diff --git a/0003-Remove-paths-leading-to-submodules.patch b/0003-Remove-paths-leading-to-submodules.patch new file mode 100644 index 0000000000000000000000000000000000000000..06d4d26a2324f971232fc273632c92e9d1cf52d2 --- /dev/null +++ b/0003-Remove-paths-leading-to-submodules.patch 
@@ -0,0 +1,65 @@ +From 00c911e68115577cc1b47c892e5a5d9eebe376bc Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 24 Mar 2022 03:23:02 -0400 +Subject: [PATCH] Remove paths leading to submodules + +We removed submodules used upstream. However, edk2 build system requires +such include paths to resolve successfully, regardless of the firmware +platform being built. + +Signed-off-by: Miroslav Rezanina +--- + BaseTools/Source/C/GNUmakefile | 1 - + MdeModulePkg/MdeModulePkg.dec | 3 --- + MdePkg/MdePkg.dec | 5 ----- + 3 files changed, 9 deletions(-) + +diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile +index 0ea314ef96..92d3dedf47 100644 +--- a/BaseTools/Source/C/GNUmakefile ++++ b/BaseTools/Source/C/GNUmakefile +@@ -24,7 +24,6 @@ all: makerootdir subdirs + LIBRARIES = Common + VFRAUTOGEN = VfrCompile/VfrLexer.h + APPLICATIONS = \ +- BrotliCompress \ + VfrCompile \ + EfiRom \ + GenFfs \ +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index 24cc64f6b4..71825947d0 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -26,9 +26,6 @@ + Include + Test/Mock/Include + +-[Includes.Common.Private] +- Library/BrotliCustomDecompressLib/brotli/c/include +- + [LibraryClasses] + ## @libraryclass Defines a set of methods to reset whole system. + ResetSystemLib|Include/Library/ResetSystemLib.h +diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec +index ed22a67568..0a2bfb5ec9 100644 +--- a/MdePkg/MdePkg.dec ++++ b/MdePkg/MdePkg.dec +@@ -30,7 +30,6 @@ + Include + Test/UnitTest/Include + Test/Mock/Include +- Library/MipiSysTLib/mipisyst/library/include + + [Includes.IA32] + Include/Ia32 +@@ -296,10 +295,6 @@ + # + FdtLib|Include/Library/FdtLib.h + +- ## @libraryclass Provides general mipi sys-T services. +- # +- MipiSysTLib|Include/Library/MipiSysTLib.h +- + ## @libraryclass Provides API to output Trace Hub debug message. + # + TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h 
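Review bot: In the MdePkg/MdePkg.dec hunk at -296, the MipiSysTLib library class declaration is dropped while the TraceHubDebugSysTLib declaration directly below it is kept, so any retained TraceHubDebugSysTLib instance that still includes Library/MipiSysTLib.h or links MipiSysTLib will fail at build time rather than at patch-apply time. Please confirm nothing that is still built resolves that class, or remove the consumer in the same patch. The commit message would also be easier to audit if it named the removed submodules (the deleted paths point at brotli and mipisyst) and said outright that the paths are deleted because they can no longer resolve.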
diff --git a/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch new file mode 100644 index 0000000000000000000000000000000000000000..c43d18a05a4bbd247a98aab716594afc1df4972b --- /dev/null +++ b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch 
@@ -0,0 +1,171 @@ +From a746987ffec6322426fe28c93305d83c8645e0ec Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:46 +0100 +Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuVideoDxe/QemuRamfbDxe (RH) + +edk2-stable202402 rebase: + +- context changes due to CSM support removal. + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in + QemuVideoDxe when we have CSM", 2019-06-26), the contexts of + "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files. + Resolve the conflict manually. + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14) + introduced another GOP driver that consumes FrameBufferBltLib, and + thereby produces a large number of (mostly useless) debug messages at + the DEBUG_VERBOSE level. Extend the patch to suppress those messages in + both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly. + QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also + the original commit message at the bottom of this downstream patch). 
+ +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses +MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to +FrameBufferBltLib. + +The FrameBufferBltLib instance added in commit b1ca386074bd +("MdeModulePkg: Add FrameBufferBltLib library instance") logs many +messages on the VERBOSE level; for example, a normal boot with OVMF can +produce 500+ "VideoFill" messages, dependent on the progress bar, when the +VERBOSE bit is set in PcdDebugPrintErrorLevel. + +QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages this way. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52) +(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3) +(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0) +(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1) +(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850) +(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4) +(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgX64.dsc | 10 ++++++++-- + 4 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index c7342f4f34..b4fb1554e7 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -683,8 +683,14 @@ + 
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 0f2cc35529..9e3f9673cf 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -808,8 +808,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 3f3e3f0526..c9a19b8e58 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -847,8 +847,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index e8d1c48ca1..cb1ad574c2 100644 +--- 
a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -979,8 +979,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + diff --git a/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch new file mode 100644 index 0000000000000000000000000000000000000000..830fc067a083aa7e91337e07f272ebd8f0048a7e --- /dev/null +++ b/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch 
@@ -0,0 +1,94 @@ +From 1cd95a1d3d7de8efb2b1673fcc3d3cb1ff84967a Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 27 Jan 2016 03:05:18 +0100 +Subject: [PATCH] ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuRamfbDxe (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- The previous version of this patch (downstream commit 76b4ac28e975) + caused a regression (RHBZ#1714446), which was fixed up in downstream + commit 5a216abaa737 ("ArmVirtPkg: silence DEBUG_VERBOSE masking + ~0x00400000 in QemuRamfbDxe (RH only)", 2019-08-05). + + Squash the fixup into the original patch. Fuse the commit messages. + (Acked-by tags are not preserved, lest we confuse ourselves while + reviewing this rebase.) + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- new patch, due to upstream commit c64688f36a8b ("ArmVirtPkg: add + QemuRamfbDxe", 2018-06-14) + +QemuRamfbDxe uses FrameBufferLib. The FrameBufferBltLib instance added in +commit b1ca386074bd ("MdeModulePkg: Add FrameBufferBltLib library +instance") logs many messages on the VERBOSE level; for example, a normal +boot with ArmVirtQemu[Kernel] can produce 500+ "VideoFill" messages, +dependent on the progress bar, when the VERBOSE bit is set in +PcdDebugPrintErrorLevel. + +Clear the VERBOSE bit without touching other bits -- those other bits +differ between the "silent" and "verbose" builds, so we can't set them as +constants. + +QemuRamfbDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages, with the VERBOSE bit clear. 
+ +Signed-off-by: Laszlo Ersek +(cherry picked from commit 76b4ac28e975bd63c25db903a1d42c47b38cc756) +Reported-by: Andrew Jones +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daude +(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc) +Signed-off-by: Laszlo Ersek +(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84) +(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2) +--- + ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++- + ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 738f1b1403..d14888508d 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -559,7 +559,10 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index eee9590a7e..eb9f4b9fca 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -467,7 +467,10 @@ + # + # Video support + # +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/PlatformDxe/Platform.inf + diff --git a/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch new file mode 100644 index 0000000000000000000000000000000000000000..020ff669b167e225629901e327dbd01c1e5fab4a --- /dev/null +++ b/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch 
@@ -0,0 +1,92 @@ +From ad73ab2cd9fe347c2d857364b0cc6a76202b610f Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude +Date: Thu, 1 Aug 2019 20:43:48 +0200 +Subject: [PATCH] OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 + silent builds (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- We have to carry this downstream-only patch -- committed originally as + aaaedc1e2cfd -- indefinitely. + +- To avoid confusion, remove the tags from the commit message that had + been added by the downstream maintainer scripts, such as: Message-id, + Patchwork-id, O-Subject, Acked-by. These remain available on the + original downstream commit. The Bugzilla line is preserved, as it + doesn't relate to a specific posting, but to the problem. + +Bugzilla: 1714446 + +To suppress an error message on the silent build when ramfb is +not configured, change QemuRamfbDxe to return EFI_SUCCESS even +when it fails. +Some memory is wasted (driver stays resident without +any good use), but it is mostly harmless, as the memory +is released by the OS after ExitBootServices(). 
+ +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daude +(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7) +Signed-off-by: Laszlo Ersek +(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca) +(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e) +--- + OvmfPkg/QemuRamfbDxe/QemuRamfb.c | 14 ++++++++++++++ + OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf | 1 + + 2 files changed, 15 insertions(+) + +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +index 5a1044f0dc..83c6d26c74 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -259,6 +260,19 @@ InitializeQemuRamfb ( + + Status = QemuFwCfgFindFile ("etc/ramfb", &mRamfbFwCfgItem, &FwCfgSize); + if (EFI_ERROR (Status)) { ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1714446 ++ // If no ramfb device was configured, this platform DXE driver should ++ // returns EFI_NOT_FOUND, so the DXE Core can unload it. However, even ++ // using a silent build, an error message is issued to the guest console. ++ // Since this confuse users, return success and stay resident. The wasted ++ // guest RAM still gets freed later after ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ return EFI_SUCCESS; ++ } ++#endif + return EFI_NOT_FOUND; + } + +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +index e3890b8c20..f79a4bc987 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +@@ -29,6 +29,7 @@ + BaseLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + DevicePathLib + FrameBufferBltLib + MemoryAllocationLib 
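Review bot: The four OvmfPkg DSC hunks of 0008 (AmdSevX64.dsc, OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc, OvmfPkgX64.dsc) pin PcdDebugPrintErrorLevel to the constant 0x8000004F for QemuVideoDxe and QemuRamfbDxe, which replaces the platform-wide level for these modules instead of only clearing DEBUG_VERBOSE. The ArmVirtPkg patch 0009 does the same job with "($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF", and its commit message explains that the other bits differ between silent and verbose builds and so cannot be constants. Consider masking the platform value here as well, or state in the commit message why a fixed value is correct for every OvmfPkg build, since with the constant a build that lowers the platform level still gets these two modules at 0x8000004F.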
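Review bot: In the InitializeQemuRamfb hunk of OvmfPkg/QemuRamfbDxe/QemuRamfb.c, the silent-build test is an exact comparison, "GetDebugPrintErrorLevel () == DEBUG_ERROR", so the workaround fires only when no other bit is set in this module's level. That ties it to the per-module override added for QemuRamfbDxe in 0009: a later change to that mask or to the silent build's level quietly turns the EFI_NOT_FOUND path, and the console message, back on. Please document the dependency in the comment, or key the workaround on an explicit build-time switch for the silent build rather than inferring it from the debug mask. Minor: the new comment has "should returns" and "this confuse users".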
diff --git a/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch new file mode 100644 index 0000000000000000000000000000000000000000..480a2300bdadf840f65e872e284df0e61d06d88f --- /dev/null +++ b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch 
@@ -0,0 +1,128 @@ +From f6997042745a9d1594d5f8d1bbabd4c256b437af Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:47 +0100 +Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe + (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE +level. 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f) +(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4) +(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8) +(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6) +(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958) +(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6) +(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- + OvmfPkg/OvmfPkgX64.dsc | 5 ++++- + 4 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index b4fb1554e7..97f595b38a 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -678,7 +678,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 9e3f9673cf..ae18ef3ad1 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -803,7 +803,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ 
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index c9a19b8e58..4d9f28743e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -842,7 +842,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index cb1ad574c2..dbb973cd13 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -974,7 +974,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch new file mode 100644 index 0000000000000000000000000000000000000000..49c905c05f1870123b7b5bb886006fe1d968dd82 --- /dev/null 
+++ b/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch 
@@ -0,0 +1,80 @@ +From aeebf10a86cc381a49083992eda48b8333df668f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:31:36 +0200 +Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" + in silent aa64 build (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From, + RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe +should return EFI_NOT_FOUND, so that the DXE Core can unload it. However, +the associated error message, logged by the DXE Core to the serial +console, is not desired in the silent edk2-aarch64 build, given that the +absence of "-kernel" is nothing out of the ordinary. Therefore, return +success and stay resident. The wasted guest RAM still gets freed after +ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d) +--- + .../QemuKernelLoaderFsDxe.c | 17 +++++++++++++++++ + .../QemuKernelLoaderFsDxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 646a9a5f15..98e2f1f74a 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1224,6 +1225,22 @@ QemuKernelLoaderFsDxeEntrypoint ( + if ((Blob == NULL) && (mKernelNamedBlobCount == 0)) { + DEBUG ((DEBUG_INFO, "%a: no kernel and no named blobs present -> quit\n", __func__)); + Status = EFI_NOT_FOUND; ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If the "-kernel" QEMU option is not being used, this platform DXE driver ++ // should return EFI_NOT_FOUND, so that the DXE Core can unload it. ++ // However, the associated error message, logged by the DXE Core to the ++ // serial console, is not desired in the silent edk2-aarch64 build, given ++ // that the absence of "-kernel" is nothing out of the ordinary. Therefore, ++ // return success and stay resident. The wasted guest RAM still gets freed ++ // after ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ Status = EFI_SUCCESS; ++ } ++#endif + goto FreeBlobs; + } + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +index a2f44bbca1..e46e5e47d1 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +@@ -28,6 +28,7 @@ + BaseLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + DevicePathLib + MemoryAllocationLib + PrintLib 
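Review bot: In the QemuKernelLoaderFsDxeEntrypoint hunk, Status is overwritten with EFI_SUCCESS immediately before "goto FreeBlobs", so correctness depends on the FreeBlobs path returning Status untouched and on nothing having been installed by that point, and neither is visible in this hunk. Please confirm both and say so in the comment, because a driver that reports success after freeing everything it owns is easy to break in a later rebase. The DEBUG_INFO text just above still ends in "-> quit", which no longer describes the AArch64 silent path where the driver stays resident.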
diff --git a/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch new file mode 100644 index 0000000000000000000000000000000000000000..2ed0d986f6ff3310349ed1082b1083d67a90e2d3 --- /dev/null +++ b/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch 
@@ -0,0 +1,79 @@ +From 7997189087f6b062893f89c21dbe20eaa0159519 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 24 Jun 2020 11:40:09 +0200 +Subject: [PATCH] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent + aa64 build (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From, + RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED, +so that the DXE Core can unload it. However, the associated error message, +logged by the DXE Core to the serial console, is not desired in the silent +edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out +of the ordinary. Therefore, return success and stay resident. The wasted +guest RAM still gets freed after ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df) +--- + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 17 +++++++++++++++++ + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +index 85a852842d..179c1499d3 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +@@ -29,6 +29,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + + #include ++#include + #include + #include + #include +@@ -2753,6 +2754,22 @@ DriverEntry ( + CompareGuid (PcdGetPtr (PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) + { + DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n")); ++#if defined (MDE_CPU_AARCH64) ++ // ++ // RHBZ#1844682 ++ // ++ // If swtpm / vTPM2 is not being used, this driver should return ++ // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the ++ // associated error message, logged by the DXE Core to the serial console, ++ // is not desired in the silent edk2-aarch64 build, given that the absence ++ // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return ++ // success and stay resident. The wasted guest RAM still gets freed after ++ // ExitBootServices(). ++ // ++ if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++ return EFI_SUCCESS; ++ } ++#endif + return EFI_UNSUPPORTED; + } + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +index a645474bf3..dbb7a52f33 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +@@ -55,6 +55,7 @@ + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib ++ DebugPrintErrorLevelLib + Tpm2CommandLib + PrintLib + UefiLib 
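Review bot: In the DriverEntry hunk of SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c, returning EFI_SUCCESS when no TPM2 instance is required makes "TPM absent" and "TPM driver started" indistinguishable from the entry point's status, and the only remaining trace is a DEBUG_INFO message that a build limited to DEBUG_ERROR does not print. For a measured-boot driver the comment should state whether anything is installed on this path, so that nobody later treats a successful load as evidence of a TPM. This is also the third copy of the same "#if defined (MDE_CPU_AARCH64)" block with "GetDebugPrintErrorLevel () == DEBUG_ERROR" (after QemuRamfb.c and QemuKernelLoaderFsDxe.c); a shared helper or macro would keep the three in step.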
diff --git a/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef32f659ed7b8b75d44e9c8fa0d65d9818d45298 --- /dev/null +++ b/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch 
@@ -0,0 +1,55 @@ +From 0a76a4f4a131e7e5432d8477647b3da327d7304d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 1 Jul 2021 20:29:25 +0200 +Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +RH-Author: Philippe Mathieu-Daudé +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Miroslav Rezanina +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ---- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index e8f4f42b33..9df0a29c17 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -6,10 +6,6 @@ + + !if $(TOOL_CHAIN_TAG) != "XCODE5" + !if $(NETWORK_ENABLE) == TRUE +- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } + ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index eef89be88e..a0e0d10e76 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -10,7 +10,6 @@ + + !if $(TOOL_CHAIN_TAG) != "XCODE5" + !if $(NETWORK_ENABLE) == TRUE +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf 
+ !endif + INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf diff --git a/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch b/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch new file mode 100644 index 0000000000000000000000000000000000000000..1b4026a22339c3ae3932886c68643a56eac37a5c --- /dev/null +++ b/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch 
@@ -0,0 +1,123 @@ +From 7347ee13bc5e1eea267231a5d1e2fc4e7957e0fc Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Wed, 16 Aug 2023 12:09:40 +0200 +Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) +RH-Bugzilla: 2218196 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2) + +Add a callback at the end of the Dxe phase that sets the +"FB_NO_REBOOT" variable under the Shim GUID. +This is a workaround for a boot loop in case a confidential +guest that uses shim is booted with a vtpm device present. + +BZ 2218196 + +Signed-off-by: Oliver Steffen + +patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +present_in_specfile: true +location_in_specfile: 44 +--- + OvmfPkg/AmdSevDxe/AmdSevDxe.c | 43 +++++++++++++++++++++++++++++++++ + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 2 ++ + 2 files changed, 45 insertions(+) + +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +index d497a343d3..ca345e95da 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -28,6 +29,10 @@ + // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h + #define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL + ++static EFI_GUID ShimLockGuid = { ++ 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } ++}; ++ + STATIC + EFI_STATUS + AllocateConfidentialComputingBlob ( +@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = { + AmdSevMemoryAccept + }; + ++VOID ++EFIAPI ++PopulateVarstore ( ++ EFI_EVENT Event, ++ VOID *Context ++ ) ++{ ++ EFI_SYSTEM_TABLE *SystemTable = (EFI_SYSTEM_TABLE *)Context; ++ EFI_STATUS Status; ++ ++ DEBUG ((DEBUG_INFO, "Populating Varstore\n")); ++ UINT32 data = 1; ++ 
++ Status = SystemTable->RuntimeServices->SetVariable ( ++ L"FB_NO_REBOOT", ++ &ShimLockGuid, ++ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof (data), ++ &data ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = SystemTable->BootServices->CloseEvent (Event); ++ ASSERT_EFI_ERROR (Status); ++} ++ + EFI_STATUS + EFIAPI + AmdSevDxeEntryPoint ( +@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint ( + UINTN NumEntries; + UINTN Index; + CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable; ++ EFI_EVENT PopulateVarstoreEvent; + + // + // Do nothing when SEV is not enabled +@@ -211,6 +243,17 @@ AmdSevDxeEntryPoint ( + return EFI_UNSUPPORTED; + } + ++ // Shim fallback reboot workaround ++ Status = gBS->CreateEventEx ( ++ EVT_NOTIFY_SIGNAL, ++ TPL_CALLBACK, ++ PopulateVarstore, ++ SystemTable, ++ &gEfiEndOfDxeEventGroupGuid, ++ &PopulateVarstoreEvent ++ ); ++ ASSERT_EFI_ERROR (Status); ++ + // + // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent + // memory space. The NonExistent memory space will be used for mapping the +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +index e7c7d526c9..09cbd2b0ca 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +@@ -54,6 +54,8 @@ + [Guids] + gConfidentialComputingSevSnpBlobGuid + gEfiEventBeforeExitBootServicesGuid ++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event ++ + + [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/0026-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch b/0026-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7bf367057917ffdb5921cb866f23a4b16974ac7 --- /dev/null +++ b/0026-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch 
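Review bot: In PopulateVarstore (OvmfPkg/AmdSevDxe/AmdSevDxe.c, 0023 patch) the result of SetVariable for FB_NO_REBOOT is checked only with ASSERT_EFI_ERROR, so a failed write halts a debug build at End-of-DXE and goes unnoticed in a build where asserts are compiled out, which brings back the boot loop this workaround targets without a single log line. Log the status with DEBUG ((DEBUG_ERROR, ...)) and carry on instead. Smaller points in the same hunk: `UINT32 data = 1;` is declared after the DEBUG statement and `ShimLockGuid` uses lower-case `static`, while the surrounding context lines use `STATIC` and declarations at the top of the block; CloseEvent could be called through gBS, which the entry point already uses, rather than through the SystemTable passed as Context.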
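Review bot: The CreateEventEx call added to AmdSevDxeEntryPoint (0023 patch) registers the callback for every guest that passes the SEV check, while the commit message describes the boot loop only for confidential guests that use shim with a vTPM present, so FB_NO_REBOOT ends up set on guests that have neither. Either gate the registration on the condition that triggers the loop, or extend the comment above it (currently just `// Shim fallback reboot workaround`) to say why setting the variable unconditionally is harmless and cite the BZ number. The empty `+` line added after gEfiEndOfDxeEventGroupGuid in AmdSevDxe.inf can be dropped.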
@@ -0,0 +1,45 @@ +From 39bf29d3ac9fdeccef41cc77ba32af092f02121b Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Wed, 14 Aug 2024 09:53:49 +0200 +Subject: [PATCH] NetworkPkg/DxeNetLib: Reword PseudoRandom error logging + +RH-Author: Oliver Steffen +RH-MergeRequest: 66: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging +RH-Jira: RHEL-45829 +RH-Acked-by: Miroslav Rezanina +RH-Commit: [2/2] d1f24c14ccea7346d395c263ed577039f91debfd (osteffen/edk2) + +The word "Failed" is used when logging tired Rng algorithms. +These mostly non-critical messages confused some users. + +Reword it and also add a message confirming eventual success to +deescalate the importance somewhat. + +Signed-off-by: Oliver Steffen + +patch_name: edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch +present_in_specfile: true +location_in_specfile: 41 +--- + NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +index 3495b42db8..f8e59595da 100644 +--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c ++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +@@ -952,12 +952,13 @@ PseudoRandom ( + // + // Secure Algorithm was supported on this platform + // ++ DEBUG ((DEBUG_VERBOSE, "Generated random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); + return EFI_SUCCESS; + } else if (Status == EFI_UNSUPPORTED) { + // + // Secure Algorithm was not supported on this platform + // +- DEBUG ((DEBUG_VERBOSE, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); ++ DEBUG ((DEBUG_VERBOSE, "Unable to generate random data using secure algorithm %d not available: %r\n", AlgorithmIndex, Status)); + + // + // Try the next secure algorithm 
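Review bot: The reworded message in the EFI_UNSUPPORTED branch of PseudoRandom, "Unable to generate random data using secure algorithm %d not available: %r", runs two phrasings together and no longer parses as a sentence. Something like "Secure algorithm %d not available: %r" carries the same information with less alarm. The new success message prints Status with %r on the path that returns EFI_SUCCESS, where it presumably always reads Success; dropping that argument keeps the line short.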
diff --git a/0027-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch b/0027-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch new file mode 100644 index 0000000000000000000000000000000000000000..d88d04a9d69c7a506de2563b4f25a69705870743 --- /dev/null +++ b/0027-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch 
@@ -0,0 +1,350 @@ +From 31dbf8ef1a2d46f22b387c3a8334be2c9b09bfcb Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 4 Nov 2024 12:40:12 +0100 +Subject: [PATCH] OvmfPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 82: Add a Fallback RNG (RH only) +RH-Jira: RHEL-66234 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/2] bb62ac9e3f1cd5eae1bb94e047fb6ebada57cd24 (osteffen/edk2) + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +Signed-off-by: Oliver Steffen + +patch_name: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch +present_in_specfile: true +location_in_specfile: 48 +--- + .../PlatformBootManagerLib/BdsPlatform.c | 6 + + .../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++ + .../PlatformBootManagerLib/FallbackRng.h | 20 ++ + .../PlatformBootManagerLib.inf | 5 + + 4 files changed, 253 insertions(+) + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h + +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +index b696f1b338..2982b4f288 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c ++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include "FallbackRng.h" + + // + // Global data +@@ -350,6 +351,9 @@ PlatformBootManagerBeforeConsole ( + ConnectVirtioPciRng, + NULL + ); ++ ++ FallbackRngCheckAndInstall (); ++ + } + + EFI_STATUS +@@ -1619,6 +1623,8 @@ PlatformBootManagerAfterConsole ( + + DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n")); + ++ FallbackRngPrintWarning (); ++ + if (PcdGetBool (PcdOvmfFlashVariablesEnable)) { + DEBUG (( + DEBUG_INFO, +diff --git 
a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +new file mode 100644 +index 0000000000..bba60e29d5 +--- /dev/null ++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +@@ -0,0 +1,222 @@ ++/** @file ++ Copyright (C) 2024, Red Hat, Inc. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "FallbackRng.h" ++ ++typedef struct { ++ EFI_RNG_PROTOCOL Rng; ++ EFI_HANDLE Handle; ++} FALLBACK_RNG_DEV; ++ ++/** ++ Returns information about the random number generation implementation. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of ++ RNGAlgorithmList. ++ On output with a return code of ++ EFI_SUCCESS, the size in bytes of the ++ data returned in RNGAlgorithmList. On ++ output with a return code of ++ EFI_BUFFER_TOO_SMALL, the size of ++ RNGAlgorithmList required to obtain the ++ list. ++ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled ++ by the driver with one EFI_RNG_ALGORITHM ++ element for each supported RNG algorithm. ++ The list must not change across multiple ++ calls to the same driver. The first ++ algorithm in the list is the default ++ algorithm for the driver. ++ ++ @retval EFI_SUCCESS The RNG algorithm list was returned ++ successfully. ++ @retval EFI_UNSUPPORTED The services is not supported by this ++ driver. ++ @retval EFI_DEVICE_ERROR The list of algorithms could not be ++ retrieved due to a hardware or firmware ++ error. ++ @retval EFI_INVALID_PARAMETER One or more of the parameters are ++ incorrect. ++ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small ++ to hold the result. 
++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++FallbackRngGetInfo ( ++ IN EFI_RNG_PROTOCOL *This, ++ IN OUT UINTN *RNGAlgorithmListSize, ++ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList ++ ) ++{ ++ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) { ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ ++ if (RNGAlgorithmList == NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw); ++ ++ return EFI_SUCCESS; ++} ++ ++/** ++ Produces and returns an RNG value using either the default or specified RNG ++ algorithm. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that ++ identifies the RNG algorithm to use. May ++ be NULL in which case the function will ++ use its default RNG algorithm. ++ @param[in] RNGValueLength The length in bytes of the memory buffer ++ pointed to by RNGValue. The driver shall ++ return exactly this numbers of bytes. ++ @param[out] RNGValue A caller-allocated memory buffer filled ++ by the driver with the resulting RNG ++ value. ++ ++ @retval EFI_SUCCESS The RNG value was returned successfully. ++ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm ++ is not supported by this driver. ++ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due ++ to a hardware or firmware error. ++ @retval EFI_NOT_READY There is not enough random data available ++ to satisfy the length requested by ++ RNGValueLength. ++ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is ++ zero. 
++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++FallbackRngGetRNG ( ++ IN EFI_RNG_PROTOCOL *This, ++ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL, ++ IN UINTN RNGValueLength, ++ OUT UINT8 *RNGValue ++ ) ++{ ++ UINT64 RandomData; ++ EFI_STATUS Status; ++ UINTN i; ++ ++ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // We only support the raw algorithm, so reject requests for anything else ++ // ++ if ((RNGAlgorithm != NULL) && ++ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) ++ { ++ return EFI_UNSUPPORTED; ++ } ++ ++ for (i = 0; i < RNGValueLength; ++i) { ++ if (i % 4 == 0) { ++ Status = GetRandomNumber64 (&RandomData); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ } ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++static FALLBACK_RNG_DEV Dev = { ++ .Rng.GetInfo = FallbackRngGetInfo, ++ .Rng.GetRNG = FallbackRngGetRNG, ++ .Handle = NULL, ++}; ++ ++EFI_STATUS ++FallbackRngCheckAndInstall ( ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_HANDLE *HandleBuffer = NULL; ++ UINTN HandleCount = 0; ++ ++ if (Dev.Handle != NULL) { ++ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n")); ++ return EFI_ALREADY_STARTED; ++ } ++ ++ Status = gBS->LocateHandleBuffer ( ++ ByProtocol, ++ &gEfiRngProtocolGuid, ++ NULL, ++ &HandleCount, ++ &HandleBuffer ++ ); ++ ++ gBS->FreePool (HandleBuffer); ++ ++ if (Status == EFI_NOT_FOUND) { ++ HandleCount = 0; ++ } else if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status)); ++ return Status; ++ } ++ ++ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount)); ++ ++ if (HandleCount == 0) { ++ // Install RNG ++ Status = gBS->InstallProtocolInterface ( ++ &Dev.Handle, ++ &gEfiRngProtocolGuid, ++ EFI_NATIVE_INTERFACE, ++ &Dev.Rng ++ ); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status)); ++ return Status; ++ } ++ ++ gDS->Dispatch (); ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++VOID 
++FallbackRngPrintWarning ( ++ ) ++{ ++ if (Dev.Handle != NULL) { ++ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"); ++ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n")); ++ gBS->Stall (2000000); ++ } ++} +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h +new file mode 100644 +index 0000000000..77332bc51c +--- /dev/null ++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h +@@ -0,0 +1,20 @@ ++/** @file ++ Copyright (C) 2024, Red Hat, Inc. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#ifndef _FALLBACK_RNG_H_ ++#define _FALLBACK_RNG_H_ ++ ++#include ++#include ++ ++EFI_STATUS ++FallbackRngCheckAndInstall ( ++ ); ++ ++VOID ++FallbackRngPrintWarning ( ++ ); ++ ++#endif +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +index 8257862662..50a9ee94ad 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf ++++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +@@ -25,6 +25,8 @@ + PlatformData.c + QemuKernel.c + BdsPlatform.h ++ FallbackRng.c ++ FallbackRng.h + + [Packages] + MdePkg/MdePkg.dec +@@ -58,6 +60,7 @@ + XenPlatformLib + QemuFwCfgSimpleParserLib + PlatformBootManagerCommonLib ++ RngLib + + [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent +@@ -82,6 +85,7 @@ + gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED ++ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + + [Guids] + gEfiEndOfDxeEventGroupGuid +@@ -90,3 +94,4 @@ + gUefiShellFileGuid + gGrubFileGuid + gUiAppFileGuid ++ gEfiRngAlgorithmRaw 
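Review bot: In FallbackRngGetRNG (FallbackRng.c) the loop calls GetRandomNumber64 (&RandomData) every fourth byte but never stores anything into RNGValue, so the function returns EFI_SUCCESS with the caller's buffer untouched and consumers such as the network stack use whatever the buffer held before the call. Add the store inside the loop, for example `RNGValue[i] = (UINT8)RandomData; RandomData >>= 8;`, and refill every 8 bytes rather than every 4, since RandomData is a UINT64. The return value of GetRandomNumber64 is assigned to an EFI_STATUS and tested with EFI_ERROR, but RngLib declares that function as returning BOOLEAN, so a FALSE result reads as EFI_SUCCESS and a failure is never detected; test it as a BOOLEAN and return EFI_DEVICE_ERROR or EFI_NOT_READY on FALSE. In FallbackRngCheckAndInstall, gBS->FreePool (HandleBuffer) runs before Status is examined, so on EFI_NOT_FOUND it is called with the initial NULL; move it onto the success path. Also worth reconsidering: GetInfo advertises gEfiRngAlgorithmRaw for output that the warning text itself calls a pseudo random number generator.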
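Review bot: The EFI_STATUS returned by FallbackRngCheckAndInstall is ignored at its call site in PlatformBootManagerBeforeConsole (BdsPlatform.c), and FallbackRngPrintWarning prints only when Dev.Handle is non-NULL, so when InstallProtocolInterface fails the user sees no warning at all and the only trace is a DEBUG_ERROR line. Check the return value at the call site and report an install failure on the console as well. The empty `+` line before the closing brace of PlatformBootManagerBeforeConsole is not needed.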
diff --git a/0028-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch b/0028-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch new file mode 100644 index 0000000000000000000000000000000000000000..91e809e1a8066f32cc6d3f2c881d5831f0f289b6 --- /dev/null +++ b/0028-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch 
@@ -0,0 +1,102 @@ +From 0e021bb6df65419ea1f813501ad5781c63c5adab Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Thu, 7 Nov 2024 11:36:22 +0100 +Subject: [PATCH] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 82: Add a Fallback RNG (RH only) +RH-Jira: RHEL-66234 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [2/2] ae2c04680e6420e096c667a22c52ec6f6fb46935 (osteffen/edk2) + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +This patch adds the fallback rng which was introduced in a +previous commit also to the ArmVirtPkg PlatformBootManagerLib. + +Signed-off-by: Oliver Steffen + +patch_name: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch +present_in_specfile: true +location_in_specfile: 49 +--- + OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c | 6 ++++++ + .../PlatformBootManagerLibLight/PlatformBootManagerLib.inf | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +index 2c24c65489..273e6f6a7e 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include "FallbackRng.h" + + #include "PlatformBm.h" + +@@ -819,6 +820,7 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput); + ++ + // + // Add the hardcoded short-form USB keyboard device path to ConIn. 
+ // +@@ -916,6 +918,8 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gVirtioDeviceProtocolGuid, IsVirtioSerial, SetupVirtioSerial); + FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial); ++ ++ FallbackRngCheckAndInstall (); + } + + /** +@@ -982,6 +986,8 @@ PlatformBootManagerAfterConsole ( + BOOLEAN Uninstall; + BOOLEAN ShellEnabled; + ++ FallbackRngPrintWarning (); ++ + // + // Show the splash screen. + // +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +index 6c5552da16..1de19eb507 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +@@ -27,6 +27,8 @@ + PlatformBm.c + PlatformBm.h + QemuKernel.c ++ ../PlatformBootManagerLib/FallbackRng.h ++ ../PlatformBootManagerLib/FallbackRng.c + + [Packages] + MdeModulePkg/MdeModulePkg.dec +@@ -54,6 +56,7 @@ + UefiLib + UefiRuntimeServicesTableLib + PlatformBootManagerCommonLib ++ RngLib + + [FixedPcd] + gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate +@@ -72,6 +75,7 @@ + gRootBridgesConnectedEventGroupGuid + gUefiShellFileGuid + gUiAppFileGuid ++ gEfiRngAlgorithmRaw + + [Protocols] + gEfiFirmwareVolume2ProtocolGuid +@@ -79,3 +83,4 @@ + gEfiMemoryAttributeProtocolGuid + gEfiPciRootBridgeIoProtocolGuid + gVirtioDeviceProtocolGuid ++ gEfiRngProtocolGuid diff --git a/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch b/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch new file mode 100644 index 0000000000000000000000000000000000000000..f59a395ff805996d034fbda2b83f8be401ec8bf1 --- /dev/null +++ b/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch 
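Review bot: The [Sources] additions in PlatformBootManagerLibLight/PlatformBootManagerLib.inf (0028 patch) pull FallbackRng.c and FallbackRng.h in through `../PlatformBootManagerLib/`, which ties the two library instances together by directory layout and compiles the same file into both. Both INFs already list PlatformBootManagerCommonLib under [LibraryClasses]; moving the fallback RNG there, or into a small library of its own, would give one copy and plain include paths. In PlatformBm.c the first hunk only adds an empty line after the FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput) call and should be dropped.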
@@ -0,0 +1,150 @@ +From f959d0c58a7f9c8e8b2155a145328fec5cab1edf Mon Sep 17 00:00:00 2001 +From: Phil Noh +Date: Fri, 5 Sep 2025 15:11:15 -0500 +Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Remove global variable for + command code + +As a BASE type library, currently the TCG PEI driver, Tcg2Pei.inf links +the library. On edk2-stable202508 version, it is found that the driver +includes and updates the global variable of mLastCommandSent in debug +build. Also found that the previous commit (460f270) for the library adds +and uses the global variable. Updating the global variable in PEI drivers +could affect the following issues. To address these issues, remove the +global variable usage. + +PEI ROM Boot : Global variable is not updated +PEI RAM Boot : PEI FV integration/security check is failed + +Signed-off-by: Phil Noh +--- + .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c | 13 +++++-------- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 9 ++++++++- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 4 +++- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c | 9 ++++++++- + 4 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c +index 7b2e449130..56a9684299 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c +@@ -218,8 +218,6 @@ TPM2_CODE_STRING ResponseCodeStrings[] = { + }; + UINTN ResponseCodeStringsCount = sizeof (ResponseCodeStrings) / sizeof (ResponseCodeStrings[0]); + +-UINT32 mLastCommandSent = 0; +- + /** + This simple function will dump up to MAX_TPM_BUFFER_DUMP bytes + of a TPM data buffer and apppend '...' if buffer is larger. +@@ -678,9 +676,6 @@ DumpTpmInputBlock ( + // If verbose, dump all of the buffer contents for deeper analysis. 
+ DumpTpmBuffer ("DATA: ", MIN (InputBlockSize, NativeSize), InputBlock); + +- // Update the last command sent so that response parsing can have some context. +- mLastCommandSent = NativeCode; +- + return; + } + +@@ -690,13 +685,15 @@ DumpTpmInputBlock ( + + @param[in] OutputBlockSize Size of the output buffer. + @param[in] OutputBlock Pointer to the output buffer itself. ++ @param[in] CommandCode Command code for the input block. + + **/ + VOID + EFIAPI + DumpTpmOutputBlock ( + IN UINT32 OutputBlockSize, +- IN CONST UINT8 *OutputBlock ++ IN CONST UINT8 *OutputBlock, ++ IN UINT32 CommandCode + ) + { + CONST TPM2_RESPONSE_HEADER *RespHeader; +@@ -716,8 +713,8 @@ DumpTpmOutputBlock ( + DEBUG ((DEBUG_SECURITY, "Size: %d (0x%X)\n", NativeSize, NativeSize)); + + // Debug anything else based on the Command context. +- if (mLastCommandSent != 0x00) { +- switch (mLastCommandSent) { ++ if (CommandCode != 0x00) { ++ switch (CommandCode) { + case TPM_CC_StartAuthSession: + DumpTpmStartAuthSessionResponse (OutputBlockSize, OutputBlock); + break; +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +index d3054690e2..dc67786736 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +@@ -162,6 +162,7 @@ PtpCrbTpmCommand ( + UINT16 Data16; + UINT32 Data32; + UINT8 RetryCnt; ++ UINT32 CommandCode; + + DEBUG_CODE_BEGIN (); + DumpTpmInputBlock (SizeIn, BufferIn); +@@ -336,7 +337,13 @@ PtpCrbTpmCommand ( + } + + DEBUG_CODE_BEGIN (); +- DumpTpmOutputBlock (TpmOutSize, BufferOut); ++ if (SizeIn >= sizeof (TPM2_COMMAND_HEADER)) { ++ CommandCode = SwapBytes32 (((TPM2_COMMAND_HEADER *)BufferIn)->commandCode); ++ } else { ++ CommandCode = 0; ++ } ++ ++ DumpTpmOutputBlock (TpmOutSize, BufferOut, CommandCode); + DEBUG_CODE_END (); + + // +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h +index 
8b7c37bb9b..7061414040 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h +@@ -73,12 +73,14 @@ DumpTpmInputBlock ( + a response from the TPM for maximum user-readability. + @param[in] OutputBlockSize Size of the output buffer. + @param[in] OutputBlock Pointer to the output buffer itself. ++ @param[in] CommandCode Command code for the input block. + **/ + VOID + EFIAPI + DumpTpmOutputBlock ( + IN UINT32 OutputBlockSize, +- IN CONST UINT8 *OutputBlock ++ IN CONST UINT8 *OutputBlock, ++ IN UINT32 CommandCode + ); + + #endif // TPM2_PTP_H_ +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c +index d2f0abd160..1e141c9272 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c +@@ -223,6 +223,7 @@ Tpm2TisTpmCommand ( + UINT32 TpmOutSize; + UINT16 Data16; + UINT32 Data32; ++ UINT32 CommandCode; + + DEBUG_CODE_BEGIN (); + DumpTpmInputBlock (SizeIn, BufferIn); +@@ -370,7 +371,13 @@ Tpm2TisTpmCommand ( + + Exit: + DEBUG_CODE_BEGIN (); +- DumpTpmOutputBlock (TpmOutSize, BufferOut); ++ if (SizeIn >= sizeof (TPM2_COMMAND_HEADER)) { ++ CommandCode = SwapBytes32 (((TPM2_COMMAND_HEADER *)BufferIn)->commandCode); ++ } else { ++ CommandCode = 0; ++ } ++ ++ DumpTpmOutputBlock (TpmOutSize, BufferOut, CommandCode); + DEBUG_CODE_END (); + MmioWrite8 ((UINTN)&TisReg->Status, TIS_PC_STS_READY); + return Status; diff --git a/50-edk2-aarch64-qcow2.json b/50-edk2-aarch64-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..937d2953eae62645bcb245b55288643debeb9adb --- /dev/null +++ b/50-edk2-aarch64-qcow2.json 
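Review bot: The block that derives CommandCode from BufferIn is added verbatim to both PtpCrbTpmCommand (Tpm2Ptp.c) and Tpm2TisTpmCommand (Tpm2Tis.c) in the 0030 patch, although DumpTpmInputBlock, called at the top of each function, already parses the same header into NativeCode. Having DumpTpmInputBlock return that value, or adding one small helper in Tpm2DeviceLibDTpmDump.c, removes the duplication and keeps the SizeIn check in one place. The new @param text "Command code for the input block" should also say that the value is in host byte order and that 0 means unknown, since DumpTpmOutputBlock skips the per-command decoding in that case.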
@@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/50-edk2-riscv-qcow2.json b/50-edk2-riscv-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..eb1930da494c3fe1c2c61ea11b9a30499d4eb612 --- /dev/null +++ b/50-edk2-riscv-qcow2.json @@ -0,0 +1,33 @@ +{ + "description": "UEFI firmware for RISC-V virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode" : "split", + "executable": { + "filename": "/usr/share/edk2/riscv/RISCV_VIRT_CODE.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/riscv/RISCV_VIRT_VARS.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "riscv64", + "machines": [ + "virt", + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/51-edk2-aarch64-raw.json b/51-edk2-aarch64-raw.json new file mode 100644 index 0000000000000000000000000000000000000000..506bbe69c0197ab4c03d186aa51d9b30c58b0fb6 --- /dev/null +++ b/51-edk2-aarch64-raw.json 
@@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/52-edk2-aarch64-verbose-qcow2.json b/52-edk2-aarch64-verbose-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..976f2a6c238dec0c9ae3d7e5e94a7ccdec20cbd7 --- /dev/null +++ b/52-edk2-aarch64-verbose-qcow2.json @@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines, verbose logs", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff --git a/53-edk2-aarch64-verbose-raw.json b/53-edk2-aarch64-verbose-raw.json new file mode 100644 index 0000000000000000000000000000000000000000..fa0ed91ea635f129c9f99574c59c67769d2cf7cf --- /dev/null +++ b/53-edk2-aarch64-verbose-raw.json 
@@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines, verbose logs", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff --git a/DBXUpdate-20250610.aa64.bin b/DBXUpdate-20250610.aa64.bin new file mode 100644 index 0000000000000000000000000000000000000000..33520068f2602fbd2c739b7f71e8946f5ba6ccd4 Binary files /dev/null and b/DBXUpdate-20250610.aa64.bin differ diff --git a/DBXUpdate-20250610.x64.bin b/DBXUpdate-20250610.x64.bin new file mode 100644 index 0000000000000000000000000000000000000000..811e27eb39e1e7e0f56637bfe7b01e8acdb71165 Binary files /dev/null and b/DBXUpdate-20250610.x64.bin differ diff --git a/dtc-1.7.0.tar.xz b/dtc-1.7.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..c974b08e6bdbff54f5ae4b3452eb112b875cae8e Binary files /dev/null and b/dtc-1.7.0.tar.xz differ diff --git a/edk2-build.py b/edk2-build.py index 5f02ecb854de6a003750786648142365aec75efe..c4bfbae4cffb395c6f3c4d91847a33c827470ce6 100755 --- a/edk2-build.py +++ b/edk2-build.py @@ -51,7 +51,7 @@ def get_toolchain(cfg, build): return cfg[build]['tool'] if cfg.has_option('global', 'tool'): return cfg['global']['tool'] - return 'GCC5' + return 'GCC' def get_hostarch(): mach = os.uname().machine @@ -147,7 +147,7 @@ def build_run(cmdline, name, section, silent = False, nologs = False): print(f'### exit code: {result.returncode}') else: secs = int(time.time() - start) - print(f'### OK ({int(secs/60)}:{secs%60:02d})') + print(f'### OK ({int(secs)}sec)') else: print(cmdline, flush = True) result = subprocess.run(cmdline, check = False) 
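Review bot: In build_run (edk2-build.py) the new success line `print(f'### OK ({int(secs)}sec)')` wraps secs in int() although secs is already `int(time.time() - start)` on the line above; `({secs}sec)` is enough if dropping the minutes:seconds form is intended. The get_toolchain fallback change from 'GCC5' to 'GCC' in the first hunk deserves a changelog line, because builds whose config sets no `tool` option now select a different toolchain tag.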
diff --git a/edk2-d46aa46c8361.tar.xz b/edk2-d46aa46c8361.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..f236f828c43a0d0a373c2ead186f8b6a4f2d7254 Binary files /dev/null and b/edk2-d46aa46c8361.tar.xz differ diff --git a/edk2.spec b/edk2.spec index d3c80dcea6efb3524e42f519483bef68a6818b07..d0ba6918fb614ffc96623730fac4171167a07880 100644 --- a/edk2.spec +++ b/edk2.spec @@ -1,4 +1,4 @@ -%define anolis_release 19 +%define anolis_release 1 %undefine _auto_set_build_flags ExclusiveArch: x86_64 aarch64 loongarch64 riscv64 @@ -30,17 +30,20 @@ ExclusiveArch: x86_64 aarch64 loongarch64 riscv64 Name: edk2 -Version: 202402 +Version: 20250822 Release: %{anolis_release}%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and OpenSSL and MIT URL: http://www.tianocore.org +Source: edk2-d46aa46c8361.tar.xz Source0: https://github.com/tianocore/edk2/archive/refs/tags/edk2-stable%{version}.tar.gz Source1: ovmf-whitepaper-c770f8c.txt Source2: https://github.com/openssl/openssl/archive/refs/tags/openssl-%{OPENSSL_VER}.tar.gz +Source2: openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz # https://github.com/ucb-bar/berkeley-softfloat-3/tree/b64af41c3276f97f0e181920400ee056b9c88037 Source3: softfloat-%{softfloat_version}.tar.xz +Source3: dtc-1.7.0.tar.xz # https://github.com/tianocore/edk2-platforms/commit/7f42d4034c8f4266da691df69dce18234f752cb4 Source4: edk2-platforms-7f42d4034c8f.tar.xz Source5: https://github.com/akheron/jansson/releases/download/v2.13.1/jansson-2.13.1.tar.bz2 
@@ -49,28 +52,35 @@ Source6: brotli-gitf4153a0.tar.gz # json description files Source10: 50-edk2-aarch64.json +Source10: 50-edk2-aarch64-qcow2.json Source11: 51-edk2-aarch64-verbose.json Source40: 30-edk2-ovmf-x64-sb-enrolled.json Source41: 40-edk2-ovmf-x64-sb.json +Source11: 51-edk2-aarch64-raw.json Source42: 50-edk2-ovmf-x64-nosb.json Source43: 60-edk2-ovmf-x64-amdsev.json Source44: 60-edk2-ovmf-x64-inteltdx.json Source50: 50-edk2-loongarch64.json +Source12: 52-edk2-aarch64-verbose-qcow2.json Source51: 51-edk2-loongarch64-verbose.json Source52: 52-edk2-riscv-qcow2.json +Source50: 50-edk2-riscv-qcow2.json Source80: https://gitlab.com/kraxel/edk2-build-config/-/blob/master/bin/edk2-build.py Source81: edk2-build +Source13: 53-edk2-aarch64-verbose-raw.json # LoongArch patches for edk2-platforms Source90: 0023-Platform-Loongson-Remove-minimium-memory-size-limita.patch +Source80: edk2-build.py Source91: 0024-Platform-Loongson-Modify-loongarch-uefi-firmware-siz.patch Source92: fixup-fdt-parse-error.patch Source93: 1006-LoongArchQemuPkg-Enabling-some-base-libraries.patch Source94: 1007-LoongArchQemuPkg-Add-network-support.patch +Source90: DBXUpdate-20250610.x64.bin Patch0001: 0001-MdePkg-Add-StandardSignatureIsHygonGenuine-in-BaseCp.patch Patch0002: 0002-UefiCpuPkg-LocalApicLib-Exclude-second-SendIpi-seque.patch @@ -81,6 +91,7 @@ Patch0006: 0006-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memory.patch Patch0007: 0007-OvmfPkg-BaseMemcryptSevLib-update-page-status-to-Sec.patch Patch0008: 0008-OvmfPkg-Add-CsvDxe-driver.patch Patch0009: 0009-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch +Source91: DBXUpdate-20250610.aa64.bin Patch0010: 0010-OvmfPkg-Reserve-a-CPUID-table-page-for-CSV-guest.patch Patch0011: 0011-OvmfPkg-Use-classic-mmio-window-for-CSV-guest.patch Patch0012: 0012-OvmfPkg-BaseMemEncryptLib-Detect-SEV-live-migration-.patch 
@@ -112,6 +123,19 @@ Patch1006: 1006-MdePkg-Fix-overflow-issue-in-BasePeC.patch Patch1008: 1008-CVE-2024-1298.patch # https://github.com/tianocore/edk2/pull/10928 Patch1009: 1009-CVE-2024-38797.patch +Patch1010: 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch1011: 0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch +Patch1012: 0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +Patch1013: 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch1014: 0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +Patch1015: 0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch +Patch1016: 0027-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch +Patch1017: 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +Patch1018: 0003-Remove-paths-leading-to-submodules.patch +Patch1019: 0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +Patch1020: 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch1021: 0028-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch +Patch1022: 0026-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch BuildRequires: python3-devel BuildRequires: libuuid-devel @@ -131,6 +155,9 @@ BuildRequires: xorriso # modules in grub2-efi-x64-modules package if we don't touch dummy grub.efi. BuildRequires: grub2-tools BuildRequires: grub2-efi-x64-modules +BuildRequires: perl +BuildRequires: perl(JSON) +BuildRequires: python3dist(virt-firmware) >= 25.4 %endif %package ovmf 
@@ -564,6 +591,19 @@ rm -f %{buildroot}%{_datadir}/edk2/riscv/*.raw %changelog +* Thu Dec 04 2025 mgb01105731 - 20250822-1 +- Updated to version 20250822 to fix xxxxxxxxx +- Suppress unnecessary error messages on AArch64 when no vTPM is present to ensure clean boot logs +- Remove insecure TFTP command to reduce attack surface and improve system security +- Reduce debug noise by silencing non-essential VERBOSE messages from QemuRamfbDxe during boot +- Silence verbose debug messages to reduce log spam and improve readability during boot +- Suppress unnecessary error messages to avoid user confusion during silent builds on AArch64 +- Remove global variable usage to ensure PEI phase safety and prevent firmware validation failures +- Remove stale build references to improve clarity and maintainability +- Prevent boot loops in confidential guests with shim and vTPM by disabling fallback reboot +- Reduce log noise and improve performance by disabling verbose NVMe debug messages +- Improve log clarity by replacing misleading 'Failed' messages and add success confirmation for secure random data generation + * Tue Sep 23 2025 wh02252983 - 202402-19 - openssl update to 3.0.14 to fix CVE-2024-0727 diff --git a/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz b/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..1e77631720c9e029c78f2d99265c18bb6083a116 Binary files /dev/null and b/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz differ
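Review bot: The Source additions in edk2.spec reuse numbers that are already taken: Source2 and Source3 each appear twice in the first hunk, and Source10, Source11, Source50, Source80, Source90 and Source91 are added next to existing lines with the same number in the second, so it is unclear which file %{SOURCE2}, %{SOURCE10} and the rest resolve to. Replace the old lines instead of adding beside them, or give the new files unused numbers. Version becomes 20250822 while Source0 still builds its URL from edk2-stable%{version}, and the unnumbered `Source: edk2-d46aa46c8361.tar.xz` (which rpm treats as Source0) sits directly above it; keep only one so the tarball actually built is unambiguous.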
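Review bot: The changelog entry for 20250822-1 still contains the placeholder "to fix xxxxxxxxx" and lists ten changes for the thirteen patches added as Patch1010 to Patch1022; the two fallback RNG patches (0027, 0028), whose own warning text reads "Pixiefail CVE not mitigated", and 0012 are not mentioned at all. Fill in the placeholder, add entries for the missing patches, and name the patch file or bug id in each line so an entry can be traced to its change. Patch1010 to Patch1022 are also numbered in an order unrelated to the 00NN prefixes of the files (0013, 0020, 0009, 0008, ...); apply them in series order or note that they are independent.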