diff --git a/dist b/dist
deleted file mode 100644
index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..0000000000000000000000000000000000000000
--- a/dist
+++ /dev/null
@@ -1 +0,0 @@
-an8
diff --git a/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch b/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e2d7ed388288d85d0b5b368072500f94493288ad
--- /dev/null
+++ b/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
@@ -0,0 +1,109 @@
+From bb0f29580825e60a5dc5c67e260dd20258eb71b0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 29 Mar 2023 11:52:52 -0400
+Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
+ GetEfiGlobalVariable2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+RH-MergeRequest: 22: SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+RH-Bugzilla: 1861743
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/1] 70e1ae5e2c7c148fc23160acdd360c044df5f4ff
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1861743
+Upstream: Merged
+CVE: CVE-2019-14560
+
+commit 494127613b36e870250649b02cd4ce5f1969d9bd
+Author: Gerd Hoffmann
+Date: Fri Mar 3 18:35:53 2023 +0800
+
+ SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+
+ Call gRT->GetVariable() directly to read the SecureBoot variable. It is
+ one byte in size so we can easily place it on the stack instead of
+ having GetEfiGlobalVariable2() allocate it for us, which avoids a few
+ possible error cases.
+
+ Skip secure boot checks if (and only if):
+
+ (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
+ the return value, or
+ (b) the SecureBoot variable was read successfully and is set to
+ SECURE_BOOT_MODE_DISABLE.
+
+ Previously the code skipped the secure boot checks on *any*
+ gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
+ value to NULL in that case) and also on memory allocation failures.
+
+ Fixes: CVE-2019-14560
+ Signed-off-by: Gerd Hoffmann
+ Suggested-by: Marvin Häuser
+ Reviewed-by: Min Xu
+ Reviewed-by: Jiewen Yao
+
+Signed-off-by: Jon Maloy
+---
+ .../DxeImageVerificationLib.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index c48861cd64..1252927664 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1650,7 +1650,8 @@ DxeImageVerificationHandler (
+ EFI_IMAGE_EXECUTION_ACTION Action;
+ WIN_CERTIFICATE *WinCertificate;
+ UINT32 Policy;
+- UINT8 *SecureBoot;
++ UINT8 SecureBoot;
++ UINTN SecureBootSize;
+ PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+ UINT32 NumberOfRvaAndSizes;
+ WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
+@@ -1665,6 +1666,8 @@ DxeImageVerificationHandler (
+ RETURN_STATUS PeCoffStatus;
+ EFI_STATUS HashStatus;
+ EFI_STATUS DbStatus;
++ EFI_STATUS VarStatus;
++ UINT32 VarAttr;
+ BOOLEAN IsFound;
+
+ SignatureList = NULL;
+@@ -1720,22 +1723,25 @@ DxeImageVerificationHandler (
+ CpuDeadLoop ();
+ }
+
+- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
++ SecureBootSize = sizeof (SecureBoot);
++ VarStatus = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
+ //
+ // Skip verification if SecureBoot variable doesn't exist.
+ //
+- if (SecureBoot == NULL) {
++ if (VarStatus == EFI_NOT_FOUND) {
+ return EFI_SUCCESS;
+ }
+
+ //
+ // Skip verification if SecureBoot is disabled but not AuditMode
+ //
+- if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+- FreePool (SecureBoot);
++ if ((VarStatus == EFI_SUCCESS) &&
++ (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
++ EFI_VARIABLE_RUNTIME_ACCESS)) &&
++ (SecureBoot == SECURE_BOOT_MODE_DISABLE))
++ {
+ return EFI_SUCCESS;
+ }
+- FreePool (SecureBoot);
+
+ //
+ // Read the Dos header.
+-- 
+2.39.1
+
diff --git a/edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch b/edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
new file mode 100644
index 0000000000000000000000000000000000000000..273906152dc8a0406848932391bfa6d14ae47291
--- /dev/null
+++ b/edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
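Review bot: The new skip condition in the inner hunk at `@@ -1720,22 +1723,25 @@` only bypasses verification when GetVariable returned EFI_SUCCESS, VarAttr is exactly `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS` (no NON_VOLATILE bit), and the byte equals SECURE_BOOT_MODE_DISABLE, so every other status (EFI_BUFFER_TOO_SMALL, EFI_DEVICE_ERROR, ...) or attribute set now falls through to full verification, but the surviving comment still only says "Skip verification if SecureBoot is disabled but not AuditMode" and explains neither the attribute test nor the fail-closed default. Without that rationale a later maintainer could "simplify" the condition back towards the fail-open behaviour this backport of upstream 494127613b removes. I would extend the comment above the `if` with: `// Fail closed: only treat Secure Boot as disabled when the variable was read successfully, carries exactly the BS|RT attribute set (a non-volatile or oddly-attributed copy is not trusted) and holds SECURE_BOOT_MODE_DISABLE; any other GetVariable status keeps verification on.` DxeImageVerificationHandler starts and ends outside the hunk, so the later AuditMode handling the comment refers to cannot be checked here.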
@@ -0,0 +1,49 @@
+From c32f4994552ea5835cf00ce06f2f7d88c71249e5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 28 Feb 2023 15:47:00 +0100
+Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
+
+RH-Author: Miroslav Rezanina
+RH-MergeRequest: 29: UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
+RH-Bugzilla: 2150267
+RH-Acked-by: Oliver Steffen
+RH-Acked-by: Jon Maloy
+RH-Commit: [1/1] e7e332ac0e6edf207b1b9692f2e1aed4a1fe7c0c
+
+In case the number of CPUs can in increase beyond 255
+due to CPU hotplug choose x2apic mode.
+
+Signed-off-by: Gerd Hoffmann
+---
+ UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
+index b9a06747ed..177d15ab5b 100644
+--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
++++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
+@@ -495,7 +495,9 @@ CollectProcessorCount (
+ //
+ // Enable x2APIC mode if
+ // 1. Number of CPU is greater than 255; or
+- // 2. There are any logical processors reporting an Initial APIC ID of 255 or greater.
++ // 2. The platform exposed the exact *boot* CPU count to us in advance, and
++ // more than 255 logical processors are possible later, with hotplug; or
++ // 3. There are any logical processors reporting an Initial APIC ID of 255 or greater.
+ //
+ X2Apic = FALSE;
+ if (CpuMpData->CpuCount > 255) {
+@@ -503,6 +505,10 @@ CollectProcessorCount (
+ // If there are more than 255 processor found, force to enable X2APIC
+ //
+ X2Apic = TRUE;
++ } else if ((PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) &&
++ (PcdGet32 (PcdCpuMaxLogicalProcessorNumber) > 255))
++ {
++ X2Apic = TRUE;
+ } else {
+ CpuInfoInHob = (CPU_INFO_IN_HOB *) (UINTN) CpuMpData->CpuInfoInHob;
+ for (Index = 0; Index < CpuMpData->CpuCount; Index++) {
+-- 
+2.37.3
+
diff --git a/edk2.spec b/edk2.spec
index 400ab2c1edb6a7c2e861fd43a6745d073b31d4b9..b6aa5905776536908b90625639dad028a81486e9 100644
--- a/edk2.spec +++ b/edk2.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 ExclusiveArch: x86_64 aarch64 %define GITDATE 20220126 @@ -7,7 +8,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 5%{?dist} +Release: 6%{anolis_release}%{?dist} Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT 
@@ -56,26 +57,31 @@ Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch # For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8] # For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8] Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch +# For bz#1861743 - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8] +Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch +# For bz#2150267 - ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8] +Patch30: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch + # Support hygon csv3 feature -Patch29: 0029-anolis-UefiCpuPkg-Add-StandardSignatureIsHygonGenuin.patch -Patch30: 0030-anolis-UefiCpuPkg-LocalApicLib-Exclude-second-SendIp.patch -Patch31: 0031-anolis-OvmfPkg-Add-CSV-secure-call-library-on-Hygon-.patch -Patch32: 0032-anolis-OvmfPkg-Tcg-Add-CsvLib-for-TpmMmioSevDecryptP.patch -Patch33: 0033-anolis-OvmfPkg-ResetVector-Support-CSV-in-ResetVecto.patch -Patch34: 0034-anolis-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memor.patch -Patch35: 0035-anolis-OvmfPkg-BaseMemcryptSevLib-update-page-status.patch -Patch36: 0036-anolis-OvmfPkg-Add-CsvDxe-driver.patch -Patch37: 0037-anolis-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch -Patch38: 0038-anolis-OvmfPkg-Reserve-a-CPUID-table-page-for-CSV-gu.patch +Patch1000: 0029-anolis-UefiCpuPkg-Add-StandardSignatureIsHygonGenuin.patch +Patch1001: 0030-anolis-UefiCpuPkg-LocalApicLib-Exclude-second-SendIp.patch +Patch1002: 0031-anolis-OvmfPkg-Add-CSV-secure-call-library-on-Hygon-.patch +Patch1003: 0032-anolis-OvmfPkg-Tcg-Add-CsvLib-for-TpmMmioSevDecryptP.patch +Patch1004: 0033-anolis-OvmfPkg-ResetVector-Support-CSV-in-ResetVecto.patch +Patch1005: 0034-anolis-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memor.patch +Patch1006: 
0035-anolis-OvmfPkg-BaseMemcryptSevLib-update-page-status.patch +Patch1007: 0036-anolis-OvmfPkg-Add-CsvDxe-driver.patch +Patch1008: 0037-anolis-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch +Patch1009: 0038-anolis-OvmfPkg-Reserve-a-CPUID-table-page-for-CSV-gu.patch # Support SEV live migration -Patch39: 0039-OvmfPkg-BaseMemEncryptLib-Detect-SEV-live-migration-.patch -Patch40: 0040-OvmfPkg-BaseMemEncryptLib-Hypercall-API-for-page-enc.patch -Patch41: 0041-OvmfPkg-BaseMemEncryptLib-Invoke-page-encryption-sta.patch -Patch42: 0042-OvmfPkg-VmgExitLib-Encryption-state-change-hypercall.patch -Patch43: 0043-OvmfPkg-PlatformPei-Mark-SEC-GHCB-page-as-unencrypte.patch -Patch44: 0044-OvmfPkg-AmdSevDxe-Add-support-for-SEV-live-migration.patch -Patch45: 0045-anolis-OvmfPkg-BaseMemcryptSevLib-Correct-the-calcul.patch -Patch46: 0046-anolis-OvmfPkg-BaseMemEncryptLib-Return-SUCCESS-if-n.patch +Patch1010: 0039-OvmfPkg-BaseMemEncryptLib-Detect-SEV-live-migration-.patch +Patch1011: 0040-OvmfPkg-BaseMemEncryptLib-Hypercall-API-for-page-enc.patch +Patch1012: 0041-OvmfPkg-BaseMemEncryptLib-Invoke-page-encryption-sta.patch +Patch1013: 0042-OvmfPkg-VmgExitLib-Encryption-state-change-hypercall.patch +Patch1014: 0043-OvmfPkg-PlatformPei-Mark-SEC-GHCB-page-as-unencrypte.patch +Patch1015: 0044-OvmfPkg-AmdSevDxe-Add-support-for-SEV-live-migration.patch +Patch1016: 0045-anolis-OvmfPkg-BaseMemcryptSevLib-Correct-the-calcul.patch +Patch1017: 0046-anolis-OvmfPkg-BaseMemEncryptLib-Return-SUCCESS-if-n.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and 
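Review bot: The Anolis series is renumbered from Patch29–Patch46 to Patch1000–Patch1017 so that the two RHEL backports can take Patch29 and Patch30, but whether %prep applies patches through `%autosetup`/`%autopatch` or through explicit `%patchN` lines is outside this diff; if explicit `%patch29` … `%patch46` lines exist they would now apply the two backports twice and skip the CSV/SEV series entirely, so that section should be checked in the same change. Inserting the new patches ahead of the series also changes application order (Patch30 touches UefiCpuPkg/Library/MpInitLib/MpLib.c and the 0029/0030 Anolis patches are UefiCpuPkg changes too), which a successful build of this revision presumably confirmed but the spec does not record. Nothing in the file explains the jump to the 1000+ range; `# Anolis-only patches use Patch1000+ so upstream/RHEL backports can keep the low numbers` placed above `Patch1000:` would make the convention visible to the next person adding a patch.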
@@ -519,10 +525,20 @@ true %endif %changelog -* Mon Dec 11 2023 Jiang Xin - 20220126gitbb1bba3d77-5 +* Thu Dec 14 2023 Jiang Xin - 20220126gitbb1bba3d77-6.0.1 - Support hygon CSV3 feature - Support SEV live migration +* Fri Aug 04 2023 Jon Maloy - 20220126gitbb1bba3d77-6 +- edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch [bz#2150267] +- Resolves: bz#2150267 + (ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8]) + +* Thu Apr 06 2023 Miroslav Rezanina - 20220126gitbb1bba3d77-5 +- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743] +- Resolves: bz#1861743 + (CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8]) + * Wed Feb 15 2023 Jon Maloy - 20220126gitbb1bba3d77-4 - edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581] - edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]