmfPkgIa32.fdf | 2 ++ + OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++ + OvmfPkg/OvmfPkgX64.fdf | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 775ea2d710..00ea14adf0 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -290,12 +290,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + ++!ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" + INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf ++!endif + + INF MdeModulePkg/Logo/LogoDxe.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 9d8695922f..e33a40c44e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -294,12 +294,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + ++!ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" + INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf ++!endif + + INF MdeModulePkg/Logo/LogoDxe.inf + +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index b6cc3cabdd..85b4b23857 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -310,12 +310,14 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + ++!ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" + INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf ++!endif + + INF MdeModulePkg/Logo/LogoDxe.inf + +-- +2.27.0 + diff --git a/SOURCES/0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch b/SOURCES/0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch new file mode 100644 index 0000000..7f9c554 --- /dev/null +++ b/SOURCES/0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch @@ -0,0 +1,93 @@ +From 03a7ff7a8ab80c740dc1ab64b74bb691cadbf84e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 14 Oct 2015 13:49:43 +0200 +Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Drew has proposed that ARM|AARCH64 platform firmware (especially virtual +machine firmware) print a reasonably early, simple hello message to the +serial port, regardless of debug mask settings. This should inform +interactive users, and provide some rough help in localizing boot +problems, even with restrictive debug masks. + +If a platform doesn't want this feature, it should stick with the default +empty string. + +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279 +Downstream only: +. + +Suggested-by: Drew Jones +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit 7ce97b06421434c82095f01a1753a8c9c546cc30) +(cherry picked from commit 20b1f1cbd0590aa71c6d99d35e23cf08e0707750) +(cherry picked from commit 6734b88cf7abcaf42632e3d2fc469b2169dd2f16) +(cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27) +(cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1) +(cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2) +(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc) +(cherry picked from commit c75aea7a738ac7fb944c0695a4bfffc3985afaa9) +--- + ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec +index 3a25ddcdc8..b2b58553c7 100644 +--- a/ArmPlatformPkg/ArmPlatformPkg.dec ++++ b/ArmPlatformPkg/ArmPlatformPkg.dec +@@ -121,6 +121,13 @@ + ## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers + gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045 + ++ # ++ # Early hello message (ASCII string), printed to the serial port. ++ # If set to the empty string, nothing is printed. ++ # Otherwise, a trailing CRLF should be specified explicitly. ++ # ++ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|""|VOID*|0x00000100 ++ + [PcdsFixedAtBuild.common,PcdsDynamic.common] + ## PL031 RealTimeClock + gArmPlatformTokenSpaceGuid.PcdPL031RtcBase|0x0|UINT32|0x00000024 +-- +2.27.0 + diff --git a/SOURCES/0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch b/SOURCES/0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch new file mode 100644 index 0000000..07079ad --- /dev/null +++ b/SOURCES/0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch @@ -0,0 +1,145 @@ +From c82c22df8ab7d2c7078421f4da4ad99e5c04d364 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 14 Oct 2015 13:59:20 +0200 +Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial + port (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- adapt to upstream commit 7e2a8dfe8a9a ("ArmPlatformPkg/PrePeiCore: seed + temporary stack before entering PEI core", 2017-11-09) -- conflict + resolution in "ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf" + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +The FixedPcdGetSize() macro expands to an integer constant, therefore an +optimizing compiler can eliminate the new code, if the platform DSC +doesn't override the empty string (size=1) default of +PcdEarlyHelloMessage. + +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279 +Downstream only: +. + +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit b16c4c505ce0e27305235533eac9236aa66f132e) +(cherry picked from commit 742e5bf6d5ce5a1e73879d6e5c0dd00feda7a9ac) +(cherry picked from commit 93d69eb9393cf05af90676253875c59c1bec67fd) +(cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a) +(cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de) +(cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf) +(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453) +(cherry picked from commit 49fe5596cd79c94d903c4d506c563d642ccd69aa) +--- + ArmPlatformPkg/PrePeiCore/MainMPCore.c | 5 +++++ + ArmPlatformPkg/PrePeiCore/MainUniCore.c | 5 +++++ + ArmPlatformPkg/PrePeiCore/PrePeiCore.h | 1 + + ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf | 2 ++ + ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf | 2 ++ + 5 files changed, 15 insertions(+) + +diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c +index 859f1adf20..cf9e65bb7c 100644 +--- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c ++++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c +@@ -111,6 +111,11 @@ PrimaryMain ( + UINTN TemporaryRamBase; + UINTN TemporaryRamSize; + ++ if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) { ++ SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage), ++ FixedPcdGetSize (PcdEarlyHelloMessage) - 1); ++ } ++ + CreatePpiList (&PpiListSize, &PpiList); + + // Enable the GIC Distributor +diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c +index 220f9b5680..158cc34c77 100644 +--- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c ++++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c +@@ -29,6 +29,11 @@ PrimaryMain ( + UINTN TemporaryRamBase; + UINTN TemporaryRamSize; + ++ if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) { ++ SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage), ++ FixedPcdGetSize (PcdEarlyHelloMessage) - 1); ++ } ++ + CreatePpiList (&PpiListSize, &PpiList); + + // Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at +diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h +index 7b155a8a61..e9e283f9ec 100644 +--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h ++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf +index fb01dd1a11..a6681c1032 100644 +--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf ++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf +@@ -69,6 +69,8 @@ + gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize + gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize + ++ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage ++ + gArmTokenSpaceGuid.PcdGicDistributorBase + gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase + gArmTokenSpaceGuid.PcdGicSgiIntId +diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf +index e9eb092d3a..c98dc82f0c 100644 +--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf ++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf +@@ -67,4 +67,6 @@ + gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize + gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize + ++ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage ++ + gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack +-- +2.27.0 + diff --git a/SOURCES/0018-ArmVirtPkg-set-early-hello-message-RH-only.patch b/SOURCES/0018-ArmVirtPkg-set-early-hello-message-RH-only.patch new file mode 100644 index 0000000..c8b8361 --- /dev/null +++ b/SOURCES/0018-ArmVirtPkg-set-early-hello-message-RH-only.patch @@ -0,0 +1,82 @@ +From 71a097feaba670e5d6eaebfc593394dee6e71cc9 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 14 Oct 2015 14:07:17 +0200 +Subject: ArmVirtPkg: set early hello message (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit f5cb3767038e + ("ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 + support", 2020-03-04) automatically resolved correctly + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- resolve context conflict with upstream commit eaa1e98ae31d ("ArmVirtPkg: + don't set PcdCoreCount", 2019-02-13) + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- no changes + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Print a friendly banner on QEMU, regardless of debug mask settings. + +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279 +Downstream only: +. + +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek +(cherry picked from commit 5d4a15b9019728b2d96322bc679099da49916925) +(cherry picked from commit 179df76dbb0d199bd905236e98775b4059c6502a) +(cherry picked from commit ce3f59d0710c24c162d5222bbf5cd7e36180c80c) +(cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18) +(cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18) +(cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a) +(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b) +(cherry picked from commit 72550e12ae469012a505bf5b98a6543a754028d3) +--- + ArmVirtPkg/ArmVirtQemu.dsc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index e0476ede4f..ec0edf6e7b 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -134,6 +134,7 @@ + gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) + + [PcdsFixedAtBuild.common] ++ gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n" + !if $(ARCH) == AARCH64 + gArmTokenSpaceGuid.PcdVFPEnabled|1 + !endif +-- +2.27.0 + diff --git a/SOURCES/0019-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/SOURCES/0019-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch new file mode 100644 index 0000000..764e1a6 --- /dev/null +++ b/SOURCES/0019-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch @@ -0,0 +1,121 @@ +From 1ac092c4fa4fef5f1dfe02b4179eb18830564854 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:45 +0100 +Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make + SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22) + resolved automatically + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed +debug messages, and code in OvmfPkg logs many messages on the +DEBUG_VERBOSE level. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 78d3ed73172b5738e32d2b0bc03f7984b9584117) +(cherry picked from commit 7aeeaabc9871f657e65d2b99d81011b4964a1ce9) +(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76) +(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027) +(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50) +(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89) +(cherry picked from commit 5ecc18badaabe774d9d0806b027ab63a30c6a2d7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- + OvmfPkg/OvmfPkgIa32.dsc | 2 +- + OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- + OvmfPkg/OvmfPkgX64.dsc | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 6ea3621225..366fa79f62 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -486,7 +486,7 @@ + # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may + # // significantly impact boot performance + # DEBUG_ERROR 0x80000000 // Error +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F + + !if $(SOURCE_DEBUG_ENABLE) == TRUE + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 4cacf0ea94..2aacf1a5ff 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -534,7 +534,7 @@ + # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may + # // significantly impact boot performance + # DEBUG_ERROR 0x80000000 // Error +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F + + !if $(SOURCE_DEBUG_ENABLE) == TRUE + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 6225f8e095..2613c83adb 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -538,7 +538,7 @@ + # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may + # // significantly impact boot performance + # DEBUG_ERROR 0x80000000 // Error +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F + + !if $(SOURCE_DEBUG_ENABLE) == TRUE + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index b66fc67563..d7d34eeef2 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -540,7 +540,7 @@ + # DEBUG_VERBOSE 0x00400000 // Detailed debug messages that may + # // significantly impact boot performance + # DEBUG_ERROR 0x80000000 // Error +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F + + !if $(SOURCE_DEBUG_ENABLE) == TRUE + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 +-- +2.27.0 + diff --git a/SOURCES/0020-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/SOURCES/0020-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch new file mode 100644 index 0000000..3557ef7 --- /dev/null +++ b/SOURCES/0020-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch @@ -0,0 +1,173 @@ +From 7e02a1017ef2f0c798c195c1adcb516c9461d22a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:46 +0100 +Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuVideoDxe/QemuRamfbDxe (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in + QemuVideoDxe when we have CSM", 2019-06-26), the contexts of + "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files. + Resolve the conflict manually. + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14) + introduced another GOP driver that consumes FrameBufferBltLib, and + thereby produces a large number of (mostly useless) debug messages at + the DEBUG_VERBOSE level. Extend the patch to suppress those messages in + both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly. + QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also + the original commit message at the bottom of this downstream patch). + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses +MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to +FrameBufferBltLib. + +The FrameBufferBltLib instance added in commit b1ca386074bd +("MdeModulePkg: Add FrameBufferBltLib library instance") logs many +messages on the VERBOSE level; for example, a normal boot with OVMF can +produce 500+ "VideoFill" messages, dependent on the progress bar, when the +VERBOSE bit is set in PcdDebugPrintErrorLevel. + +QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages this way. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52) +(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3) +(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0) +(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1) +(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850) +(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4) +(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgX64.dsc | 10 ++++++++-- + 4 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 366fa79f62..a289d8a573 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -750,8 +750,14 @@ + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 2aacf1a5ff..1a5cfa4c6d 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -846,9 +846,15 @@ + MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + !ifndef $(CSM_ENABLE) +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 2613c83adb..11002ffd95 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -860,9 +860,15 @@ + MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + !ifndef $(CSM_ENABLE) +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index d7d34eeef2..f176aa4061 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -858,9 +858,15 @@ + MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + !ifndef $(CSM_ENABLE) +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +-- +2.27.0 + diff --git a/SOURCES/0021-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/SOURCES/0021-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch new file mode 100644 index 0000000..1e8f626 --- /dev/null +++ b/SOURCES/0021-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch @@ -0,0 +1,97 @@ +From e90b3928d862a2dadda7d5c7c8f680f05854bc6f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 27 Jan 2016 03:05:18 +0100 +Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH + only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- The previous version of this patch (downstream commit 76b4ac28e975) + caused a regression (RHBZ#1714446), which was fixed up in downstream + commit 5a216abaa737 ("ArmVirtPkg: silence DEBUG_VERBOSE masking + ~0x00400000 in QemuRamfbDxe (RH only)", 2019-08-05). + + Squash the fixup into the original patch. Fuse the commit messages. + (Acked-by tags are not preserved, lest we confuse ourselves while + reviewing this rebase.) + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- new patch, due to upstream commit c64688f36a8b ("ArmVirtPkg: add + QemuRamfbDxe", 2018-06-14) + +QemuRamfbDxe uses FrameBufferLib. The FrameBufferBltLib instance added in +commit b1ca386074bd ("MdeModulePkg: Add FrameBufferBltLib library +instance") logs many messages on the VERBOSE level; for example, a normal +boot with ArmVirtQemu[Kernel] can produce 500+ "VideoFill" messages, +dependent on the progress bar, when the VERBOSE bit is set in +PcdDebugPrintErrorLevel. + +Clear the VERBOSE bit without touching other bits -- those other bits +differ between the "silent" and "verbose" builds, so we can't set them as +constants. + +QemuRamfbDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages, with the VERBOSE bit clear. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit 76b4ac28e975bd63c25db903a1d42c47b38cc756) +Reported-by: Andrew Jones +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daude +(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc) +Signed-off-by: Laszlo Ersek +(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84) +(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2) +--- + ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++- + ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index ec0edf6e7b..e6fad9f066 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -509,7 +509,10 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index a8bb83b288..656c9d99a3 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -438,7 +438,10 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + +-- +2.27.0 + diff --git a/SOURCES/0022-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/SOURCES/0022-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch new file mode 100644 index 0000000..a9b6cf4 --- /dev/null +++ b/SOURCES/0022-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch @@ -0,0 +1,95 @@ +From 619fb46a6790720fa1bd9a1a758471b9d5c018ef Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Thu, 1 Aug 2019 20:43:48 +0200 +Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent + builds (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- We have to carry this downstream-only patch -- committed originally as + aaaedc1e2cfd -- indefinitely. + +- To avoid confusion, remove the tags from the commit message that had + been added by the downstream maintainer scripts, such as: Message-id, + Patchwork-id, O-Subject, Acked-by. These remain available on the + original downstream commit. The Bugzilla line is preserved, as it + doesn't relate to a specific posting, but to the problem. + +Bugzilla: 1714446 + +To suppress an error message on the silent build when ramfb is +not configured, change QemuRamfbDxe to return EFI_SUCCESS even +when it fails. +Some memory is wasted (driver stays resident without +any good use), but it is mostly harmless, as the memory +is released by the OS after ExitBootServices(). + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daude +(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7) +Signed-off-by: Laszlo Ersek +(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca) +(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e) +--- + OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++ + OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 + + 2 files changed, 15 insertions(+) + +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +index 0d49d8bbab..dbf9bcbe16 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -242,6 +243,19 @@ InitializeQemuRamfb ( + + Status = QemuFwCfgFindFile ("etc/ramfb", &mRamfbFwCfgItem, &FwCfgSize); + if (EFI_ERROR (Status)) { ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1714446 ++ // If no ramfb device was configured, this platform DXE driver should ++ // returns EFI_NOT_FOUND, so the DXE Core can unload it. However, even ++ // using a silent build, an error message is issued to the guest console. ++ // Since this confuse users, return success and stay resident. The wasted ++ // guest RAM still gets freed later after ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ return EFI_SUCCESS; ++ } ++#endif + return EFI_NOT_FOUND; + } + if (FwCfgSize != sizeof (RAMFB_CONFIG)) { +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +index e3890b8c20..6ffee5acb2 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +@@ -29,6 +29,7 @@ + BaseLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + DevicePathLib + FrameBufferBltLib + MemoryAllocationLib +-- +2.27.0 + diff --git a/SOURCES/0023-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/SOURCES/0023-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch new file mode 100644 index 0000000..ecebb4e --- /dev/null +++ b/SOURCES/0023-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch @@ -0,0 +1,131 @@ +From 009210d2d36584215d31bdbeb7071cf8ff4f1fa5 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:47 +0100 +Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH + only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE +level. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f) +(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4) +(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8) +(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6) +(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958) +(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6) +(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- + OvmfPkg/OvmfPkgX64.dsc | 5 ++++- + 4 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index a289d8a573..ccdf9b8ce0 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -744,7 +744,10 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 1a5cfa4c6d..a0666930d6 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -839,7 +839,10 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 11002ffd95..5efeb42bf3 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -853,7 +853,10 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index f176aa4061..10fb7d7069 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -851,7 +851,10 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0024-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch b/SOURCES/0024-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch new file mode 100644 index 0000000..15024d8 --- /dev/null +++ b/SOURCES/0024-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch @@ -0,0 +1,179 @@ +From 7e6632fecb119feaf6c34c794e72a8424792fd3f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Sat, 16 Nov 2019 17:11:27 +0100 +Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs + (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1938257 + +- Recreate the patch based on downstream commits: + + - 56c4bb81b311 ("CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files + in the INFs (RH)", 2020-06-05), + - e81751a1c303 ("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g", + 2020-11-23), + - 3e3fe5e62079 ("redhat: bump OpenSSL dist-git submodule to 1.1.1g+ / + RHEL-8.4", 2020-11-23). + + (1) At e81751a1c303, downstream edk2 was in sync with upstream edk2 + consuming OpenSSL 1.1.1g (upstream edk2 commit 8c30327debb2 + ("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g", 2020-07-25)). + + Since commit 8c30327debb2, upstream edk2 modified the OpensslLib INF + files, namely + + - CryptoPkg/Library/OpensslLib/OpensslLib.inf + - CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + + in the following commits only: + + - be01087e0780 ("CryptoPkg/Library: Remove the redundant build + option", 2020-08-12), which did not affect the source file list at + all, + + - b5701a4c7a0f ("CryptoPkg: OpensslLib: Use RngLib to generate + entropy in rand_pool", 2020-09-18), which replaced some of the + *edk2-specific* "rand_pool_noise" source files with an RngLib + dependency. + + This means that the list of required, actual OpenSSL source files + has not changed in upstream edk2 since our downstream edk2 commit + e81751a1c303. + + (2) At commit 3e3fe5e62079 (the direct child of e81751a1c303), + downstream edk2's OpenSSL dependency was satisfied with RHEL-8 + OpenSSL at dist-git commit bdd048e929dc ("Two fixes that will be + shipped in RHEL-8.3.0.z", 2020-10-23). + + Since commit bdd048e929dc, RHEL-8 OpenSSL dist-git advanced + (fast-forwarded) to commit a75722161d20 ("Update to version 1.1.1k", + 2021-05-25), which is the current head of the rhel-8.5.0 branch. + (See also .) + + At both dist-git bdd048e929dc and dist-git a75722161d20, I built the + respective RHEL-8 OpenSSL *source* RPM, and prepped the respective + source tree, with "rpmbuild -bp". Subsequently I compared the + prepped source trees recursively. + + - The following files disappeared: + + - 29 backup files created by "patch", + + - the assembly generator perl script called + "ecp_nistz256-avx2.pl", which is not used during the build. + + - The following new files appeared: + + - 18 files directly or indirectly under the "test" subdirectory, + which are not used during the build, + + - 5 backup files created by "patch", + + - 2 DCL scripts used when building OpenSSL on OpenVMS. + + This means that the total list of RHEL-8 OpenSSL source files has + not changed in RHEL-8 OpenSSL dist-git since our downstream edk2 + commit 3e3fe5e62079. + + As a result, copy the "RHEL8-specific OpenSSL file list" sections + verbatim from the INF files, at downstream commit e81751a1c303. (I used + the "git checkout -p e81751a1c303 -- Library/OpensslLib/OpensslLib.inf + CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf" command.) + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- "OpensslLib.inf": + + - Automatic leading context refresh against upstream commit c72ca4666886 + ("CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing + loop", 2020-03-10). + + - Manual trailing context refresh against upstream commit b49a6c8f80d9 + ("CryptoPkg/OpensslLib: improve INF file consistency", 2019-12-02). + +- "OpensslLibCrypto.inf": + + - Automatic leading context refresh against upstream commits + 8906f076de35 ("CryptoPkg/OpensslLib: Add missing header files in INF + file", 2019-08-16) and 9f4fbd56d430 ("CryptoPkg/OpensslLib: Update + process_files.pl to generate .h files", 2019-10-30). + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- new patch + +The downstream changes in RHEL8's OpenSSL package, for example in +"openssl-1.1.1-evp-kdf.patch", introduce new files, and even move some +preexistent code into those new files. In order to avoid undefined +references in link editing, we have to list the new files. + +Note: "process_files.pl" is not re-run at this time manually, because + +(a) "process_files.pl" would pollute the file list (and some of the + auto-generated header files) with RHEL8-specific FIPS artifacts, which + are explicitly unwanted in edk2, + +(b) The RHEL OpenSSL maintainer, Tomas Mraz, identified this specific set + of files in , + and will help with future changes too. + +Signed-off-by: Laszlo Ersek +(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40) +(cherry picked from commit 56c4bb81b311dfcee6a34c81d3e4feeda7f88995) +--- + CryptoPkg/Library/OpensslLib/OpensslLib.inf | 11 +++++++++++ + CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +index d84bde056a..19913a4ac6 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +@@ -570,6 +570,17 @@ + $(OPENSSL_PATH)/ssl/statem/statem.h + $(OPENSSL_PATH)/ssl/statem/statem_local.h + # Autogenerated files list ends here ++# RHEL8-specific OpenSSL file list starts here ++ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c ++ $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c ++ $(OPENSSL_PATH)/crypto/kdf/kbkdf.c ++ $(OPENSSL_PATH)/crypto/kdf/kdf_local.h ++ $(OPENSSL_PATH)/crypto/kdf/kdf_util.c ++ $(OPENSSL_PATH)/crypto/kdf/krb5kdf.c ++ $(OPENSSL_PATH)/crypto/kdf/pbkdf2.c ++ $(OPENSSL_PATH)/crypto/kdf/sshkdf.c ++ $(OPENSSL_PATH)/crypto/kdf/sskdf.c ++# RHEL8-specific OpenSSL file list ends here + buildinf.h + ossl_store.c + rand_pool.c +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +index cdeed0d073..5057857e8d 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +@@ -519,6 +519,17 @@ + $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h + # Autogenerated files list ends here ++# RHEL8-specific OpenSSL file list starts here ++ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c ++ $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c ++ $(OPENSSL_PATH)/crypto/kdf/kbkdf.c ++ $(OPENSSL_PATH)/crypto/kdf/kdf_local.h ++ $(OPENSSL_PATH)/crypto/kdf/kdf_util.c ++ $(OPENSSL_PATH)/crypto/kdf/krb5kdf.c ++ $(OPENSSL_PATH)/crypto/kdf/pbkdf2.c ++ $(OPENSSL_PATH)/crypto/kdf/sshkdf.c ++ $(OPENSSL_PATH)/crypto/kdf/sskdf.c ++# RHEL8-specific OpenSSL file list ends here + buildinf.h + ossl_store.c + rand_pool.c +-- +2.27.0 + diff --git a/SOURCES/0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/SOURCES/0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch new file mode 100644 index 0000000..0cbb9cf --- /dev/null +++ b/SOURCES/0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch @@ -0,0 +1,83 @@ +From 9e7da28d166fb4b5b434b444c655d522c9f32b1a Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:31:36 +0200 +Subject: OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in + silent aa64 build (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From, + RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe +should return EFI_NOT_FOUND, so that the DXE Core can unload it. However, +the associated error message, logged by the DXE Core to the serial +console, is not desired in the silent edk2-aarch64 build, given that the +absence of "-kernel" is nothing out of the ordinary. Therefore, return +success and stay resident. The wasted guest RAM still gets freed after +ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) + +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d) +--- + .../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++ + .../QemuKernelLoaderFsDxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 6832d563bc..08ed67f5ff 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1054,6 +1055,22 @@ QemuKernelLoaderFsDxeEntrypoint ( + + if (KernelBlob->Data == NULL) { + Status = EFI_NOT_FOUND; ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If the "-kernel" QEMU option is not being used, this platform DXE driver ++ // should return EFI_NOT_FOUND, so that the DXE Core can unload it. ++ // However, the associated error message, logged by the DXE Core to the ++ // serial console, is not desired in the silent edk2-aarch64 build, given ++ // that the absence of "-kernel" is nothing out of the ordinary. Therefore, ++ // return success and stay resident. The wasted guest RAM still gets freed ++ // after ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ Status = EFI_SUCCESS; ++ } ++#endif + goto FreeBlobs; + } + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +index 7b35adb8e0..e0331c6e2c 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +@@ -28,6 +28,7 @@ + BaseLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + DevicePathLib + MemoryAllocationLib + QemuFwCfgLib +-- +2.27.0 + diff --git a/SOURCES/0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/SOURCES/0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch new file mode 100644 index 0000000..826dab6 --- /dev/null +++ b/SOURCES/0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch @@ -0,0 +1,82 @@ +From 2b01209a816fce5004012a033c1e9f679f8768db Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:40:09 +0200 +Subject: SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build + (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From, + RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED, +so that the DXE Core can unload it. However, the associated error message, +logged by the DXE Core to the serial console, is not desired in the silent +edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out +of the ordinary. Therefore, return success and stay resident. The wasted +guest RAM still gets freed after ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) + +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df) +--- + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++ + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +index 6d17616c1c..f1a97d4b2d 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + + #include ++#include + #include + #include + #include +@@ -2642,6 +2643,22 @@ DriverEntry ( + if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) || + CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){ + DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n")); ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If swtpm / vTPM2 is not being used, this driver should return ++ // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the ++ // associated error message, logged by the DXE Core to the serial console, ++ // is not desired in the silent edk2-aarch64 build, given that the absence ++ // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return ++ // success and stay resident. The wasted guest RAM still gets freed after ++ // ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ return EFI_SUCCESS; ++ } ++#endif + return EFI_UNSUPPORTED; + } + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +index 7dc7a2683d..3bc8833931 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +@@ -55,6 +55,7 @@ + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + Tpm2CommandLib + PrintLib + UefiLib +-- +2.27.0 + diff --git a/SOURCES/0029-OvmfPkg-Remove-PrintDxe-RHEL-only.patch b/SOURCES/0029-OvmfPkg-Remove-PrintDxe-RHEL-only.patch new file mode 100644 index 0000000..588ad08 --- /dev/null +++ b/SOURCES/0029-OvmfPkg-Remove-PrintDxe-RHEL-only.patch @@ -0,0 +1,129 @@ +From ec59dc81bfaeb07ff114a956359161b29ca128fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:28:43 +0200 +Subject: OvmfPkg: Remove PrintDxe (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [1/19] 84921eec8867fc1986401a301700baf31ba66293 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +The Print service driver is not used by OVMF, remove it. