diff --git a/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch deleted file mode 100644 index 8b413819f5d573432fa43ffe1df47a4e891ce18c..0000000000000000000000000000000000000000 --- a/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch +++ /dev/null @@ -1,244 +0,0 @@ -From 83761337ec91fbd459c55d7d956fcc25df3bfa50 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:50 +0200 -Subject: [PATCH 18/27] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80 - characters -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Working with overlong lines is difficult for me; rewrap the CHAP-related -source files in IScsiDxe to 80 characters width. No functional changes. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Maciej Rabeda -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210608121259.32451-2-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++-------- - NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +- - 2 files changed, 71 insertions(+), 22 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index 355c6f129f..cbbc56ae5b 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -1,5 +1,6 @@ - /** @file -- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. -+ This file is for Challenge-Handshake Authentication Protocol (CHAP) -+ Configuration. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent -@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - @param[in] ChallengeLength The length of iSCSI CHAP challenge message. - @param[out] ChapResponse The calculation of the expected hash value. - -- @retval EFI_SUCCESS The expected hash value was calculatedly successfully. -- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the -- length of the hash value for the hashing algorithm chosen. -+ @retval EFI_SUCCESS The expected hash value was calculatedly -+ successfully. -+ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least -+ the length of the hash value for the hashing -+ algorithm chosen. - @retval EFI_PROTOCOL_ERROR MD5 hash operation fail. - @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5. - -@@ -94,8 +97,10 @@ Exit: - @param[in] AuthData iSCSI CHAP authentication data. - @param[in] TargetResponse The response from target. - -- @retval EFI_SUCCESS The response from target passed authentication. -- @retval EFI_SECURITY_VIOLATION The response from target was not expected value. -+ @retval EFI_SUCCESS The response from target passed -+ authentication. -+ @retval EFI_SECURITY_VIOLATION The response from target was not expected -+ value. - @retval Others Other errors as indicated. - - **/ -@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived ( - // - // The first Login Response. - // -- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG); -+ Value = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG -+ ); - if (Value == NULL) { - goto ON_EXIT; - } -@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived ( - - Session->TargetPortalGroupTag = (UINT16) Result; - -- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD); -+ Value = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_AUTH_METHOD -+ ); - if (Value == NULL) { - goto ON_EXIT; - } - // -- // Initiator mandates CHAP authentication but target replies without "CHAP", or -- // initiator suggets "None" but target replies with some kind of auth method. -+ // Initiator mandates CHAP authentication but target replies without -+ // "CHAP", or initiator suggets "None" but target replies with some kind of -+ // auth method. - // - if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) { - if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) { -@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived ( - // - // The Target replies with CHAP_A= CHAP_I= CHAP_C= - // -- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM); -+ Value = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_CHAP_ALGORITHM -+ ); - if (Value == NULL) { - goto ON_EXIT; - } -@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived ( - goto ON_EXIT; - } - -- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER); -+ Identifier = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_CHAP_IDENTIFIER -+ ); - if (Identifier == NULL) { - goto ON_EXIT; - } - -- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE); -+ Challenge = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_CHAP_CHALLENGE -+ ); - if (Challenge == NULL) { - goto ON_EXIT; - } -@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived ( - - AuthData->InIdentifier = (UINT32) Result; - AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; -- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge); -+ IScsiHexToBin ( -+ (UINT8 *) AuthData->InChallenge, -+ &AuthData->InChallengeLength, -+ Challenge -+ ); - Status = IScsiCHAPCalculateResponse ( - AuthData->InIdentifier, - AuthData->AuthConfig->CHAPSecret, -@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived ( - goto ON_EXIT; - } - -- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE); -+ Response = IScsiGetValueByKeyFromList ( -+ KeyValueList, -+ ISCSI_KEY_CHAP_RESPONSE -+ ); - if (Response == NULL) { - goto ON_EXIT; - } -@@ -341,7 +369,8 @@ ON_EXIT: - @param[in, out] Pdu The PDU to send out. - - @retval EFI_SUCCESS All check passed and the phase-related CHAP -- authentication info is filled into the iSCSI PDU. -+ authentication info is filled into the iSCSI -+ PDU. - @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. - @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. - -@@ -392,7 +421,11 @@ IScsiCHAPToSendReq ( - // It's the initial Login Request. Fill in the key=value pairs mandatory - // for the initial Login Request. - // -- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName); -+ IScsiAddKeyValuePair ( -+ Pdu, -+ ISCSI_KEY_INITIATOR_NAME, -+ mPrivate->InitiatorName -+ ); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal"); - IScsiAddKeyValuePair ( - Pdu, -@@ -413,7 +446,8 @@ IScsiCHAPToSendReq ( - - case ISCSI_CHAP_STEP_ONE: - // -- // First step, send the Login Request with CHAP_A= key-value pair. -+ // First step, send the Login Request with CHAP_A= key-value -+ // pair. - // - AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr); -@@ -429,11 +463,20 @@ IScsiCHAPToSendReq ( - // - // CHAP_N= - // -- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName); -+ IScsiAddKeyValuePair ( -+ Pdu, -+ ISCSI_KEY_CHAP_NAME, -+ (CHAR8 *) &AuthData->AuthConfig->CHAPName -+ ); - // - // CHAP_R= - // -- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen); -+ IScsiBinToHex ( -+ (UINT8 *) AuthData->CHAPResponse, -+ ISCSI_CHAP_RSP_LEN, -+ Response, -+ &RspLen -+ ); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); - - if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { -@@ -448,7 +491,12 @@ IScsiCHAPToSendReq ( - // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); - AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; -- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen); -+ IScsiBinToHex ( -+ (UINT8 *) AuthData->OutChallenge, -+ ISCSI_CHAP_RSP_LEN, -+ Challenge, -+ &ChallengeLen -+ ); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); - - Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h -index 140bba0dcd..5e59fb678b 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.h -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h -@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived ( - @param[in, out] Pdu The PDU to send out. - - @retval EFI_SUCCESS All check passed and the phase-related CHAP -- authentication info is filled into the iSCSI PDU. -+ authentication info is filled into the iSCSI -+ PDU. - @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. - @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. - --- -2.27.0 - diff --git a/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch b/0001-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch similarity index 95% rename from 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch rename to 0001-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch index a4db4de85ef19faa4fa5ad29d09fd1bd5e043b9b..f07e304f6a76d2db2d88a3081673da5c165b8b21 100644 --- a/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch +++ b/0001-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch @@ -20,8 +20,8 @@ index 9c0ed5ed24..28f5cc0899 100644 --- a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h +++ b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h @@ -88,4 +88,11 @@ typedef struct { - #define VIRTIO_NET_S_LINK_UP BIT0 - #define VIRTIO_NET_S_ANNOUNCE BIT1 + #define VIRTIO_NET_S_LINK_UP BIT0 + #define VIRTIO_NET_S_ANNOUNCE BIT1 +// +// 1822 net card needs at least 1536 bytes for DMA, even we never negotiate diff --git a/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch deleted file mode 100644 index 7ddeeaac4a96d266a6067e24b698e7f0cf5bf9c9..0000000000000000000000000000000000000000 --- a/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 29cab43bb7912a12efa5a78dac15394aee866e4c Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:51 +0200 -Subject: [PATCH 19/27] NetworkPkg/IScsiDxe: simplify - "ISCSI_CHAP_AUTH_DATA.InChallenge" size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024. - -The usage of this macro currently involves a semantic (not functional) -bug, which we're going to fix in a subsequent patch, eliminating -ISCSI_CHAP_AUTH_MAX_LEN altogether. - -For now, remove the macro's usage from all -"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without -duplicating open-coded constants. - -No changes in functionality. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Maciej Rabeda -Message-Id: <20210608121259.32451-3-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +- - NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index cbbc56ae5b..df3c2eb120 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived ( - } - - AuthData->InIdentifier = (UINT32) Result; -- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; -+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); - IScsiHexToBin ( - (UINT8 *) AuthData->InChallenge, - &AuthData->InChallengeLength, -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h -index 5e59fb678b..1fc1d96ea3 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.h -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h -@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { - typedef struct _ISCSI_CHAP_AUTH_DATA { - ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; - UINT32 InIdentifier; -- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; -+ UINT8 InChallenge[1024]; - UINT32 InChallengeLength; - // - // Calculated CHAP Response (CHAP_R) value. --- -2.27.0 - diff --git a/0002-add-Wno-maybe-uninitialized-to-fix-build-error.patch b/0002-add-Wno-maybe-uninitialized-to-fix-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..8eeeca1a2a5d9566a109c2ea8d7b9379e3a76ab0 --- /dev/null +++ b/0002-add-Wno-maybe-uninitialized-to-fix-build-error.patch @@ -0,0 +1,25 @@ +From f517ad5c6b7fab267f3beb9f87ea608e6b2875df Mon Sep 17 00:00:00 2001 +From: ouuleilei +Date: Fri, 18 Aug 2023 09:28:16 +0800 +Subject: [PATCH] add -Wno-maybe-uninitialized to fix build error + +--- + BaseTools/Conf/tools_def.template | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template +index 503a668..b3872c0 100755 +--- a/BaseTools/Conf/tools_def.template ++++ b/BaseTools/Conf/tools_def.template +@@ -852,7 +852,7 @@ DEFINE GCC5_RISCV_ALL_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sec + DEFINE GCC5_RISCV_ALL_DLINK_FLAGS = DEF(GCC5_RISCV_ALL_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map + DEFINE GCC5_RISCV_ALL_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220,--script=$(EDK_TOOLS_PATH)/Scripts/GccBase.lds + DEFINE GCC5_RISCV_ALL_ASM_FLAGS = -c -x assembler -imacros $(DEST_DIR_DEBUG)/AutoGen.h +-DEFINE GCC5_RISCV_ALL_CC_FLAGS_WARNING_DISABLE = -Wno-tautological-compare -Wno-pointer-compare ++DEFINE GCC5_RISCV_ALL_CC_FLAGS_WARNING_DISABLE = -Wno-tautological-compare -Wno-pointer-compare -Wno-maybe-uninitialized + + DEFINE GCC5_RISCV_OPENSBI_TYPES = -DOPENSBI_EXTERNAL_SBI_TYPES=OpensbiTypes.h + +-- +2.39.1 + diff --git a/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch deleted file mode 100644 index 82ee449ee976ff653be1e563c96e5ed6c6c0cd0d..0000000000000000000000000000000000000000 --- a/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 95616b866187b00355042953efa5c198df07250f Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:52 +0200 -Subject: [PATCH 20/27] NetworkPkg/IScsiDxe: clean up - "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array -with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge -is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used -in the array. - -Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused) -ISCSI_CHAP_AUTH_MAX_LEN macro. - -Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is -superfluous too. - -Most importantly, explain in a new comment *why* tying the challenge size -to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also -Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge -length to the hash digest size", 2019-11-06.) For sure, the motivation -that the new comment now explains has always been there, and has always -been the same, for IScsiDxe; it's just that now we spell it out too. - -No change in peer-visible behavior. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Maciej Rabeda -Message-Id: <20210608121259.32451-4-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +-- - NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++--- - 2 files changed, 7 insertions(+), 5 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index df3c2eb120..9e192ce292 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget ( - AuthData->AuthConfig->ReverseCHAPSecret, - SecretSize, - AuthData->OutChallenge, -- AuthData->OutChallengeLength, -+ ISCSI_CHAP_RSP_LEN, // ChallengeLength - VerifyRsp - ); - -@@ -490,7 +490,6 @@ IScsiCHAPToSendReq ( - // CHAP_C= - // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); -- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; - IScsiBinToHex ( - (UINT8 *) AuthData->OutChallenge, - ISCSI_CHAP_RSP_LEN, -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h -index 1fc1d96ea3..35d5d6ec29 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.h -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h -@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - - #define ISCSI_CHAP_ALGORITHM_MD5 5 - --#define ISCSI_CHAP_AUTH_MAX_LEN 1024 - /// - /// MD5_HASHSIZE - /// -@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA { - // - // Auth-data to be sent out for mutual authentication. - // -+ // While the challenge size is technically independent of the hashing -+ // algorithm, it is good practice to avoid hashing *fewer bytes* than the -+ // digest size. In other words, it's good practice to feed *at least as many -+ // bytes* to the hashing algorithm as the hashing algorithm will output. -+ // - UINT32 OutIdentifier; -- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; -- UINT32 OutChallengeLength; -+ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN]; - } ISCSI_CHAP_AUTH_DATA; - - /** --- -2.27.0 - diff --git a/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch deleted file mode 100644 index 2be51c1cf4b3879c4b51f23fc9467ea193f79402..0000000000000000000000000000000000000000 --- a/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch +++ /dev/null @@ -1,94 +0,0 @@ -From e8f28b09e63dfdbb4169969a43c65f86c44b035a Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:53 +0200 -Subject: [PATCH 21/27] NetworkPkg/IScsiDxe: clean up library class - dependencies -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Sort the library class dependencies in the #include directives and in the -INF file. Remove the DpcLib class from the #include directives -- it is -not listed in the INF file, and IScsiDxe doesn't call either DpcLib API -(QueueDpc(), DispatchDpc()). No functional changes. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Maciej Rabeda -Message-Id: <20210608121259.32451-5-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++--- - NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++--------- - 2 files changed, 11 insertions(+), 12 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf -index 0ffb340ce0..543c408302 100644 ---- a/NetworkPkg/IScsiDxe/IScsiDxe.inf -+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf -@@ -65,6 +65,7 @@ - NetworkPkg/NetworkPkg.dec - - [LibraryClasses] -+ BaseCryptLib - BaseLib - BaseMemoryLib - DebugLib -@@ -72,14 +73,13 @@ - HiiLib - MemoryAllocationLib - NetLib -- TcpIoLib - PrintLib -+ TcpIoLib - UefiBootServicesTableLib - UefiDriverEntryPoint -+ UefiHiiServicesLib - UefiLib - UefiRuntimeServicesTableLib -- UefiHiiServicesLib -- BaseCryptLib - - [Protocols] - gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable -diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h -index 387ab9765e..d895c7feb9 100644 ---- a/NetworkPkg/IScsiDxe/IScsiImpl.h -+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h -@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - --#include --#include --#include --#include -+#include - #include - #include -+#include -+#include -+#include - #include -+#include - #include -+#include - #include --#include -+#include - #include --#include --#include --#include --#include -+#include - - #include - #include --- -2.27.0 - diff --git a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch deleted file mode 100644 index f1eddbe58dd3c5aeccbf2f193a7f77317c6d0e0f..0000000000000000000000000000000000000000 --- a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch +++ /dev/null @@ -1,147 +0,0 @@ -From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:54 +0200 -Subject: [PATCH 22/27] NetworkPkg/IScsiDxe: fix potential integer overflow in - IScsiBinToHex() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Considering IScsiBinToHex(): - -> if (((*HexLength) - 3) < BinLength * 2) { -> *HexLength = BinLength * 2 + 3; -> } - -the following subexpressions are problematic: - - (*HexLength) - 3 - BinLength * 2 - BinLength * 2 + 3 - -The first one may wrap under zero, the latter two may wrap over -MAX_UINT32. - -Rewrite the calculation using SafeIntLib. - -While at it, change the type of the "Index" variable from UINTN to UINT32. -The largest "Index"-based value that we calculate is - - Index * 2 + 2 (with (Index == BinLength)) - -Because the patch makes - - BinLength * 2 + 3 - -safe to calculate in UINT32, using UINT32 for - - Index * 2 + 2 (with (Index == BinLength)) - -is safe too. Consistently using UINT32 improves readability. - -This patch is best reviewed with "git show -W". - -The integer overflows that this patch fixes are theoretical; a subsequent -patch in the series will audit the IScsiBinToHex() call sites, and show -that none of them can fail. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Maciej Rabeda -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210608121259.32451-6-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 + - NetworkPkg/IScsiDxe/IScsiImpl.h | 1 + - NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++---- - NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + - 4 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf -index 543c408302..1dde56d00c 100644 ---- a/NetworkPkg/IScsiDxe/IScsiDxe.inf -+++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf -@@ -74,6 +74,7 @@ - MemoryAllocationLib - NetLib - PrintLib -+ SafeIntLib - TcpIoLib - UefiBootServicesTableLib - UefiDriverEntryPoint -diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h -index d895c7feb9..ac3a25730e 100644 ---- a/NetworkPkg/IScsiDxe/IScsiImpl.h -+++ b/NetworkPkg/IScsiDxe/IScsiImpl.h -@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - #include -+#include - #include - #include - #include -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index b8fef3ff6f..42988e15cb 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -316,6 +316,7 @@ IScsiMacAddrToStr ( - @retval EFI_SUCCESS The binary data is converted to the hexadecimal string - and the length of the string is updated. - @retval EFI_BUFFER_TOO_SMALL The string is too small. -+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. - @retval EFI_INVALID_PARAMETER The IP string is malformatted. - - **/ -@@ -327,18 +328,28 @@ IScsiBinToHex ( - IN OUT UINT32 *HexLength - ) - { -- UINTN Index; -+ UINT32 HexLengthMin; -+ UINT32 HexLengthProvided; -+ UINT32 Index; - - if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) { - return EFI_INVALID_PARAMETER; - } - -- if (((*HexLength) - 3) < BinLength * 2) { -- *HexLength = BinLength * 2 + 3; -+ // -+ // Safely calculate: HexLengthMin := BinLength * 2 + 3. -+ // -+ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) || -+ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) { -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ -+ HexLengthProvided = *HexLength; -+ *HexLength = HexLengthMin; -+ if (HexLengthProvided < HexLengthMin) { - return EFI_BUFFER_TOO_SMALL; - } - -- *HexLength = BinLength * 2 + 3; - // - // Prefix for Hex String. - // -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index 46c725aab3..231413993b 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -150,6 +150,7 @@ IScsiAsciiStrToIp ( - @retval EFI_SUCCESS The binary data is converted to the hexadecimal string - and the length of the string is updated. - @retval EFI_BUFFER_TOO_SMALL The string is too small. -+ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. - @retval EFI_INVALID_PARAMETER The IP string is malformatted. - - **/ --- -2.27.0 - diff --git a/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch deleted file mode 100644 index 82c659e51766bb758d6e6b55b9beed31a2f11637..0000000000000000000000000000000000000000 --- a/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch +++ /dev/null @@ -1,88 +0,0 @@ -From d90fff40cb2502b627370a77f5608c8a178c3f78 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:55 +0200 -Subject: [PATCH 23/27] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always - succeeds -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -IScsiBinToHex() is called for encoding: - -- the answer to the target's challenge; that is, CHAP_R; - -- the challenge for the target, in case mutual authentication is enabled; - that is, CHAP_C. - -The initiator controls the size of both blobs, the sizes of their hex -encodings are correctly calculated in "RspLen" and "ChallengeLen". -Therefore the IScsiBinToHex() calls never fail; assert that. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Maciej Rabeda -Message-Id: <20210608121259.32451-7-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index 9e192ce292..dbe3c8ef46 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -391,6 +391,7 @@ IScsiCHAPToSendReq ( - UINT32 RspLen; - CHAR8 *Challenge; - UINT32 ChallengeLen; -+ EFI_STATUS BinToHexStatus; - - ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION); - -@@ -471,12 +472,13 @@ IScsiCHAPToSendReq ( - // - // CHAP_R= - // -- IScsiBinToHex ( -- (UINT8 *) AuthData->CHAPResponse, -- ISCSI_CHAP_RSP_LEN, -- Response, -- &RspLen -- ); -+ BinToHexStatus = IScsiBinToHex ( -+ (UINT8 *) AuthData->CHAPResponse, -+ ISCSI_CHAP_RSP_LEN, -+ Response, -+ &RspLen -+ ); -+ ASSERT_EFI_ERROR (BinToHexStatus); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); - - if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { -@@ -490,12 +492,13 @@ IScsiCHAPToSendReq ( - // CHAP_C= - // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); -- IScsiBinToHex ( -- (UINT8 *) AuthData->OutChallenge, -- ISCSI_CHAP_RSP_LEN, -- Challenge, -- &ChallengeLen -- ); -+ BinToHexStatus = IScsiBinToHex ( -+ (UINT8 *) AuthData->OutChallenge, -+ ISCSI_CHAP_RSP_LEN, -+ Challenge, -+ &ChallengeLen -+ ); -+ ASSERT_EFI_ERROR (BinToHexStatus); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); - - Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; --- -2.27.0 - diff --git a/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch deleted file mode 100644 index 2a3f31058557a7d5f20fd5aa77f8b234811c3c09..0000000000000000000000000000000000000000 --- a/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch +++ /dev/null @@ -1,86 +0,0 @@ -From dc469f137110fe79704b8b92c552972c739bb915 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:56 +0200 -Subject: [PATCH 24/27] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading - comment block -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We'll need further return values for IScsiHexToBin() in a subsequent -patch; make room for them in the leading comment block of the function. -While at it, rewrap the comment block to 80 characters width. - -No functional changes. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Maciej Rabeda -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210608121259.32451-8-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++-------- - NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++-------- - 2 files changed, 16 insertions(+), 16 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index 42988e15cb..014700e87a 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -370,14 +370,14 @@ IScsiBinToHex ( - /** - Convert the hexadecimal string into a binary encoded buffer. - -- @param[in, out] BinBuffer The binary buffer. -- @param[in, out] BinLength Length of the binary buffer. -- @param[in] HexStr The hexadecimal string. -- -- @retval EFI_SUCCESS The hexadecimal string is converted into a binary -- encoded buffer. -- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. -- -+ @param[in, out] BinBuffer The binary buffer. -+ @param[in, out] BinLength Length of the binary buffer. -+ @param[in] HexStr The hexadecimal string. -+ -+ @retval EFI_SUCCESS The hexadecimal string is converted into a -+ binary encoded buffer. -+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the -+ converted data. - **/ - EFI_STATUS - IScsiHexToBin ( -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index 231413993b..28cf408cd5 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -165,14 +165,14 @@ IScsiBinToHex ( - /** - Convert the hexadecimal string into a binary encoded buffer. - -- @param[in, out] BinBuffer The binary buffer. -- @param[in, out] BinLength Length of the binary buffer. -- @param[in] HexStr The hexadecimal string. -- -- @retval EFI_SUCCESS The hexadecimal string is converted into a binary -- encoded buffer. -- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. -- -+ @param[in, out] BinBuffer The binary buffer. -+ @param[in, out] BinLength Length of the binary buffer. -+ @param[in] HexStr The hexadecimal string. -+ -+ @retval EFI_SUCCESS The hexadecimal string is converted into a -+ binary encoded buffer. -+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the -+ converted data. - **/ - EFI_STATUS - IScsiHexToBin ( --- -2.27.0 - diff --git a/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch deleted file mode 100644 index 0996638c70d6a6616f1b76d3e97d17441bb78d7b..0000000000000000000000000000000000000000 --- a/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 47b76780b487dbfde4efb6843b16064c4a97e94d Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:57 +0200 -Subject: [PATCH 25/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The IScsiHexToBin() function has the following parser issues: - -(1) If the *subject sequence* in "HexStr" is empty, the function returns - EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should - be rejected. - -(2) The function mis-handles a "HexStr" that ends with a stray nibble. For - example, if "HexStr" is "0xABC", the function decodes it to the bytes - {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns - EFI_SUCCESS. Such inputs should be rejected. - -(3) If an invalid hex char is found in "HexStr", the function treats it as - end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be - rejected. - -All of the above cases are remotely triggerable, as shown in a subsequent -patch, which adds error checking to the IScsiHexToBin() call sites. While -the initiator is not immediately compromised, incorrectly parsing CHAP_R -from the target, in case of mutual authentication, is not great. - -Extend the interface contract of IScsiHexToBin() with -EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement -the new checks. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Maciej Rabeda -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210608121259.32451-9-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++-- - NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + - 2 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index 014700e87a..f0f4992b07 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -376,6 +376,7 @@ IScsiBinToHex ( - - @retval EFI_SUCCESS The hexadecimal string is converted into a - binary encoded buffer. -+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. - @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the - converted data. - **/ -@@ -402,14 +403,21 @@ IScsiHexToBin ( - - Length = AsciiStrLen (HexStr); - -+ // -+ // Reject an empty hex string; reject a stray nibble. -+ // -+ if (Length == 0 || Length % 2 != 0) { -+ return EFI_INVALID_PARAMETER; -+ } -+ - for (Index = 0; Index < Length; Index ++) { - TemStr[0] = HexStr[Index]; - Digit = (UINT8) AsciiStrHexToUint64 (TemStr); - if (Digit == 0 && TemStr[0] != '0') { - // -- // Invalid Lun Char. -+ // Invalid Hex Char. - // -- break; -+ return EFI_INVALID_PARAMETER; - } - if ((Index & 1) == 0) { - BinBuffer [Index/2] = Digit; -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index 28cf408cd5..404a482e57 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -171,6 +171,7 @@ IScsiBinToHex ( - - @retval EFI_SUCCESS The hexadecimal string is converted into a - binary encoded buffer. -+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. - @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the - converted data. - **/ --- -2.27.0 - diff --git a/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch deleted file mode 100644 index 6c2861e5d3452fd8f16f8ed47d138111a27ff7bf..0000000000000000000000000000000000000000 --- a/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 54e90edaed0d7c15230902ac4d74f4304bad2ebd Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:58 +0200 -Subject: [PATCH 26/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer - overflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return -condition, but never actually checks whether the decoded buffer fits into -the caller-provided room (i.e., the input value of "BinLength"), and -EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can -overflow "BinBuffer". - -This is remotely exploitable, as shown in a subsequent patch, which adds -error checking to the IScsiHexToBin() call sites. This issue allows the -target to compromise the initiator. - -Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent -EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, -plus actually catch the buffer overflow. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Maciej Rabeda -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210608121259.32451-10-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++--- - NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++ - 2 files changed, 20 insertions(+), 3 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index f0f4992b07..4069547867 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -377,6 +377,9 @@ IScsiBinToHex ( - @retval EFI_SUCCESS The hexadecimal string is converted into a - binary encoded buffer. - @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. -+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: -+ the decoded size cannot be expressed in -+ BinLength on output. - @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the - converted data. - **/ -@@ -387,6 +390,8 @@ IScsiHexToBin ( - IN CHAR8 *HexStr - ) - { -+ UINTN BinLengthMin; -+ UINT32 BinLengthProvided; - UINTN Index; - UINTN Length; - UINT8 Digit; -@@ -409,6 +414,18 @@ IScsiHexToBin ( - if (Length == 0 || Length % 2 != 0) { - return EFI_INVALID_PARAMETER; - } -+ // -+ // Check if the caller provides enough room for the decoded blob. -+ // -+ BinLengthMin = Length / 2; -+ if (BinLengthMin > MAX_UINT32) { -+ return EFI_BAD_BUFFER_SIZE; -+ } -+ BinLengthProvided = *BinLength; -+ *BinLength = (UINT32)BinLengthMin; -+ if (BinLengthProvided < BinLengthMin) { -+ return EFI_BUFFER_TOO_SMALL; -+ } - - for (Index = 0; Index < Length; Index ++) { - TemStr[0] = HexStr[Index]; -@@ -425,9 +442,6 @@ IScsiHexToBin ( - BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit); - } - } -- -- *BinLength = (UINT32) ((Index + 1)/2); -- - return EFI_SUCCESS; - } - -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index 404a482e57..fddef4f466 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -172,6 +172,9 @@ IScsiBinToHex ( - @retval EFI_SUCCESS The hexadecimal string is converted into a - binary encoded buffer. - @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. -+ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: -+ the decoded size cannot be expressed in -+ BinLength on output. - @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the - converted data. - **/ --- -2.27.0 - diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch deleted file mode 100644 index 426abb92367155d7d7211f2a526d49a24fa183e3..0000000000000000000000000000000000000000 --- a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch +++ /dev/null @@ -1,84 +0,0 @@ -From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 8 Jun 2021 14:12:59 +0200 -Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return - values -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -IScsiDxe (that is, the initiator) receives two hex-encoded strings from -the iSCSI target: - -- CHAP_C, where the target challenges the initiator, - -- CHAP_R, where the target answers the challenge from the initiator (in - case the initiator wants mutual authentication). - -Accordingly, we have two IScsiHexToBin() call sites: - -- At the CHAP_C decoding site, check whether the decoding succeeds. The - decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, - which is a permissible restriction on the target, per - . Shorter challenges - from the target are acceptable. - -- At the CHAP_R decoding site, enforce that the decoding both succeed, and - provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest - calculated by the target, therefore it must be of fixed size. We may - only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. - -Cc: Jiaxin Wu -Cc: Maciej Rabeda -Cc: Philippe Mathieu-Daudé -Cc: Siyuan Fu -Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 -Signed-off-by: Laszlo Ersek -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Maciej Rabeda -Message-Id: <20210608121259.32451-11-lersek@redhat.com> ---- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index dbe3c8ef46..7e930c0d1e 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( - - AuthData->InIdentifier = (UINT32) Result; - AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); -- IScsiHexToBin ( -- (UINT8 *) AuthData->InChallenge, -- &AuthData->InChallengeLength, -- Challenge -- ); -+ Status = IScsiHexToBin ( -+ (UINT8 *) AuthData->InChallenge, -+ &AuthData->InChallengeLength, -+ Challenge -+ ); -+ if (EFI_ERROR (Status)) { -+ Status = EFI_PROTOCOL_ERROR; -+ goto ON_EXIT; -+ } - Status = IScsiCHAPCalculateResponse ( - AuthData->InIdentifier, - AuthData->AuthConfig->CHAPSecret, -@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( - } - - RspLen = ISCSI_CHAP_RSP_LEN; -- IScsiHexToBin (TargetRsp, &RspLen, Response); -+ Status = IScsiHexToBin (TargetRsp, &RspLen, Response); -+ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { -+ Status = EFI_PROTOCOL_ERROR; -+ goto ON_EXIT; -+ } - - // - // Check the CHAP Name and Response replied by Target. --- -2.27.0 - diff --git a/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch deleted file mode 100644 index 0917f11c5f0a8efcd2b57b8a8f56528f98db9d79..0000000000000000000000000000000000000000 --- a/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch +++ /dev/null @@ -1,982 +0,0 @@ -From 306307df0e228c73f6ad38ef231db75c4a3478d1 Mon Sep 17 00:00:00 2001 -From: Dandan Bi -Date: Mon, 28 Jun 2021 19:50:22 +0800 -Subject: [PATCH] MdeModulePkg/FPDT: Lock boot performance table address - variable at EndOfDxe - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2957 - -1. Allocate performance data table at EndOfDxe and then lock the varible - which store the table address at EndOfDxe. - -2. Enlarge PCD gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize - from 0x20000 to 0x30000 in order to hold the Delta performance data - between EndOfDxe and ReadyToBoot. - -3. SMM performance data is collected by DXE modules through SMM communication - at ReadyToBoot before. - Now to do SMM communication twice, one for allocating the performance - size at EndOfDxe, another is at ReadyToBoot to get SMM performance data. - -4. Make SmmCorePerformanceLib rather than FirmwarePerformanceSmm to communicate - with DxeCorePerformanceLib for SMM performance data and size. - -Cc: Liming Gao -Cc: Hao A Wu -Cc: Jian J Wang -Signed-off-by: Dandan Bi -Reviewed-by: Hao A Wu -Signed-off-by: Jinhua Cao ---- - .../DxeCorePerformanceLib.c | 132 +++++++++++---- - .../DxeCorePerformanceLib.inf | 3 +- - .../SmmCorePerformanceLib.c | 142 ++++++++++++---- - .../SmmCorePerformanceLib.inf | 5 +- - MdeModulePkg/MdeModulePkg.dec | 4 +- - .../FirmwarePerformanceDxe.c | 90 +++++++++-- - .../FirmwarePerformanceDxe.inf | 6 +- - .../FirmwarePerformanceSmm.c | 151 +----------------- - .../FirmwarePerformanceSmm.inf | 4 +- - 9 files changed, 302 insertions(+), 235 deletions(-) - -diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c -index f500e20b32..bcefac6b6c 100644 ---- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c -+++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c -@@ -10,7 +10,7 @@ - This library is mainly used by DxeCore to start performance logging to ensure that - Performance Protocol is installed at the very beginning of DXE phase. - --Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.
- (C) Copyright 2016 Hewlett Packard Enterprise Development LP
- SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -64,7 +64,7 @@ UINT32 mLoadImageCount = 0; - UINT32 mPerformanceLength = 0; - UINT32 mMaxPerformanceLength = 0; - UINT32 mBootRecordSize = 0; --UINT32 mBootRecordMaxSize = 0; -+UINTN mBootRecordMaxSize = 0; - UINT32 mCachedLength = 0; - - BOOLEAN mFpdtBufferIsReported = FALSE; -@@ -205,25 +205,26 @@ IsKnownID ( - } - - /** -- Allocate buffer for Boot Performance table. -+ This internal function dumps all the SMM performance data and size. - -- @return Status code. -+ @param SmmPerfData Smm Performance data. The buffer contain the SMM perf data is allocated by this function and caller needs to free it. -+ @param SmmPerfDataSize Smm Performance data size. -+ @param SkipGetPerfData Skip to get performance data, just get the size. - - **/ --EFI_STATUS --AllocateBootPerformanceTable ( -+VOID -+InternalGetSmmPerfData ( -+ OUT VOID **SmmPerfData, -+ OUT UINTN *SmmPerfDataSize, -+ IN BOOLEAN SkipGetPerfData - ) - { - EFI_STATUS Status; -- UINTN Size; - UINT8 *SmmBootRecordCommBuffer; - EFI_SMM_COMMUNICATE_HEADER *SmmCommBufferHeader; - SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; - UINTN CommSize; -- UINTN BootPerformanceDataSize; -- UINT8 *BootPerformanceData; - EFI_SMM_COMMUNICATION_PROTOCOL *Communication; -- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; - EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable; - EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion; - UINTN Index; -@@ -237,7 +238,6 @@ AllocateBootPerformanceTable ( - SmmBootRecordCommBuffer = NULL; - SmmCommData = NULL; - SmmBootRecordData = NULL; -- SmmBootRecordDataSize = 0; - ReservedMemSize = 0; - Status = gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL, (VOID **) &Communication); - if (!EFI_ERROR (Status)) { -@@ -284,6 +284,10 @@ AllocateBootPerformanceTable ( - Status = Communication->Communicate (Communication, SmmBootRecordCommBuffer, &CommSize); - - if (!EFI_ERROR (Status) && !EFI_ERROR (SmmCommData->ReturnStatus) && SmmCommData->BootRecordSize != 0) { -+ if (SkipGetPerfData) { -+ *SmmPerfDataSize = SmmCommData->BootRecordSize; -+ return; -+ } - // - // Get all boot records - // -@@ -305,19 +309,45 @@ AllocateBootPerformanceTable ( - } - SmmCommData->BootRecordOffset = SmmCommData->BootRecordOffset + SmmCommData->BootRecordSize; - } -+ *SmmPerfData = SmmBootRecordData; -+ *SmmPerfDataSize = SmmBootRecordDataSize; - } - } - } - } -+} -+ -+/** -+ Allocate buffer for Boot Performance table. -+ -+ @return Status code. -+ -+**/ -+EFI_STATUS -+AllocateBootPerformanceTable ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ UINTN Size; -+ UINTN BootPerformanceDataSize; -+ UINT8 *BootPerformanceData; -+ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; -+ UINTN SmmBootRecordDataSize; -+ -+ SmmBootRecordDataSize = 0; -+ -+ // -+ // Get SMM performance data size at the point of EndOfDxe in order to allocate the boot performance table. -+ // Will Get all the data at ReadyToBoot. -+ // -+ InternalGetSmmPerfData (NULL, &SmmBootRecordDataSize, TRUE); - - // - // Prepare memory for Boot Performance table. - // Boot Performance table includes BasicBoot record, and one or more appended Boot Records. - // -- BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + PcdGet32 (PcdExtFpdtBootRecordPadSize); -- if (SmmCommData != NULL && SmmBootRecordData != NULL) { -- BootPerformanceDataSize += SmmBootRecordDataSize; -- } -+ BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + SmmBootRecordDataSize + PcdGet32 (PcdExtFpdtBootRecordPadSize); - - // - // Try to allocate the same runtime buffer as last time boot. -@@ -358,9 +388,6 @@ AllocateBootPerformanceTable ( - DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: ACPI Boot Performance Table address = 0x%x\n", mAcpiBootPerformanceTable)); - - if (mAcpiBootPerformanceTable == NULL) { -- if (SmmCommData != NULL && SmmBootRecordData != NULL) { -- FreePool (SmmBootRecordData); -- } - return EFI_OUT_OF_RESOURCES; - } - -@@ -385,19 +412,10 @@ AllocateBootPerformanceTable ( - mPerformanceLength = 0; - mMaxPerformanceLength = 0; - } -- if (SmmCommData != NULL && SmmBootRecordData != NULL) { -- // -- // Fill Boot records from SMM drivers. -- // -- CopyMem (BootPerformanceData, SmmBootRecordData, SmmBootRecordDataSize); -- FreePool (SmmBootRecordData); -- mAcpiBootPerformanceTable->Header.Length = (UINT32) (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize); -- BootPerformanceData = BootPerformanceData + SmmBootRecordDataSize; -- } - - mBootRecordBuffer = (UINT8 *) mAcpiBootPerformanceTable; - mBootRecordSize = mAcpiBootPerformanceTable->Header.Length; -- mBootRecordMaxSize = mBootRecordSize + PcdGet32 (PcdExtFpdtBootRecordPadSize); -+ mBootRecordMaxSize = BootPerformanceDataSize; - - return EFI_SUCCESS; - } -@@ -1336,6 +1354,47 @@ ReportFpdtRecordBuffer ( - } - } - -+/** -+ Update Boot Performance table. -+ -+ @param Event The event of notify protocol. -+ @param Context Notify event context. -+ -+**/ -+VOID -+EFIAPI -+UpdateBootPerformanceTable ( -+ IN EFI_EVENT Event, -+ IN VOID *Context -+ ) -+{ -+ VOID *SmmBootRecordData; -+ UINTN SmmBootRecordDataSize; -+ UINTN AppendSize; -+ UINT8 *FirmwarePerformanceTablePtr; -+ -+ // -+ // Get SMM performance data. -+ // -+ SmmBootRecordData = NULL; -+ InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE); -+ -+ FirmwarePerformanceTablePtr = (UINT8 *) mAcpiBootPerformanceTable + mAcpiBootPerformanceTable->Header.Length; -+ -+ if (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize > mBootRecordMaxSize) { -+ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: No enough space to save all SMM boot performance data\n")); -+ AppendSize = mBootRecordMaxSize - mAcpiBootPerformanceTable->Header.Length; -+ } else { -+ AppendSize = SmmBootRecordDataSize; -+ } -+ if (SmmBootRecordData != NULL) { -+ CopyMem (FirmwarePerformanceTablePtr, SmmBootRecordData, AppendSize); -+ mAcpiBootPerformanceTable->Header.Length += (UINT32) AppendSize; -+ mBootRecordSize += (UINT32) AppendSize; -+ FreePool (SmmBootRecordData); -+ } -+} -+ - /** - The constructor function initializes Performance infrastructure for DXE phase. - -@@ -1358,6 +1417,7 @@ DxeCorePerformanceLibConstructor ( - { - EFI_STATUS Status; - EFI_HANDLE Handle; -+ EFI_EVENT EndOfDxeEvent; - EFI_EVENT ReadyToBootEvent; - PERFORMANCE_PROPERTY *PerformanceProperty; - -@@ -1386,13 +1446,25 @@ DxeCorePerformanceLibConstructor ( - ASSERT_EFI_ERROR (Status); - - // -- // Register ReadyToBoot event to report StatusCode data -+ // Register EndOfDxe event to allocate the boot performance table and report the table address through status code. - // - Status = gBS->CreateEventEx ( - EVT_NOTIFY_SIGNAL, -- TPL_CALLBACK, -+ TPL_NOTIFY, - ReportFpdtRecordBuffer, - NULL, -+ &gEfiEndOfDxeEventGroupGuid, -+ &EndOfDxeEvent -+ ); -+ -+ // -+ // Register ReadyToBoot event to update the boot performance table for SMM performance data. -+ // -+ Status = gBS->CreateEventEx ( -+ EVT_NOTIFY_SIGNAL, -+ TPL_CALLBACK, -+ UpdateBootPerformanceTable, -+ NULL, - &gEfiEventReadyToBootGuid, - &ReadyToBootEvent - ); -diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf -index 1c1dcc60a6..599d4dea66 100644 ---- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf -+++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf -@@ -9,7 +9,7 @@ - # This library is mainly used by DxeCore to start performance logging to ensure that - # Performance and PerformanceEx Protocol are installed at the very beginning of DXE phase. - # --# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.
- # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
- # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -67,6 +67,7 @@ - gZeroGuid ## SOMETIMES_CONSUMES ## GUID - gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data - gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## HOB # StatusCode Data -+ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event - gEfiEventReadyToBootGuid ## CONSUMES ## Event - gEdkiiPiSmmCommunicationRegionTableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEdkiiPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol -diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c -index b4f22c14ae..d80f37e520 100644 ---- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c -+++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c -@@ -16,7 +16,7 @@ - - SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation. - --Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -48,6 +48,7 @@ CHAR8 *mPlatformLanguage = NULL; - SPIN_LOCK mSmmFpdtLock; - PERFORMANCE_PROPERTY mPerformanceProperty; - UINT32 mCachedLength = 0; -+UINT32 mBootRecordSize = 0; - - // - // Interfaces for SMM PerformanceMeasurement Protocol. -@@ -776,41 +777,116 @@ InsertFpdtRecord ( - } - - /** -- SmmReadyToBoot protocol notification event handler. -+ Communication service SMI Handler entry. - -- @param Protocol Points to the protocol's unique identifier -- @param Interface Points to the interface instance -- @param Handle The handle on which the interface was installed -+ This SMI handler provides services for report MM boot records. - -- @retval EFI_SUCCESS SmmReadyToBootCallback runs successfully -+ Caution: This function may receive untrusted input. -+ Communicate buffer and buffer size are external input, so this function will do basic validation. -+ -+ @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). -+ @param[in] RegisterContext Points to an optional handler context which was specified when the -+ handler was registered. -+ @param[in, out] CommBuffer A pointer to a collection of data in memory that will -+ be conveyed from a non-MM environment into an MM environment. -+ @param[in, out] CommBufferSize The size of the CommBuffer. -+ -+ @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers -+ should still be called. -+ @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should -+ still be called. -+ @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still -+ be called. -+ @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. - - **/ - EFI_STATUS - EFIAPI --SmmReportFpdtRecordData ( -- IN CONST EFI_GUID *Protocol, -- IN VOID *Interface, -- IN EFI_HANDLE Handle -+FpdtSmiHandler ( -+ IN EFI_HANDLE DispatchHandle, -+ IN CONST VOID *RegisterContext, -+ IN OUT VOID *CommBuffer, -+ IN OUT UINTN *CommBufferSize - ) - { -- UINT64 SmmBPDTddr; -- -- if (!mFpdtDataIsReported && mSmmBootPerformanceTable != NULL) { -- SmmBPDTddr = (UINT64)(UINTN)mSmmBootPerformanceTable; -- REPORT_STATUS_CODE_EX ( -- EFI_PROGRESS_CODE, -- EFI_SOFTWARE_SMM_DRIVER, -- 0, -- NULL, -- &gEdkiiFpdtExtendedFirmwarePerformanceGuid, -- &SmmBPDTddr, -- sizeof (UINT64) -+ EFI_STATUS Status; -+ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; -+ UINTN BootRecordOffset; -+ UINTN BootRecordSize; -+ VOID *BootRecordData; -+ UINTN TempCommBufferSize; -+ UINT8 *BootRecordBuffer; -+ -+ // -+ // If input is invalid, stop processing this SMI -+ // -+ if (CommBuffer == NULL || CommBufferSize == NULL) { -+ return EFI_SUCCESS; -+ } -+ -+ TempCommBufferSize = *CommBufferSize; -+ -+ if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) { -+ return EFI_SUCCESS; -+ } -+ -+ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { -+ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM communication data buffer in MMRAM or overflow!