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 1 - + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 1 - + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index ccdf9b8ce0..0cd0a50090 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -732,7 +732,6 @@ + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + } +- MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 5662609886..5a84393b00 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -245,7 +245,6 @@ INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf + INF MdeModulePkg/Application/UiApp/UiApp.inf + INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf +-INF MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index a0666930d6..d729a7bef7 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -826,7 +826,6 @@ + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + } +- MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 00ea14adf0..bf76546356 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -255,7 +255,6 @@ INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf + INF MdeModulePkg/Application/UiApp/UiApp.inf + INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf +-INF MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 5efeb42bf3..ad18b3f365 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -840,7 +840,6 @@ + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + } +- MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index e33a40c44e..2523aa2d52 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -259,7 +259,6 @@ INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf + INF MdeModulePkg/Application/UiApp/UiApp.inf + INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf +-INF MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 10fb7d7069..161de784ac 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -838,7 +838,6 @@ + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + } +- MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 85b4b23857..f9249b0b5f 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -275,7 +275,6 @@ INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf + INF MdeModulePkg/Application/UiApp/UiApp.inf + INF OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf +-INF MdeModulePkg/Universal/PrintDxe/PrintDxe.inf + INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf + INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0030-OvmfPkg-Remove-EbcDxe-RHEL-only.patch b/SOURCES/0030-OvmfPkg-Remove-EbcDxe-RHEL-only.patch new file mode 100644 index 0000000..d7cbdfa --- /dev/null +++ b/SOURCES/0030-OvmfPkg-Remove-EbcDxe-RHEL-only.patch @@ -0,0 +1,129 @@ +From ff2f54341791a5b95edc7b782f5f2713e4c12588 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:28:49 +0200 +Subject: OvmfPkg: Remove EbcDxe (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [2/19] 6777c3dc453e4aecddc20216f783ba2a5acccaa0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove EFI Byte Code interpreter. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 1 - + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 1 - + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 0cd0a50090..d72a995159 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -670,7 +670,6 @@ + !endif + } + +- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + OvmfPkg/8259InterruptControllerDxe/8259.inf + UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 5a84393b00..2a077ac5bd 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -205,7 +205,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + + INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + INF OvmfPkg/8259InterruptControllerDxe/8259.inf + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + INF UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index d729a7bef7..e847cfad96 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -753,7 +753,6 @@ + !endif + } + +- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + OvmfPkg/8259InterruptControllerDxe/8259.inf + UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index bf76546356..b65f7306a8 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -211,7 +211,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + + INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + INF OvmfPkg/8259InterruptControllerDxe/8259.inf + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + INF UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index ad18b3f365..b00b7682dd 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -767,7 +767,6 @@ + !endif + } + +- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + OvmfPkg/8259InterruptControllerDxe/8259.inf + UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 2523aa2d52..b145c0ca3e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -215,7 +215,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + + INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + INF OvmfPkg/8259InterruptControllerDxe/8259.inf + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + INF UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 161de784ac..2f61405fbf 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -765,7 +765,6 @@ + !endif + } + +- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + OvmfPkg/8259InterruptControllerDxe/8259.inf + UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + UefiCpuPkg/CpuDxe/CpuDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index f9249b0b5f..f82cba3934 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -231,7 +231,6 @@ INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + + INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +-INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + INF OvmfPkg/8259InterruptControllerDxe/8259.inf + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf + INF UefiCpuPkg/CpuDxe/CpuDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0031-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch b/SOURCES/0031-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch new file mode 100644 index 0000000..46de278 --- /dev/null +++ b/SOURCES/0031-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch @@ -0,0 +1,56 @@ +From 550baa5312b42e21332da86982a7f291528150e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:28:54 +0200 +Subject: ArmVirtPkg: Remove EbcDxe (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [3/19] 5ca7af1a505c16cc568a444398254aca06ca65aa +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove EFI Byte Code interpreter. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirt.dsc.inc | 5 ----- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 ----- + 2 files changed, 10 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 5a1598d90c..2fd8d31611 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -420,8 +420,3 @@ + + NULL|EmbeddedPkg/Library/PlatformHasAcpiLib/PlatformHasAcpiLib.inf + } +- +- # +- # EBC support +- # +- MdeModulePkg/Universal/EbcDxe/EbcDxe.inf +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index f6a538df72..520d531518 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -146,11 +146,6 @@ READ_LOCK_STATUS = TRUE + INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + INF OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpiPlatformDxe.inf +- +- # +- # EBC support +- # +- INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf + !endif + + # +-- +2.27.0 + diff --git a/SOURCES/0032-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch b/SOURCES/0032-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch new file mode 100644 index 0000000..98de3a3 --- /dev/null +++ b/SOURCES/0032-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch @@ -0,0 +1,129 @@ +From caf276302ed4b008e99749ed858db3bcf6501640 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:28:59 +0200 +Subject: OvmfPkg: Remove VirtioGpu device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [4/19] f0a41317291f2e9e3b5bd3125149c3866f23ab08 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 1 - + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 1 - + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index d72a995159..74e87f1b08 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -759,7 +759,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } +- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # + # ISA Support +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 2a077ac5bd..d09a193d09 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -299,7 +299,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + + INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index e847cfad96..f8ff1c2792 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -856,7 +856,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } +- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index b65f7306a8..ea7a3f893c 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -324,7 +324,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + + INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index b00b7682dd..4b5f362780 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -870,7 +870,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } +- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index b145c0ca3e..3c33f0eadd 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -333,7 +333,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + + INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 2f61405fbf..89dcdb8bba 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -868,7 +868,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } +- OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index f82cba3934..e7bf0da02b 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -349,7 +349,6 @@ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + + INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +-INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0033-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch b/SOURCES/0033-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch new file mode 100644 index 0000000..02318a9 --- /dev/null +++ b/SOURCES/0033-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch @@ -0,0 +1,141 @@ +From 5f2032eca0be1191d8485eeba4005f4d0a3af879 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 2 Jul 2021 20:15:40 +0200 +Subject: OvmfPkg: Remove QemuRamfbDxe display device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [5/19] 657c6d4406600a34ad57cd0f93018716d73f2cd1 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +The ramfb display device driver is not needed for RHEL. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ---- + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 4 ---- + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 20 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 74e87f1b08..154e318e87 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -755,10 +755,6 @@ + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + + # + # ISA Support +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index d09a193d09..cd86f60270 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -298,7 +298,6 @@ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + +-INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index f8ff1c2792..3061d0d796 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -852,10 +852,6 @@ + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index ea7a3f893c..e55c88c84d 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -323,7 +323,6 @@ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + +-INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 4b5f362780..01adc7b648 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -866,10 +866,6 @@ + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 3c33f0eadd..43a96cc78a 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -332,7 +332,6 @@ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + +-INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 89dcdb8bba..bcbc17fba4 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -864,10 +864,6 @@ + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + } + !endif +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + + # + # ISA Support +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index e7bf0da02b..e992ed5f37 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -348,7 +348,6 @@ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf + INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + !endif + +-INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf + INF OvmfPkg/PlatformDxe/Platform.inf + INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf + INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0034-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch b/SOURCES/0034-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch new file mode 100644 index 0000000..28c535a --- /dev/null +++ b/SOURCES/0034-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch @@ -0,0 +1,71 @@ +From 9dc5af1a38fffff9f377c8eddf517be621bb6cda Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:02 +0200 +Subject: ArmVirtPkg: Remove QemuRamfbDxe display device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [6/19] 4e08ed3eb98f0901ae033d76c12b62d89f67f6e7 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +The ramfb display device driver is only potentially needed for +aarch64 Windows guests, which are not supported by RHEL. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirtQemu.dsc | 4 ---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ---- + 3 files changed, 9 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index e6fad9f066..6677283c21 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -509,10 +509,6 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF +- } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 520d531518..2b51ac4a6d 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -161,7 +161,6 @@ READ_LOCK_STATUS = TRUE + # + # Video support + # +- INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf + INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF OvmfPkg/PlatformDxe/Platform.inf + +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 656c9d99a3..1ab8d6b999 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -438,10 +438,6 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF +- } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + +-- +2.27.0 + diff --git a/SOURCES/0035-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch b/SOURCES/0035-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch new file mode 100644 index 0000000..669de2c --- /dev/null +++ b/SOURCES/0035-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch @@ -0,0 +1,141 @@ +From a66385d84b6b156d09fc6c8a62297a684b4c39d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:06 +0200 +Subject: OvmfPkg: Remove NvmExpressDxe device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [7/19] 9af37e4e6ad4604d5ebe67ff77cc236664590fe2 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +There is no real known use case for the NVME driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ---- + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 4 ---- + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 20 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 154e318e87..7d69eba83b 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -742,10 +742,6 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index cd86f60270..45e9a345b7 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -253,7 +253,6 @@ INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf + INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +-INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 3061d0d796..b947e817a5 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -837,10 +837,6 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index e55c88c84d..bfed32ddd3 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -263,7 +263,6 @@ INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf + INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +-INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 01adc7b648..7e86a9872e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -851,10 +851,6 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 43a96cc78a..5965d4367a 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -267,7 +267,6 @@ INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf + INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +-INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index bcbc17fba4..952b831548 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -849,10 +849,6 @@ + OvmfPkg/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +- } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index e992ed5f37..4e382f7912 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -283,7 +283,6 @@ INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + INF OvmfPkg/SataControllerDxe/SataControllerDxe.inf + INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +-INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +-- +2.27.0 + diff --git a/SOURCES/0036-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch b/SOURCES/0036-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch new file mode 100644 index 0000000..8ddc0ab --- /dev/null +++ b/SOURCES/0036-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch @@ -0,0 +1,76 @@ +From c165681779351c785d6e1946d6b861b71d07fb3f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:10 +0200 +Subject: ArmVirtPkg: Remove NvmExpressDxe device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [8/19] d07dd11cb7a59c5af361ff5f801b7cfe421bce14 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +There is no real known use case for the NVME driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirtQemu.dsc | 5 ----- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 ----- + ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ----- + 3 files changed, 15 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 6677283c21..dff238fbdd 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -476,11 +476,6 @@ + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + +- # +- # NVME Driver +- # +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf +- + # + # SMBIOS Support + # +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 2b51ac4a6d..9449daa5af 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -127,11 +127,6 @@ READ_LOCK_STATUS = TRUE + INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + +- # +- # NVME Driver +- # +- INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf +- + # + # SMBIOS Support + # +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 1ab8d6b999..1603a635a9 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -405,11 +405,6 @@ + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + +- # +- # NVME Driver +- # +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf +- + # + # SMBIOS Support + # +-- +2.27.0 + diff --git a/SOURCES/0037-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch b/SOURCES/0037-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch new file mode 100644 index 0000000..ea21ce1 --- /dev/null +++ b/SOURCES/0037-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch @@ -0,0 +1,103 @@ +From a1872bcc0413a84cebe61b52fe99e5ef0d6ccca5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:13 +0200 +Subject: OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [9/19] b40d8a6b9c38568a74fb922b12bbae9f0e721f95 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the virtio-fs driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/OvmfPkgIa32.dsc | 1 - + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 1 - + OvmfPkg/OvmfPkgX64.fdf | 1 - + 6 files changed, 6 deletions(-) + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index b947e817a5..7ed4218f3f 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -831,7 +831,6 @@ + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf + MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index bfed32ddd3..0c90dc9ddf 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -285,7 +285,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +-INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 7e86a9872e..080351bfe4 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -845,7 +845,6 @@ + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf + MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 5965d4367a..0d23401372 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -289,7 +289,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +-INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 952b831548..fa2e439c39 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -843,7 +843,6 @@ + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf + MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 4e382f7912..244c1d6ef2 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -305,7 +305,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +-INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-- +2.27.0 + diff --git a/SOURCES/0038-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch b/SOURCES/0038-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch new file mode 100644 index 0000000..8990611 --- /dev/null +++ b/SOURCES/0038-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch @@ -0,0 +1,64 @@ +From 772e5687d7ffeb88e98f49d8aa499180114d3c32 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:16 +0200 +Subject: ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [10/19] 808ad4385c24fbf34fb0ba359808e6d364e1d030 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the virtio-fs driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirtQemu.dsc | 1 - + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index dff238fbdd..feac352b65 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -427,7 +427,6 @@ + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf + MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + # + # Bds +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 9449daa5af..8cab9bec9a 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -84,7 +84,6 @@ READ_LOCK_STATUS = TRUE + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + # + # Status Code Routing +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 1603a635a9..b365ac0f99 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -356,7 +356,6 @@ + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf + MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf +- OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + + # + # Bds +-- +2.27.0 + diff --git a/SOURCES/0039-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/0039-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch new file mode 100644 index 0000000..18e3377 --- /dev/null +++ b/SOURCES/0039-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -0,0 +1,129 @@ +From 5c6129a2e68f7914a374f8efadc71a959ac2cc0b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:19 +0200 +Subject: OvmfPkg: Remove UdfDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [11/19] 21614de37221fca27d4eec0f03c5c8bce5911af3 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the UDF driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 1 - + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 1 - + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 7d69eba83b..35691989bd 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -736,7 +736,6 @@ + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 45e9a345b7..52cb301d43 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -272,7 +272,6 @@ INF OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpiPlatformDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF FatPkg/EnhancedFatDxe/Fat.inf +-INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 7ed4218f3f..47dc58b2f2 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -830,7 +830,6 @@ + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 0c90dc9ddf..04bd804471 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -284,7 +284,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF FatPkg/EnhancedFatDxe/Fat.inf +-INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 080351bfe4..dc5c6681c5 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -844,7 +844,6 @@ + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 0d23401372..36433d984c 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -288,7 +288,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF FatPkg/EnhancedFatDxe/Fat.inf +-INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index fa2e439c39..17a11f81ae 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -842,7 +842,6 @@ + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf + MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf + OvmfPkg/SataControllerDxe/SataControllerDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 244c1d6ef2..ed0d60b5e0 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -304,7 +304,6 @@ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF FatPkg/EnhancedFatDxe/Fat.inf +-INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-- +2.27.0 + diff --git a/SOURCES/0040-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/0040-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch new file mode 100644 index 0000000..be8a548 --- /dev/null +++ b/SOURCES/0040-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -0,0 +1,64 @@ +From f5f031cd20029999856279428960eec8cb70b833 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:22 +0200 +Subject: ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [12/19] fcadb6a747b65e4d449d48131c9a2eeed4bd3c9a +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the UDF driver. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirtQemu.dsc | 1 - + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index feac352b65..07d3723589 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -426,7 +426,6 @@ + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + # + # Bds +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 8cab9bec9a..41392521a1 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -83,7 +83,6 @@ READ_LOCK_STATUS = TRUE + INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf +- INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + # + # Status Code Routing +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index b365ac0f99..609f44dc24 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -355,7 +355,6 @@ + MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + FatPkg/EnhancedFatDxe/Fat.inf +- MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + + # + # Bds +-- +2.27.0 + diff --git a/SOURCES/0041-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0041-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..a790794 --- /dev/null +++ b/SOURCES/0041-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch @@ -0,0 +1,112 @@ +From db62fdc2ea07ba0796820c0f4aaa02e3a36c0b27 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:25 +0200 +Subject: OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/OvmfPkgIa32.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 4 ---- + OvmfPkg/OvmfPkgX64.fdf | 1 - + 6 files changed, 15 deletions(-) + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 47dc58b2f2..3e7cd1f0ff 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -910,10 +910,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 04bd804471..61c3db7a13 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -287,7 +287,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index dc5c6681c5..450db0b473 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -924,10 +924,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 36433d984c..56781d84e4 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -291,7 +291,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 17a11f81ae..07d028b294 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -922,10 +922,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index ed0d60b5e0..959736a1be 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -307,7 +307,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif +-- +2.27.0 + diff --git a/SOURCES/0042-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch b/SOURCES/0042-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch new file mode 100644 index 0000000..4c7024d --- /dev/null +++ b/SOURCES/0042-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch @@ -0,0 +1,57 @@ +From 94302ccc1de9b13cb6dc28af3e077e0b09052460 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:28 +0200 +Subject: ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [14/19] 12436014941bd4a7c99a26d779ebdcd75f169403 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirt.dsc.inc | 7 +++---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 2fd8d31611..56c55eb473 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -377,10 +377,9 @@ + # + MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } ++ # ++ # UEFI application (Shell Embedded Boot Loader) ++ # + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 41392521a1..89e0bad645 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -98,7 +98,6 @@ READ_LOCK_STATUS = TRUE + INF OvmfPkg/VirtioRngDxe/VirtioRng.inf + + INF ShellPkg/Application/Shell/Shell.inf +- INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + +-- +2.27.0 + diff --git a/SOURCES/0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..0701c9b --- /dev/null +++ b/SOURCES/0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch @@ -0,0 +1,112 @@ +From 266042abbae5f40f3a45e88601a27096734163da Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:31 +0200 +Subject: OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via HTTP(S). + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/OvmfPkgIa32.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 4 ---- + OvmfPkg/OvmfPkgX64.fdf | 1 - + 6 files changed, 15 deletions(-) + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 3e7cd1f0ff..1a14d8125b 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -910,10 +910,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 61c3db7a13..bdb8bd2388 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -287,7 +287,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 450db0b473..a528e35e99 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -924,10 +924,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 56781d84e4..2bb9c91909 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -291,7 +291,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 07d028b294..8b4963b022 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -922,10 +922,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 959736a1be..9d1dfb1cee 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -307,7 +307,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf +-- +2.27.0 + diff --git a/SOURCES/0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch b/SOURCES/0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch new file mode 100644 index 0000000..4092e92 --- /dev/null +++ b/SOURCES/0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch @@ -0,0 +1,54 @@ +From e2844c290619d4a0d835a0e0756d07eca0493ddb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:34 +0200 +Subject: ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [16/19] 07a74f1fdcdbb9a31d25ce9760edcd852e9574c3 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via HTTP(S). + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirt.dsc.inc | 4 ---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 56c55eb473..0e221c22c9 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -380,10 +380,6 @@ + # + # UEFI application (Shell Embedded Boot Loader) + # +- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 89e0bad645..add13fc39d 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -98,7 +98,6 @@ READ_LOCK_STATUS = TRUE + INF OvmfPkg/VirtioRngDxe/VirtioRng.inf + + INF ShellPkg/Application/Shell/Shell.inf +- INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + + # +-- +2.27.0 + diff --git a/SOURCES/0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch b/SOURCES/0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch new file mode 100644 index 0000000..19509d0 --- /dev/null +++ b/SOURCES/0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch @@ -0,0 +1,146 @@ +From 855afbe9bf9ebb68f9cdb3ace57ce99e5614375f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:39 +0200 +Subject: OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to register a file in the shell as the +initial ramdisk for a UEFI stubbed kernel, to be booted next. + +Note: as further dynamic shell commands might show up upstream, +we intentionally preserve the empty !ifdef'ry context to ease +future downstream rebases. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ---- + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32.fdf | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc | 4 ---- + OvmfPkg/OvmfPkgX64.fdf | 1 - + 8 files changed, 20 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 35691989bd..88b65b9f59 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -785,10 +785,6 @@ + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + + !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + !endif + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf + OvmfPkg/AmdSev/Grub/Grub.inf +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 52cb301d43..325570c5a3 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -274,7 +274,6 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + INF FatPkg/EnhancedFatDxe/Fat.inf + + !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf + INF OvmfPkg/AmdSev/Grub/Grub.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 1a14d8125b..fa42d919be 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -910,10 +910,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + !endif + ShellPkg/Application/Shell/Shell.inf { + +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index bdb8bd2388..51433836d6 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -287,7 +287,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf + !endif +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index a528e35e99..ef962565f8 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -924,10 +924,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + !endif + ShellPkg/Application/Shell/Shell.inf { + +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 2bb9c91909..a50f80e1e9 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -291,7 +291,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf + !endif +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 8b4963b022..ba9f9833b0 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -922,10 +922,6 @@ + !endif + + !if $(TOOL_CHAIN_TAG) != "XCODE5" +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + !endif + ShellPkg/Application/Shell/Shell.inf { + +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 9d1dfb1cee..dd1c6eded9 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -307,7 +307,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + + !ifndef $(EXCLUDE_SHELL_FROM_FD) + !if $(TOOL_CHAIN_TAG) != "XCODE5" +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + INF ShellPkg/Application/Shell/Shell.inf + !endif +-- +2.27.0 + diff --git a/SOURCES/0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch b/SOURCES/0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch new file mode 100644 index 0000000..b113e6d --- /dev/null +++ b/SOURCES/0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch @@ -0,0 +1,55 @@ +From 74043040b2535bd098ab6089d0ec2ef19c6abeea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:46 +0200 +Subject: ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [18/19] 8f4e4007108462533e3d2050b84d8830073a7c0d +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to register a file in the shell as the initial +ramdisk for a UEFI stubbed kernel, to be booted next. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + ArmVirtPkg/ArmVirt.dsc.inc | 4 ---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 0e221c22c9..040878939b 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -380,10 +380,6 @@ + # + # UEFI application (Shell Embedded Boot Loader) + # +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/Application/Shell/Shell.inf { + + ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index add13fc39d..82b015d77d 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -98,7 +98,6 @@ READ_LOCK_STATUS = TRUE + INF OvmfPkg/VirtioRngDxe/VirtioRng.inf + + INF ShellPkg/Application/Shell/Shell.inf +- INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + + # + # Bds +-- +2.27.0 + diff --git a/SOURCES/LICENSE.qosb b/SOURCES/LICENSE.qosb new file mode 100644 index 0000000..9849381 --- /dev/null +++ b/SOURCES/LICENSE.qosb @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 Patrick Uiterwijk + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/SOURCES/RedHatSecureBootPkKek1.pem b/SOURCES/RedHatSecureBootPkKek1.pem new file mode 100644 index 0000000..d302362 --- /dev/null +++ b/SOURCES/RedHatSecureBootPkKek1.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV +BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG +9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx +MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L +RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw ++d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31 +huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B +bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr +3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x +y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID +AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy +YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww +HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD +ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c +3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N +1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol +qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw +NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL +R+SqIs/vdWGA40O3SFdzET14m2k= +-----END CERTIFICATE----- diff --git a/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch new file mode 100644 index 0000000..2a92c02 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch @@ -0,0 +1,51 @@ +From c4096f74a41bde4fc62576222e0c9622152d7701 Mon Sep 17 00:00:00 2001 +From: Pawel Polawski +Date: Tue, 4 Jan 2022 15:16:40 +0800 +Subject: [PATCH 2/2] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as + reserved + +RH-Author: Pawel Polawski +RH-MergeRequest: 10: OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved +RH-Commit: [1/1] a8f099d508e2e7b39697945acaa767c43577b1e6 (elkoniu/edk2) +RH-Bugzilla: 2041754 +RH-Acked-by: Oliver Steffen +RH-Acked-by: Gerd Hoffmann + +Mark the SEV launch secret MEMFD area as reserved, which will allow the +guest OS to use it during the lifetime of the OS, without creating +copies of the sensitive content. + +Cc: Ard Biesheuvel +Cc: Jordan Justen +Cc: Gerd Hoffmann +Cc: Brijesh Singh +Cc: Erdem Aktas +Cc: James Bottomley +Cc: Jiewen Yao +Cc: Min Xu +Cc: Tom Lendacky +Cc: Tobin Feldman-Fitzthum +Signed-off-by: Dov Murik +Acked-by: Gerd Hoffmann +Acked-by: Jiewen Yao +Reviewed-by: Brijesh Singh +--- + OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c +index db94c26b54..6bf1a55dea 100644 +--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c ++++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c +@@ -19,7 +19,7 @@ InitializeSecretPei ( + BuildMemoryAllocationHob ( + PcdGet32 (PcdSevLaunchSecretBase), + ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE), +- EfiBootServicesData ++ EfiReservedMemoryType + ); + + return EFI_SUCCESS; +-- +2.27.0 + diff --git a/SOURCES/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch b/SOURCES/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch new file mode 100644 index 0000000..44dc3e4 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch @@ -0,0 +1,158 @@ +From 0ecb863aaca8d71a35763645ced278589666ada2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:19 +0100 +Subject: [PATCH 4/6] OvmfPkg: create Tcg12ConfigPei.inf + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [4/6] 92926b9a05aaff38aab9a2aeee211be736863ab9 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Split Tcg2ConfigPei.inf into two variants: Tcg12ConfigPei.inf with +TPM 1.2 support included and Tcg2ConfigPei.inf supporting TPM 2.0 only. +This allows x86 builds to choose whenever TPM 1.2 support should be +included or not by picking the one or the other inf file. + +Switch x86 builds to Tcg12ConfigPei.inf, so they continue to +have TPM 1.2 support. + +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Stefan Berger +Tested-by: Stefan Berger +(cherry picked from commit b81938877276e808b6535e612b320eee559c4c2f) +--- + OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 2 +- + OvmfPkg/OvmfTpmPei.fdf.inc | 2 +- + OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf | 56 +++++++++++++++++++++++ + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 11 +---- + 4 files changed, 59 insertions(+), 12 deletions(-) + create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + +diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +index 99fa7c13b3..87d491da50 100644 +--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +@@ -4,7 +4,7 @@ + + !if $(TPM_ENABLE) == TRUE + OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++ OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + SecurityPkg/Tcg/TcgPei/TcgPei.inf + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { + +diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc +index 9aefd73d21..709a608cc3 100644 +--- a/OvmfPkg/OvmfTpmPei.fdf.inc ++++ b/OvmfPkg/OvmfTpmPei.fdf.inc +@@ -4,7 +4,7 @@ + + !if $(TPM_ENABLE) == TRUE + INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++INF OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + INF SecurityPkg/Tcg/TcgPei/TcgPei.inf + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf + INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf +new file mode 100644 +index 0000000000..e8e0b88e60 +--- /dev/null ++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf +@@ -0,0 +1,56 @@ ++## @file ++# Set TPM device type - supports TPM 1.2 and 2.0 ++# ++# In SecurityPkg, this module initializes the TPM device type based on a UEFI ++# variable and/or hardware detection. In OvmfPkg, the module only performs TPM ++# hardware detection. ++# ++# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
++# Copyright (C) 2018, Red Hat, Inc. ++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = Tcg2ConfigPei ++ FILE_GUID = 8AD3148F-945F-46B4-8ACD-71469EA73945 ++ MODULE_TYPE = PEIM ++ VERSION_STRING = 1.0 ++ ENTRY_POINT = Tcg2ConfigPeimEntryPoint ++ ++[Sources] ++ Tcg2ConfigPeim.c ++ Tpm12Support.h ++ Tpm12Support.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ OvmfPkg/OvmfPkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ++[LibraryClasses] ++ PeimEntryPoint ++ DebugLib ++ PeiServicesLib ++ Tpm2DeviceLib ++ BaseLib ++ Tpm12DeviceLib ++ ++[Guids] ++ gEfiTpmDeviceSelectedGuid ## PRODUCES ## GUID # Used as a PPI GUID ++ gEfiTpmDeviceInstanceTpm20DtpmGuid ## SOMETIMES_CONSUMES ++ gEfiTpmDeviceInstanceTpm12Guid ## SOMETIMES_CONSUMES ++ ++[Ppis] ++ gPeiTpmInitializationDonePpiGuid ## SOMETIMES_PRODUCES ++ ++[Pcd] ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES ++ ++[Depex.IA32, Depex.X64] ++ gOvmfTpmMmioAccessiblePpiGuid ++ ++[Depex.ARM, Depex.AARCH64] ++ gOvmfTpmDiscoveredPpiGuid +diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +index 39d1deeed1..51078c9813 100644 +--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +@@ -1,5 +1,5 @@ + ## @file +-# Set TPM device type ++# Set TPM device type - supports TPM 2.0 only + # + # In SecurityPkg, this module initializes the TPM device type based on a UEFI + # variable and/or hardware detection. In OvmfPkg, the module only performs TPM +@@ -22,11 +22,6 @@ + [Sources] + Tcg2ConfigPeim.c + Tpm12Support.h +- +-[Sources.IA32, Sources.X64] +- Tpm12Support.c +- +-[Sources.ARM, Sources.AARCH64] + Tpm12SupportNull.c + + [Packages] +@@ -41,10 +36,6 @@ + PeiServicesLib + Tpm2DeviceLib + +-[LibraryClasses.IA32, LibraryClasses.X64] +- BaseLib +- Tpm12DeviceLib +- + [Guids] + gEfiTpmDeviceSelectedGuid ## PRODUCES ## GUID # Used as a PPI GUID + gEfiTpmDeviceInstanceTpm20DtpmGuid ## SOMETIMES_CONSUMES +-- +2.27.0 + diff --git a/SOURCES/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch b/SOURCES/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch new file mode 100644 index 0000000..d77387a --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch @@ -0,0 +1,151 @@ +From 505473655db4b91e4a0ac732069968f9eddabc51 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:18 +0100 +Subject: [PATCH 3/6] OvmfPkg: drop TPM_CONFIG_ENABLE + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [3/6] be335526f74358d4af21fbd35cc7008b227ebb23 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Drop TPM_CONFIG_ENABLE config option. Including TPM support in the +build without also including the TPM configuration menu is not useful. + +Suggested-by: Stefan Berger +Signed-off-by: Gerd Hoffmann +Tested-by: Stefan Berger +(cherry picked from commit 5711ff4d0b56ff4c58dc7a780e706bc58aed2253) +--- + OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 2 -- + OvmfPkg/OvmfTpmDefines.dsc.inc | 1 - + OvmfPkg/OvmfTpmDxe.fdf.inc | 2 -- + OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 2 +- + OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml | 6 +++--- + OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++--- + OvmfPkg/PlatformCI/ReadMe.md | 2 +- + 7 files changed, 8 insertions(+), 13 deletions(-) + +diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +index d5c2586118..e025d85a58 100644 +--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +@@ -14,9 +14,7 @@ + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } +-!if $(TPM_CONFIG_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc +index 51da7508b3..5df4a331fb 100644 +--- a/OvmfPkg/OvmfTpmDefines.dsc.inc ++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc +@@ -3,4 +3,3 @@ + ## + + DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE +diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc +index 9dcdaaf01c..32eef24638 100644 +--- a/OvmfPkg/OvmfTpmDxe.fdf.inc ++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc +@@ -6,7 +6,5 @@ + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf + !endif +-!endif +diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +index 164bc9c7fc..2e02a5b4cb 100644 +--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc ++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE ++!if $(TPM_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS + !endif +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +index 7117b86b81..1774423580 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +@@ -95,21 +95,21 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_NOOPT: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "NOOPT" + Run.Flags: $(run_flags) + Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +index 2e07a3d889..09f9851312 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +@@ -94,14 +94,14 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) +@@ -112,7 +112,7 @@ jobs: + # OVMF_IA32X64_FULL_NOOPT: + # Build.File: "$(package)/PlatformCI/PlatformBuild.py" + # Build.Arch: "IA32,X64" +- # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + # Build.Target: "NOOPT" + # Run.Flags: $(run_flags) + # Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md +index 2ce9007dbe..44aa7c4a9d 100644 +--- a/OvmfPkg/PlatformCI/ReadMe.md ++++ b/OvmfPkg/PlatformCI/ReadMe.md +@@ -14,7 +14,7 @@ supported and are described below. + | IA32 | IA32 | OvmfPkgIa32.dsc | None | + | X64 | X64 | OvmfPkgIa64.dsc | None | + | IA32 X64 | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | None | +-| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | ++| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | + + ## EDK2 Developer environment + +-- +2.27.0 + diff --git a/SOURCES/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch b/SOURCES/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch new file mode 100644 index 0000000..cc6af03 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch @@ -0,0 +1,993 @@ +From 02544e617ce4dfffff15dab47463484ccdc9a51f Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:17 +0100 +Subject: [PATCH 2/6] OvmfPkg: move tcg configuration to dsc and fdf include + files + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [2/6] d811b2cf266baa0fa3f958af0b80bb208f3fe27c (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +With this in place the tpm configuration is not duplicated for each of +our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is +easier to keep them all in sync when updating the tpm configuration. + +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Stefan Berger +(cherry picked from commit b47575801e1903e8b316d01840572ce2681cf2c6) + +[ kraxel: solve conflict in OvmfPkg/AmdSev/AmdSevX64.dsc ] +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 85 ++++----------------------- + OvmfPkg/AmdSev/AmdSevX64.fdf | 17 +----- + OvmfPkg/OvmfPkgIa32.dsc | 88 ++++------------------------ + OvmfPkg/OvmfPkgIa32.fdf | 17 +----- + OvmfPkg/OvmfPkgIa32X64.dsc | 85 ++++----------------------- + OvmfPkg/OvmfPkgIa32X64.fdf | 17 +----- + OvmfPkg/OvmfPkgX64.dsc | 85 ++++----------------------- + OvmfPkg/OvmfPkgX64.fdf | 17 +----- + OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++ + OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++ + OvmfPkg/OvmfTpmDefines.dsc.inc | 6 ++ + OvmfPkg/OvmfTpmDxe.fdf.inc | 12 ++++ + OvmfPkg/OvmfTpmLibs.dsc.inc | 14 +++++ + OvmfPkg/OvmfTpmLibsDxe.dsc.inc | 8 +++ + OvmfPkg/OvmfTpmLibsPeim.dsc.inc | 9 +++ + OvmfPkg/OvmfTpmPcds.dsc.inc | 7 +++ + OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 8 +++ + OvmfPkg/OvmfTpmPei.fdf.inc | 11 ++++ + OvmfPkg/OvmfTpmSecurityStub.dsc.inc | 8 +++ + 19 files changed, 185 insertions(+), 359 deletions(-) + create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc + create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc + create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 88b65b9f59..8610602ddb 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -32,8 +32,8 @@ + # -D FLAG=VALUE + # + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE ++ ++!include OvmfPkg/OvmfTpmDefines.dsc.inc + + # + # Shell can be useful for debugging but should not be enabled for production +@@ -203,16 +203,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -286,11 +277,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -371,10 +358,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -576,15 +561,10 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -625,24 +605,7 @@ + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + OvmfPkg/AmdSev/SecretPei/SecretPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + # + # DXE Phase modules +@@ -664,10 +627,7 @@ + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +-!endif ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + } + + OvmfPkg/8259InterruptControllerDxe/8259.inf +@@ -830,27 +790,4 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 325570c5a3..3f2329dab4 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -156,13 +156,7 @@ INF UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf + INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf + INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf + +-!if $(TPM_ENABLE) == TRUE +-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf +-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +-!endif ++!include OvmfPkg/OvmfTpmPei.fdf.inc + + ################################################################################ + +@@ -311,14 +305,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE +-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +-!endif ++!include OvmfPkg/OvmfTpmDxe.fdf.inc + + ################################################################################ + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index fa42d919be..904176ccfc 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -32,10 +32,10 @@ + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE + DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE + ++!include OvmfPkg/OvmfTpmDefines.dsc.inc ++ + # + # Network definition + # +@@ -229,16 +229,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -309,11 +300,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -401,10 +388,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -643,19 +628,14 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + # IPv4 and IPv6 PXE Boot support. + gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 + gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -705,24 +685,7 @@ + !endif + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + # + # DXE Phase modules +@@ -747,10 +710,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + !endif +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +-!endif ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + } + + OvmfPkg/8259InterruptControllerDxe/8259.inf +@@ -1004,31 +964,5 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc + +-!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE +- OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf +-!endif +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 51433836d6..8ba9ffc83e 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -161,13 +161,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf + !endif + INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf +-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +-!endif ++!include OvmfPkg/OvmfTpmPei.fdf.inc + + ################################################################################ + +@@ -353,14 +347,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE +-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +-!endif ++!include OvmfPkg/OvmfTpmDxe.fdf.inc + + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE + INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index ef962565f8..aebd8980e4 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -32,8 +32,8 @@ + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE ++ ++!include OvmfPkg/OvmfTpmDefines.dsc.inc + + # + # Network definition +@@ -233,16 +233,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -313,11 +304,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -405,10 +392,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -655,9 +640,7 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + [PcdsDynamicDefault.X64] + # IPv4 and IPv6 PXE Boot support. +@@ -665,10 +648,7 @@ + gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -718,24 +698,7 @@ + !endif + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + [Components.X64] + # +@@ -761,10 +724,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + !endif +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +-!endif ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + } + + OvmfPkg/8259InterruptControllerDxe/8259.inf +@@ -1019,27 +979,4 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index a50f80e1e9..65d2600016 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -164,13 +164,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf + !endif + INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf +-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +-!endif ++!include OvmfPkg/OvmfTpmPei.fdf.inc + + ################################################################################ + +@@ -363,14 +357,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE +-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +-!endif ++!include OvmfPkg/OvmfTpmDxe.fdf.inc + + ################################################################################ + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index ba9f9833b0..e85ac3d682 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -32,8 +32,8 @@ + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE ++ ++!include OvmfPkg/OvmfTpmDefines.dsc.inc + + # + # Network definition +@@ -233,16 +233,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -315,11 +306,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -407,10 +394,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -655,19 +640,14 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + # IPv4 and IPv6 PXE Boot support. + gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 + gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -717,24 +697,7 @@ + !endif + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + # + # DXE Phase modules +@@ -758,10 +721,7 @@ + + !if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +-!endif +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + !endif + } + +@@ -1017,27 +977,4 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index dd1c6eded9..e5cbae2073 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -180,13 +180,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf + !endif + INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf +-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +-!endif ++!include OvmfPkg/OvmfTpmPei.fdf.inc + + ################################################################################ + +@@ -379,14 +373,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE +-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +-!endif ++!include OvmfPkg/OvmfTpmDxe.fdf.inc + + ################################################################################ + +diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +new file mode 100644 +index 0000000000..d5c2586118 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +@@ -0,0 +1,28 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { ++ ++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf ++ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf ++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf ++ } ++!if $(TPM_CONFIG_ENABLE) == TRUE ++ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf ++!endif ++ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { ++ ++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf ++ } ++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { ++ ++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++ } ++!endif +diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +new file mode 100644 +index 0000000000..99fa7c13b3 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +@@ -0,0 +1,22 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++ SecurityPkg/Tcg/TcgPei/TcgPei.inf ++ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { ++ ++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf ++ } ++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { ++ ++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++ } ++!endif +diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc +new file mode 100644 +index 0000000000..51da7508b3 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc +@@ -0,0 +1,6 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++ DEFINE TPM_ENABLE = FALSE ++ DEFINE TPM_CONFIG_ENABLE = FALSE +diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc +new file mode 100644 +index 0000000000..9dcdaaf01c +--- /dev/null ++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc +@@ -0,0 +1,12 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf ++INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf ++!if $(TPM_CONFIG_ENABLE) == TRUE ++INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf ++!endif ++!endif +diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc +new file mode 100644 +index 0000000000..50100f2c03 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmLibs.dsc.inc +@@ -0,0 +1,14 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf ++ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf ++ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf ++ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf ++ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf ++!else ++ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf ++!endif +diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc +new file mode 100644 +index 0000000000..67d5027aba +--- /dev/null ++++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc +@@ -0,0 +1,8 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf ++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf ++!endif +diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc +new file mode 100644 +index 0000000000..4e84e3dcaa +--- /dev/null ++++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc +@@ -0,0 +1,9 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf ++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf ++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf ++!endif +diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc +new file mode 100644 +index 0000000000..0e7f83c04b +--- /dev/null ++++ b/OvmfPkg/OvmfTpmPcds.dsc.inc +@@ -0,0 +1,7 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} ++!endif +diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +new file mode 100644 +index 0000000000..164bc9c7fc +--- /dev/null ++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +@@ -0,0 +1,8 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE ++ gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS ++!endif +diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc +new file mode 100644 +index 0000000000..9aefd73d21 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmPei.fdf.inc +@@ -0,0 +1,11 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf ++INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++INF SecurityPkg/Tcg/TcgPei/TcgPei.inf ++INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf ++INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf ++!endif +diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc +new file mode 100644 +index 0000000000..4bd4066843 +--- /dev/null ++++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc +@@ -0,0 +1,8 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(TPM_ENABLE) == TRUE ++ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf ++ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf ++!endif +-- +2.27.0 + diff --git a/SOURCES/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch b/SOURCES/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch new file mode 100644 index 0000000..6920cec --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch @@ -0,0 +1,33 @@ +From 9948bb7e9e693b4add121964ec724d4db09df352 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:16 +0100 +Subject: [PATCH 1/6] OvmfPkg: remove unused TPM options from MicrovmX64.dsc + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [1/6] cce6ba5501b413c0eb87ac452a53818e68dfa630 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 3a72ec71cd83f0f5ad2f1d3c78527f4b247da75f) +--- + OvmfPkg/Microvm/MicrovmX64.dsc | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc +index 617f925395..c58c4c35d4 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.dsc ++++ b/OvmfPkg/Microvm/MicrovmX64.dsc +@@ -32,8 +32,6 @@ + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE + + # + # Network definition +-- +2.27.0 + diff --git a/SOURCES/edk2-OvmfPkg-rework-TPM-configuration.patch b/SOURCES/edk2-OvmfPkg-rework-TPM-configuration.patch new file mode 100644 index 0000000..6843741 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-rework-TPM-configuration.patch @@ -0,0 +1,293 @@ +From 5787adaccb16e4af7df661d6c7eb3197c7f14218 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:20 +0100 +Subject: [PATCH 5/6] OvmfPkg: rework TPM configuration + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [5/6] 81ed86c6993e8cca4fabf5f471e198134b907562 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the +ArmVirtPkg config option name. + +Add separate TPM1_ENABLE option for TPM 1.2 support. + +Signed-off-by: Gerd Hoffmann +Tested-by: Stefan Berger +(cherry picked from commit 4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5) +--- + OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 4 +++- + OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 6 +++++- + OvmfPkg/OvmfTpmDefines.dsc.inc | 5 ++++- + OvmfPkg/OvmfTpmDxe.fdf.inc | 4 +++- + OvmfPkg/OvmfTpmLibs.dsc.inc | 4 +++- + OvmfPkg/OvmfTpmLibsDxe.dsc.inc | 4 +++- + OvmfPkg/OvmfTpmLibsPeim.dsc.inc | 4 +++- + OvmfPkg/OvmfTpmPcds.dsc.inc | 2 +- + OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 2 +- + OvmfPkg/OvmfTpmPei.fdf.inc | 6 +++++- + OvmfPkg/OvmfTpmSecurityStub.dsc.inc | 4 +++- + OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml | 6 +++--- + OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++--- + OvmfPkg/PlatformCI/ReadMe.md | 2 +- + 14 files changed, 41 insertions(+), 18 deletions(-) + +diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +index e025d85a58..75ae09571e 100644 +--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +@@ -15,10 +15,12 @@ + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf ++!if $(TPM1_ENABLE) == TRUE + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf + } ++!endif + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +index 87d491da50..fa486eed82 100644 +--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +@@ -2,10 +2,14 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf ++!if $(TPM1_ENABLE) == TRUE + OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + SecurityPkg/Tcg/TcgPei/TcgPei.inf ++!else ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++!endif + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { + + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc +index 5df4a331fb..a65564d8d9 100644 +--- a/OvmfPkg/OvmfTpmDefines.dsc.inc ++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc +@@ -2,4 +2,7 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +- DEFINE TPM_ENABLE = FALSE ++ DEFINE TPM2_ENABLE = FALSE ++ ++ # has no effect unless TPM2_ENABLE == TRUE ++ DEFINE TPM1_ENABLE = TRUE +diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc +index 32eef24638..7fc2bf8590 100644 +--- a/OvmfPkg/OvmfTpmDxe.fdf.inc ++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc +@@ -2,8 +2,10 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE ++!if $(TPM1_ENABLE) == TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf ++!endif + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc +index 50100f2c03..418747b134 100644 +--- a/OvmfPkg/OvmfTpmLibs.dsc.inc ++++ b/OvmfPkg/OvmfTpmLibs.dsc.inc +@@ -2,8 +2,10 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE ++!if $(TPM1_ENABLE) == TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf ++!endif + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc +index 67d5027aba..1d66cdac77 100644 +--- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc ++++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc +@@ -2,7 +2,9 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE ++!if $(TPM1_ENABLE) == TRUE + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf ++!endif + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + !endif +diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc +index 4e84e3dcaa..03caccd7c6 100644 +--- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc ++++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc +@@ -2,8 +2,10 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf ++!if $(TPM1_ENABLE) == TRUE + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf ++!endif + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf + !endif +diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc +index 0e7f83c04b..0d55d62737 100644 +--- a/OvmfPkg/OvmfTpmPcds.dsc.inc ++++ b/OvmfPkg/OvmfTpmPcds.dsc.inc +@@ -2,6 +2,6 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} + !endif +diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +index 2e02a5b4cb..e842253235 100644 +--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc ++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS + !endif +diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc +index 709a608cc3..9f8b9bdd5b 100644 +--- a/OvmfPkg/OvmfTpmPei.fdf.inc ++++ b/OvmfPkg/OvmfTpmPei.fdf.inc +@@ -2,10 +2,14 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE + INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf ++!if $(TPM1_ENABLE) == TRUE + INF OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + INF SecurityPkg/Tcg/TcgPei/TcgPei.inf ++!else ++INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++!endif + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf + INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf + !endif +diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc +index 4bd4066843..e9ab2fca7b 100644 +--- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc ++++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc +@@ -2,7 +2,9 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE ++!if $(TPM2_ENABLE) == TRUE ++!if $(TPM1_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf ++!endif + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf + !endif +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +index 1774423580..8df31298f5 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +@@ -95,21 +95,21 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_NOOPT: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "NOOPT" + Run.Flags: $(run_flags) + Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +index 09f9851312..68b5d951e9 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +@@ -94,14 +94,14 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) +@@ -112,7 +112,7 @@ jobs: + # OVMF_IA32X64_FULL_NOOPT: + # Build.File: "$(package)/PlatformCI/PlatformBuild.py" + # Build.Arch: "IA32,X64" +- # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + # Build.Target: "NOOPT" + # Run.Flags: $(run_flags) + # Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md +index 44aa7c4a9d..1216dee126 100644 +--- a/OvmfPkg/PlatformCI/ReadMe.md ++++ b/OvmfPkg/PlatformCI/ReadMe.md +@@ -14,7 +14,7 @@ supported and are described below. + | IA32 | IA32 | OvmfPkgIa32.dsc | None | + | X64 | X64 | OvmfPkgIa64.dsc | None | + | IA32 X64 | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | None | +-| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | ++| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | + + ## EDK2 Developer environment + +-- +2.27.0 + diff --git a/SOURCES/edk2-aarch64-verbose.json b/SOURCES/edk2-aarch64-verbose.json new file mode 100644 index 0000000..ceec878 --- /dev/null +++ b/SOURCES/edk2-aarch64-verbose.json @@ -0,0 +1,31 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines, verbose logs", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff --git a/SOURCES/edk2-aarch64.json b/SOURCES/edk2-aarch64.json new file mode 100644 index 0000000..c5a73cb --- /dev/null +++ b/SOURCES/edk2-aarch64.json @@ -0,0 +1,31 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/SOURCES/edk2-ovmf-amdsev.json b/SOURCES/edk2-ovmf-amdsev.json new file mode 100644 index 0000000..a5fbf85 --- /dev/null +++ b/SOURCES/edk2-ovmf-amdsev.json @@ -0,0 +1,30 @@ +{ + "description": "OVMF with SEV-ES support", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "stateless", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-rhel8.5.0" + ] + } + ], + "features": [ + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SOURCES/edk2-ovmf-cc.json b/SOURCES/edk2-ovmf-cc.json new file mode 100644 index 0000000..2e52745 --- /dev/null +++ b/SOURCES/edk2-ovmf-cc.json @@ -0,0 +1,33 @@ +{ + "description": "OVMF with SEV-ES support", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.cc.