\n")); -+ return EFI_SUCCESS; -+ } -+ -+ SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer; -+ -+ Status = EFI_SUCCESS; -+ -+ switch (SmmCommData->Function) { -+ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE : -+ if (mSmmBootPerformanceTable != NULL) { -+ mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE); -+ } -+ SmmCommData->BootRecordSize = mBootRecordSize; -+ break; -+ -+ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA : -+ Status = EFI_UNSUPPORTED; -+ break; -+ -+ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET : -+ BootRecordOffset = SmmCommData->BootRecordOffset; -+ BootRecordData = SmmCommData->BootRecordData; -+ BootRecordSize = SmmCommData->BootRecordSize; -+ if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) { -+ Status = EFI_INVALID_PARAMETER; -+ break; -+ } -+ -+ // -+ // Sanity check -+ // -+ if (BootRecordSize > mBootRecordSize - BootRecordOffset) { -+ BootRecordSize = mBootRecordSize - BootRecordOffset; -+ } -+ SmmCommData->BootRecordSize = BootRecordSize; -+ if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) { -+ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM Data buffer in MMRAM or overflow!\n")); -+ Status = EFI_ACCESS_DENIED; -+ break; -+ } -+ BootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE); -+ CopyMem ( -+ (UINT8*)BootRecordData, -+ BootRecordBuffer + BootRecordOffset, -+ BootRecordSize - ); -- // -- // Set FPDT report state to TRUE. -- // -- mFpdtDataIsReported = TRUE; -+ mFpdtDataIsReported = TRUE; -+ break; -+ -+ default: -+ Status = EFI_UNSUPPORTED; - } -+ -+ SmmCommData->ReturnStatus = Status; -+ - return EFI_SUCCESS; - } - -@@ -830,8 +906,8 @@ InitializeSmmCorePerformanceLib ( - ) - { - EFI_HANDLE Handle; -+ EFI_HANDLE SmiHandle; - EFI_STATUS Status; -- VOID *SmmReadyToBootRegistration; - PERFORMANCE_PROPERTY *PerformanceProperty; - - // -@@ -851,11 +927,13 @@ InitializeSmmCorePerformanceLib ( - ); - ASSERT_EFI_ERROR (Status); - -- Status = gSmst->SmmRegisterProtocolNotify ( -- &gEdkiiSmmReadyToBootProtocolGuid, -- SmmReportFpdtRecordData, -- &SmmReadyToBootRegistration -- ); -+ // -+ // Register SMI handler. -+ // -+ SmiHandle = NULL; -+ Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &SmiHandle); -+ ASSERT_EFI_ERROR (Status); -+ - Status = EfiGetSystemConfigurationTable (&gPerformanceProtocolGuid, (VOID **) &PerformanceProperty); - if (EFI_ERROR (Status)) { - // -diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf -index 6b013b8557..9eecc4b58c 100644 ---- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf -+++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf -@@ -8,7 +8,7 @@ - # This library is mainly used by SMM Core to start performance logging to ensure that - # SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase. - # --# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -58,14 +58,13 @@ - - [Protocols] - gEfiSmmBase2ProtocolGuid ## CONSUMES -- gEdkiiSmmReadyToBootProtocolGuid ## NOTIFY - - [Guids] - ## PRODUCES ## SystemTable - gPerformanceProtocolGuid -- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data - gZeroGuid ## SOMETIMES_CONSUMES ## GUID - gEdkiiSmmPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol -+ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # SmiHandlerRegister - - [Pcd] - gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES -diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec -index 5d9e2b8d3d..b139f1668c 100644 ---- a/MdeModulePkg/MdeModulePkg.dec -+++ b/MdeModulePkg/MdeModulePkg.dec -@@ -1822,9 +1822,9 @@ - gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosEntryPointProvideMethod|0x3|UINT32|0x00010069 - - ## This PCD specifies the additional pad size in FPDT Basic Boot Performance Table for -- # the extension FPDT boot records received after ReadyToBoot and before ExitBootService. -+ # the extension FPDT boot records received after EndOfDxe and before ExitBootService. - # @Prompt Pad size for extension FPDT boot records. -- gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x20000|UINT32|0x0001005F -+ gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x30000|UINT32|0x0001005F - - ## Indicates if ConIn device are connected on demand.

- # TRUE - ConIn device are not connected during BDS and ReadKeyStroke/ReadKeyStrokeEx produced -diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c -index 61a7704b37..68755554ad 100644 ---- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c -+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c -@@ -5,7 +5,7 @@ - for Firmware Basic Boot Performance Record and other boot performance records, - and install FPDT to ACPI table. - -- Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -32,6 +33,8 @@ - #include - #include - #include -+#include -+#include - - #define SMM_BOOT_RECORD_COMM_SIZE (OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + sizeof(SMM_BOOT_RECORD_COMMUNICATE)) - -@@ -278,11 +281,12 @@ InstallFirmwarePerformanceDataTable ( - VOID - ) - { -- EFI_STATUS Status; -- EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol; -- UINTN BootPerformanceDataSize; -- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; -- UINTN Size; -+ EFI_STATUS Status; -+ EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol; -+ UINTN BootPerformanceDataSize; -+ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; -+ UINTN Size; -+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol; - - // - // Get AcpiTable Protocol. -@@ -292,6 +296,14 @@ InstallFirmwarePerformanceDataTable ( - return Status; - } - -+ // -+ // Get VariablePolicy Protocol. -+ // -+ Status = gBS->LocateProtocol(&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ - if (mReceivedAcpiBootPerformanceTable != NULL) { - mAcpiBootPerformanceTable = mReceivedAcpiBootPerformanceTable; - mAcpiBootPerformanceTable->BasicBoot.ResetEnd = mBootPerformanceTableTemplate.BasicBoot.ResetEnd; -@@ -369,6 +381,24 @@ InstallFirmwarePerformanceDataTable ( - &PerformanceVariable - ); - -+ // -+ // Lock the variable which stores the Performance Table pointers. -+ // -+ Status = RegisterBasicVariablePolicy ( -+ VariablePolicyProtocol, -+ &gEfiFirmwarePerformanceGuid, -+ EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, -+ VARIABLE_POLICY_NO_MIN_SIZE, -+ VARIABLE_POLICY_NO_MAX_SIZE, -+ VARIABLE_POLICY_NO_MUST_ATTR, -+ VARIABLE_POLICY_NO_CANT_ATTR, -+ VARIABLE_POLICY_TYPE_LOCK_NOW -+ ); -+ if (EFI_ERROR(Status)) { -+ DEBUG((DEBUG_ERROR, "[FirmwarePerformanceDxe] Error when lock variable %s, Status = %r\n", EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, Status)); -+ ASSERT_EFI_ERROR(Status); -+ } -+ - // - // Publish Firmware Performance Data Table. - // -@@ -501,18 +531,12 @@ FpdtStatusCodeListenerDxe ( - DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - OsLoaderStartImageStart = %ld\n", mAcpiBootPerformanceTable->BasicBoot.OsLoaderStartImageStart)); - DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesEntry = 0\n")); - DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesExit = 0\n")); -- } else if (Value == (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_DXE_BS_PC_READY_TO_BOOT_EVENT)) { -- if (mAcpiBootPerformanceTable == NULL) { -- // -- // ACPI Firmware Performance Data Table not installed yet, install it now. -- // -- InstallFirmwarePerformanceDataTable (); -- } - } else if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) { - // - // Get the Boot performance table and then install it to ACPI table. - // - CopyMem (&mReceivedAcpiBootPerformanceTable, Data + 1, Data->Size); -+ InstallFirmwarePerformanceDataTable (); - } else if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) { - DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerDxe: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableDxe\n")); - Status = EFI_UNSUPPORTED; -@@ -526,6 +550,32 @@ FpdtStatusCodeListenerDxe ( - return Status; - } - -+/** -+ Notify function for event EndOfDxe. -+ -+ This is used to install ACPI Firmware Performance Data Table for basic boot records. -+ -+ @param[in] Event The Event that is being processed. -+ @param[in] Context The Event Context. -+ -+**/ -+VOID -+EFIAPI -+FpdtEndOfDxeEventNotify ( -+ IN EFI_EVENT Event, -+ IN VOID *Context -+ ) -+{ -+ // -+ // When performance is enabled, the FPDT will be installed when DxeCorePerformanceLib report the data to FimwarePerformanceDxe. -+ // This is used to install the FPDT for the basic boot recods when performance infrastructure is not enabled. -+ // -+ if ((PcdGet8(PcdPerformanceLibraryPropertyMask) & PERFORMANCE_LIBRARY_PROPERTY_MEASUREMENT_ENABLED) != 0) { -+ return; -+ } -+ ASSERT (mReceivedAcpiBootPerformanceTable == NULL); -+ InstallFirmwarePerformanceDataTable (); -+} - - /** - Notify function for event EVT_SIGNAL_EXIT_BOOT_SERVICES. This is used to record -@@ -596,6 +646,7 @@ FirmwarePerformanceDxeEntryPoint ( - FIRMWARE_SEC_PERFORMANCE *Performance; - VOID *Registration; - UINT64 OemTableId; -+ EFI_EVENT EndOfDxeEvent; - - CopyMem ( - mFirmwarePerformanceTableTemplate.Header.OemId, -@@ -620,6 +671,19 @@ FirmwarePerformanceDxeEntryPoint ( - Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerDxe, TPL_HIGH_LEVEL); - ASSERT_EFI_ERROR (Status); - -+ // -+ // Register the