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-rhel8.5.0" + ] + } + ], + "features": [ + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SOURCES/edk2-ovmf-sb.json b/SOURCES/edk2-ovmf-sb.json new file mode 100644 index 0000000..a0203e8 --- /dev/null +++ b/SOURCES/edk2-ovmf-sb.json @@ -0,0 +1,36 @@ +{ + "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "enrolled-keys", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SOURCES/edk2-ovmf.json b/SOURCES/edk2-ovmf.json new file mode 100644 index 0000000..74d00e3 --- /dev/null +++ b/SOURCES/edk2-ovmf.json @@ -0,0 +1,35 @@ +{ + "description": "OVMF with SB+SMM, empty varstore", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SOURCES/ovmf-vars-generator b/SOURCES/ovmf-vars-generator new file mode 100755 index 0000000..111e438 --- /dev/null +++ b/SOURCES/ovmf-vars-generator @@ -0,0 +1,295 @@ +#!/bin/python3 +# Copyright (C) 2017 Red Hat +# Authors: +# - Patrick Uiterwijk +# - Kashyap Chamarthy +# +# Licensed under MIT License, for full text see LICENSE +# +# Purpose: Launch a QEMU guest and enroll ithe UEFI keys into an OVMF +# variables ("VARS") file. Then boot a Linux kernel with QEMU. +# Finally, perform a check to verify if Secure Boot +# is enabled. + +from __future__ import print_function + +import argparse +import os +import logging +import tempfile +import shutil +import string +import subprocess + + +def strip_special(line): + return ''.join([c for c in str(line) if c in string.printable]) + + +def generate_qemu_cmd(args, readonly, *extra_args): + if args.disable_smm: + machinetype = 'pc' + else: + machinetype = 'q35,smm=on' + machinetype += ',accel=%s' % ('kvm' if args.enable_kvm else 'tcg') + + if args.oem_string is None: + oemstrings = [] + else: + oemstring_values = [ + ",value=" + s.replace(",", ",,") for s in args.oem_string ] + oemstrings = [ + '-smbios', + "type=11" + ''.join(oemstring_values) ] + + return [ + args.qemu_binary, + '-machine', machinetype, + '-display', 'none', + '-no-user-config', + '-nodefaults', + '-m', '768', + '-smp', '2,sockets=2,cores=1,threads=1', + '-chardev', 'pty,id=charserial1', + '-device', 'isa-serial,chardev=charserial1,id=serial1', + '-global', 'driver=cfi.pflash01,property=secure,value=%s' % ( + 'off' if args.disable_smm else 'on'), + '-drive', + 'file=%s,if=pflash,format=raw,unit=0,readonly=on' % ( + args.ovmf_binary), + '-drive', + 'file=%s,if=pflash,format=raw,unit=1,readonly=%s' % ( + args.out_temp, 'on' if readonly else 'off'), + '-serial', 'stdio'] + oemstrings + list(extra_args) + + +def download(url, target, suffix, no_download): + istemp = False + if target and os.path.exists(target): + return target, istemp + if not target: + temped = tempfile.mkstemp(prefix='qosb.', suffix='.%s' % suffix) + os.close(temped[0]) + target = temped[1] + istemp = True + if no_download: + raise Exception('%s did not exist, but downloading was disabled' % + target) + import requests + logging.debug('Downloading %s to %s', url, target) + r = requests.get(url, stream=True) + with open(target, 'wb') as f: + for chunk in r.iter_content(chunk_size=1024): + if chunk: + f.write(chunk) + return target, istemp + + +def enroll_keys(args): + shutil.copy(args.ovmf_template_vars, args.out_temp) + + logging.info('Starting enrollment') + + cmd = generate_qemu_cmd( + args, + False, + '-drive', + 'file=%s,format=raw,if=none,media=cdrom,id=drive-cd1,' + 'readonly=on' % args.uefi_shell_iso, + '-device', + 'ide-cd,drive=drive-cd1,id=cd1,' + 'bootindex=1') + p = subprocess.Popen(cmd, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT) + logging.info('Performing enrollment') + # Wait until the UEFI shell starts (first line is printed) + read = p.stdout.readline() + if b'char device redirected' in read: + read = p.stdout.readline() + # Skip passed QEMU warnings, like the following one we see in Ubuntu: + # qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5] + while b'qemu-system-x86_64: warning:' in read: + read = p.stdout.readline() + if args.print_output: + print(strip_special(read), end='') + print() + # Send the escape char to enter the UEFI shell early + p.stdin.write(b'\x1b') + p.stdin.flush() + # And then run the following three commands from the UEFI shell: + # change into the first file system device; install the default + # keys and certificates, and reboot + p.stdin.write(b'fs0:\r\n') + p.stdin.write(b'EnrollDefaultKeys.efi\r\n') + p.stdin.write(b'reset -s\r\n') + p.stdin.flush() + while True: + read = p.stdout.readline() + if args.print_output: + print('OUT: %s' % strip_special(read), end='') + print() + if b'info: success' in read: + break + p.wait() + if args.print_output: + print(strip_special(p.stdout.read()), end='') + logging.info('Finished enrollment') + + +def test_keys(args): + logging.info('Grabbing test kernel') + kernel, kerneltemp = download(args.kernel_url, args.kernel_path, + 'kernel', args.no_download) + + logging.info('Starting verification') + try: + cmd = generate_qemu_cmd( + args, + True, + '-append', 'console=tty0 console=ttyS0,115200n8', + '-kernel', kernel) + p = subprocess.Popen(cmd, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT) + logging.info('Performing verification') + while True: + read = p.stdout.readline() + if args.print_output: + print('OUT: %s' % strip_special(read), end='') + print() + if b'Secure boot disabled' in read: + raise Exception('Secure Boot was disabled') + elif b'Secure boot enabled' in read: + logging.info('Confirmed: Secure Boot is enabled') + break + elif b'Kernel is locked down from EFI secure boot' in read: + logging.info('Confirmed: Secure Boot is enabled') + break + p.kill() + if args.print_output: + print(strip_special(p.stdout.read()), end='') + logging.info('Finished verification') + finally: + if kerneltemp: + os.remove(kernel) + + +def parse_args(): + parser = argparse.ArgumentParser() + parser.add_argument('output', help='Filename for output vars file') + parser.add_argument('--out-temp', help=argparse.SUPPRESS) + parser.add_argument('--force', help='Overwrite existing output file', + action='store_true') + parser.add_argument('--print-output', help='Print the QEMU guest output', + action='store_true') + parser.add_argument('--verbose', '-v', help='Increase verbosity', + action='count') + parser.add_argument('--quiet', '-q', help='Decrease verbosity', + action='count') + parser.add_argument('--qemu-binary', help='QEMU binary path', + default='/usr/bin/qemu-system-x86_64') + parser.add_argument('--enable-kvm', help='Enable KVM acceleration', + action='store_true') + parser.add_argument('--ovmf-binary', help='OVMF secureboot code file', + default='/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd') + parser.add_argument('--ovmf-template-vars', help='OVMF empty vars file', + default='/usr/share/edk2/ovmf/OVMF_VARS.fd') + parser.add_argument('--uefi-shell-iso', help='Path to uefi shell iso', + default='/usr/share/edk2/ovmf/UefiShell.iso') + parser.add_argument('--skip-enrollment', + help='Skip enrollment, only test', action='store_true') + parser.add_argument('--skip-testing', + help='Skip testing generated "VARS" file', + action='store_true') + parser.add_argument('--kernel-path', + help='Specify a consistent path for kernel') + parser.add_argument('--no-download', action='store_true', + help='Never download a kernel') + parser.add_argument('--fedora-version', + help='Fedora version to get kernel for checking', + default='27') + parser.add_argument('--kernel-url', help='Kernel URL', + default='https://download.fedoraproject.org/pub/fedora' + '/linux/releases/%(version)s/Everything/x86_64' + '/os/images/pxeboot/vmlinuz') + parser.add_argument('--disable-smm', + help=('Don\'t restrict varstore pflash writes to ' + 'guest code that executes in SMM. Use this ' + 'option only if your OVMF binary doesn\'t have ' + 'the edk2 SMM driver stack built into it ' + '(possibly because your QEMU binary lacks SMM ' + 'emulation). Note that without restricting ' + 'varstore pflash writes to guest code that ' + 'executes in SMM, a malicious guest kernel, ' + 'used for testing, could undermine Secure ' + 'Boot.'), + action='store_true') + parser.add_argument('--oem-string', + help=('Pass the argument to the guest as a string in ' + 'the SMBIOS Type 11 (OEM Strings) table. ' + 'Multiple occurrences of this option are ' + 'collected into a single SMBIOS Type 11 table. ' + 'A pure ASCII string argument is strongly ' + 'suggested.'), + action='append') + args = parser.parse_args() + args.kernel_url = args.kernel_url % {'version': args.fedora_version} + + validate_args(args) + return args + + +def validate_args(args): + if (os.path.exists(args.output) + and not args.force + and not args.skip_enrollment): + raise Exception('%s already exists' % args.output) + + if args.skip_enrollment and not os.path.exists(args.output): + raise Exception('%s does not yet exist' % args.output) + + verbosity = (args.verbose or 1) - (args.quiet or 0) + if verbosity >= 2: + logging.basicConfig(level=logging.DEBUG) + elif verbosity == 1: + logging.basicConfig(level=logging.INFO) + elif verbosity < 0: + logging.basicConfig(level=logging.ERROR) + else: + logging.basicConfig(level=logging.WARN) + + if args.skip_enrollment: + args.out_temp = args.output + else: + temped = tempfile.mkstemp(prefix='qosb.', suffix='.vars') + os.close(temped[0]) + args.out_temp = temped[1] + logging.debug('Temp output: %s', args.out_temp) + + +def move_to_dest(args): + shutil.copy(args.out_temp, args.output) + os.remove(args.out_temp) + + +def main(): + args = parse_args() + if not args.skip_enrollment: + enroll_keys(args) + if not args.skip_testing: + test_keys(args) + if not args.skip_enrollment: + move_to_dest(args) + if args.skip_testing: + logging.info('Created %s' % args.output) + else: + logging.info('Created and verified %s' % args.output) + else: + logging.info('Verified %s', args.output) + + +if __name__ == '__main__': + main() diff --git a/SOURCES/ovmf-whitepaper-c770f8c.txt b/SOURCES/ovmf-whitepaper-c770f8c.txt new file mode 100644 index 0000000..ba727b4 --- /dev/null +++ b/SOURCES/ovmf-whitepaper-c770f8c.txt @@ -0,0 +1,2422 @@ +Open Virtual Machine Firmware (OVMF) Status Report +July 2014 (with updates in August 2014 - January 2015) + +Author: Laszlo Ersek +Copyright (C) 2014-2015, Red Hat, Inc. +CC BY-SA 4.0 + +Abstract +-------- + +The Unified Extensible Firmware Interface (UEFI) is a specification that +defines a software interface between an operating system and platform firmware. +UEFI is designed to replace the Basic Input/Output System (BIOS) firmware +interface. + +Hardware platform vendors have been increasingly adopting the UEFI +Specification to govern their boot firmware developments. OVMF (Open Virtual +Machine Firmware), a sub-project of Intel's EFI Development Kit II (edk2), +enables UEFI support for Ia32 and X64 Virtual Machines. + +This paper reports on the status of the OVMF project, treats features and +limitations, gives end-user hints, and examines some areas in-depth. + +Keywords: ACPI, boot options, CSM, edk2, firmware, flash, fw_cfg, KVM, memory +map, non-volatile variables, OVMF, PCD, QEMU, reset vector, S3, Secure Boot, +Smbios, SMM, TianoCore, UEFI, VBE shim, Virtio + +Table of Contents +----------------- + +- Motivation +- Scope +- Example qemu invocation +- Installation of OVMF guests with virt-manager and virt-install +- Supported guest operating systems +- Compatibility Support Module (CSM) +- Phases of the boot process +- Project structure +- Platform Configuration Database (PCD) +- Firmware image structure +- S3 (suspend to RAM and resume) +- A comprehensive memory map of OVMF +- Known Secure Boot limitations +- Variable store and LockBox in SMRAM +- Select features + - X64-specific reset vector for OVMF + - Client library for QEMU's firmware configuration interface + - Guest ACPI tables + - Guest SMBIOS tables + - Platform-specific boot policy + - Virtio drivers + - Platform Driver + - Video driver +- Afterword + +Motivation +---------- + +OVMF extends the usual benefits of virtualization to UEFI. Reasons to use OVMF +include: + +- Legacy-free guests. A UEFI-based environment eliminates dependencies on + legacy address spaces and devices. This is especially beneficial when used + with physically assigned devices where the legacy operating mode is + troublesome to support, ex. assigned graphics cards operating in legacy-free, + non-VGA mode in the guest. + +- Future proof guests. The x86 market is steadily moving towards a legacy-free + platform and guest operating systems may eventually require a UEFI + environment. OVMF provides that next generation firmware support for such + applications. + +- GUID partition tables (GPTs). MBR partition tables represent partition + offsets and sizes with 32-bit integers, in units of 512 byte sectors. This + limits the addressable portion of the disk to 2 TB. GPT represents logical + block addresses with 64 bits. + +- Liberating boot loader binaries from residing in contested and poorly defined + space between the partition table and the partitions. + +- Support for booting off disks (eg. pass-through physical SCSI devices) with a + 4kB physical and logical sector size, i.e. which don't have 512-byte block + emulation. + +- Development and testing of Secure Boot-related features in guest operating + systems. Although OVMF's Secure Boot implementation is currently not secure + against malicious UEFI drivers, UEFI applications, and guest kernels, + trusted guest code that only uses standard UEFI interfaces will find a valid + Secure Boot environment under OVMF, with working key enrollment and signature + validation. This enables development and testing of portable, Secure + Boot-related guest code. + +- Presence of non-volatile UEFI variables. This furthers development and + testing of OS installers, UEFI boot loaders, and unique, dependent guest OS + features. For example, an efivars-backed pstore (persistent storage) + file system works under Linux. + +- Altogether, a near production-level UEFI environment for virtual machines + when Secure Boot is not required. + +Scope +----- + +UEFI and especially Secure Boot have been topics fraught with controversy and +political activism. This paper sidesteps these aspects and strives to focus on +use cases, hands-on information for end users, and technical details. + +Unless stated otherwise, the expression "X supports Y" means "X is technically +compatible with interfaces provided or required by Y". It does not imply +support as an activity performed by natural persons or companies. + +We discuss the status of OVMF at a state no earlier than edk2 SVN revision +16158. The paper concentrates on upstream projects and communities, but +occasionally it pans out about OVMF as it is planned to be shipped (as +Technical Preview) in Red Hat Enterprise Linux 7.1. Such digressions are marked +with the [RHEL] margin notation. + +Although other VMMs and accelerators are known to support (or plan to support) +OVMF to various degrees -- for example, VirtualBox, Xen, BHyVe --, we'll +emphasize OVMF on qemu/KVM, because QEMU and KVM have always been Red Hat's +focus wrt. OVMF. + +The recommended upstream QEMU version is 2.1+. The recommended host Linux +kernel (KVM) version is 3.10+. The recommended QEMU machine type is +"qemu-system-x86_64 -M pc-i440fx-2.1" or later. + +The term "TianoCore" is used interchangeably with "edk2" in this paper. + +Example qemu invocation +----------------------- + +The following commands give a quick foretaste of installing a UEFI operating +system on OVMF, relying only on upstream edk2 and qemu. + +- Clone and build OVMF: + + git clone https://github.com/tianocore/edk2.git + cd edk2 + nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN) + + (Note that this ad-hoc build will not include the Secure Boot feature.) + +- The build output file, "OVMF.fd", includes not only the executable firmware + code, but the non-volatile variable store as well. For this reason, make a + VM-specific copy of the build output (the variable store should be private to + the virtual machine): + + cp Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd fedora.flash + + (The variable store and the firmware executable are also available in the + build output as separate files: "OVMF_VARS.fd" and "OVMF_CODE.fd". This + enables central management and updates of the firmware executable, while each + virtual machine can retain its own variable store.) + +- Download a Fedora LiveCD: + + wget https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Xfce-x86_64-20-1.iso + +- Create a virtual disk (qcow2 format, 20 GB in size): + + qemu-img create -f qcow2 fedora.img 20G + +- Create the following qemu wrapper script under the name "fedora.sh": + + # Basic virtual machine properties: a recent i440fx machine type, KVM + # acceleration, 2048 MB RAM, two VCPUs. + OPTS="-M pc-i440fx-2.1 -enable-kvm -m 2048 -smp 2" + + # The OVMF binary, including the non-volatile variable store, appears as a + # "normal" qemu drive on the host side, and it is exposed to the guest as a + # persistent flash device. + OPTS="$OPTS -drive if=pflash,format=raw,file=fedora.flash" + + # The hard disk is exposed to the guest as a virtio-block device. OVMF has a + # driver stack that supports such a disk. We specify this disk as first boot + # option. OVMF recognizes the boot order specification. + OPTS="$OPTS -drive id=disk0,if=none,format=qcow2,file=fedora.img" + OPTS="$OPTS -device virtio-blk-pci,drive=disk0,bootindex=0" + + # The Fedora installer disk appears as an IDE CD-ROM in the guest. This is + # the 2nd boot option. + OPTS="$OPTS -drive id=cd0,if=none,format=raw,readonly" + OPTS="$OPTS,file=Fedora-Live-Xfce-x86_64-20-1.iso" + OPTS="$OPTS -device ide-cd,bus=ide.1,drive=cd0,bootindex=1" + + # The following setting enables S3 (suspend to RAM). OVMF supports S3 + # suspend/resume. + OPTS="$OPTS -global PIIX4_PM.disable_s3=0" + + # OVMF emits a number of info / debug messages to the QEMU debug console, at + # ioport 0x402. We configure qemu so that the debug console is indeed + # available at that ioport. We redirect the host side of the debug console to + # a file. + OPTS="$OPTS -global isa-debugcon.iobase=0x402 -debugcon file:fedora.ovmf.log" + + # QEMU accepts various commands and queries from the user on the monitor + # interface. Connect the monitor with the qemu process's standard input and + # output. + OPTS="$OPTS -monitor stdio" + + # A USB tablet device in the guest allows for accurate pointer tracking + # between the host and the guest. + OPTS="$OPTS -device piix3-usb-uhci -device usb-tablet" + + # Provide the guest with a virtual network card (virtio-net). + # + # Normally, qemu provides the guest with a UEFI-conformant network driver + # from the iPXE project, in the form of a PCI expansion ROM. For this test, + # we disable the expansion ROM and allow OVMF's built-in virtio-net driver to + # take effect. + # + # On the host side, we use the SLIRP ("user") network backend, which has + # relatively low performance, but it doesn't require extra privileges from + # the user executing qemu. + OPTS="$OPTS -netdev id=net0,type=user" + OPTS="$OPTS -device virtio-net-pci,netdev=net0,romfile=" + + # A Spice QXL GPU is recommended as the primary VGA-compatible display + # device. It is a full-featured virtual video card, with great operating + # system driver support. OVMF supports it too. + OPTS="$OPTS -device qxl-vga" + + qemu-system-x86_64 $OPTS + +- Start the Fedora guest: + + sh fedora.sh + +- The above command can be used for both installation and later boots of the + Fedora guest. + +- In order to verify basic OVMF network connectivity: + + - Assuming that the non-privileged user running qemu belongs to group G + (where G is a numeric identifier), ensure as root on the host that the + group range in file "/proc/sys/net/ipv4/ping_group_range" includes G. + + - As the non-privileged user, boot the guest as usual. + + - On the TianoCore splash screen, press ESC. + + - Navigate to Boot Manager | EFI Internal Shell + + - In the UEFI Shell, issue the following commands: + + ifconfig -s eth0 dhcp + ping A.B.C.D + + where A.B.C.D is a public IPv4 address in dotted decimal notation that your + host can reach. + + - Type "quit" at the (qemu) monitor prompt. + +Installation of OVMF guests with virt-manager and virt-install +-------------------------------------------------------------- + +(1) Assuming OVMF has been installed on the host with the following files: + - /usr/share/OVMF/OVMF_CODE.fd + - /usr/share/OVMF/OVMF_VARS.fd + + locate the "nvram" stanza in "/etc/libvirt/qemu.conf", and edit it as + follows: + + nvram = [ "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd" ] + +(2) Restart libvirtd with your Linux distribution's service management tool; + for example, + + systemctl restart libvirtd + +(3) In virt-manager, proceed with the guest installation as usual: + - select File | New Virtual Machine, + - advance to Step 5 of 5, + - in Step 5, check "Customize configuration before install", + - click Finish; + - in the customization dialog, select Overview | Firmware, and choose UEFI, + - click Apply and Begin Installation. + +(4) With virt-install: + + LDR="loader=/usr/share/OVMF/OVMF_CODE.fd,loader_ro=yes,loader_type=pflash" + virt-install \ + --name fedora20 \ + --memory 2048 \ + --vcpus 2 \ + --os-variant fedora20 \ + --boot hd,cdrom,$LDR \ + --disk size=20 \ + --disk path=Fedora-Live-Xfce-x86_64-20-1.iso,device=cdrom,bus=scsi + +(5) A popular, distribution-independent, bleeding-edge OVMF package is + available under , courtesy of Gerd Hoffmann. + + The "edk2.git-ovmf-x64" package provides the following files, among others: + - /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd + - /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd + + When using this package, adapt steps (1) and (4) accordingly. + +(6) Additionally, the "edk2.git-ovmf-x64" package seeks to simplify the + enablement of Secure Boot in a virtual machine (strictly for development + and testing purposes). + + - Boot the virtual machine off the CD-ROM image called + "/usr/share/edk2.git/ovmf-x64/UefiShell.iso"; before or after installing + the main guest operating system. + + - When the UEFI shell appears, issue the following commands: + + EnrollDefaultKeys.efi + reset -s + + - The EnrollDefaultKeys.efi utility enrolls the following keys: + + - A static example X.509 certificate (CN=TestCommonName) as Platform Key + and first Key Exchange Key. + + The private key matching this certificate has been destroyed (but you + shouldn't trust this statement). + + - "Microsoft Corporation KEK CA 2011" as second Key Exchange Key + (SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30). + + - "Microsoft Windows Production PCA 2011" as first DB entry + (SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d). + + - "Microsoft Corporation UEFI CA 2011" as second DB entry + (SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3). + + These keys suffice to boot released versions of popular Linux + distributions (through the shim.efi utility), and Windows 8 and Windows + Server 2012 R2, in Secure Boot mode. + +Supported guest operating systems +--------------------------------- + +Upstream OVMF does not favor some guest operating systems over others for +political or ideological reasons. However, some operating systems are harder to +obtain and/or technically more difficult to support. The general expectation is +that recent UEFI OSes should just work. Please consult the "OvmfPkg/README" +file. + +The following guest OSes were tested with OVMF: +- Red Hat Enterprise Linux 6 +- Red Hat Enterprise Linux 7 +- Fedora 18 +- Fedora 19 +- Fedora 20 +- Windows Server 2008 R2 SP1 +- Windows Server 2012 +- Windows 8 + +Notes about Windows Server 2008 R2 (paraphrasing the "OvmfPkg/README" file): + +- QEMU should be started with one of the "-device qxl-vga" and "-device VGA" + options. + +- Only one video mode, 1024x768x32, is supported at OS runtime. + + Please refer to the section about QemuVideoDxe (OVMF's built-in video driver) + for more details on this limitation. + +- The qxl-vga video card is recommended ("-device qxl-vga"). After booting the + installed guest OS, select the video card in Device Manager, and upgrade the + video driver to the QXL XDDM one. + + The QXL XDDM driver can be downloaded from + , under Guest | Windows binaries. + + This driver enables additional graphics resolutions at OS runtime, and + provides S3 (suspend/resume) capability. + +Notes about Windows Server 2012 and Windows 8: + +- QEMU should be started with the "-device qxl-vga,revision=4" option (or a + later revision, if available). + +- The guest OS's builtin video driver inherits the video mode / frame buffer + from OVMF. There's no way to change the resolution at OS runtime. + + For this reason, a platform driver has been developed for OVMF, which allows + users to change the preferred video mode in the firmware. Please refer to the + section about PlatformDxe for details. + +- It is recommended to upgrade the guest OS's video driver to the QXL WDDM one, + via Device Manager. + + Binaries for the QXL WDDM driver can be found at + (pick a version greater than or + equal to 0.6), while the source code resides at + . + + This driver enables additional graphics resolutions at OS runtime, and + provides S3 (suspend/resume) capability. + +Compatibility Support Module (CSM) +---------------------------------- + +Collaboration between SeaBIOS and OVMF developers has enabled SeaBIOS to be +built as a Compatibility Support Module, and OVMF to embed and use it. + +Benefits of a SeaBIOS CSM include: + +- The ability to boot legacy (non-UEFI) operating systems, such as legacy Linux + systems, Windows 7, OpenBSD 5.2, FreeBSD 8/9, NetBSD, DragonflyBSD, Solaris + 10/11. + +- Legacy (non-UEFI-compliant) PCI expansion ROMs, such as a VGA BIOS, mapped by + QEMU in emulated devices' ROM BARs, are loaded and executed by OVMF. + + For example, this grants the Windows Server 2008 R2 SP1 guest's native, + legacy video driver access to all modes of all QEMU video cards. + +Building the CSM target of the SeaBIOS source tree is out of scope for this +report. Additionally, upstream OVMF does not enable the CSM by default. + +Interested users and developers should look for OVMF's "-D CSM_ENABLE" +build-time option, and check out the continuous +integration repository, which provides CSM-enabled OVMF builds. + +[RHEL] The "OVMF_CODE.fd" firmware image made available on the Red Hat + Enterprise Linux 7.1 host does not include a Compatibility Support + Module, for the following reasons: + + - Virtual machines running officially supported, legacy guest operating + systems should just use the standalone SeaBIOS firmware. Firmware + selection is flexible in virtualization, see eg. "Installation of OVMF + guests with virt-manager and virt-install" above. + + - The 16-bit thunking interface between OVMF and SeaBIOS is very complex + and presents a large debugging and support burden, based on past + experience. + + - Secure Boot is incompatible with CSM. + + - Inter-project dependencies should be minimized whenever possible. + + - Using the default QXL video card, the Windows 2008 R2 SP1 guest can be + installed with its built-in, legacy video driver. Said driver will + select the only available video mode, 1024x768x32. After installation, + the video driver can be upgraded to the full-featured QXL XDDM driver. + +Phases of the boot process +-------------------------- + +The PI and UEFI specifications, and Intel's UEFI and EDK II Learning and +Development materials provide ample information on PI and UEFI concepts. The +following is an absolutely minimal, rough glossary that is included only to +help readers new to PI and UEFI understand references in later, OVMF-specific +sections. We defer heavily to the official specifications and the training +materials, and frequently quote them below. + +A central concept to mention early is the GUID -- globally unique identifier. A +GUID is a 128-bit number, written as XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, +where each X stands for a hexadecimal nibble. GUIDs are used to name everything +in PI and in UEFI. Programmers introduce new GUIDs with the "uuidgen" utility, +and standards bodies standardize well-known services by positing their GUIDs. + +The boot process is roughly divided in the following phases: + +- Reset vector code. + +- SEC: Security phase. This phase is the root of firmware integrity. + +- PEI: Pre-EFI Initialization. This phase performs "minimal processor, chipset + and platform configuration for the purpose of discovering memory". Modules in + PEI collectively save their findings about the platform in a list of HOBs + (hand-off blocks). + + When developing PEI code, the Platform Initialization (PI) specification + should be consulted. + +- DXE: Driver eXecution Environment, pronounced as "Dixie". This "is the phase + where the bulk of the booting occurs: devices are enumerated and initialized, + UEFI services are supported, and protocols and drivers are implemented. Also, + the tables that create the UEFI interface are produced". + + On the PEI/DXE boundary, the HOBs produced by PEI are consumed. For example, + this is how the memory space map is configured initially. + +- BDS: Boot Device Selection. It is "responsible for determining how and where + you want to boot the operating system". + + When developing DXE and BDS code, it is mainly the UEFI specification that + should be consulted. When speaking about DXE, BDS is frequently considered to + be a part of it. + +The following concepts are tied to specific boot process phases: + +- PEIM: a PEI Module (pronounced "PIM"). A binary module running in the PEI + phase, consuming some PPIs and producing other PPIs, and producing HOBs. + +- PPI: PEIM-to-PEIM interface. A structure of function pointers and related + data members that establishes a PEI service, or an instance of a PEI service. + PPIs are identified by GUID. + + An example is EFI_PEI_S3_RESUME2_PPI (6D582DBC-DB85-4514-8FCC-5ADF6227B147). + +- DXE driver: a binary module running in the DXE and BDS phases, consuming some + protocols and producing other protocols. + +- Protocol: A structure of function pointers and related data members that + establishes a DXE service, or an instance of a DXE service. Protocols are + identified by GUID. + + An example is EFI_BLOCK_IO_PROTOCOL (964E5B21-6459-11D2-8E39-00A0C969723B). + +- Architectural protocols: a set of standard protocols that are foundational to + the working of a UEFI system. Each architectural protocol has at most one + instance. Architectural protocols are implemented by a subset of DXE drivers. + DXE drivers explicitly list the set of protocols (including architectural + protocols) that they need to work. UEFI drivers can only be loaded once all + architectural protocols have become available during the DXE phase. + + An