notify function to install FPDT at EndOfDxe. -+ // -+ Status = gBS->CreateEventEx ( -+ EVT_NOTIFY_SIGNAL, -+ TPL_NOTIFY, -+ FpdtEndOfDxeEventNotify, -+ NULL, -+ &gEfiEndOfDxeEventGroupGuid, -+ &EndOfDxeEvent -+ ); -+ ASSERT_EFI_ERROR (Status); -+ - // - // Register the notify function to update FPDT on ExitBootServices Event. - // -diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf -index 1debb0193e..0411a22e66 100644 ---- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf -+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf -@@ -5,7 +5,7 @@ - # for Firmware Basic Boot Performance Record and other boot performance records, - # and install FPDT to ACPI table. - # --# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -46,12 +46,14 @@ - HobLib - LockBoxLib - UefiLib -+ VariablePolicyHelperLib - - [Protocols] - gEfiAcpiTableProtocolGuid ## CONSUMES - gEfiRscHandlerProtocolGuid ## CONSUMES - gEfiVariableArchProtocolGuid ## CONSUMES - gEfiLockBoxProtocolGuid ## CONSUMES -+ gEdkiiVariablePolicyProtocolGuid ## CONSUMES - - [Guids] - gEfiEventExitBootServicesGuid ## CONSUMES ## Event -@@ -63,6 +65,7 @@ - gEfiFirmwarePerformanceGuid - gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data - gFirmwarePerformanceS3PointerGuid ## PRODUCES ## UNDEFINED # SaveLockBox -+ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event - - [Pcd] - gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeOsLoaderLoad ## CONSUMES -@@ -72,6 +75,7 @@ - gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision ## CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId ## CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision ## CONSUMES -+ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES - - [FeaturePcd] - gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwarePerformanceDataTableS3Support ## CONSUMES -diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c -index d6c6e7693e..dbd9fe1842 100644 ---- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c -+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c -@@ -11,7 +11,7 @@ - - FpdtSmiHandler() will receive untrusted input and do basic validation. - -- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
-+ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -29,21 +29,12 @@ - #include - #include - #include --#include - #include --#include - #include - --SMM_BOOT_PERFORMANCE_TABLE *mSmmBootPerformanceTable = NULL; -- - EFI_SMM_RSC_HANDLER_PROTOCOL *mRscHandlerProtocol = NULL; - UINT64 mSuspendStartTime = 0; - BOOLEAN mS3SuspendLockBoxSaved = FALSE; --UINT32 mBootRecordSize = 0; --UINT8 *mBootRecordBuffer = NULL; -- --SPIN_LOCK mSmmFpdtLock; --BOOLEAN mSmramIsOutOfResource = FALSE; - - /** - Report status code listener for SMM. This is used to record the performance -@@ -85,21 +76,6 @@ FpdtStatusCodeListenerSmm ( - return EFI_UNSUPPORTED; - } - -- // -- // Collect one or more Boot records in boot time -- // -- if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) { -- AcquireSpinLock (&mSmmFpdtLock); -- // -- // Get the boot performance data. -- // -- CopyMem (&mSmmBootPerformanceTable, Data + 1, Data->Size); -- mBootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE); -- -- ReleaseSpinLock (&mSmmFpdtLock); -- return EFI_SUCCESS; -- } -- - if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) { - DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerSmm: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableSmm\n")); - return EFI_UNSUPPORTED; -@@ -154,118 +130,6 @@ FpdtStatusCodeListenerSmm ( - return EFI_SUCCESS; - } - --/** -- Communication service SMI Handler entry. -- -- This SMI handler provides services for report SMM boot records. -- -- Caution: This function may receive untrusted input. -- Communicate buffer and buffer size are external input, so this function will do basic validation. -- -- @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). -- @param[in] RegisterContext Points to an optional handler context which was specified when the -- handler was registered. -- @param[in, out] CommBuffer A pointer to a collection of data in memory that will -- be conveyed from a non-SMM environment into an SMM environment. -- @param[in, out] CommBufferSize The size of the CommBuffer. -- -- @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers -- should still be called. -- @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should -- still be called. -- @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still -- be called. -- @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. -- --**/ --EFI_STATUS --EFIAPI --FpdtSmiHandler ( -- IN EFI_HANDLE DispatchHandle, -- IN CONST VOID *RegisterContext, -- IN OUT VOID *CommBuffer, -- IN OUT UINTN *CommBufferSize -- ) --{ -- EFI_STATUS Status; -- SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; -- UINTN BootRecordOffset; -- UINTN BootRecordSize; -- VOID *BootRecordData; -- UINTN TempCommBufferSize; -- -- // -- // If input is invalid, stop processing this SMI -- // -- if (CommBuffer == NULL || CommBufferSize == NULL) { -- return EFI_SUCCESS; -- } -- -- TempCommBufferSize = *CommBufferSize; -- -- if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) { -- return EFI_SUCCESS; -- } -- -- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { -- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n")); -- return EFI_SUCCESS; -- } -- -- SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer; -- -- Status = EFI_SUCCESS; -- -- switch (SmmCommData->Function) { -- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE : -- if (mSmmBootPerformanceTable != NULL) { -- mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE); -- } -- SmmCommData->BootRecordSize = mBootRecordSize; -- break; -- -- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA : -- Status = EFI_UNSUPPORTED; -- break; -- -- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET : -- BootRecordOffset = SmmCommData->BootRecordOffset; -- BootRecordData = SmmCommData->BootRecordData; -- BootRecordSize = SmmCommData->BootRecordSize; -- if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) { -- Status = EFI_INVALID_PARAMETER; -- break; -- } -- -- // -- // Sanity check -- // -- if (BootRecordSize > mBootRecordSize - BootRecordOffset) { -- BootRecordSize = mBootRecordSize - BootRecordOffset; -- } -- SmmCommData->BootRecordSize = BootRecordSize; -- if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) { -- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n")); -- Status = EFI_ACCESS_DENIED; -- break; -- } -- -- CopyMem ( -- (UINT8*)BootRecordData, -- mBootRecordBuffer + BootRecordOffset, -- BootRecordSize -- ); -- break; -- -- default: -- Status = EFI_UNSUPPORTED; -- } -- -- SmmCommData->ReturnStatus = Status; -- -- return EFI_SUCCESS; --} -- - /** - The module Entry Point of the Firmware Performance Data Table SMM driver. - -@@ -284,12 +148,6 @@ FirmwarePerformanceSmmEntryPoint ( - ) - { - EFI_STATUS Status; -- EFI_HANDLE Handle; -- -- // -- // Initialize spin lock -- // -- InitializeSpinLock (&mSmmFpdtLock); - - // - // Get SMM Report Status Code Handler Protocol. -@@ -307,12 +165,5 @@ FirmwarePerformanceSmmEntryPoint ( - Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerSmm); - ASSERT_EFI_ERROR (Status); - -- // -- // Register SMI handler. -- // -- Handle = NULL; -- Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &Handle); -- ASSERT_EFI_ERROR (Status); -- - return Status; - } -diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf -index 618cbd56ca..6be57553f0 100644 ---- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf -+++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf -@@ -4,7 +4,7 @@ - # This module registers report status code listener to collect performance data - # for SMM boot performance records and S3 Suspend Performance Record. - # --# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
- # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -51,10 +51,8 @@ - - [Guids] - ## SOMETIMES_PRODUCES ## UNDEFINED # SaveLockBox -- ## PRODUCES ## UNDEFINED # SmiHandlerRegister - ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data - gEfiFirmwarePerformanceGuid -- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data - - [Pcd] - gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeS3SuspendStart ## CONSUMES --- -2.27.0 - diff --git a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch deleted file mode 100644 index 0fce38aa7846e709b0eb6b946b7514a824780139..0000000000000000000000000000000000000000 --- a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch +++ /dev/null @@ -1,378 +0,0 @@ -From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:20:57 +0800 -Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c - from edk2-platforms - -Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any -modifications. - -Signed-off-by: Stefan Berger ---- - .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ - .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++ - .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++ - 3 files changed, 338 insertions(+) - create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h - create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c - create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf - -diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h -new file mode 100644 -index 0000000000..a872fa09dc ---- /dev/null -+++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h -@@ -0,0 +1,27 @@ -+/** @file -+ TPM Platform Hierarchy configuration library. -+ -+ This library provides functions for customizing the TPM's Platform Hierarchy -+ Authorization Value (platformAuth) and Platform Hierarchy Authorization -+ Policy (platformPolicy) can be defined through this function. -+ -+Copyright (c) 2019, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation.