example is EFI_VARIABLE_WRITE_ARCH_PROTOCOL + (6441F818-6362-4E44-B570-7DBA31DD2453). + +Project structure +----------------- + +The term "OVMF" usually denotes the project (community and development effort) +that provide and maintain the subject matter UEFI firmware for virtual +machines. However the term is also frequently applied to the firmware binary +proper that a virtual machine executes. + +OVMF emerges as a compilation of several modules from the edk2 source +repository. "edk2" stands for EFI Development Kit II; it is a "modern, +feature-rich, cross-platform firmware development environment for the UEFI and +PI specifications". + +The composition of OVMF is dictated by the following build control files: + + OvmfPkg/OvmfPkgIa32.dsc + OvmfPkg/OvmfPkgIa32.fdf + + OvmfPkg/OvmfPkgIa32X64.dsc + OvmfPkg/OvmfPkgIa32X64.fdf + + OvmfPkg/OvmfPkgX64.dsc + OvmfPkg/OvmfPkgX64.fdf + +The format of these files is described in the edk2 DSC and FDF specifications. +Roughly, the DSC file determines: +- library instance resolutions for library class requirements presented by the + modules to be compiled, +- the set of modules to compile. + +The FDF file roughly determines: +- what binary modules (compilation output files, precompiled binaries, graphics + image files, verbatim binary sections) to include in the firmware image, +- how to lay out the firmware image. + +The Ia32 flavor of these files builds a firmware where both PEI and DXE phases +are 32-bit. The Ia32X64 flavor builds a firmware where the PEI phase consists +of 32-bit modules, and the DXE phase is 64-bit. The X64 flavor builds a purely +64-bit firmware. + +The word size of the DXE phase must match the word size of the runtime OS -- a +32-bit DXE can't cooperate with a 64-bit OS, and a 64-bit DXE can't work a +32-bit OS. + +OVMF pulls together modules from across the edk2 tree. For example: + +- common drivers and libraries that are platform independent are usually + located under MdeModulePkg and MdePkg, + +- common but hardware-specific drivers and libraries that match QEMU's + pc-i440fx-* machine type are pulled in from IntelFrameworkModulePkg, + PcAtChipsetPkg and UefiCpuPkg, + +- the platform independent UEFI Shell is built from ShellPkg, + +- OvmfPkg includes drivers and libraries that are useful for virtual machines + and may or may not be specific to QEMU's pc-i440fx-* machine type. + +Platform Configuration Database (PCD) +------------------------------------- + +Like the "Phases of the boot process" section, this one introduces a concept in +very raw form. We defer to the PCD related edk2 specifications, and we won't +discuss implementation details here. Our purpose is only to offer the reader a +usable (albeit possibly inaccurate) definition, so that we can refer to PCDs +later on. + +Colloquially, when we say "PCD", we actually mean "PCD entry"; that is, an +entry stored in the Platform Configuration Database. + +The Platform Configuration Database is +- a firmware-wide +- name-value store +- of scalars and buffers +- where each entry may be + - build-time constant, or + - run-time dynamic, or + - theoretically, a middle option: patchable in the firmware file itself, + using a dedicated tool. (OVMF does not utilize externally patchable + entries.) + +A PCD entry is declared in the DEC file of the edk2 top-level Package directory +whose modules (drivers and libraries) are the primary consumers of the PCD +entry. (See for example OvmfPkg/OvmfPkg.dec). Basically, a PCD in a DEC file +exposes a simple customization point. + +Interest in a PCD entry is communicated to the build system by naming the PCD +entry in the INF file of the interested module (application, driver or +library). The module may read and -- dependent on the PCD entry's category -- +write the PCD entry. + +Let's investigate the characteristics of the Database and the PCD entries. + +- Firmware-wide: technically, all modules may access all entries they are + interested in, assuming they advertise their interest in their INF files. + With careful design, PCDs enable inter-driver propagation of (simple) system + configuration. PCDs are available in both PEI and DXE. + + (UEFI drivers meant to be portable (ie. from third party vendors) are not + supposed to use PCDs, since PCDs qualify internal to the specific edk2 + firmware in question.) + +- Name-value store of scalars and buffers: each PCD has a symbolic name, and a + fixed scalar type (UINT16, UINT32 etc), or VOID* for buffers. Each PCD entry + belongs to a namespace, where a namespace is (obviously) a GUID, defined in + the DEC file. + +- A DEC file can permit several categories for a PCD: + - build-time constant ("FixedAtBuild"), + - patchable in the firmware image ("PatchableInModule", unused in OVMF), + - runtime modifiable ("Dynamic"). + +The platform description file (DSC) of a top-level Package directory may choose +the exact category for a given PCD entry that its modules wish to use, and +assign a default (or constant) initial value to it. + +In addition, the edk2 build system too can initialize PCD entries to values +that it calculates while laying out the flash device image. Such PCD +assignments are described in the FDF control file. + +Firmware image structure +------------------------ + +(We assume the common X64 choice for both PEI and DXE, and the default DEBUG +build target.) + +The OvmfPkg/OvmfPkgX64.fdf file defines the following layout for the flash +device image "OVMF.fd": + + Description Compression type Size + ------------------------------ ---------------------- ------- + Non-volatile data storage open-coded binary data 128 KB + Variable store 56 KB + Event log 4 KB + Working block 4 KB + Spare area 64 KB + + FVMAIN_COMPACT uncompressed 1712 KB + FV Firmware File System file LZMA compressed + PEIFV uncompressed 896 KB + individual PEI modules uncompressed + DXEFV uncompressed 8192 KB + individual DXE modules uncompressed + + SECFV uncompressed 208 KB + SEC driver + reset vector code + +The top-level image consists of three regions (three firmware volumes): +- non-volatile data store (128 KB), +- main firmware volume (FVMAIN_COMPACT, 1712 KB), +- firmware volume containing the reset vector code and the SEC phase code (208 + KB). + +In total, the OVMF.fd file has size 128 KB + 1712 KB + 208 KB == 2 MB. + +(1) The firmware volume with non-volatile data store (128 KB) has the following + internal structure, in blocks of 4 KB: + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ L: event log + LIVE | varstore |L|W| W: working block + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + SPARE | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The first half of this firmware volume is "live", while the second half is + "spare". The spare half is important when the variable driver reclaims + unused storage and reorganizes the variable store. + + The live half dedicates 14 blocks (56 KB) to the variable store itself. On + top of those, one block is set aside for an event log, and one block is + used as the working block of the fault tolerant write protocol. Fault + tolerant writes are used to recover from an occasional (virtual) power loss + during variable updates. + + The blocks in this firmware volume are accessed, in stacking order from + least abstract to most abstract, by: + + - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL (provided by + OvmfPkg/QemuFlashFvbServicesRuntimeDxe), + + - EFI_FAULT_TOLERANT_WRITE_PROTOCOL (provided by + MdeModulePkg/Universal/FaultTolerantWriteDxe), + + - architectural protocols instrumental to the runtime UEFI variable + services: + - EFI_VARIABLE_ARCH_PROTOCOL, + - EFI_VARIABLE_WRITE_ARCH_PROTOCOL. + + In a non-secure boot build, the DXE driver providing these architectural + protocols is MdeModulePkg/Universal/Variable/RuntimeDxe. In a secure boot + build, where authenticated variables are available, the DXE driver + offering these protocols is SecurityPkg/VariableAuthenticated/RuntimeDxe. + +(2) The main firmware volume (FVMAIN_COMPACT, 1712 KB) embeds further firmware + volumes. The outermost layer is a Firmware File System (FFS), carrying a + single file. This file holds an LZMA-compressed section, which embeds two + firmware volumes: PEIFV (896 KB) with PEIMs, and DXEFV (8192 KB) with DXE + and UEFI drivers. + + This scheme enables us to build 896 KB worth of PEI drivers and 8192 KB + worth of DXE and UEFI drivers, compress them all with LZMA in one go, and + store the compressed result in 1712 KB, saving room in the flash device. + +(3) The SECFV firmware volume (208 KB) is not compressed. It carries the + "volume top file" with the reset vector code, to end at 4 GB in + guest-physical address space, and the SEC phase driver (OvmfPkg/Sec). + + The last 16 bytes of the volume top file (mapped directly under 4 GB) + contain a NOP slide and a jump instruction. This is where QEMU starts + executing the firmware, at address 0xFFFF_FFF0. The reset vector and the + SEC driver run from flash directly. + + The SEC driver locates FVMAIN_COMPACT in the flash, and decompresses the + main firmware image to RAM. The rest of OVMF (PEI, DXE, BDS phases) run + from RAM. + +As already mentioned, the OVMF.fd file is mapped by qemu's +"hw/block/pflash_cfi01.c" device just under 4 GB in guest-physical address +space, according to the command line option + + -drive if=pflash,format=raw,file=fedora.flash + +(refer to the Example qemu invocation). This is a "ROMD device", which can +switch out of "ROMD mode" and back into it. + +Namely, in the default ROMD mode, the guest-physical address range backed by +the flash device reads and executes as ROM (it does not trap from KVM to QEMU). +The first write access in this mode traps to QEMU, and flips the device out of +ROMD mode. + +In non-ROMD mode, the flash chip is programmed by storing CFI (Common Flash +Interface) command values at the flash-covered addresses; both reads and writes +trap to QEMU, and the flash contents are modified and synchronized to the +host-side file. A special CFI command flips the flash device back to ROMD mode. + +Qemu implements the above based on the KVM_CAP_READONLY_MEM / KVM_MEM_READONLY +KVM features, and OVMF puts it to use in its EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL +implementation, under "OvmfPkg/QemuFlashFvbServicesRuntimeDxe". + +IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option maps +the firmware image as ROM into the guest's address space, and forces OVMF to +emulate non-volatile variables with a fallback driver that is bound to have +insufficient and confusing semantics. + +The 128 KB firmware volume with the variable store, discussed under (1), is +also built as a separate host-side file, named "OVMF_VARS.fd". The "rest" is +built into a third file, "OVMF_CODE.fd", which is only 1920 KB in size. The +variable store is mapped into its usual location, at 4 GB - 2 MB = 0xFFE0_0000, +through the following qemu options: + + -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd \ + -drive if=pflash,format=raw,file=fedora.varstore.fd + +This way qemu configures two flash chips consecutively, with start addresses +growing downwards, which is transparent to OVMF. + +[RHEL] Red Hat Enterprise Linux 7.1 ships a Secure Boot-enabled, X64, DEBUG + firmware only. Furthermore, only the split files ("OVMF_VARS.fd" and + "OVMF_CODE.fd") are available. + +S3 (suspend to RAM and resume) +------------------------------ + +As noted in Example qemu invocation, the + + -global PIIX4_PM.disable_s3=0 + +command line option tells qemu and OVMF if the user would like to enable S3 +support. (This is corresponds to the /domain/pm/suspend-to-mem/@enabled libvirt +domain XML attribute.) + +Implementing / orchestrating S3 was a considerable community effort in OVMF. A +detailed description exceeds the scope of this report; we only make a few +statements. + +(1) S3-related PPIs and protocols are well documented in the PI specification. + +(2) Edk2 contains most modules that are needed to implement S3 on a given + platform. One abstraction that is central to the porting / extending of the + S3-related modules to a new platform is the LockBox library interface, + which a specific platform can fill in by implementing its own LockBox + library instance. + + The LockBox library provides a privileged name-value store (to be addressed + by GUIDs). The privilege separation stretches between the firmware and the + operating system. That is, the S3-related machinery of the firmware saves + some items in the LockBox securely, under well-known GUIDs, before booting + the operating system. During resume (which is a form of warm reset), the + firmware is activated again, and retrieves items from the LockBox. Before + jumping to the OS's resume vector, the LockBox is secured again. + + We'll return to this later when we separately discuss SMRAM and SMM. + +(3) During resume, the DXE and later phases are never reached; only the reset + vector, and the SEC and PEI phases of the firmware run. The platform is + supposed to detect a resume in progress during PEI, and to store that fact + in the BootMode field of the Phase Handoff Information Table (PHIT) HOB. + OVMF keys this off the CMOS, see OvmfPkg/PlatformPei. + + At the end of PEI, the DXE IPL PEIM (Initial Program Load PEI Module, see + MdeModulePkg/Core/DxeIplPeim) examines the Boot Mode, and if it says "S3 + resume in progress", then the IPL branches to the PEIM that exports + EFI_PEI_S3_RESUME2_PPI (provided by UefiCpuPkg/Universal/Acpi/S3Resume2Pei) + rather than loading the DXE core. + + S3Resume2Pei executes the technical steps of the resumption, relying on the + contents of the LockBox. + +(4) During first boot (or after a normal platform reset), when DXE does run, + hardware drivers in the DXE phase are encouraged to "stash" their hardware + configuration steps (eg. accesses to PCI config space, I/O ports, memory + mapped addresses, and so on) in a centrally maintained, so called "S3 boot + script". Hardware accesses are represented with opcodes of a special binary + script language. + + This boot script is to be replayed during resume, by S3Resume2Pei. The + general goal is to bring back hardware devices -- which have been powered + off during suspend -- to their original after-first-boot state, and in + particular, to do so quickly. + + At the moment, OVMF saves only one opcode in the S3 resume boot script: an + INFORMATION opcode, with contents 0xDEADBEEF (in network byte order). The + consensus between Linux developers seems to be that boot firmware is only + responsible for restoring basic chipset state, which OVMF does during PEI + anyway, independently of S3 vs. normal reset. (One example is the power + management registers of the i440fx chipset.) Device and peripheral state is + the responsibility of the runtime operating system. + + Although an experimental OVMF S3 boot script was at one point captured for + the virtual Cirrus VGA card, such a boot script cannot follow eg. video + mode changes effected by the OS. Hence the operating system can never avoid + restoring device state, and most Linux display drivers (eg. stdvga, QXL) + already cover S3 resume fully. + + The XDDM and WDDM driver models used under Windows OSes seem to recognize + this notion of runtime OS responsibility as well. (See the list of OSes + supported by OVMF in a separate section.) + +(5) The S3 suspend/resume data flow in OVMF is included here tersely, for + interested developers. + + (a) BdsLibBootViaBootOption() + EFI_ACPI_S3_SAVE_PROTOCOL [AcpiS3SaveDxe] + - saves ACPI S3 Context to LockBox ---------------------+ + (including FACS address -- FACS ACPI table | + contains OS waking vector) | + | + - prepares boot script: | + EFI_S3_SAVE_STATE_PROTOCOL.Write() [S3SaveStateDxe] | + S3BootScriptLib [PiDxeS3BootScriptLib] | + - opcodes & arguments are saved in NVS. --+ | + | | + - issues a notification by installing | | + EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL | | + | | + (b) EFI_S3_SAVE_STATE_PROTOCOL [S3SaveStateDxe] | | + S3BootScriptLib [PiDxeS3BootScriptLib] | | + - closes script with special opcode <---------+ | + - script is available in non-volatile memory | + via PcdS3BootScriptTablePrivateDataPtr --+ | + | | + BootScriptExecutorDxe | | + S3BootScriptLib [PiDxeS3BootScriptLib] | | + - Knows about boot script location by <----+ | + synchronizing with the other library | + instance via | + PcdS3BootScriptTablePrivateDataPtr. | + - Copies relocated image of itself to | + reserved memory. --------------------------------+ | + - Saved image contains pointer to boot script. ---|--+ | + | | | + Runtime: | | | + | | | + (c) OS is booted, writes OS waking vector to FACS, | | | + suspends machine | | | + | | | + S3 Resume (PEI): | | | + | | | + (d) PlatformPei sets S3 Boot Mode based on CMOS | | | + | | | + (e) DXE core is skipped and EFI_PEI_S3_RESUME2 is | | | + called as last step of PEI | | | + | | | + (f) S3Resume2Pei retrieves from LockBox: | | | + - ACPI S3 Context (path to FACS) <------------------|--|--+ + | | | + +------------------|--|--+ + - Boot Script Executor Image <----------------------+ | | + | | + (g) BootScriptExecutorDxe | | + S3BootScriptLib [PiDxeS3BootScriptLib] | | + - executes boot script <-----------------------------+ | + | + (h) OS waking vector available from ACPI S3 Context / FACS <--+ + is called + +A comprehensive memory map of OVMF +---------------------------------- + +The following section gives a detailed analysis of memory ranges below 4 GB +that OVMF statically uses. + +In the rightmost column, the PCD entry is identified by which the source refers +to the address or size in question. + +The flash-covered range has been discussed previously in "Firmware image +structure", therefore we include it only for completeness. Due to the fact that +this range is always backed by a memory mapped device (and never RAM), it is +unaffected by S3 (suspend to RAM and resume). + ++--------------------------+ 4194304 KB +| | +| SECFV | size: 208 KB +| | ++--------------------------+ 4194096 KB +| | +| FVMAIN_COMPACT | size: 1712 KB +| | ++--------------------------+ 4192384 KB +| | +| variable store | size: 64 KB PcdFlashNvStorageFtwSpareSize +| spare area | +| | ++--------------------------+ 4192320 KB PcdOvmfFlashNvStorageFtwSpareBase +| | +| FTW working block | size: 4 KB PcdFlashNvStorageFtwWorkingSize +| | ++--------------------------+ 4192316 KB PcdOvmfFlashNvStorageFtwWorkingBase +| | +| Event log of | size: 4 KB PcdOvmfFlashNvStorageEventLogSize +| non-volatile storage | +| | ++--------------------------+ 4192312 KB PcdOvmfFlashNvStorageEventLogBase +| | +| variable store | size: 56 KB PcdFlashNvStorageVariableSize +| | ++--------------------------+ 4192256 KB PcdOvmfFlashNvStorageVariableBase + +The flash-mapped image of OVMF.fd covers the entire structure above (2048 KB). + +When using the split files, the address 4192384 KB +(PcdOvmfFlashNvStorageFtwSpareBase + PcdFlashNvStorageFtwSpareSize) is the +boundary between the mapped images of OVMF_VARS.fd (56 KB + 4 KB + 4 KB + 64 KB += 128 KB) and OVMF_CODE.fd (1712 KB + 208 KB = 1920 KB). + +With regard to RAM that is statically used by OVMF, S3 (suspend to RAM and +resume) complicates matters. Many ranges have been introduced only to support +S3, hence for all ranges below, the following questions will be audited: + +(a) when and how a given range is initialized after first boot of the VM, +(b) how it is protected from memory allocations during DXE, +(c) how it is protected from the OS, +(d) how it is accessed on the S3 resume path, +(e) how it is accessed on the warm reset path. + +Importantly, the term "protected" is meant as protection against inadvertent +reallocations and overwrites by co-operating DXE and OS modules. It does not +imply security against malicious code. + ++--------------------------+ 17408 KB +| | +|DXEFV from FVMAIN_COMPACT | size: 8192 KB PcdOvmfDxeMemFvSize +| decompressed firmware | +| volume with DXE modules | +| | ++--------------------------+ 9216 KB PcdOvmfDxeMemFvBase +| | +|PEIFV from FVMAIN_COMPACT | size: 896 KB PcdOvmfPeiMemFvSize +| decompressed firmware | +| volume with PEI modules | +| | ++--------------------------+ 8320 KB PcdOvmfPeiMemFvBase +| | +| permanent PEI memory for | size: 32 KB PcdS3AcpiReservedMemorySize +| the S3 resume path | +| | ++--------------------------+ 8288 KB PcdS3AcpiReservedMemoryBase +| | +| temporary SEC/PEI heap | size: 32 KB PcdOvmfSecPeiTempRamSize +| and stack | +| | ++--------------------------+ 8256 KB PcdOvmfSecPeiTempRamBase +| | +| unused | size: 32 KB +| | ++--------------------------+ 8224 KB +| | +| SEC's table of | size: 4 KB PcdGuidedExtractHandlerTableSize +| GUIDed section handlers | +| | ++--------------------------+ 8220 KB PcdGuidedExtractHandlerTableAddress +| | +| LockBox storage | size: 4 KB PcdOvmfLockBoxStorageSize +| | ++--------------------------+ 8216 KB PcdOvmfLockBoxStorageBase +| | +| early page tables on X64 | size: 24 KB PcdOvmfSecPageTablesSize +| | ++--------------------------+ 8192 KB PcdOvmfSecPageTablesBase + +(1) Early page tables on X64: + + (a) when and how it is initialized after first boot of the VM + + The range is filled in during the SEC phase + [OvmfPkg/ResetVector/Ia32/PageTables64.asm]. The CR3 register is verified + against the base address in SecCoreStartupWithStack() + [OvmfPkg/Sec/SecMain.c]. + + (b) how it is protected from memory allocations during DXE + + If S3 was enabled on the QEMU command line (see "-global + PIIX4_PM.disable_s3=0" earlier), then InitializeRamRegions() + [OvmfPkg/PlatformPei/MemDetect.c] protects the range with an AcpiNVS memory + allocation HOB, in PEI. + + If S3 was disabled, then this range is not protected. DXE's own page tables + are first built while still in PEI (see HandOffToDxeCore() + [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are located + in permanent PEI memory. After CR3 is switched over to them (which occurs + before jumping to the DXE core entry point), we don't have to preserve the + initial tables. + + (c) how it is protected from the OS + + If S3 is enabled, then (1b) reserves it from the OS too. + + If S3 is disabled, then the range needs no protection. + + (d) how it is accessed on the S3 resume path + + It is rewritten same as in (1a), which is fine because (1c) reserved it. + + (e) how it is accessed on the warm reset path + + It is rewritten same as in (1a). + +(2) LockBox storage: + + (a) when and how it is initialized after first boot of the VM + + InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the + area during PEI. This is correct but not strictly necessary, since on first + boot the area is zero-filled anyway. + + The LockBox signature of the area is filled in by the PEI module or DXE + driver that has been linked against OVMF's LockBoxLib and is run first. The + signature is written in LockBoxLibInitialize() + [OvmfPkg/Library/LockBoxLib/LockBoxLib.c]. + + Any module calling SaveLockBox() [OvmfPkg/Library/LockBoxLib/LockBoxLib.c] + will co-populate this area. + + (b) how it is protected from memory allocations during DXE + + If S3 is enabled, then InitializeRamRegions() + [OvmfPkg/PlatformPei/MemDetect.c] protects the range as AcpiNVS. + + Otherwise, the range is covered with a BootServicesData memory allocation + HOB. + + (c) how it is protected from the OS + + If S3 is enabled, then (2b) protects it sufficiently. + + Otherwise the range requires no runtime protection, and the + BootServicesData allocation type from (2b) ensures that the range will be + released to the OS. + + (d) how it is accessed on the S3 resume path + + The S3 Resume PEIM restores data from the LockBox, which has been correctly + protected in (2c). + + (e) how it is accessed on the warm reset path + + InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the + range during PEI, effectively emptying the LockBox. Modules will + re-populate the LockBox as described in (2a). + +(3) SEC's table of GUIDed section handlers + + (a) when and how it is initialized after first boot of the VM + + The following two library instances are linked into SecMain: + - IntelFrameworkModulePkg/Library/LzmaCustomDecompressLib, + - MdePkg/Library/BaseExtractGuidedSectionLib. + + The first library registers its LZMA decompressor plugin (which is a called + a "section handler") by calling the second library: + + LzmaDecompressLibConstructor() [GuidedSectionExtraction.c] + ExtractGuidedSectionRegisterHandlers() [BaseExtractGuidedSectionLib.c] + + The second library maintains its table of registered "section handlers", to + be indexed by GUID, in this fixed memory area, independently of S3 + enablement. + + (The decompression of FVMAIN_COMPACT's FFS file section that contains the + PEIFV and DXEFV firmware volumes occurs with the LZMA decompressor + registered above. See (6) and (7) below.) + + (b) how it is protected from memory allocations during DXE + + There is no need to protect this area from DXE: because nothing else in + OVMF links against BaseExtractGuidedSectionLib, the area loses its + significance as soon as OVMF progresses from SEC to PEI, therefore DXE is + allowed to overwrite the region. + + (c) how it is protected from the OS + + When S3 is enabled, we cover the range with an AcpiNVS memory allocation + HOB in InitializeRamRegions(). + + When S3 is disabled, the range is not protected. + + (d) how it is accessed on the S3 resume path + + The table of registered section handlers is again managed by + BaseExtractGuidedSectionLib linked into SecMain exclusively. Section + handler registrations update the table in-place (based on GUID matches). + + (e) how it is accessed on the warm reset path + + If S3 is enabled, then the OS won't damage the table (due to (3c)), thus + see (3d). + + If S3 is disabled, then the OS has most probably overwritten the range with + its own data, hence (3a) -- complete reinitialization -- will come into + effect, based on the table signature check in BaseExtractGuidedSectionLib. + +(4) temporary SEC/PEI heap and stack + + (a) when and how it is initialized after first boot of the VM + + The range is configured in [OvmfPkg/Sec/X64/SecEntry.S] and + SecCoreStartupWithStack() [OvmfPkg/Sec/SecMain.c]. The stack half is read & + written by the CPU transparently. The heap half is used for memory + allocations during PEI. + + Data is migrated out (to permanent PEI stack & memory) in (or soon after) + PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c]. + + (b) how it is protected from memory allocations during DXE + + It is not necessary to protect this range during DXE because its use ends + still in PEI. + + (c) how it is protected from the OS + + If S3 is enabled, then InitializeRamRegions() + [OvmfPkg/PlatformPei/MemDetect.c] reserves it as AcpiNVS. + + If S3 is disabled, then the range doesn't require protection. + + (d) how it is accessed on the S3 resume path + + Same as in (4a), except the target area of the migration triggered by + PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c] is different -- see + (5). + + (e) how it is accessed on the warm reset path + + Same as in (4a). The stack and heap halves both may contain garbage, but it + doesn't matter. + +(5) permanent PEI memory for the S3 resume path + + (a) when and how it is initialized after first boot of the VM + + No particular initialization or use. + + (b) how it is protected from memory allocations during DXE + + We don't need to protect this area during DXE. + + (c) how it is protected from the OS + + When S3 is enabled, InitializeRamRegions() + [OvmfPkg/PlatformPei/MemDetect.c] makes sure the OS stays away by covering + the range with an AcpiNVS memory allocation HOB. + + When S3 is disabled, the range needs no protection. + + (d) how it is accessed on the S3 resume path + + PublishPeiMemory() installs the range as permanent RAM for PEI. The range + will serve as stack and will satisfy allocation requests during the rest of + PEI. OS data won't overlap due to (5c). + + (e) how it is accessed on the warm reset path + + Same as (5a). + +(6) PEIFV -- decompressed firmware volume with PEI modules + + (a) when and how it is initialized after first boot of the VM + + DecompressMemFvs() [OvmfPkg/Sec/SecMain.c] populates the area, by + decompressing the flash-mapped FVMAIN_COMPACT volume's contents. (Refer to + "Firmware image structure".) + + (b) how it is protected from memory allocations during DXE + + When S3 is disabled, PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] + covers the range with a BootServicesData memory allocation HOB. + + When S3 is enabled, the same is coverage is ensured, just with the stronger + AcpiNVS memory allocation type. + + (c) how it is protected from the OS + + When S3 is disabled, it is not necessary to keep the range from the OS. + + Otherwise the AcpiNVS type allocation from (6b) provides coverage. + + (d) how it is accessed on the S3 resume path + + Rather than decompressing it again from FVMAIN_COMPACT, GetS3ResumePeiFv() + [OvmfPkg/Sec/SecMain.c] reuses the protected area for parsing / execution + from (6c). + + (e) how it is accessed on the warm reset path + + Same as (6a). + +(7) DXEFV -- decompressed firmware volume with DXE modules + + (a) when and how it is initialized after first boot of the VM + + Same as (6a). + + (b) how it is protected from memory allocations during DXE + + PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] covers the range with a + BootServicesData memory allocation HOB. + + (c) how it is protected from the OS + + The OS is allowed to release and reuse this range. + + (d) how it is accessed on the S3 resume path + + It's not; DXE never runs during S3 resume. + + (e) how it is accessed on the warm reset path + + Same as in (7a). + +Known Secure Boot limitations +----------------------------- + +Under "Motivation" we've mentioned that OVMF's Secure Boot implementation is +not suitable for production use yet -- it's only good for development and +testing of standards-conformant, non-malicious guest code (UEFI and operating +system alike). + +Now that we've examined the persistent flash device, the workings of S3, and +the memory map, we can discuss two currently known shortcomings of OVMF's +Secure Boot that in fact make it insecure. (Clearly problems other than these +two might exist; the set of issues considered here is not meant to be +exhaustive.) + +One trait of Secure Boot is tamper-evidence. Secure Boot may not prevent +malicious modification of software components (for example, operating system +drivers), but by being the root of integrity on a platform, it can catch (or +indirectly contribute to catching) unauthorized changes, by way of signature +and certificate checks at the earliest phases of boot. + +If an attacker can tamper with key material stored in authenticated and/or +boot-time only persistent variables (for example, PK, KEK, db, dbt, dbx), then +the intended security of this scheme is compromised. The UEFI 2.4A +specification says + +- in section 28.3.4: + + Platform Keys: + + The public key must be stored in non-volatile storage which is tamper and + delete resistant. + + Key Exchange Keys: + + The public key must be stored in non-volatile storage which is tamper + resistant. + +- in section 28.6.1: + + The signature database variables db, dbt, and dbx must be stored in + tamper-resistant non-volatile storage. + +(1) The combination of QEMU, KVM, and OVMF does not provide this kind of + resistance. The variable store in the emulated flash chip is directly + accessible to, and reprogrammable by, UEFI drivers, applications, and + operating systems. + +(2) Under "S3 (suspend to RAM and resume)" we pointed out that the LockBox + storage must be similarly secure and tamper-resistant. + + On the S3 resume path, the PEIM providing EFI_PEI_S3_RESUME2_PPI + (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) restores and interprets data from + the LockBox that has been saved there during boot. This PEIM, being part of + the firmware, has full access to the platform. If an operating system can + tamper with the contents of the LockBox, then at the next resume the + platform's integrity might be subverted. + + OVMF stores the LockBox in normal guest RAM (refer to the memory map + section above). Operating systems and third party UEFI drivers and UEFI + applications that respect the UEFI memory map will not inadvertently + overwrite the LockBox storage, but there's nothing to prevent eg. a + malicious kernel from modifying the LockBox. + +One means to address these issues is SMM and SMRAM (System Management Mode and +System Management RAM). + +During boot and resume, the firmware can enter and leave SMM and access SMRAM. +Before the DXE phase is left, and control is transferred to the BDS phase (when +third party UEFI drivers and applications can be loaded, and an operating +system can be loaded), SMRAM is locked in hardware, and subsequent modules +cannot access it directly. (See EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL.) + +Once SMRAM has been locked, UEFI drivers and the operating system can enter SMM +by raising a System Management Interrupt (SMI), at which point trusted code +(part of the platform firmware) takes control. SMRAM is also unlocked by +platform reset, at which point the boot firmware takes control again. + +Variable store and LockBox in SMRAM +----------------------------------- + +Edk2 provides almost all components to implement the variable store and the +LockBox in SMRAM. In this section we summarize ideas for utilizing those +facilities. + +The SMRAM and SMM infrastructure in edk2 is built up as follows: + +(1) The platform hardware provides SMM / SMI / SMRAM. + + Qemu/KVM doesn't support these features currently and should implement them + in the longer term. + +(2) The platform vendor (in this case, OVMF developers) implement device + drivers for the platform's System Management Mode: + + - EFI_SMM_CONTROL2_PROTOCOL: for raising a synchronous (and/or) periodic + SMI(s); that is, for entering SMM. + + - EFI_SMM_ACCESS2_PROTOCOL: for describing and accessing SMRAM. + + These protocols are documented in the PI Specification, Volume 4. + +(3) The platform DSC file is to include the following platform-independent + modules: + + - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf: SMM Initial Program Load + - MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf: SMM Core + +(4) At this point, modules of type DXE_SMM_DRIVER can be loaded. + + Such drivers are privileged. They run in SMM, have access to SMRAM, and are + separated and switched from other drivers through SMIs. Secure + communication between unprivileged (non-SMM) and privileged (SMM) drivers + happens through EFI_SMM_COMMUNICATION_PROTOCOL (implemented by the SMM + Core, see (3)). + + DXE_SMM_DRIVER modules must sanitize their input (coming from unprivileged + drivers) carefully. + +(5) The authenticated runtime variable services driver (for Secure Boot builds) + is located under "SecurityPkg/VariableAuthenticated/RuntimeDxe". OVMF + currently builds the driver (a DXE_RUNTIME_DRIVER module) with the + "VariableRuntimeDxe.inf" control file (refer to "OvmfPkg/OvmfPkgX64.dsc"), + which does not use SMM. + + The directory includes two more INF files: + + - VariableSmm.inf -- module type: DXE_SMM_DRIVER. A privileged driver that + runs in SMM and has access to SMRAM. + + - VariableSmmRuntimeDxe.inf -- module type: DXE_RUNTIME_DRIVER. A + non-privileged driver that implements the variable runtime services + (replacing the current "VariableRuntimeDxe.inf" file) by communicating + with the above privileged SMM half via EFI_SMM_COMMUNICATION_PROTOCOL. + +(6) An SMRAM-based LockBox implementation needs to be discussed in two parts, + because the LockBox is accessed in both PEI and DXE. + + (a) During DXE, drivers save data in the LockBox. A save operation is + layered as follows: + + - The unprivileged driver wishing to store data in the LockBox links + against the "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf" + library instance. + + The library allows the unprivileged driver to format requests for the + privileged SMM LockBox driver (see below), and to parse responses. + + - The privileged SMM LockBox driver is built from + "MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf". This + driver has module type DXE_SMM_DRIVER and can access SMRAM. + + The driver delegates command parsing and response formatting to + "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf". + + - The above two halves (unprivileged and privileged) mirror what we've + seen in case of the variable service drivers, under (5). + + (b) In PEI, the S3 Resume PEIM (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) + retrieves data from the LockBox. + + Presumably, S3Resume2Pei should be considered an "unprivileged PEIM", + and the SMRAM access should be layered as seen in DXE. Unfortunately, + edk2 does not implement all of the layers in PEI -- the code either + doesn't exist, or it is not open source: + + role | DXE: protocol/module | PEI: PPI/module + -------------+--------------------------------+------------------------------ + unprivileged | any | S3Resume2Pei.inf + driver | | + -------------+--------------------------------+------------------------------ + command | LIBRARY_CLASS = LockBoxLib | LIBRARY_CLASS = LockBoxLib + formatting | | + and response | SmmLockBoxDxeLib.inf | SmmLockBoxPeiLib.inf + parsing | | + -------------+--------------------------------+------------------------------ + privilege | EFI_SMM_COMMUNICATION_PROTOCOL | EFI_PEI_SMM_COMMUNICATION_PPI + separation | | + | PiSmmCore.inf | missing! + -------------+--------------------------------+------------------------------ + platform SMM | EFI_SMM_CONTROL2_PROTOCOL | PEI_SMM_CONTROL_PPI + and SMRAM | EFI_SMM_ACCESS2_PROTOCOL | PEI_SMM_ACCESS_PPI + access | | + | to be done in OVMF | to be done in OVMF + -------------+--------------------------------+------------------------------ + command | LIBRARY_CLASS = LockBoxLib | LIBRARY_CLASS = LockBoxLib + parsing and | | + response | SmmLockBoxSmmLib.inf | missing! + formatting | | + -------------+--------------------------------+------------------------------ + privileged | SmmLockBox.inf | missing! + LockBox | | + driver | | + + Alternatively, in the future OVMF might be able to provide a LockBoxLib + instance (an SmmLockBoxPeiLib substitute) for S3Resume2Pei that + accesses SMRAM directly, eliminating the need for deeper layers in the + stack (that is, EFI_PEI_SMM_COMMUNICATION_PPI and deeper). + + In fact, a "thin" EFI_PEI_SMM_COMMUNICATION_PPI implementation whose + sole Communicate() member invariably returns EFI_NOT_STARTED would + cause the current SmmLockBoxPeiLib library instance to directly perform + full-depth SMRAM access and LockBox search, obviating the "missing" + cells. (With reference to A Tour Beyond BIOS: Implementing S3 Resume + with EDK2, by Jiewen Yao and Vincent Zimmer, October 2014.) + +Select features +--------------- + +In this section we'll browse the top-level "OvmfPkg" package directory, and +discuss the more interesting drivers and libraries that have not been mentioned +thus far. + +X64-specific reset vector for OVMF +.................................. + +The "OvmfPkg/ResetVector" directory customizes the reset vector (found in +"UefiCpuPkg/ResetVector/Vtf0") for "OvmfPkgX64.fdf", that is, when the SEC/PEI +phases run in 64-bit (ie. long) mode. + +The reset vector's control flow looks roughly like: + + resetVector [Ia16/ResetVectorVtf0.asm] + EarlyBspInitReal16 [Ia16/Init16.asm] + Main16 [Main.asm] + EarlyInit16 [Ia16/Init16.asm] + + ; Transition the processor from + ; 16-bit real mode to 32-bit flat mode + TransitionFromReal16To32BitFlat [Ia16/Real16ToFlat32.asm] + + ; Search for the + ; Boot Firmware Volume (BFV) + Flat32SearchForBfvBase [Ia32/SearchForBfvBase.asm] + + ; Search for the SEC entry point + Flat32SearchForSecEntryPoint [Ia32/SearchForSecEntry.asm] + + %ifdef ARCH_IA32 + ; Jump to the 32-bit SEC entry point + %else + ; Transition the processor + ; from 32-bit flat mode + ; to 64-bit flat mode + Transition32FlatTo64Flat [Ia32/Flat32ToFlat64.asm] + + SetCr3ForPageTables64 [Ia32/PageTables64.asm] + ; set CR3 to page tables + ; built into the ROM image + + ; enable PAE + ; set LME + ; enable paging + + ; Jump to the 64-bit SEC entry point + %endif + +On physical platforms, the initial page tables referenced by +SetCr3ForPageTables64 are built statically into the flash device image, and are +present in ROM at runtime. This is fine on physical platforms because the +pre-built page table entries have the Accessed and Dirty bits set from the +start. + +Accordingly, for OVMF running in long mode on qemu/KVM, the initial page tables +were mapped as a KVM_MEM_READONLY slot, as part of QEMU's pflash device (refer +to "Firmware image structure" above). + +In spite of the Accessed and Dirty bits being pre-set in the read-only, +in-flash PTEs, in a virtual machine attempts are made to update said PTE bits, +differently from physical hardware. The component attempting to update the +read-only PTEs can be one of the following: + +- The processor itself, if it supports nested paging, and the user enables that + processor feature, + +- KVM code implementing shadow paging, otherwise. + +The first case presents no user-visible symptoms, but the second case (KVM, +shadow paging) used to cause a triple fault, prior to Linux commit ba6a354 +("KVM: mmu: allow page tables to be in read-only slots"). + +For compatibility with earlier KVM versions, the OvmfPkg/ResetVector directory +adapts the generic reset vector code as follows: + + Transition32FlatTo64Flat [UefiCpuPkg/.../Ia32/Flat32ToFlat64.asm] + + SetCr3ForPageTables64 [OvmfPkg/ResetVector/Ia32/PageTables64.asm] + + ; dynamically build the initial page tables in RAM, at address + ; PcdOvmfSecPageTablesBase (refer to the memory map above), + ; identity-mapping the first 4 GB of address space + + ; set CR3 to PcdOvmfSecPageTablesBase + + ; enable PAE + ; set LME + ; enable paging + +This way the PTEs that earlier KVM versions try to update (during shadow +paging) are located in a read-write memory slot, and the write attempts +succeed. + +Client library for QEMU's firmware configuration interface +.......................................................... + +QEMU provides a write-only, 16-bit wide control port, and a read-write, 8-bit +wide data port for exchanging configuration elements with the firmware. + +The firmware writes a selector (a key) to the control port (0x510), and then +reads the corresponding configuration data (produced by QEMU) from the data +port (0x511). + +If the selected entry is writable, the firmware may overwrite it. If QEMU has +associated a callback with the entry, then when the entry is completely +rewritten, QEMU runs the callback. (OVMF does not rewrite any entries at the +moment.) + +A number of selector values (keys) are predefined. In particular, key 0x19 +selects (returns) a directory of { name, selector, size } triplets, roughly +speaking. + +The firmware can request configuration elements by well-known name as well, by +looking up the selector value first in the directory, by name, and then writing +the selector to the control port. The number of bytes to read subsequently from +the data port is known from the directory entry's "size" field. + +By convention, directory entries (well-known symbolic names of configuration +elements) are formatted as POSIX pathnames. For example, the array selected by +the "etc/system-states" name indicates (among other things) whether the user +enabled S3 support in QEMU. + +The above interface is called "fw_cfg". + +The binary data associated with a symbolic name is called an "fw_cfg file". + +OVMF's fw_cfg client library is found in "OvmfPkg/Library/QemuFwCfgLib". OVMF +discovers many aspects of the virtual system with it; we refer to a few +examples below. + +Guest ACPI tables +................. + +An operating system discovers a good amount of its hardware by parsing ACPI +tables, and by interpreting ACPI objects and methods. On physical hardware, the +platform vendor's firmware installs ACPI tables in memory that match both the +hardware present in the system and the user's firmware configuration ("BIOS +setup"). + +Under qemu/KVM, the owner of the (virtual) hardware configuration is QEMU. +Hardware can easily be reconfigured on the command line. Furthermore, features +like CPU hotplug, PCI hotplug, memory hotplug are continuously developed for +QEMU, and operating systems need direct ACPI support to exploit these features. + +For this reason, QEMU builds its own ACPI tables dynamically, in a +self-descriptive manner, and exports them to the firmware through a complex, +multi-file fw_cfg interface. It is rooted in the "etc/table-loader" fw_cfg +file. (Further details of this interface are out of scope for this report.) + +OVMF's AcpiPlatformDxe driver fetches the ACPI tables, and installs them for +the guest OS with the EFI_ACPI_TABLE_PROTOCOL (which is in turn provided by the +generic "MdeModulePkg/Universal/Acpi/AcpiTableDxe" driver). + +For earlier QEMU versions and machine types (which we generally don't recommend +for OVMF; see "Scope"), the "OvmfPkg/AcpiTables" directory contains a few +static ACPI table templates. When the "etc/table-loader" fw_cfg file is +unavailable, AcpiPlatformDxe installs these default tables (with a little bit +of dynamic patching). + +When OVMF runs in a Xen domU, AcpiTableDxe also installs ACPI tables that +originate from the hypervisor's environment. + +Guest SMBIOS tables +................... + +Quoting the SMBIOS Reference Specification, + + [...] the System Management BIOS Reference Specification addresses how + motherboard and system vendors present management information about their + products in a standard format [...] + +In practice SMBIOS tables are just another set of tables that the platform +vendor's firmware installs in RAM for the operating system, and, importantly, +for management applications running on the OS. Without rehashing the "Guest +ACPI tables" section in full, let's map the OVMF roles seen there from ACPI to +SMBIOS: + + role | ACPI | SMBIOS + -------------------------+-------------------------+------------------------- + fw_cfg file | etc/table-loader | etc/smbios/smbios-tables + -------------------------+-------------------------+------------------------- + OVMF driver | AcpiPlatformDxe | SmbiosPlatformDxe + under "OvmfPkg" | | + -------------------------+-------------------------+------------------------- + Underlying protocol, | EFI_ACPI_TABLE_PROTOCOL | EFI_SMBIOS_PROTOCOL + implemented by generic | | + driver under | Acpi/AcpiTableDxe | SmbiosDxe + "MdeModulePkg/Universal" | | + -------------------------+-------------------------+------------------------- + default tables available | yes | [RHEL] yes, Type0 and + for earlier QEMU machine | | Type1 tables + types, with hot-patching | | + -------------------------+-------------------------+------------------------- + tables fetched in Xen | yes | yes + domUs | | + +Platform-specific boot policy +............................. + +OVMF's BDS (Boot Device Selection) phase is implemented by +IntelFrameworkModulePkg/Universal/BdsDxe. Roughly speaking, this large driver: + +- provides the EFI BDS architectural protocol (which DXE transfers control to + after dispatching all DXE drivers), + +- connects drivers to devices, + +- enumerates boot devices, + +- auto-generates boot options, + +- provides "BIOS setup" screens, such as: + + - Boot Manager, for booting an option, + + - Boot Maintenance Manager, for adding, deleting, and reordering boot + options, changing console properties etc, + + - Device Manager, where devices can register configuration forms, including + + - Secure Boot configuration forms, + + - OVMF's Platform Driver form (see under PlatformDxe). + +Firmware that includes the "IntelFrameworkModulePkg/Universal/BdsDxe" driver +can customize its behavior by providing an instance of the PlatformBdsLib +library class. The driver links against this platform library, and the +platform library can call Intel's BDS utility functions from +"IntelFrameworkModulePkg/Library/GenericBdsLib". + +OVMF's PlatformBdsLib instance can be found in +"OvmfPkg/Library/PlatformBdsLib". The main function where the BdsDxe driver +enters the library is PlatformBdsPolicyBehavior(). We mention two OVMF +particulars here. + +(1) OVMF is capable of loading kernel images directly from fw_cfg, matching + QEMU's -kernel, -initrd, and -append command line options. This feature is + useful for rapid, repeated Linux kernel testing, and is implemented in the + following call tree: + + PlatformBdsPolicyBehavior() [OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c] + TryRunningQemuKernel() [OvmfPkg/Library/PlatformBdsLib/QemuKernel.c] + LoadLinux*() [OvmfPkg/Library/LoadLinuxLib/Linux.c] + + OvmfPkg/Library/LoadLinuxLib ports the efilinux bootloader project into + OvmfPkg. + +(2) OVMF seeks to comply with the boot order specification passed down by QEMU + over fw_cfg. + + (a) About Boot Modes + + During the PEI phase, OVMF determines and stores the Boot Mode in the + PHIT HOB (already mentioned in "S3 (suspend to RAM and resume)"). The + boot mode is supposed to influence the rest of the system, for example it + distinguishes S3 resume (BOOT_ON_S3_RESUME) from a "normal" boot. + + In general, "normal" boots can be further differentiated from each other; + for example for speed reasons. When the firmware can tell during PEI that + the chassis has not been opened since last power-up, then it might want + to save time by not connecting all devices and not enumerating all boot + options from scratch; it could just rely on the stored results of the + last enumeration. The matching BootMode value, to be set during PEI, + would be BOOT_ASSUMING_NO_CONFIGURATION_CHANGES. + + OVMF only sets one of the following two boot modes, based on CMOS + contents: + - BOOT_ON_S3_RESUME, + - BOOT_WITH_FULL_CONFIGURATION. + + For BOOT_ON_S3_RESUME, please refer to "S3 (suspend to RAM and resume)". + The other boot mode supported by OVMF, BOOT_WITH_FULL_CONFIGURATION, is + an appropriate "catch-all" for a virtual machine, where hardware can + easily change from boot to boot. + + (b) Auto-generation of boot options + + Accordingly, when not resuming from S3 sleep (*), OVMF always connects + all devices, and enumerates all bootable devices as new boot options + (non-volatile variables called Boot####). + + (*) During S3 resume, DXE is not reached, hence BDS isn't either. + + The auto-enumerated boot options are stored in the BootOrder non-volatile + variable after any preexistent options. (Boot options may exist before + auto-enumeration eg. because the user added them manually with the Boot + Maintenance Manager or the efibootmgr utility. They could also originate + from an earlier auto-enumeration.) + + PlatformBdsPolicyBehavior() [OvmfPkg/.../BdsPlatform.c] + TryRunningQemuKernel() [OvmfPkg/.../QemuKernel.c] + BdsLibConnectAll() [IntelFrameworkModulePkg/.../BdsConnect.c] + BdsLibEnumerateAllBootOption() [IntelFrameworkModulePkg/.../BdsBoot.c] + BdsLibBuildOptionFromHandle() [IntelFrameworkModulePkg/.../BdsBoot.c] + BdsLibRegisterNewOption() [IntelFrameworkModulePkg/.../BdsMisc.c] + // + // Append the new option number to the original option order + // + + (c) Relative UEFI device paths in boot options + + The handling of relative ("short-form") UEFI device paths is best + demonstrated through an example, and by quoting the UEFI 2.4A + specification. + + A short-form hard drive UEFI device path could be (displaying each device + path node on a separate line for readability): + + HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/ + \EFI\fedora\shim.efi + + This device path lacks prefix nodes (eg. hardware or messaging type + nodes) that would lead to the hard drive. During load option processing, + the above short-form or relative device path could be matched against the + following absolute device path: + + PciRoot(0x0)/ + Pci(0x4,0x0)/ + HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/ + \EFI\fedora\shim.efi + + The motivation for this type of device path matching / completion is to + allow the user to move around the hard drive (for example, to plug a + controller in a different PCI slot, or to expose the block device on a + different iSCSI path) and still enable the firmware to find the hard + drive. + + The UEFI specification says, + + 9.3.6 Media Device Path + 9.3.6.1 Hard Drive + + [...] Section 3.1.2 defines special rules for processing the Hard + Drive Media Device Path. These special rules enable a disk's location + to change and still have the system boot from the disk. [...] + + 3.1.2 Load Option Processing + + [...] The boot manager must [...] support booting from a short-form + device path that starts with the first element being a hard drive + media device path [...]. The boot manager must use the GUID or + signature and partition number in the hard drive device path to match + it to a device in the system. If the drive supports the GPT + partitioning scheme the GUID in the hard drive media device path is + compared with the UniquePartitionGuid field of the GUID Partition + Entry [...]. If the drive supports the PC-AT MBR scheme the signature + in the hard drive media device path is compared with the + UniqueMBRSignature in the Legacy Master Boot Record [...]. If a + signature match is made, then the partition number must also be + matched. The hard drive device path can be appended to the matching + hardware device path and normal boot behavior can then be used. If + more than one device matches the hard drive device path, the boot + manager will pick one arbitrarily. Thus the operating system must + ensure the uniqueness of the signatures on hard drives to guarantee + deterministic boot behavior. + + Edk2 implements and exposes the device path completion logic in the + already referenced "IntelFrameworkModulePkg/Library/GenericBdsLib" + library, in the BdsExpandPartitionPartialDevicePathToFull() function. + + (d) Filtering and reordering the boot options based on fw_cfg + + Once we have an "all-inclusive", partly preexistent, partly freshly + auto-generated boot option list from bullet (b), OVMF loads QEMU's + requested boot order from fw_cfg, and filters and reorders the list from + (b) with it: + + PlatformBdsPolicyBehavior() [OvmfPkg/.../BdsPlatform.c] + TryRunningQemuKernel() [OvmfPkg/.../QemuKernel.c] + BdsLibConnectAll() [IntelFrameworkModulePkg/.../BdsConnect.c] + BdsLibEnumerateAllBootOption() [IntelFrameworkModulePkg/.../BdsBoot.c] + SetBootOrderFromQemu() [OvmfPkg/.../QemuBootOrder.c] + + According to the (preferred) "-device ...,bootindex=N" and the (legacy) + '-boot order=drives' command line options, QEMU requests a boot order + from the firmware through the "bootorder" fw_cfg file. (For a bootindex + example, refer to the "Example qemu invocation" section.) + + This fw_cfg file consists of OpenFirmware (OFW) device paths -- note: not + UEFI device paths! --, one per line. An example list is: + + /pci@i0cf8/scsi@4/disk@0,0 + /pci@i0cf8/ide@1,1/drive@1/disk@0 + /pci@i0cf8/ethernet@3/ethernet-phy@0 + + OVMF filters and reorders the boot option list from bullet (b) with the + following nested loops algorithm: + + new_uefi_order := + for each qemu_ofw_path in QEMU's OpenFirmware device path list: + qemu_uefi_path_prefix := translate(qemu_ofw_path) + + for each boot_option in current_uefi_order: + full_boot_option := complete(boot_option) + + if match(qemu_uefi_path_prefix, full_boot_option): + append(new_uefi_order, boot_option) + break + + for each unmatched boot_option in current_uefi_order: + if survives(boot_option): + append(new_uefi_order, boot_option) + + current_uefi_order := new_uefi_order + + OVMF iterates over QEMU's OFW device paths in order, translates each to a + UEFI device path prefix, tries to match the translated prefix against the + UEFI boot options (which are completed from relative form to absolute + form for the purpose of prefix matching), and if there's a match, the + matching boot option is appended to the new boot order (which starts out + empty). + + (We elaborate on the translate() function under bullet (e). The + complete() function has been explained in bullet (c).) + + In addition, UEFI boot options that remain unmatched after filtering and + reordering are post-processed, and some of them "survive". Due to the + fact that OpenFirmware device paths have less expressive power than their + UEFI counterparts, some UEFI boot options are simply inexpressible (hence + unmatchable) by the nested loops algorithm. + + An important example is the memory-mapped UEFI shell, whose UEFI device + path is inexpressible by QEMU's OFW device paths: + + MemoryMapped(0xB,0x900000,0x10FFFFF)/ + FvFile(7C04A583-9E3E-4F1C-AD65-E05268D0B4D1) + + (Side remark: notice that the address range visible in the MemoryMapped() + node corresponds to DXEFV under "comprehensive memory map of OVMF"! In + addition, the FvFile() node's GUID originates from the FILE_GUID entry of + "ShellPkg/Application/Shell/Shell.inf".) + + The UEFI shell can be booted by pressing ESC in OVMF on the TianoCore + splash screen, and navigating to Boot Manager | EFI Internal Shell. If + the "survival policy" was not implemented, the UEFI shell's boot option + would always be filtered out. + + The current "survival policy" preserves all boot options that start with + neither PciRoot() nor HD(). + + (e) Translating QEMU's OpenFirmware device paths to UEFI device path + prefixes + + In this section we list the (strictly heuristical) mappings currently + performed by OVMF. + + The "prefix only" nature of the translation output is rooted minimally in + the fact that QEMU's OpenFirmware device paths cannot carry pathnames + within filesystems. There's no way to specify eg. + + \EFI\fedora\shim.efi + + in an OFW device path, therefore a UEFI device path translated from an + OFW device path can at best be a prefix (not a full match) of a UEFI + device path that ends with "\EFI\fedora\shim.efi". + + - IDE disk, IDE CD-ROM: + + OpenFirmware device path: + + /pci@i0cf8/ide@1,1/drive@0/disk@0 + ^ ^ ^ ^ ^ + | | | | master or slave + | | | primary or secondary + | PCI slot & function holding IDE controller + PCI root at system bus port, PIO + + UEFI device path prefix: + + PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0) + ^ + fixed LUN + + - Floppy disk: + + OpenFirmware device path: + + /pci@i0cf8/isa@1/fdc@03f0/floppy@0 + ^ ^ ^ ^ + | | | A: or B: + | | ISA controller io-port (hex) + | PCI slot holding ISA controller + PCI root at system bus port, PIO + + UEFI device path prefix: + + PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0) + ^ + ACPI UID (A: or B:) + + - Virtio-block disk: + + OpenFirmware device path: + + /pci@i0cf8/scsi@6[,3]/disk@0,0 + ^ ^ ^ ^ ^ + | | | fixed + | | PCI function corresponding to disk (optional) + | PCI slot holding disk + PCI root at system bus port, PIO + + UEFI device path prefixes (dependent on the presence of a nonzero PCI + function in the OFW device path): + + PciRoot(0x0)/Pci(0x6,0x0)/HD( + PciRoot(0x0)/Pci(0x6,0x3)/HD( + + - Virtio-scsi disk and virtio-scsi passthrough: + + OpenFirmware device path: + + /pci@i0cf8/scsi@7[,3]/channel@0/disk@2,3 + ^ ^ ^ ^ ^ + | | | | LUN + | | | target + | | channel (unused, fixed 0) + | PCI slot[, function] holding SCSI controller + PCI root at system bus port, PIO + + UEFI device path prefixes (dependent on the presence of a nonzero PCI + function in the OFW device path): + + PciRoot(0x0)/Pci(0x7,0x0)/Scsi(0x2,0x3) + PciRoot(0x0)/Pci(0x7,0x3)/Scsi(0x2,0x3) + + - Emulated and passed-through (physical) network cards: + + OpenFirmware device path: + + /pci@i0cf8/ethernet@3[,2] + ^ ^ + | PCI slot[, function] holding Ethernet card + PCI root at system bus port, PIO + + UEFI device path prefixes (dependent on the presence of a nonzero PCI + function in the OFW device path): + + PciRoot(0x0)/Pci(0x3,0x0) + PciRoot(0x0)/Pci(0x3,0x2) + +Virtio drivers +.............. + +UEFI abstracts various types of hardware resources into protocols, and allows +firmware developers to implement those protocols in device drivers. The Virtio +Specification defines various types of virtual hardware for virtual machines. +Connecting the two specifications, OVMF provides UEFI drivers for QEMU's +virtio-block, virtio-scsi, and virtio-net devices. + +The following diagram presents the protocol and driver stack related to Virtio +devices in edk2 and OVMF. Each node in the graph identifies a protocol and/or +the edk2 driver that produces it. Nodes on the top are more abstract. + + EFI_BLOCK_IO_PROTOCOL EFI_SIMPLE_NETWORK_PROTOCOL + [OvmfPkg/VirtioBlkDxe] [OvmfPkg/VirtioNetDxe] + | | + | EFI_EXT_SCSI_PASS_THRU_PROTOCOL | + | [OvmfPkg/VirtioScsiDxe] | + | | | + +------------------------+--------------------------+ + | + VIRTIO_DEVICE_PROTOCOL + | + +---------------------+---------------------+ + | | + [OvmfPkg/VirtioPciDeviceDxe] [custom platform drivers] + | | + | | + EFI_PCI_IO_PROTOCOL [OvmfPkg/Library/VirtioMmioDeviceLib] + [MdeModulePkg/Bus/Pci/PciBusDxe] direct MMIO register access + +The top three drivers produce standard UEFI abstractions: the Block IO +Protocol, the Extended SCSI Pass Thru Protocol, and the Simple Network +Protocol, for virtio-block, virtio-scsi, and virtio-net devices, respectively. + +Comparing these device-specific virtio drivers to each other, we can determine: + +- They all conform to the UEFI Driver Model. This means that their entry point + functions don't immediately start to search for devices and to drive them, + they only register instances of the EFI_DRIVER_BINDING_PROTOCOL. The UEFI + Driver Model then enumerates devices and chains matching drivers + automatically. + +- They are as minimal as possible, while remaining correct (refer to source + code comments for details). For example, VirtioBlkDxe and VirtioScsiDxe both + support only one request in flight. + + In theory, VirtioBlkDxe could implement EFI_BLOCK_IO2_PROTOCOL, which allows + queueing. Similarly, VirtioScsiDxe does not support the non-blocking mode of + EFI_EXT_SCSI_PASS_THRU_PROTOCOL.PassThru(). (Which is permitted by the UEFI + specification.) Both VirtioBlkDxe and VirtioScsiDxe delegate synchronous + request handling to "OvmfPkg/Library/VirtioLib". This limitation helps keep + the implementation simple, and testing thus far seems to imply satisfactory + performance, for a virtual boot firmware. + + VirtioNetDxe cannot avoid queueing, because EFI_SIMPLE_NETWORK_PROTOCOL + requires it on the interface level. Consequently, VirtioNetDxe is + significantly more complex than VirtioBlkDxe and VirtioScsiDxe. Technical + notes are provided in "OvmfPkg/VirtioNetDxe/TechNotes.txt". + +- None of these drivers access hardware directly. Instead, the Virtio Device + Protocol (OvmfPkg/Include/Protocol/VirtioDevice.h) collects / extracts virtio + operations defined in the Virtio Specification, and these backend-independent + virtio device drivers go through the abstract VIRTIO_DEVICE_PROTOCOL. + + IMPORTANT: the VIRTIO_DEVICE_PROTOCOL is not a standard UEFI protocol. It is + internal to edk2 and not described in the UEFI specification. It should only + be used by drivers and applications that live inside the edk2 source tree. + +Currently two providers exist for VIRTIO_DEVICE_PROTOCOL: + +- The first one is the "more traditional" virtio-pci backend, implemented by + OvmfPkg/VirtioPciDeviceDxe. This driver also complies with the UEFI Driver + Model. It consumes an instance of the EFI_PCI_IO_PROTOCOL, and, if the PCI + device/function under probing appears to be a virtio device, it produces a + Virtio Device Protocol instance for it. The driver translates abstract virtio + operations to PCI accesses. + +- The second provider, the virtio-mmio backend, is a library, not a driver, + living in OvmfPkg/Library/VirtioMmioDeviceLib. This library translates + abstract virtio operations to MMIO accesses. + + The virtio-mmio backend is only a library -- rather than a standalone, UEFI + Driver Model-compliant driver -- because the type of resource it consumes, an + MMIO register block base address, is not enumerable. + + In other words, while the PCI root bridge driver and the PCI bus driver + produce instances of EFI_PCI_IO_PROTOCOL automatically, thereby enabling the + UEFI Driver Model to probe devices and stack up drivers automatically, no + such enumeration exists for MMIO register blocks. + + For this reason, VirtioMmioDeviceLib needs to be linked into thin, custom + platform drivers that dispose over this kind of information. As soon as a + driver knows about the MMIO register block base addresses, it can pass each + to the library, and then the VIRTIO_DEVICE_PROTOCOL will be instantiated + (assuming a valid virtio-mmio register block of course). From that point on + the UEFI Driver Model again takes care of the chaining. + + Typically, such a custom driver does not conform to the UEFI Driver Model + (because that would presuppose auto-enumeration for MMIO register blocks). + Hence it has the following responsibilities: + + - it shall behave as a "wrapper" UEFI driver around the library, + + - it shall know virtio-mmio base addresses, + + - in its entry point function, it shall create a new UEFI handle with an + instance of the EFI_DEVICE_PATH_PROTOCOL for each virtio-mmio device it + knows the base address for, + + - it shall call VirtioMmioInstallDevice() on those handles, with the + corresponding base addresses. + + OVMF itself does not employ VirtioMmioDeviceLib. However, the library is used + (or has been tested as Proof-of-Concept) in the following 64-bit and 32-bit + ARM emulator setups: + + - in "RTSM_VE_FOUNDATIONV8_EFI.fd" and "FVP_AARCH64_EFI.fd", on ARM Holdings' + ARM(R) v8-A Foundation Model and ARM(R) AEMv8-A Base Platform FVP + emulators, respectively: + + EFI_BLOCK_IO_PROTOCOL + [OvmfPkg/VirtioBlkDxe] + | + VIRTIO_DEVICE_PROTOCOL + [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf] + | + [OvmfPkg/Library/VirtioMmioDeviceLib] + direct MMIO register access + + - in "RTSM_VE_CORTEX-A15_EFI.fd" and "RTSM_VE_CORTEX-A15_MPCORE_EFI.fd", on + "qemu-system-arm -M vexpress-a15": + + EFI_BLOCK_IO_PROTOCOL EFI_SIMPLE_NETWORK_PROTOCOL + [OvmfPkg/VirtioBlkDxe] [OvmfPkg/VirtioNetDxe] + | | + +------------------+---------------+ + | + VIRTIO_DEVICE_PROTOCOL + [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf] + | + [OvmfPkg/Library/VirtioMmioDeviceLib] + direct MMIO register access + + In the above ARM / VirtioMmioDeviceLib configurations, VirtioBlkDxe was + tested with booting Linux distributions, while VirtioNetDxe was tested with + pinging public IPv4 addresses from the UEFI shell. + +Platform Driver +............... + +Sometimes, elements of persistent firmware configuration are best exposed to +the user in a friendly way. OVMF's platform driver (OvmfPkg/PlatformDxe) +presents such settings on the "OVMF Platform Configuration" dialog: + +- Press ESC on the TianoCore splash screen, +- Navigate to Device Manager | OVMF Platform Configuration. + +At the moment, OVMF's platform driver handles only one setting: the preferred +graphics resolution. This is useful for two purposes: + +- Some UEFI shell commands, like DRIVERS and DEVICES, benefit from a wide + display. Using the MODE shell command, the user can switch to a larger text + resolution (limited by the graphics resolution), and see the command output + in a more easily consumable way. + + [RHEL] The list of text modes available to the MODE command is also limited + by ConSplitterDxe (found under MdeModulePkg/Universal/Console). + ConSplitterDxe builds an intersection of text modes that are + simultaneously supported by all consoles that ConSplitterDxe + multiplexes console output to. + + In practice, the strongest text mode restriction comes from + TerminalDxe, which provides console I/O on serial ports. TerminalDxe + has a very limited built-in list of text modes, heavily pruning the + intersection built by ConSplitterDxe, and made available to the MODE + command. + + On the Red Hat Enterprise Linux 7.1 host, TerminalDxe's list of modes + has been extended with text resolutions that match the Spice QXL GPU's + common graphics resolutions. This way a "full screen" text mode should + always be available in the MODE command. + +- The other advantage of controlling the graphics resolution lies with UEFI + operating systems that don't (yet) have a native driver for QEMU's virtual + video cards -- eg. the Spice QXL GPU. Such OSes may choose to inherit the + properties of OVMF's EFI_GRAPHICS_OUTPUT_PROTOCOL (provided by + OvmfPkg/QemuVideoDxe, see later). + + Although the display can be used at runtime in such cases, by direct + framebuffer access, its properties, for example, the resolution, cannot be + modified. The platform driver allows the user to select the preferred GOP + resolution, reboot, and let the guest OS inherit that preferred resolution. + +The platform driver has three access points: the "normal" driver entry point, a +set of HII callbacks, and a GOP installation callback. + +(1) Driver entry point: the PlatformInit() function. + + (a) First, this function loads any available settings, and makes them take + effect. For the preferred graphics resolution in particular, this means + setting the following PCDs: + + gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution + gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution + + These PCDs influence the GraphicsConsoleDxe driver (located under + MdeModulePkg/Universal/Console), which switches to the preferred + graphics mode, and produces EFI_SIMPLE_TEXT_OUTPUT_PROTOCOLs on GOPs: + + EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL + [MdeModulePkg/Universal/Console/GraphicsConsoleDxe] + | + EFI_GRAPHICS_OUTPUT_PROTOCOL + [OvmfPkg/QemuVideoDxe] + | + EFI_PCI_IO_PROTOCOL + [MdeModulePkg/Bus/Pci/PciBusDxe] + + (b) Second, the driver entry point registers the user interface, including + HII callbacks. + + (c) Third, the driver entry point registers a GOP installation callback. + +(2) HII callbacks and the user interface. + + The Human Interface Infrastructure (HII) "is a set of protocols that allow + a UEFI driver to provide the ability to register user interface and + configuration content with the platform firmware". + + OVMF's platform driver: + + - provides a static, basic, visual form (PlatformForms.vfr), written in the + Visual Forms Representation language, + + - includes a UCS-16 encoded message catalog (Platform.uni), + + - includes source code that dynamically populates parts of the form, with + the help of MdeModulePkg/Library/UefiHiiLib -- this library simplifies + the handling of IFR (Internal Forms Representation) opcodes, + + - processes form actions that the user takes (Callback() function), + + - loads and saves platform configuration in a private, non-volatile + variable (ExtractConfig() and RouteConfig() functions). + + The ExtractConfig() HII callback implements the following stack of + conversions, for loading configuration and presenting it to the user: + + MultiConfigAltResp -- form engine / HII communication + ^ + | + [BlockToConfig] + | + MAIN_FORM_STATE -- binary representation of form/widget + ^ state + | + [PlatformConfigToFormState] + | + PLATFORM_CONFIG -- accessible to DXE and UEFI drivers + ^ + | + [PlatformConfigLoad] + | + UEFI non-volatile variable -- accessible to external utilities + + The layers are very similar for the reverse direction, ie. when taking + input from the user, and saving the configuration (RouteConfig() HII + callback): + + ConfigResp -- form engine / HII communication + | + [ConfigToBlock] + | + v + MAIN_FORM_STATE -- binary representation of form/widget + | state + [FormStateToPlatformConfig] + | + v + PLATFORM_CONFIG -- accessible to DXE and UEFI drivers + | + [PlatformConfigSave] + | + v + UEFI non-volatile variable -- accessible to external utilities + +(3) When the platform driver starts, a GOP may not be available yet. Thus the + driver entry point registers a callback (the GopInstalled() function) for + GOP installations. + + When the first GOP is produced (usually by QemuVideoDxe, or potentially by + a third party video driver), PlatformDxe retrieves the list of graphics + modes the GOP supports, and dynamically populates the drop-down list of + available resolutions on the form. The GOP installation callback is then + removed. + +Video driver +............ + +OvmfPkg/QemuVideoDxe is OVMF's built-in video driver. We can divide its +services in two parts: graphics output protocol (primary), and Int10h (VBE) +shim (secondary). + +(1) QemuVideoDxe conforms to the UEFI Driver Model; it produces an instance of + the EFI_GRAPHICS_OUTPUT_PROTOCOL (GOP) on each PCI display that it supports + and is connected to: + + EFI_GRAPHICS_OUTPUT_PROTOCOL + [OvmfPkg/QemuVideoDxe] + | + EFI_PCI_IO_PROTOCOL + [MdeModulePkg/Bus/Pci/PciBusDxe] + + It supports the following QEMU video cards: + + - Cirrus 5430 ("-device cirrus-vga"), + - Standard VGA ("-device VGA"), + - QXL VGA ("-device qxl-vga", "-device qxl"). + + For Cirrus the following resolutions and color depths are available: + 640x480x32, 800x600x32, 1024x768x24. On stdvga and QXL a long list of + resolutions is available. The list is filtered against the frame buffer + size during initialization. + + The size of the QXL VGA compatibility framebuffer can be changed with the + + -device qxl-vga,vgamem_mb=$NUM_MB + + QEMU option. If $NUM_MB exceeds 32, then the following is necessary + instead: + + -device qxl-vga,vgamem_mb=$NUM_MB,ram_size_mb=$((NUM_MB*2)) + + because the compatibility framebuffer can't cover more than half of PCI BAR + #0. The latter defaults to 64MB in size, and is controlled by the + "ram_size_mb" property. + +(2) When QemuVideoDxe binds the first Standard VGA or QXL VGA device, and there + is no real VGA BIOS present in the C to F segments (which could originate + from a legacy PCI option ROM -- refer to "Compatibility Support Module + (CSM)"), then QemuVideoDxe installs a minimal, "fake" VGA BIOS -- an Int10h + (VBE) "shim". + + The shim is implemented in 16-bit assembly in + "OvmfPkg/QemuVideoDxe/VbeShim.asm". The "VbeShim.sh" shell script assembles + it and formats it as a C array ("VbeShim.h") with the help of the "nasm" + utility. The driver's InstallVbeShim() function copies the shim in place + (the C segment), and fills in the VBE Info and VBE Mode Info structures. + The real-mode 10h interrupt vector is pointed to the shim's handler. + + The shim is (correctly) irrelevant and invisible for all UEFI operating + systems we know about -- except Windows Server 2008 R2 and other Windows + operating systems in that family. + + Namely, the Windows 2008 R2 SP1 (and Windows 7) UEFI guest's default video + driver dereferences the real mode Int10h vector, loads the pointed-to + handler code, and executes what it thinks to be VGA BIOS services in an + internal real-mode emulator. Consequently, video mode switching used not to + work in Windows 2008 R2 SP1 when it ran on the "pure UEFI" build of OVMF, + making the guest uninstallable. Hence the (otherwise optional, non-default) + Compatibility Support Module (CSM) ended up a requirement for running such + guests. + + The hard dependency on the sophisticated SeaBIOS CSM and the complex + supporting edk2 infrastructure, for enabling this family of guests, was + considered suboptimal by some members of the upstream community, + + [RHEL] and was certainly considered a serious maintenance disadvantage for + Red Hat Enterprise Linux 7.1 hosts. + + Thus, the shim has been collaboratively developed for the Windows 7 / + Windows Server 2008 R2 family. The shim provides a real stdvga / QXL + implementation for the few services that are in fact necessary for the + Windows 2008 R2 SP1 (and Windows 7) UEFI guest, plus some "fakes" that the + guest invokes but whose effect is not important. The only supported mode is + 1024x768x32, which is enough to install the guest and then upgrade its + video driver to the full-featured QXL XDDM one. + + The C segment is not present in the UEFI memory map prepared by OVMF. + Memory space that would cover it is never added (either in PEI, in the form + of memory resource descriptor HOBs, or in DXE, via gDS->AddMemorySpace()). + This way the handler body is invisible to all other UEFI guests, and the + rest of edk2. + + The Int10h real-mode IVT entry is covered with a Boot Services Code page, + making that too inaccessible to the rest of edk2. Due to the allocation + type, UEFI guest OSes different from the Windows Server 2008 family can + reclaim the page at zero. (The Windows 2008 family accesses that page + regardless of the allocation type.) + +Afterword +--------- + +After the bulk of this document was written in July 2014, OVMF development has +not stopped. To name two significant code contributions from the community: in +January 2015, OVMF runs on the "q35" machine type of QEMU, and it features a +driver for Xen paravirtual block devices (and another for the underlying Xen +bus). + +Furthermore, a dedicated virtualization platform has been contributed to +ArmPlatformPkg that plays a role parallel to OvmfPkg's. It targets the "virt" +machine type of qemu-system-arm and qemu-system-aarch64. Parts of OvmfPkg are +being refactored and modularized so they can be reused in +"ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc". diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec new file mode 100644 index 0000000..28b8bcf --- /dev/null +++ b/SPECS/edk2.spec @@ -0,0 +1,1319 @@ +ExclusiveArch: x86_64 aarch64 + +%define GITDATE 20220126 +%define GITCOMMIT bb1bba3d77 +%define TOOLCHAIN GCC5 +%define OPENSSL_VER 1.1.1k + +%define qosb_testing 0 +%ifarch x86_64 +%define qosb_testing 1 +%endif + +%define qemu_package qemu-kvm-core >= 2.12.0-89 +%define qemu_binary /usr/libexec/qemu-kvm + +%define build_ovmf 0 +%define build_aarch64 0 +%ifarch x86_64 + %define build_ovmf 1 +%endif +%ifarch aarch64 + %define build_aarch64 1 +%endif + +Name: edk2 +Version: %{GITDATE}git%{GITCOMMIT} +Release: 3%{?dist} +Summary: UEFI firmware for 64-bit virtual machines +License: BSD-2-Clause-Patent and OpenSSL and MIT +URL: http://www.tianocore.org + +# The source tarball is created using following commands: +# COMMIT=bb1bba3d77 +# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \ +# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz +Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz +Source1: ovmf-whitepaper-c770f8c.txt +Source2: openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz +Source3: ovmf-vars-generator +Source4: LICENSE.qosb +Source5: RedHatSecureBootPkKek1.pem + +Source10: edk2-aarch64-verbose.json +Source11: edk2-aarch64.json +Source12: edk2-ovmf-sb.json +Source13: edk2-ovmf.json +Source14: edk2-ovmf-cc.json +Source15: edk2-ovmf-amdsev.json + +Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch +Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch +Patch0010: 0010-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch +Patch0011: 0011-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch +Patch0012: 0012-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +Patch0013: 0013-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +Patch0014: 0014-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +Patch0015: 0015-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch +Patch0016: 0016-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch +Patch0017: 0017-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch +Patch0018: 0018-ArmVirtPkg-set-early-hello-message-RH-only.patch +Patch0019: 0019-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +Patch0020: 0020-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch0021: 0021-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +Patch0022: 0022-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +Patch0023: 0023-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch0024: 0024-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch +Patch0025: 0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +Patch0026: 0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch0029: 0029-OvmfPkg-Remove-PrintDxe-RHEL-only.patch +Patch0030: 0030-OvmfPkg-Remove-EbcDxe-RHEL-only.patch +Patch0031: 0031-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch +Patch0032: 0032-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch +Patch0033: 0033-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch +Patch0034: 0034-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch +Patch0035: 0035-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch +Patch0036: 0036-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch +Patch0037: 0037-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch +Patch0038: 0038-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch +Patch0039: 0039-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch0040: 0040-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch0041: 0041-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch +Patch0042: 0042-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch +Patch0043: 0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch +Patch0044: 0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch +Patch0045: 0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch +Patch0046: 0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch +# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default +Patch47: edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch +# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default +Patch48: edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch +# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default +Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch +# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default +Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch +# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default +Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch +# For bz#2041755 - Mark SEV launch secret area as reserved +Patch52: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch + + +# python3-devel and libuuid-devel are required for building tools. +# python3-devel is also needed for varstore template generation and +# verification with "ovmf-vars-generator". +BuildRequires: python3-devel +BuildRequires: libuuid-devel +BuildRequires: /usr/bin/iasl +BuildRequires: binutils gcc git gcc-c++ make + +%if %{build_ovmf} +# Only OVMF includes 80x86 assembly files (*.nasm*). +BuildRequires: nasm + +# Only OVMF includes the Secure Boot feature, for which we need to separate out +# the UEFI shell. +BuildRequires: dosfstools +BuildRequires: mtools +BuildRequires: xorriso + +# For generating the variable store template with the default certificates +# enrolled, we need the qemu-kvm executable. +BuildRequires: %{qemu_package} + +%if %{qosb_testing} +# For verifying SB enablement in the above variable store template, we need a +# guest kernel that prints "Secure boot enabled". +BuildRequires: kernel-core >= 4.18.0-161 +BuildRequires: rpmdevtools +%endif + +# endif build_ovmf +%endif + + +%package ovmf +Summary: UEFI firmware for x86_64 virtual machines +BuildArch: noarch +Provides: OVMF = %{version}-%{release} +Obsoletes: OVMF < 20180508-100.gitee3198e672e2.el7 + +# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL +# library. +Provides: bundled(openssl) = %{OPENSSL_VER} +License: BSD-2-Clause-Patent and OpenSSL + +# URL taken from the Maintainers.txt file. +URL: http://www.tianocore.org/ovmf/ + +%description ovmf +OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for +Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU +and KVM. + + +%package aarch64 +Summary: UEFI firmware for aarch64 virtual machines +BuildArch: noarch +Provides: AAVMF = %{version}-%{release} +Obsoletes: AAVMF < 20180508-100.gitee3198e672e2.el7 + +# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack. +Provides: bundled(openssl) = %{OPENSSL_VER} +License: BSD-2-Clause-Patent and OpenSSL + +# URL taken from the Maintainers.txt file. +URL: https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg + +%description aarch64 +AAVMF (ARM Architecture Virtual Machine Firmware) is an EFI Development Kit II +platform that enables UEFI support for QEMU/KVM ARM Virtual Machines. This +package contains a 64-bit build. + + +%package tools +Summary: EFI Development Kit II Tools +License: BSD-2-Clause-Patent +URL: https://github.com/tianocore/tianocore.github.io/wiki/BaseTools +%description tools +This package provides tools that are needed to +build EFI executables and ROMs using the GNU tools. + +%package tools-doc +Summary: Documentation for EFI Development Kit II Tools +BuildArch: noarch +License: BSD-2-Clause-Patent +URL: https://github.com/tianocore/tianocore.github.io/wiki/BaseTools +%description tools-doc +This package documents the tools that are needed to +build EFI executables and ROMs using the GNU tools. + +%description +EDK II is a modern, feature-rich, cross-platform firmware development +environment for the UEFI and PI specifications. This package contains sample +64-bit UEFI firmware builds for QEMU and KVM. + +%prep +# We needs some special git config options that %%autosetup won't give us. +# We init the git dir ourselves, then tell %%autosetup not to blow it away. +%setup -q -n edk2-%{GITCOMMIT} +git init -q +git config core.whitespace cr-at-eol +git config am.keepcr true +# -T is passed to %%setup to not re-extract the archive +# -D is passed to %%setup to not delete the existing archive dir +%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am + +cp -a -- %{SOURCE1} %{SOURCE3} . +cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} . +tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x + +# Format the Red Hat-issued certificate that is to be enrolled as both Platform +# Key and first Key Exchange Key, as an SMBIOS OEM String. This means stripping +# the PEM header and footer, and prepending the textual representation of the +# GUID that identifies this particular OEM String to "EnrollDefaultKeys.efi", +# plus the separator ":". For details, see +# comments 2, 7, 14. +sed \ + -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ + -e '/^-----END CERTIFICATE-----$/d' \ + %{SOURCE5} \ + > PkKek1.oemstr + +# Done by %setup, but we do not use it for the auxiliary tarballs +chmod -Rf a+rX,u+w,g-w,o-w . + +%build +export PYTHON_COMMAND=%{__python3} +source ./edksetup.sh +%make_build -C "$EDK_TOOLS_PATH" \ + EXTRA_OPTFLAGS="%{optflags}" \ + EXTRA_LDFLAGS="%{__global_ldflags}" + +SMP_MFLAGS="%{?_smp_mflags}" +if [[ x"$SMP_MFLAGS" = x-j* ]]; then + CC_FLAGS="$CC_FLAGS -n ${SMP_MFLAGS#-j}" +elif [ -n "%{?jobs}" ]; then + CC_FLAGS="$CC_FLAGS -n %{?jobs}" +fi + +CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash" +CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE" +CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE" +CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE=TRUE" +CC_FLAGS="$CC_FLAGS -D TPM1_ENABLE=FALSE" + +OVMF_FLAGS="${CC_FLAGS}" +OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_4MB" +OVMF_FLAGS="${OVMF_FLAGS} -D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE" + +OVMF_SB_FLAGS="${OVMF_FLAGS}" +OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SECURE_BOOT_ENABLE" +OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SMM_REQUIRE" +OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D EXCLUDE_SHELL_FROM_FD" + + +build_iso() { + dir="$1" + UEFI_SHELL_BINARY=${dir}/Shell.efi + ENROLLER_BINARY=${dir}/EnrollDefaultKeys.efi + UEFI_SHELL_IMAGE=uefi_shell.img + ISO_IMAGE=${dir}/UefiShell.iso + + UEFI_SHELL_BINARY_BNAME=$(basename -- "$UEFI_SHELL_BINARY") + UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY") + ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY") + + # add 1MB then 10% for metadata + UEFI_SHELL_IMAGE_KB=$(( + (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024 + )) + + # create non-partitioned FAT image + rm -f -- "$UEFI_SHELL_IMAGE" + mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB" + + # copy the shell binary into the FAT image + export MTOOLS_SKIP_CHECK=1 + mmd -i "$UEFI_SHELL_IMAGE" ::efi + mmd -i "$UEFI_SHELL_IMAGE" ::efi/boot + mcopy -i "$UEFI_SHELL_IMAGE" "$UEFI_SHELL_BINARY" ::efi/boot/bootx64.efi + mcopy -i "$UEFI_SHELL_IMAGE" "$ENROLLER_BINARY" :: + mdir -i "$UEFI_SHELL_IMAGE" -/ :: + + # build ISO with FAT image file as El Torito EFI boot image + mkisofs -input-charset ASCII -J -rational-rock \ + -e "$UEFI_SHELL_IMAGE" -no-emul-boot \ + -o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE" +} + + +%if %{build_ovmf} +# Build with neither SB nor SMM; include UEFI shell. +build ${OVMF_FLAGS} -a X64 \ + -p OvmfPkg/OvmfPkgX64.dsc + +# Build with SB and SMM; exclude UEFI shell. +build ${OVMF_SB_FLAGS} -a IA32 -a X64 \ + -p OvmfPkg/OvmfPkgIa32X64.dsc + +# Build AmdSev +touch OvmfPkg/AmdSev/Grub/grub.efi # dummy +build ${OVMF_FLAGS} -a X64 \ + -p OvmfPkg/AmdSev/AmdSevX64.dsc + +# Sanity check: the varstore templates must be identical. +cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ + Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd + +# Prepare an ISO image that boots the UEFI shell. +build_iso Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64 + +# Enroll the default certificates in a separate variable store template. +%{__python3} ovmf-vars-generator --verbose --verbose \ + --qemu-binary %{qemu_binary} \ + --ovmf-binary Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ + --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ + --uefi-shell-iso Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \ + --oem-string "$(< PkKek1.oemstr)" \ + --skip-testing \ + Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd + +# endif build_ovmf +%endif + +%if %{build_aarch64} +# Build with a verbose debug mask first, and stash the binary. +build ${CC_FLAGS} -a AARCH64 \ + -p ArmVirtPkg/ArmVirtQemu.dsc \ + -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F +cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \ + Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd + +# Rebuild with a silent (errors only) debug mask. +build ${CC_FLAGS} -a AARCH64 \ + -p ArmVirtPkg/ArmVirtQemu.dsc \ + -D DEBUG_PRINT_ERROR_LEVEL=0x80000000 +# endif build_aarch64 +%endif + + +%install + +cp -a OvmfPkg/License.txt License.OvmfPkg.txt +cp -a CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl +mkdir -p %{buildroot}%{_datadir}/qemu/firmware + +# install the tools +mkdir -p %{buildroot}%{_bindir} \ + %{buildroot}%{_datadir}/%{name}/Conf \ + %{buildroot}%{_datadir}/%{name}/Scripts +install BaseTools/Source/C/bin/* \ + %{buildroot}%{_bindir} +install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \ + %{buildroot}%{_bindir} +install BaseTools/BuildEnv \ + %{buildroot}%{_datadir}/%{name} +install BaseTools/Conf/*.template \ + %{buildroot}%{_datadir}/%{name}/Conf +install BaseTools/Scripts/GccBase.lds \ + %{buildroot}%{_datadir}/%{name}/Scripts + + +%if %{build_ovmf} +mkdir -p \ + %{buildroot}%{_datadir}/OVMF \ + %{buildroot}%{_datadir}/%{name}/ovmf + +install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd +install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd + +install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_VARS.fd +install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd +install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \ + %{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso + +install -m 0644 Build/AmdSev/DEBUG_%{TOOLCHAIN}/FV/OVMF.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd + +ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/UefiShell.iso %{buildroot}%{_datadir}/OVMF/ + +install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi \ + %{buildroot}%{_datadir}/%{name}/ovmf/Shell.efi +install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi \ + %{buildroot}%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi + +install -m 0644 edk2-ovmf-sb.json \ + %{buildroot}%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json +install -m 0644 edk2-ovmf.json \ + %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json +install -m 0644 edk2-ovmf-cc.json \ + %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json +install -m 0644 edk2-ovmf-amdsev.json \ + %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json + +# endif build_ovmf +%endif + +%if %{build_aarch64} +mkdir -p \ + %{buildroot}%{_datadir}/AAVMF \ + %{buildroot}%{_datadir}/%{name}/aarch64 + +# Pad and install the verbose binary. +cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd \ + /dev/zero \ +| head -c 64m \ + > %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw + +# Pad and install the silent (default) binary. +cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \ + /dev/zero \ +| head -c 64m \ + > %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw + +# Create varstore template. +cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \ + /dev/zero \ +| head -c 64m \ + > %{buildroot}%{_datadir}/%{name}/aarch64/vars-template-pflash.raw + +ln -s ../%{name}/aarch64/QEMU_EFI-pflash.raw \ + %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd +ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \ + %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.fd +ln -s ../%{name}/aarch64/vars-template-pflash.raw \ + %{buildroot}%{_datadir}/AAVMF/AAVMF_VARS.fd + +chmod 0644 -- %{buildroot}%{_datadir}/AAVMF/AAVMF_*.fd + +install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd \ + %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI.fd +install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \ + %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd +install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \ + %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_VARS.fd + +install -m 0644 edk2-aarch64.json \ + %{buildroot}%{_datadir}/qemu/firmware/60-edk2-aarch64.json +install -m 0644 edk2-aarch64-verbose.json \ + %{buildroot}%{_datadir}/qemu/firmware/70-edk2-aarch64-verbose.json +# endif build_aarch64 +%endif + + +%check + +%if %{qosb_testing} +# Of the installed host kernels, boot the one with the highest Version-Release +# under OVMF, and check if it prints "Secure boot enabled". +KERNEL_PKG=$(rpm -q kernel-core | rpmdev-sort | tail -n 1) +KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$') + +%{__python3} ovmf-vars-generator --verbose --verbose \ + --qemu-binary %{qemu_binary} \ + --ovmf-binary Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \ + --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ + --uefi-shell-iso Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \ + --kernel-path $KERNEL_IMG \ + --skip-enrollment \ + --no-download \ + Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd + +# endif qosb_testing +%endif + + +%global common_files \ + %%license License.txt License.OvmfPkg.txt License-History.txt LICENSE.openssl \ + %%dir %%{_datadir}/%%{name}/ \ + %%dir %%{_datadir}/qemu \ + %%dir %%{_datadir}/qemu/firmware + +%if %{build_ovmf} +%files ovmf +%common_files +%doc OvmfPkg/README +%doc ovmf-whitepaper-c770f8c.txt +%dir %{_datadir}/OVMF/ +%dir %{_datadir}/%{name}/ovmf/ +%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd +%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd +%{_datadir}/%{name}/ovmf/OVMF_VARS.fd +%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd +%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd +%{_datadir}/%{name}/ovmf/UefiShell.iso +%{_datadir}/OVMF/OVMF_CODE.secboot.fd +%{_datadir}/OVMF/OVMF_VARS.fd +%{_datadir}/OVMF/OVMF_VARS.secboot.fd +%{_datadir}/OVMF/UefiShell.iso +%{_datadir}/%{name}/ovmf/Shell.efi +%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi +%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json +%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json +%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json +%{_datadir}/qemu/firmware/50-edk2-ovmf.json +# endif build_ovmf +%endif + +%if %{build_aarch64} +%files aarch64 +%common_files +%dir %{_datadir}/AAVMF/ +%dir %{_datadir}/%{name}/aarch64/ +%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw +%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw +%{_datadir}/%{name}/aarch64/vars-template-pflash.raw +%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd +%{_datadir}/AAVMF/AAVMF_CODE.fd +%{_datadir}/AAVMF/AAVMF_VARS.fd +%{_datadir}/%{name}/aarch64/QEMU_EFI.fd +%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd +%{_datadir}/%{name}/aarch64/QEMU_VARS.fd +%{_datadir}/qemu/firmware/60-edk2-aarch64.json +%{_datadir}/qemu/firmware/70-edk2-aarch64-verbose.json +# endif build_aarch64 +%endif + +%files tools +%license License.txt +%license License-History.txt +%{_bindir}/DevicePath +%{_bindir}/EfiRom +%{_bindir}/GenCrc32 +%{_bindir}/GenFfs +%{_bindir}/GenFv +%{_bindir}/GenFw +%{_bindir}/GenSec +%{_bindir}/LzmaCompress +%{_bindir}/LzmaF86Compress +%{_bindir}/TianoCompress +%{_bindir}/VfrCompile +%{_bindir}/VolInfo +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/BuildEnv +%{_datadir}/%{name}/Conf +%{_datadir}/%{name}/Scripts + +%files tools-doc +%doc BaseTools/UserManuals/*.rtf + + +%changelog +* Wed Feb 23 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-3 +- edk2-spec-build-amdsev-variant.patch [bz#2054661] +- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755] +- Resolves: bz#2054661 + (RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF) +- Resolves: bz#2041755 + (Mark SEV launch secret area as reserved) + +* Tue Feb 08 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-2 +- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497] +- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497] +- edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch [bz#1935497] +- edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch [bz#1935497] +- edk2-OvmfPkg-rework-TPM-configuration.patch [bz#1935497] +- edk2-spec-adapt-specfile-to-build-option-changes-disable-.patch [bz#1935497] +- Resolves: bz#1935497 + (edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default) + +* Tue Feb 01 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-1 +- Rebase to latest upstream release [bz#2018388] +- Resolves: bz#2018388 + ([rebase] update edk2 to nov '21 release (edk2-stable202111xx)) + +* Fri Jan 14 2022 Miroslav Rezanina - 20210527gite1999b264f1f-8 +- edk2-Revert-advertise-OpenSSL-on-TianoCore-splash-screen-.patch [bz#2027286] +- Resolves: bz#2027286 + (Remove the customized boot splash logo patch) + +* Mon Nov 01 2021 Miroslav Rezanina - 20210527gite1999b264f1f-7 +- edk2-fix-tpm-build-options.patch [bz#2000396] +- Resolves: bz#2000396 + ([aarch64][RHEL9] The lack of TPMFinalLog in efi causes the tpm self-test in the guest to fail) + +* Mon Aug 09 2021 Mohan Boddu - 20210527gite1999b264f1f-6 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Aug 06 2021 Miroslav Rezanina - 20210527gite1999b264f1f-5 +- edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch [bz#1988760] +- Resolves: bz#1988760 + (edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec) + +* Fri Jul 30 2021 Miroslav Rezanina - 20210527gite1999b264f1f-4 +- edk2-spec-remove-Group-and-defattr.patch [bz#1983789] +- edk2-spec-Add-BuildRequires-make.patch [bz#1983789] +- edk2-spec-don-t-conditionalize-package-definitions.patch [bz#1983789] +- edk2-spec-Use-autosetup-with-our-required-git-config-opti.patch [bz#1983789] +- edk2-spec-Replace-ifarch-else-conditionals-with-build_XXX.patch [bz#1983789] +- edk2-spec-Move-D-TPM_ENABLE-to-common-CC_FLAGS.patch [bz#1983789] +- edk2-spec-Add-qemu_package-and-qemu_binary.patch [bz#1983789] +- edk2-spec-Remove-extra-true-at-end-of-check.patch [bz#1983789] +- edk2-spec-Move-check-to-between-install-and-files.patch [bz#1983789] +- edk2-spec-Add-qosb_testing-macro.patch [bz#1983789] +- edk2-spec-Split-out-build_iso-function.patch [bz#1983789] +- edk2-spec-Replace-RPM_BUILD_ROOT-with-buildroot.patch [bz#1983789] +- edk2-spec-Use-make_build-macro.patch [bz#1983789] +- edk2-spec-Factor-out-OVMF_FLAGS-and-OVMF_SB_FLAGS.patch [bz#1983789] +- edk2-spec-Don-t-put-build-output-in-the-top-directory.patch [bz#1983789] +- edk2-spec-Centralize-non-firmware-install-files-at-the-to.patch [bz#1983789] +- Resolves: bz#1983789 + (Make spec easier to share with Fedora) + +* Mon Jul 12 2021 Miroslav Rezanina - 20210527gite1999b264f1f-3 +- edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch [bz#1967747] +- edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch [bz#1967747] +- edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch [bz#1967747] +- edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch [bz#1967747] +- Resolves: bz#1967747 + (edk2: review features and drivers shipped in RHEL) + +* Fri Jul 02 2021 Miroslav Rezanina - 20210527gite1999b264f1f-2 +- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100] +- edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840] +- Resolves: bz#1961100 + (edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]) +- Resolves: bz#1971840 + (Please replace genisoimage with xorriso) + +* Wed Jun 23 2021 Miroslav Rezanina - 20210527gite1999b264f1f-1 +- Rebase to edk2-stable202105 [bz#1938254] +- Sync edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch from RHEL-8 +- Sync edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch from RHEL-8 +- Resolves: bz#1938254 + ((edk2-rebase-rhel-9.0) - rebase edk2 to edk2-stable202105 for RHEL-9-Beta) + +* Fri Jan 08 2021 Miroslav Rezanina - 20200602gitca407c7246bf-1.el9 +- Include fixes to build in RHEL 9 environment (bz#1906468) +- Resolves: bz#1906468 + ([RHEL9][FTBFS] edk2 FTBFS on Red Hat Enterprise Linux 9.0.0 Alpha) + +* Mon Nov 23 2020 Miroslav Rezanina - 20200602gitca407c7246bf-4.el8 +- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177] +- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177] +- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch [bz#1849177] +- edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch [bz#1893806] +- edk2-redhat-bump-OpenSSL-dist-git-submodule-to-1.1.1g-RHE.patch [bz#1893806] +- Resolves: bz#1849177 + (OVMF: negotiate "SMI on VCPU hotplug" with QEMU) +- Resolves: bz#1893806 + (attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)) + +* Mon Aug 10 2020 Miroslav Rezanina - 20200602gitca407c7246bf-3.el8 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718] +- Resolves: bz#1861718 + (Very slow boot when overcommitting CPU) + +* Wed Jun 24 2020 Miroslav Rezanina - 20200602gitca407c7246bf-2.el8 +- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682] +- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682] +- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682] +- Resolves: bz#1844682 + (silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors) + +* Sat Jun 13 2020 Miroslav Rezanina - 20200602gitca407c7246bf-1.el8 +- Rebase to edk2-stable202005 [bz#1817035] +- Resolves: bz#1817035 + ((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3) + +* Fri Mar 27 2020 Miroslav Rezanina - 20190829git37eef91017ad-9.el8 +- edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359] +- Resolves: bz#1806359 + (bochs-display cannot show graphic wihout driver attach) + +* Tue Feb 18 2020 Miroslav Rezanina - 20190829git37eef91017ad-8.el8 +- edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch [bz#1801274] +- edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch [bz#1801274] +- Resolves: bz#1801274 + (CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8]) + +* Tue Feb 11 2020 Miroslav Rezanina - 20190829git37eef91017ad-7.el8 +- edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch [bz#1751993] +- Resolves: bz#1751993 + (DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]) + +* Tue Jan 21 2020 Miroslav Rezanina - 20190829git37eef91017ad-6.el8 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch [bz#1789335] +- Resolves: bz#1789335 + (VM with edk2 can't boot when setting memory with '-m 2001') + +* Thu Jan 16 2020 Miroslav Rezanina - 20190829git37eef91017ad-5.el8 +- edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch [bz#1789797] +- edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch [bz#1789797] +- Resolves: bz#1789797 + (Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files) + +* Wed Dec 11 2019 Miroslav Rezanina - 20190829git37eef91017ad-4.el8 +- edk2-redhat-set-guest-RAM-size-to-768M-for-SB-varstore-te.patch [bz#1778301] +- edk2-redhat-re-enable-Secure-Boot-varstore-template-verif.patch [bz#1778301] +- Resolves: bz#1778301 + (re-enable Secure Boot (varstore template) verification in %check) + +* Thu Dec 05 2019 Miroslav Rezanina - 20190829git37eef91017ad-3.el8 +- Update used openssl version [bz#1616029] +- Resolves: bz#1616029 + (rebuild edk2 against the final RHEL-8.2.0 version of OpenSSL-1.1.1) + +* Mon Dec 02 2019 Miroslav Rezanina - 20190829git37eef91017ad-2.el8 +- edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch [bz#1536624] +- edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch [bz#1536624] +- edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch [bz#1536624] +- edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch [bz#1536624] +- edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch [bz#1536624] +- edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch [bz#1536624] +- edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch [bz#1536624] +- edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch [bz#1536624] +- edk2-redhat-enable-HTTPS-Boot.patch [bz#1536624] +- Resolves: bz#1536624 + (HTTPS enablement in OVMF) + +* Fri Nov 29 2019 Miroslav Rezanina - 20190829git37eef91017ad-1.el8 +- Rebase to edk2-stable201908 [bz#1748180] +- Resolves: bz#1748180 + ((edk2-rebase-rhel-8.2) - rebase edk2 to upstream tag edk2-stable201908 for RHEL-8.2) + +* Mon Aug 05 2019 Miroslav Rezanina - 20190308git89910a39dcfd-6.el8 +- edk2-ArmVirtPkg-silence-DEBUG_VERBOSE-masking-0x00400000-.patch [bz#1714446] +- edk2-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch [bz#1714446] +- edk2-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1714446] +- Resolves: bz#1714446 + (edk2-aarch64 silent build is not silent enough) + +* Tue Jul 02 2019 Miroslav Rezanina - 20190308git89910a39dcfd-5.el8 +- edk2-redhat-add-D-TPM2_ENABLE-to-the-edk2-ovmf-build-flag.patch [bz#1693205] +- Resolves: bz#1693205 + (edk2: Enable TPM2 support) + +* Tue Jun 11 2019 Miroslav Rezanina - 20190308git89910a39dcfd-4.el8 +- edk2-OvmfPkg-raise-the-PCIEXBAR-base-to-2816-MB-on-Q35.patch [bz#1666941] +- edk2-OvmfPkg-PlatformPei-set-32-bit-UC-area-at-PciBase-Pc.patch [bz#1666941] +- Resolves: bz#1666941 + (UEFI guest cannot boot into os when setting some special memory size) + +* Tue Apr 09 2019 Danilo Cesar Lemes de Paula - 20190308git89910a39dcfd-2.el8 +- edk2-redhat-provide-firmware-descriptor-meta-files.patch [bz#1600230] +- Resolves: bz#1600230 + ([RHEL 8.1] RFE: provide firmware descriptor meta-files for the edk2-ovmf and edk2-aarch64 firmware images) + +* Mon Apr 08 2019 Danilo Cesar Lemes de Paula - 20190308git89910a39dcfd-1.el8 +- Rebase to edk2-20190308git89910a39dcfd + +* Mon Jan 21 2019 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-9.el8 +- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184] +- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184] +- edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1662184] +- edk2-git-Use-HTTPS-support.patch [] +- Resolves: bz#1662184 + (backport fix for (theoretical?) regression introduced by earlier CVE fixes) + +* Wed Nov 21 2018 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-8.el8 +- edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch [bz#1643377] +- Resolves: bz#1643377 + (Exception when grubx64.efi used for UEFI netboot) + +* Tue Nov 06 2018 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-5.el8 +- edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1641436] +- edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1641449 bz#1641453 bz#1641464 bz#1641469] +- edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1641453 bz#1641464 bz#1641469] +- edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1641445 bz#1641453 bz#1641464 bz#1641469] +- Resolves: bz#1641436 + (CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8]) +- Resolves: bz#1641445 + (CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8]) +- Resolves: bz#1641449 + (CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8]) +- Resolves: bz#1641453 + (CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]) +- Resolves: bz#1641464 + (CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]) +- Resolves: bz#1641469 + (CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]) + +* Tue Sep 04 2018 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-5.el8 +- edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch [bz#1607906] +- edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch [bz#1607906] +- edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch [bz#1607906] +- edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch [bz#1607906] +- edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch [bz#1607906] +- edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch [bz#1607906] +- edk2-redhat-inject-the-RPM-compile-and-link-options-to-th.patch [bz#1607906] +- Resolves: bz#1607906 + (edk2-tools: Does not use RPM build flags) + +* Wed Aug 08 2018 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-4.el8 +- edk2-redhat-provide-virtual-bundled-OpenSSL-in-edk2-ovmf-.patch [bz#1607801] +- Resolves: bz#1607801 + (add 'Provides: bundled(openssl) = 1.1.0h' to the spec file) + +* Tue Jul 24 2018 Danilo Cesar Lemes de Paula - 20180508gitee3198e672e2-3.el8 +- edk2-redhat-Provide-and-Obsolete-OVMF-and-AAVMF.patch [bz#1596148] +- edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch [bz#1536627] +- edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch [bz#1536627] +- edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch [bz#1536627] +- edk2-redhat-add-D-NETWORK_IP6_ENABLE-to-the-build-flags.patch [bz#1536627] +- edk2-redhat-update-license-fields-and-files-in-the-spec-f.patch [bz#1536627] +- Resolves: bz#1536627 + (IPv6 enablement in OVMF) +- Resolves: bz#1596148 + (restore Provides/Obsoletes macros for OVMF and AAVMF, from RHEL-8 Alpha) + +* Tue Jul 10 2018 Danilo C. L. de Paula - 20180508gitee3198e672e2-2.el8 +- Rebase edk2 on top of 20180508gitee3198e672e2 + +* Fri Jun 08 2018 Miroslav Rezanina - 20180508-2.gitee3198e672e2 +- OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally [bz#1577546] +- build OVMF varstore template with SB enabled / certs enrolled [bz#1561128] +- connect Virtio RNG devices again [bz#1579518] +- Resolves: bz#1577546 + (no input consoles connected under certain circumstances) +- Resolves: bz#1561128 + (OVMF Secure boot enablement (enrollment of default keys)) +- Resolves: bz#1579518 + (EFI_RNG_PROTOCOL no longer produced for virtio-rng) +* Wed Dec 06 2017 Miroslav Rezanina - 20171011-4.git92d07e48907f.el7 +- ovmf-MdeModulePkg-Core-Dxe-log-informative-memprotect-msg.patch [bz#1520485] +- ovmf-MdeModulePkg-BdsDxe-fall-back-to-a-Boot-Manager-Menu.patch [bz#1515418] +- Resolves: bz#1515418 + (RFE: Provide diagnostics for failed boot) +- Resolves: bz#1520485 + (AAVMF: two new messages with silent build) + +* Fri Dec 01 2017 Miroslav Rezanina - 20171011-3.git92d07e48907f.el7 +- ovmf-UefiCpuPkg-CpuDxe-Fix-multiple-entries-of-RT_CODE-in.patch [bz#1518308] +- ovmf-MdeModulePkg-DxeCore-Filter-out-all-paging-capabilit.patch [bz#1518308] +- ovmf-MdeModulePkg-Core-Merge-memory-map-after-filtering-p.patch [bz#1518308] +- Resolves: bz#1518308 + (UEFI memory map regression (runtime code entry splitting) introduced by c1cab54ce57c) + +* Mon Nov 27 2017 Miroslav Rezanina - 20171011-2.git92d07e48907f.el7 +- ovmf-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch [bz#1513632] +- ovmf-MdeModulePkg-Bds-Check-variable-name-even-if-OptionN.patch [bz#1513632] +- ovmf-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-.patch [bz#1514105] +- ovmf-OvmfPkg-make-it-a-proper-BASE-library.patch [bz#1488247] +- ovmf-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch [bz#1488247] +- ovmf-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch [bz#1488247] +- ovmf-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch [bz#1488247] +- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch [bz#1488247] +- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch [bz#1488247] +- ovmf-Revert-redhat-introduce-separate-silent-and-verbose-.patch [bz#1488247] +- Resolves: bz#1488247 + (make debug logging no-op unless a debug console is active) +- Resolves: bz#1513632 + ([RHEL-ALT 7.5] AAVMF fails to boot after setting BootNext) +- Resolves: bz#1514105 + (backport edk2 commit 6e3287442774 so that PciBusDxe not over-claim resources) + +* Wed Oct 18 2017 Miroslav Rezanina - 20171011-1.git92d07e48907f.el7 +- Rebase to 92d07e48907f [bz#1469787] +- Resolves: bz#1469787 + ((ovmf-rebase-rhel-7.5) Rebase OVMF for RHEL-7.5) +- Resolves: bz#1434740 + (OvmfPkg/PciHotPlugInitDxe: don't reserve IO space when IO support is disabled) +- Resolves: bz#1434747 + ([Q35] code12 error when hotplug x710 device in win2016) +- Resolves: bz#1447027 + (Guest cannot boot with 240 or above vcpus when using ovmf) +- Resolves: bz#1458192 + ([Q35] recognize "usb-storage" devices in XHCI ports) +- Resolves: bz#1468526 + (>1TB RAM support) +- Resolves: bz#1488247 + (provide "OVMF_CODE.secboot.verbose.fd" for log capturing; silence "OVMF_CODE.secboot.fd") +- Resolves: bz#1496170 + (Inconsistent MOR control variables exposed by OVMF, breaks Windows Device Guard) + +* Fri May 12 2017 Miroslav Rezanina - 20170228-5.gitc325e41585e3.el7 +- ovmf-OvmfPkg-EnrollDefaultKeys-update-SignatureOwner-GUID.patch [bz#1443351] +- ovmf-OvmfPkg-EnrollDefaultKeys-expose-CertType-parameter-.patch [bz#1443351] +- ovmf-OvmfPkg-EnrollDefaultKeys-blacklist-empty-file-in-db.patch [bz#1443351] +- ovmf-OvmfPkg-introduce-the-FD_SIZE_IN_KB-macro-build-flag.patch [bz#1443351] +- ovmf-OvmfPkg-OvmfPkg.fdf.inc-extract-VARS_LIVE_SIZE-and-V.patch [bz#1443351] +- ovmf-OvmfPkg-introduce-4MB-flash-image-mainly-for-Windows.patch [bz#1443351] +- ovmf-OvmfPkg-raise-max-variable-size-auth-non-auth-to-33K.patch [bz#1443351] +- ovmf-OvmfPkg-PlatformPei-handle-non-power-of-two-spare-si.patch [bz#1443351] +- ovmf-redhat-update-local-build-instructions-with-D-FD_SIZ.patch [bz#1443351] +- ovmf-redhat-update-OVMF-build-commands-with-D-FD_SIZE_4MB.patch [bz#1443351] +- Resolves: bz#1443351 + ([svvp][ovmf] job "Secure Boot Logo Test" failed with q35&ovmf) + +* Fri Apr 28 2017 Miroslav Rezanina - 20170228-4.gitc325e41585e3.el7 +- ovmf-ShellPkg-Shell-clean-up-bogus-member-types-in-SPLIT_.patch [bz#1442908] +- ovmf-ShellPkg-Shell-eliminate-double-free-in-RunSplitComm.patch [bz#1442908] +- Resolves: bz#1442908 + (Guest hang when running a wrong command in Uefishell) + +* Tue Apr 04 2017 Miroslav Rezanina - 20170228-3.gitc325e41585e3.el7 +- ovmf-ArmVirtPkg-FdtClientDxe-supplement-missing-EFIAPI-ca.patch [bz#1430262] +- ovmf-ArmVirtPkg-ArmVirtPL031FdtClientLib-unconditionally-.patch [bz#1430262] +- ovmf-MdeModulePkg-RamDiskDxe-fix-C-string-literal-catenat.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-ACPI-GUID.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-PlatformHasAcpiLib.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-Device-Tree.patch [bz#1430262] +- ovmf-ArmVirtPkg-add-PlatformHasAcpiDtDxe.patch [bz#1430262] +- ovmf-ArmVirtPkg-enable-AcpiTableDxe-and-EFI_ACPI_TABLE_PR.patch [bz#1430262] +- ovmf-ArmVirtPkg-FdtClientDxe-install-DT-as-sysconfig-tabl.patch [bz#1430262] +- ovmf-ArmVirtPkg-PlatformHasAcpiDtDxe-don-t-expose-DT-if-Q.patch [bz#1430262] +- ovmf-ArmVirtPkg-remove-PURE_ACPI_BOOT_ENABLE-and-PcdPureA.patch [bz#1430262] +- Resolves: bz#1430262 + (AAVMF: forward QEMU's DT to the guest OS only if ACPI payload is unavailable) + +* Mon Mar 27 2017 Miroslav Rezanina - 20170228-2.gitc325e41585e3.el7 +- ovmf-MdeModulePkg-Core-Dxe-downgrade-CodeSegmentCount-is-.patch [bz#1433428] +- Resolves: bz#1433428 + (AAVMF: Fix error message during ARM guest VM installation) + +* Wed Mar 08 2017 Laszlo Ersek - ovmf-20170228-1.gitc325e41585e3.el7 +- Rebase to upstream c325e41585e3 [bz#1416919] +- Resolves: bz#1373812 + (guest boot from network even set 'boot order=1' for virtio disk with OVMF) +- Resolves: bz#1380282 + (Update OVMF to openssl-1.0.2k-hobbled) +- Resolves: bz#1412313 + (select broadcast SMI if available) +- Resolves: bz#1416919 + (Rebase OVMF for RHEL-7.4) +- Resolves: bz#1426330 + (disable libssl in CryptoPkg) + +* Mon Sep 12 2016 Laszlo Ersek - ovmf-20160608b-1.git988715a.el7 +- rework downstream-only commit dde83a75b566 "setup the tree for the secure + boot feature (RHEL only)", excluding patent-encumbered files from the + upstream OpenSSL 1.0.2g tarball [bz#1374710] +- rework downstream-only commit dfc3ca1ee509 "CryptoPkg/OpensslLib: Upgrade + OpenSSL version to 1.0.2h", excluding patent-encumbered files from the + upstream OpenSSL 1.0.2h tarball [bz#1374710] + +* Thu Aug 04 2016 Miroslav Rezanina - OVMF-20160608-3.git988715a.el7 +- ovmf-MdePkg-PCI-Add-missing-PCI-PCIE-definitions.patch [bz#1332408] +- ovmf-ArmPlatformPkg-NorFlashDxe-accept-both-non-secure-an.patch [bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemu-switch-secure-boot-build-to-N.patch [bz#1353494] +- ovmf-ArmPlatformPkg-NorFlashAuthenticatedDxe-remove-this-.patch [bz#1353494] +- ovmf-ArmVirtPkg-add-FDF-definition-for-empty-varstore.patch [bz#1353494] +- ovmf-redhat-package-the-varstore-template-produced-by-the.patch [bz#1353494] +- ovmf-ArmVirtPkg-Re-add-the-Driver-Health-Manager.patch [bz#1353494] +- ovmf-ArmVirtPkg-HighMemDxe-allow-patchable-PCD-for-PcdSys.patch [bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemuKernel-make-ACPI-support-AARCH.patch [bz#1353494] +- ovmf-ArmVirtPkg-align-ArmVirtQemuKernel-with-ArmVirtQemu.patch [bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemu-factor-out-shared-FV.FvMain-d.patch [bz#1353494] +- ovmf-ArmVirtPkg-factor-out-Rules-FDF-section.patch [bz#1353494] +- ovmf-ArmVirtPkg-add-name-GUIDs-to-FvMain-instances.patch [bz#1353494] +- ovmf-OvmfPkg-add-a-Name-GUID-to-each-Firmware-Volume.patch [bz#1353494] +- ovmf-OvmfPkg-PlatformBootManagerLib-remove-stale-FvFile-b.patch [bz#1353494] +- ovmf-MdePkg-IndustryStandard-introduce-EFI_PCI_CAPABILITY.patch [bz#1332408] +- ovmf-MdeModulePkg-PciBusDxe-look-for-the-right-capability.patch [bz#1332408] +- ovmf-MdeModulePkg-PciBusDxe-recognize-hotplug-capable-PCI.patch [bz#1332408] +- ovmf-OvmfPkg-add-PciHotPlugInitDxe.patch [bz#1332408] +- ovmf-ArmPkg-ArmGicLib-manage-GICv3-SPI-state-at-the-distr.patch [bz#1356655] +- ovmf-ArmVirtPkg-PlatformBootManagerLib-remove-stale-FvFil.patch [bz#1353494] +- ovmf-OvmfPkg-EnrollDefaultKeys-assign-Status-before-readi.patch [bz#1356913] +- ovmf-OvmfPkg-EnrollDefaultKeys-silence-VS2015x86-warning-.patch [bz#1356913] +- ovmf-CryptoPkg-update-openssl-to-ignore-RVCT-3079.patch [bz#1356184] +- ovmf-CryptoPkg-Fix-typos-in-comments.patch [bz#1356184] +- ovmf-CryptoPkg-BaseCryptLib-Avoid-passing-NULL-ptr-to-fun.patch [bz#1356184] +- ovmf-CryptoPkg-BaseCryptLib-Init-the-content-of-struct-Ce.patch [bz#1356184] +- ovmf-CryptoPkg-OpensslLib-Upgrade-OpenSSL-version-to-1.0..patch [bz#1356184] +- Resolves: bz#1332408 + (Q35 machine can not hot-plug scsi controller under switch) +- Resolves: bz#1353494 + ([OVMF] "EFI Internal Shell" should be removed from "Boot Manager") +- Resolves: bz#1356184 + (refresh embedded OpenSSL to 1.0.2h) +- Resolves: bz#1356655 + (AAVMF: stop accessing unmapped gicv3 registers) +- Resolves: bz#1356913 + (fix use-without-initialization in EnrollDefaultKeys.efi) + +* Tue Jul 12 2016 Miroslav Rezanina - OVMF-20160608-2.git988715a.el7 +- ovmf-ArmPkg-ArmGicV3Dxe-configure-all-interrupts-as-non-s.patch [bz#1349407] +- ovmf-ArmVirtPkg-PlatformBootManagerLib-Postpone-the-shell.patch [bz#1353689] +- Resolves: bz#1349407 + (AArch64: backport fix to run over gicv3 emulation) +- Resolves: bz#1353689 + (AAVMF: Drops to shell with uninitialized NVRAM file) + +* Thu Jun 9 2016 Laszlo Ersek - ovmf-20160608-1.git988715a.el7 +- Resolves: bz#1341733 + (prevent SMM stack overflow in OVMF while enrolling certificates in "db") +- Resolves: bz#1257882 + (FEAT: support to boot from virtio 1.0 modern devices) +- Resolves: bz#1333238 + (Q35 machine can not boot up successfully with more than 3 virtio-scsi + storage controller under switch) +- Resolves: bz#1330955 + (VM can not be booted up from hard disk successfully when with a passthrough + USB stick) + +* Thu May 19 2016 Laszlo Ersek - ovmf-20160419-2.git90bb4c5.el7 +- Submit scratch builds from the exploded tree again to + supp-rhel-7.3-candidate, despite FatPkg being OSS at this point; see + bz#1329559. + +* Wed Apr 20 2016 Laszlo Ersek - ovmf-20160419-1.git90bb4c5.el7 +- FatPkg is under the 2-clause BSDL now; "ovmf" has become OSS +- upgrade to openssl-1.0.2g +- Resolves: bz#1323363 + (remove "-D SECURE_BOOT_ENABLE" from AAVMF) +- Resolves: bz#1257882 + (FEAT: support to boot from virtio 1.0 modern devices) +- Resolves: bz#1308678 + (clearly separate SB-less, SMM-less OVMF binary from SB+SMM OVMF binary) + +* Fri Feb 19 2016 Miroslav Rezanina - OVMF-20160202-2.gitd7c0dfa.el7 +- ovmf-restore-TianoCore-splash-logo-without-OpenSSL-advert.patch [bz#1308678] +- ovmf-OvmfPkg-ArmVirtPkg-show-OpenSSL-less-logo-without-Se.patch [bz#1308678] +- ovmf-OvmfPkg-simplify-VARIABLE_STORE_HEADER-generation.patch [bz#1308678] +- ovmf-redhat-bring-back-OVMF_CODE.fd-but-without-SB-and-wi.patch [bz#1308678] +- ovmf-redhat-rename-OVMF_CODE.smm.fd-to-OVMF_CODE.secboot..patch [bz#1308678] + +* Tue Feb 2 2016 Laszlo Ersek - ovmf-20160202-1.gitd7c0dfa.el7 +- rebase to upstream d7c0dfa +- update OpenSSL to 1.0.2e (upstream) +- update FatPkg to SVN r97 (upstream) +- drive NVMe devices (upstream) +- resize xterm on serial console mode change, when requested with + -fw_cfg name=opt/(ovmf|aavmf)/PcdResizeXterm,string=y + (downstream) +- Resolves: bz#1259395 + (revert / roll back AAVMF fix for BZ 1188054) +- Resolves: bz#1202819 + (OVMF: secure boot limitations) +- Resolves: bz#1182495 + (OVMF rejects iPXE oprom when Secure Boot is enabled) + +* Thu Nov 5 2015 Laszlo Ersek - ovmf-20151104-1.gitb9ffeab.el7 +- rebase to upstream b9ffeab +- Resolves: bz#1207554 + ([AAVMF] AArch64: populate SMBIOS) +- Resolves: bz#1270279 + (AAVMF: output improvements) + +* Thu Jun 25 2015 Miroslav Rezanina - OVMF-20150414-2.gitc9e5618.el7 +- ovmf-OvmfPkg-PlatformPei-set-SMBIOS-entry-point-version-d.patch [bz#1232876] +- Resolves: bz#1232876 + (OVMF should install a version 2.8 SMBIOS entry point) + +* Sat Apr 18 2015 Laszlo Ersek - 20150414-1.gitc9e5618.el7 +- rebase from upstream 9ece15a to c9e5618 +- adapt .gitignore files +- update to openssl-0.9.8zf +- create Logo-OpenSSL.bmp rather than modifying Logo.bmp in-place +- update to FatPkg SVN r93 (git 8ff136aa) +- drop the following downstream-only patches (obviated by upstream + counterparts): + "tools_def.template: use forward slash with --add-gnu-debuglink (RHEL only)" + "tools_def.template: take GCC48 prefixes from environment (RHEL only)" + "OvmfPkg: set video resolution of text setup to 640x480 (RHEL only)" + "OvmfPkg: resolve OrderedCollectionLib with base red-black tree instance" + "OvmfPkg: AcpiPlatformDxe: actualize QemuLoader.h comments" + "OvmfPkg: AcpiPlatformDxe: remove current ACPI table loader" + "OvmfPkg: AcpiPlatformDxe: implement QEMU's full ACPI table loader interface" + "OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size" + "OvmfPkg: disable stale fork of SecureBootConfigDxe" + "OvmfPkg: SecureBootConfigDxe: remove stale fork" + "Try to read key strike even when ..." + "OvmfPkg: BDS: remove dead call to PlatformBdsEnterFrontPage()" + "OvmfPkg: BDS: drop useless return statement" + "OvmfPkg: BDS: don't overwrite the BDS Front Page timeout" + "OvmfPkg: BDS: optimize second argument in PlatformBdsEnterFrontPage() call" + 'OvmfPkg: BDS: drop superfluous "connect first boot option" logic' + "OvmfPkg: BDS: drop custom boot timeout, revert to IntelFrameworkModulePkg's" + "Add comments to clarify mPubKeyStore buffer MemCopy. ..." + "MdeModulePkg/SecurityPkg Variable: Add boundary check..." + "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit" + "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE" + "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands" +- merge downstream AAVMF patch "adapt packaging to Arm64", which forces us to + rename the main package from "OVMF" to "ovmf" +- drop the following ARM BDS specific tweaks (we'll only build the Intel BDS): + "ArmPlatformPkg/Bds: generate ESP Image boot option if user pref is unset + (Acadia)" + "ArmPlatformPkg/Bds: check for other defaults too if user pref is unset + (Acadia)" + "ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot path (Acadia)" + "ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before connecting + terminals" + "ArmPlatformPkg/Bds: let FindCandidate() search all filesystems" + "ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full device path" + "ArmPlatformPkg/Bds: fall back to Boot Menu when no default option was found" + "ArmPlatformPkg/Bds: always connect drivers before looking at boot options" +- drop patch "ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE (Acadia + only)", obsoleted by fixed bug 1197141 +- tweak patch "write up build instructions (for interactive, local development) + (RHELSA)". The defaults in "BaseTools/Conf/target.template", ie. + ACTIVE_PLATFORM and TARGET_ARCH, are set for OVMF / X64. The AAVMF build + instructions now spell out the necessary override options (-p and -a, + respectively). +- extend patch "build FAT driver from source (RHELSA)" to the Xen build as well + (only for consistency; we don't build for Xen). +- drop the following downstream-only AAVMF patches, due to the 77d5dac -> + c9e5618 AAVMF rebase & join: + "redhat/process-rh-specific.sh: fix check for hunk-less filtered patches" + "redhat/process-rh-specific.sh: suppress missing files in final 'rm'" + "ArmVirtualizationQemu: build UEFI shell from source (Acadia only)" + "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE" + "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands" + "ArmVirtualizationPkg: work around cache incoherence on KVM affecting DTB" + "Changed build target to supp-rhel-7.1-candidate" + "ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from DTB to PCDs" + "ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE drivers" + "ArmVirtualizationPkg: clone PlatformIntelBdsLib from ArmPlatformPkg" + "ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy" + "OvmfPkg: extract QemuBootOrderLib" + "OvmfPkg: QemuBootOrderLib: featurize PCI-like device path translation" + "OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID" + "ArmVirtualizationPkg: VirtFdtDxe: use dedicated VIRTIO_MMIO_TRANSPORT_GUID" + "OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to UINT64" + "OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for virtio-mmio" + "ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's boot order" + "ArmVirtualizationPkg: identify "new shell" as builtin shell for Intel BDS" + "ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel from fw_cfg" + 'Revert "ArmVirtualizationPkg: work around cache incoherence on KVM affecting + DTB"' + "OvmfPkg: QemuBootOrderLib: expose QEMU's "-boot menu=on[, splash-time=N]"" + "OvmfPkg: PlatformBdsLib: get front page timeout from QEMU" + "ArmVirtualizationPkg: PlatformIntelBdsLib: get front page timeout from QEMU" + "ArmPkg: ArmArchTimerLib: clean up comments" + "ArmPkg: ArmArchTimerLib: use edk2-conformant (UINT64 * UINT32) / UINT32" + "ArmPkg: ArmArchTimerLib: conditionally rebase to actual timer frequency" + "ArmVirtualizationQemu: ask the hardware for the timer frequency" + "ArmPkg: DebugPeCoffExtraActionLib: debugger commands are not errors" + "ArmPlatformPkg: PEIM startup is not an error" + "ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel is no error" + "ArmVirtualizationPkg: expose debug message bitmask on build command line" +- tweak patch "rebase to upstream 77d5dac (Acadia only)": update spec changelog + only +- tweak patch "spec: build AAVMF with the Intel BDS driver (RHELSA only)": + apply "-D INTEL_BDS" to manual build instructions in redhat/README too +- tweak patch "spec: build and install verbose and silent (default) AAVMF + binaries": apply DEBUG_PRINT_ERROR_LEVEL setting to interactive build + instructions in redhat/README too +- install OVMF whitepaper as part of the OVMF build's documentation +- Resolves: bz#1211337 + (merge AAVMF into OVMF) +- Resolves: bz#1206523 + ([AAVMF] fix missing cache maintenance) + +* Fri Mar 06 2015 Miroslav Rezanina - AAVMF-20141113-5.git77d5dac.el7_1 +- aavmf-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1197141] +- aavmf-ArmPlatformPkg-PEIM-startup-is-not-an-error.patch [bz#1197141] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-lack-of-QEM.patch [bz#1197141] +- aavmf-ArmVirtualizationPkg-expose-debug-message-bitmask-on.patch [bz#1197141] +- aavmf-spec-build-and-install-verbose-and-silent-default-AA.patch [bz#1197141] +- Resolves: bz#1197141 + (create silent & verbose builds) + +* Tue Feb 10 2015 Miroslav Rezanina - AAVMF-20141113-4.git77d5dac.el7 +- aavmf-ArmPkg-ArmArchTimerLib-clean-up-comments.patch [bz#1188247] +- aavmf-ArmPkg-ArmArchTimerLib-use-edk2-conformant-UINT64-UI.patch [bz#1188247] +- aavmf-ArmPkg-ArmArchTimerLib-conditionally-rebase-to-actua.patch [bz#1188247] +- aavmf-ArmVirtualizationQemu-ask-the-hardware-for-the-timer.patch [bz#1188247] +- aavmf-ArmPkg-TimerDxe-smack-down-spurious-timer-interrupt-.patch [bz#1188054] +- Resolves: bz#1188054 + (guest reboot (asked from within AAVMF) regressed in 3.19.0-0.rc5.58.aa7a host kernel) +- Resolves: bz#1188247 + (backport "fix gBS->Stall()" series) + +* Mon Jan 19 2015 Miroslav Rezanina - AAVMF-20141113-3.git77d5dac.el7 +- aavmf-OvmfPkg-QemuBootOrderLib-expose-QEMU-s-boot-menu-on-.patch [bz#1172756] +- aavmf-OvmfPkg-PlatformBdsLib-get-front-page-timeout-from-Q.patch [bz#1172756] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-get-front-p.patch [bz#1172756] +- Resolves: bz#1172756 + ([RFE]Expose boot-menu shortcut to domain via AAVMF) + +* Wed Jan 14 2015 Miroslav Rezanina - AAVMF-20141113-2.git77d5dac.el7 +- aavmf-ArmVirtualizationPkg-VirtFdtDxe-forward-FwCfg-addres.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-introduce-QemuFwCfgLib-instance.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-clone-PlatformIntelBdsLib-from-.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-add-basic-p.patch [bz#1172749] +- aavmf-OvmfPkg-extract-QemuBootOrderLib.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-featurize-PCI-like-device-p.patch [bz#1172749] +- aavmf-OvmfPkg-introduce-VIRTIO_MMIO_TRANSPORT_GUID.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-VirtFdtDxe-use-dedicated-VIRTIO.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-widen-ParseUnitAddressHexLi.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-OFW-to-UEFI-translation-for.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-adhere-to-Q.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-identify-new-shell-as-builtin-s.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-Intel-BDS-load-EFI-stubbed-Linu.patch [bz#1172749] +- aavmf-spec-build-AAVMF-with-the-Intel-BDS-driver-RHELSA-on.patch [bz#1172749] +- aavmf-Revert-ArmVirtualizationPkg-work-around-cache-incohe.patch [bz#1172910] +- Resolves: bz#1172749 + (implement fw_cfg, boot order handling, and -kernel booting in ArmVirtualizationQemu) +- Resolves: bz#1172910 + (revert Acadia-only workaround (commit df7bca4e) once Acadia host kernel (KVM) is fixed) + +* Fri Dec 05 2014 Miroslav Rezanina - OVMF-20140822-7.git9ece15a.el7 +- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-READ.patch [bz#1166971] +- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-othe.patch [bz#1166971] +- Resolves: bz#1166971 + (virtio-scsi disks and cd-roms with nonzero LUN are rejected with errors) + +* Tue Nov 25 2014 Miroslav Rezanina - OVMF-20140822-6.git9ece15a.el7 +- ovmf-OvmfPkg-AcpiPlatformDxe-make-dependency-on-PCI-enume.patch [bz#1166027] +- Resolves: bz#1166027 + (backport "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit") + +* Tue Nov 18 2014 Miroslav Rezanina - OVMF-20140822-4.git9ece15a.el7 +- ovmf-Add-comments-to-clarify-mPubKeyStore-buffer-MemCopy.patch [bz#1162314] +- ovmf-MdeModulePkg-SecurityPkg-Variable-Add-boundary-check.patch [bz#1162314] +- Resolves: bz#1162314 + (EMBARGOED OVMF: uefi: INTEL-TA-201410-001 && INTEL-TA-201410-002 [rhel-7.1]) + +* Thu Nov 13 2014 Laszlo Ersek - AAVMF-20141113-1.git77d5dac +- rebased to upstream 77d5dac + +- patch "ArmVirtualizationPkg: FdtPL011SerialPortLib: support UEFI_APPLICATION" + is now upstream (SVN r16219, git edb5073) + +* Thu Nov 13 2014 Miroslav Rezanina - OVMF-20140822-3.git9ece15a.el7 +- ovmf-Revert-OvmfPkg-set-video-resolution-of-text-setup-to.patch [bz#1153927] +- ovmf-Try-to-read-key-strike-even-when-the-TimeOuts-value-.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-remove-dead-call-to-PlatformBdsEnterFron.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-useless-return-statement.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-don-t-overwrite-the-BDS-Front-Page-timeo.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-optimize-second-argument-in-PlatformBdsE.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-superfluous-connect-first-boot-opti.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-custom-boot-timeout-revert-to-Intel.patch [bz#1153927] +- ovmf-OvmfPkg-set-video-resolution-of-text-setup-to-640x48.patch [bz#1153927] +- Resolves: bz#1153927 + (set NEXTBOOT to uefi setting failed from Windows Recovery console) + +* Tue Nov 11 2014 Miroslav Rezanina - OVMF-20140822-2.git9ece15a +- ovmf-redhat-process-rh-specific.sh-suppress-missing-files.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-QemuVideoDxe-fix-querying-of-.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-implement-QEM.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-remove-curren.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-actualize-Qem.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-resolve-OrderedCollectionLib-.patch [bz#1145784] +- ovmf-OvmfPkg-QemuVideoDxe-work-around-misreported-QXL-fra.patch [bz#1145784] +- ovmf-OvmfPkg-resolve-OrderedCollectionLib-with-base-red-b.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-actualize-QemuLoader.h-comme.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-remove-current-ACPI-table-lo.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-implement-QEMU-s-full-ACPI-t.patch [bz#1145784] +- ovmf-spec-build-small-bootable-ISO-with-standalone-UEFI-s.patch [bz#1147592] +- ovmf-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch [bz#1147592] +- ovmf-spec-exclude-the-UEFI-shell-from-the-SecureBoot-enab.patch [bz#1147592] +- ovmf-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch [bz#1148296] +- ovmf-spec-package-EnrollDefaultKeys.efi-on-UefiShell.iso-.patch [bz#1148296] +- ovmf-OvmfPkg-disable-stale-fork-of-SecureBootConfigDxe.patch [bz#1148294] +- ovmf-OvmfPkg-SecureBootConfigDxe-remove-stale-fork.patch [bz#1148294] +- Resolves: bz#1145784 + (OVMF sync with QXL and ACPI patches up to edk2 7a9612ce) +- Resolves: bz#1147592 + (the binary RPM should include a small ISO file with a directly bootable UEFI shell binary) +- Resolves: bz#1148294 + (drop OvmfPkg's stale fork of SecureBootConfigDxe) +- Resolves: bz#1148296 + (provide a non-interactive way to auto-enroll important SecureBoot certificates) + +* Wed Oct 15 2014 Laszlo Ersek - AAVMF-20141015-1.gitc373687 +- ported packaging to aarch64 / AAVMF + +* Fri Aug 22 2014 Laszlo Ersek - 20140822-1.git9ece15a.el7 +- rebase from upstream 3facc08 to 9ece15a +- update to openssl-0.9.8zb +- update to FatPkg SVN r86 (git 2355ea2c) +- the following patches of Paolo Bonzini have been merged in upstream; drop the + downstream-only copies: + 7bc1421 edksetup.sh: Look for BuildEnv under EDK_TOOLS_PATH + d549344 edksetup.sh: Ensure that WORKSPACE points to the top of an edk2 + checkout + 1c023eb BuildEnv: remove useless check before setting $WORKSPACE +- include the following patches that have been pending review on the upstream + list for a long time: + [PATCH 0/4] OvmfPkg: complete client for QEMU's ACPI loader interface + http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8369 + [PATCH] OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size + http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8515 +- nasm is a build-time dependency now because upstream BuildTools has started + to call it directly + +* Wed Jul 23 2014 Laszlo Ersek - 20140723-1.git3facc08.el7 +- rebase from upstream a618eaa to 3facc08 +- update to openssl-0.9.8za +- drop downstream-only split varstore patch, rely on upstream's + +* Tue Jun 24 2014 Miroslav Rezanina - 20140619-1.gita618eaa.el7 +- Initial version