-+SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ -+#define _TPM_PLATFORM_HIERARCHY_LIB_H_ -+ -+/** -+ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. -+ -+**/ -+VOID -+EFIAPI -+ConfigureTpmPlatformHierarchy ( -+ VOID -+ ); -+ -+#endif -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -new file mode 100644 -index 0000000000..9812ab99ab ---- /dev/null -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -@@ -0,0 +1,266 @@ -+/** @file -+ TPM Platform Hierarchy configuration library. -+ -+ This library provides functions for customizing the TPM's Platform Hierarchy -+ Authorization Value (platformAuth) and Platform Hierarchy Authorization -+ Policy (platformPolicy) can be defined through this function. -+ -+ Copyright (c) 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+ @par Specification Reference: -+ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ -+**/ -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+// -+// The authorization value may be no larger than the digest produced by the hash -+// algorithm used for context integrity. -+// -+#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE -+ -+UINT16 mAuthSize; -+ -+/** -+ Generate high-quality entropy source through RDRAND. -+ -+ @param[in] Length Size of the buffer, in bytes, to fill with. -+ @param[out] Entropy Pointer to the buffer to store the entropy data. -+ -+ @retval EFI_SUCCESS Entropy generation succeeded. -+ @retval EFI_NOT_READY Failed to request random data. -+ -+**/ -+EFI_STATUS -+EFIAPI -+RdRandGenerateEntropy ( -+ IN UINTN Length, -+ OUT UINT8 *Entropy -+ ) -+{ -+ EFI_STATUS Status; -+ UINTN BlockCount; -+ UINT64 Seed[2]; -+ UINT8 *Ptr; -+ -+ Status = EFI_NOT_READY; -+ BlockCount = Length / 64; -+ Ptr = (UINT8 *)Entropy; -+ -+ // -+ // Generate high-quality seed for DRBG Entropy -+ // -+ while (BlockCount > 0) { -+ Status = GetRandomNumber128 (Seed); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ CopyMem (Ptr, Seed, 64); -+ -+ BlockCount--; -+ Ptr = Ptr + 64; -+ } -+ -+ // -+ // Populate the remained data as request. -+ // -+ Status = GetRandomNumber128 (Seed); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ CopyMem (Ptr, Seed, (Length % 64)); -+ -+ return Status; -+} -+ -+/** -+ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value -+ and limits an authValue to being no larger than the largest digest produced by a TPM. -+ -+ @param[out] AuthSize Tpm2 Auth size -+ -+ @retval EFI_SUCCESS Auth size returned. -+ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. -+ -+**/ -+EFI_STATUS -+EFIAPI -+GetAuthSize ( -+ OUT UINT16 *AuthSize -+ ) -+{ -+ EFI_STATUS Status; -+ TPML_PCR_SELECTION Pcrs; -+ UINTN Index; -+ UINT16 DigestSize; -+ -+ Status = EFI_SUCCESS; -+ -+ while (mAuthSize == 0) { -+ -+ mAuthSize = SHA1_DIGEST_SIZE; -+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); -+ Status = Tpm2GetCapabilityPcrs (&Pcrs); -+ -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); -+ break; -+ } -+ -+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); -+ -+ for (Index = 0; Index < Pcrs.count; Index++) { -+ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); -+ -+ switch (Pcrs.pcrSelections[Index].hash) { -+ case TPM_ALG_SHA1: -+ DigestSize = SHA1_DIGEST_SIZE; -+ break; -+ case TPM_ALG_SHA256: -+ DigestSize = SHA256_DIGEST_SIZE; -+ break; -+ case TPM_ALG_SHA384: -+ DigestSize = SHA384_DIGEST_SIZE; -+ break; -+ case TPM_ALG_SHA512: -+ DigestSize = SHA512_DIGEST_SIZE; -+ break; -+ case TPM_ALG_SM3_256: -+ DigestSize = SM3_256_DIGEST_SIZE; -+ break; -+ default: -+ DigestSize = SHA1_DIGEST_SIZE; -+ break; -+ } -+ -+ if (DigestSize > mAuthSize) { -+ mAuthSize = DigestSize; -+ } -+ } -+ break; -+ } -+ -+ *AuthSize = mAuthSize; -+ return Status; -+} -+ -+/** -+ Set PlatformAuth to random value. -+**/ -+VOID -+RandomizePlatformAuth ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ UINT16 AuthSize; -+ UINT8 *Rand; -+ UINTN RandSize; -+ TPM2B_AUTH NewPlatformAuth; -+ -+ // -+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null -+ // -+ -+ GetAuthSize (&AuthSize); -+ -+ ZeroMem (NewPlatformAuth.buffer, AuthSize); -+ NewPlatformAuth.size = AuthSize; -+ -+ // -+ // Allocate one buffer to store random data. -+ // -+ RandSize = MAX_NEW_AUTHORIZATION_SIZE; -+ Rand = AllocatePool (RandSize); -+ -+ RdRandGenerateEntropy (RandSize, Rand); -+ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); -+ -+ FreePool (Rand); -+ -+ // -+ // Send Tpm2HierarchyChangeAuth command with the new Auth value -+ // -+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); -+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); -+ ZeroMem (NewPlatformAuth.buffer, AuthSize); -+ ZeroMem (Rand, RandSize); -+} -+ -+/** -+ Disable the TPM platform hierarchy. -+ -+ @retval EFI_SUCCESS The TPM was disabled successfully. -+ @retval Others An error occurred attempting to disable the TPM platform hierarchy. -+ -+**/ -+EFI_STATUS -+DisableTpmPlatformHierarchy ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ -+ // Make sure that we have use of the TPM. -+ Status = Tpm2RequestUseTpm (); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // Let's do what we can to shut down the hierarchies. -+ -+ // Disable the PH NV. -+ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have -+ // been known to store the EK cert in the PH NV. If we disable it, the -+ // EK cert will be unreadable. -+ -+ // Disable the PH. -+ Status = Tpm2HierarchyControl ( -+ TPM_RH_PLATFORM, // AuthHandle -+ NULL, // AuthSession -+ TPM_RH_PLATFORM, // Hierarchy -+ NO // State -+ ); -+ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); -+ ASSERT_EFI_ERROR (Status); -+ } -+ -+ return Status; -+} -+ -+/** -+ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) -+ and Platform Hierarchy Authorization Policy (platformPolicy) -+ -+**/ -+VOID -+EFIAPI -+ConfigureTpmPlatformHierarchy ( -+ ) -+{ -+ if (PcdGetBool (PcdRandomizePlatformHierarchy)) { -+ // -+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null -+ // -+ RandomizePlatformAuth (); -+ } else { -+ // -+ // Disable the hierarchy entirely (do not randomize it) -+ // -+ DisableTpmPlatformHierarchy (); -+ } -+} -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -new file mode 100644 -index 0000000000..b7a7fb0a08 ---- /dev/null -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -@@ -0,0 +1,45 @@ -+### @file -+# -+# TPM Platform Hierarchy configuration library. -+# -+# This library provides functions for customizing the TPM's Platform Hierarchy -+# Authorization Value (platformAuth) and Platform Hierarchy Authorization -+# Policy (platformPolicy) can be defined through this function. -+# -+# Copyright (c) 2019, Intel Corporation. All rights reserved.
-+# Copyright (c) Microsoft Corporation.
-+# -+# SPDX-License-Identifier: BSD-2-Clause-Patent -+# -+### -+ -+[Defines] -+ INF_VERSION = 0x00010005 -+ BASE_NAME = PeiDxeTpmPlatformHierarchyLib -+ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 -+ MODULE_TYPE = PEIM -+ VERSION_STRING = 1.0 -+ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER -+ -+[LibraryClasses] -+ BaseLib -+ BaseMemoryLib -+ DebugLib -+ MemoryAllocationLib -+ PcdLib -+ RngLib -+ Tpm2CommandLib -+ Tpm2DeviceLib -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ MdeModulePkg/MdeModulePkg.dec -+ SecurityPkg/SecurityPkg.dec -+ CryptoPkg/CryptoPkg.dec -+ MinPlatformPkg/MinPlatformPkg.dec -+ -+[Sources] -+ PeiDxeTpmPlatformHierarchyLib.c -+ -+[Pcd] -+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy --- -2.27.0 - diff --git a/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch deleted file mode 100644 index e250097ddf91b67f558b84c7bfcf794841df7b51..0000000000000000000000000000000000000000 --- a/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch +++ /dev/null @@ -1,121 +0,0 @@ -From da8e34ff10bff3bff14c0bc5ee1f2e3f3d72428f Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:20:58 +0800 -Subject: [PATCH 2/8] SecurityPkg/TPM: Fix bugs in imported - PeiDxeTpmPlatformHierarchyLib - -Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c. - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - .../PeiDxeTpmPlatformHierarchyLib.c | 23 +++++-------------- - .../PeiDxeTpmPlatformHierarchyLib.inf | 5 ++-- - 2 files changed, 8 insertions(+), 20 deletions(-) - -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -index 9812ab99ab..d82a0ae1bd 100644 ---- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -@@ -18,7 +18,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -27,7 +26,6 @@ - // The authorization value may be no larger than the digest produced by the hash - // algorithm used for context integrity. - // --#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE - - UINT16 mAuthSize; - -@@ -54,7 +52,7 @@ RdRandGenerateEntropy ( - UINT8 *Ptr; - - Status = EFI_NOT_READY; -- BlockCount = Length / 64; -+ BlockCount = Length / sizeof(Seed); - Ptr = (UINT8 *)Entropy; - - // -@@ -65,10 +63,10 @@ RdRandGenerateEntropy ( - if (EFI_ERROR (Status)) { - return Status; - } -- CopyMem (Ptr, Seed, 64); -+ CopyMem (Ptr, Seed, sizeof(Seed)); - - BlockCount--; -- Ptr = Ptr + 64; -+ Ptr = Ptr + sizeof(Seed); - } - - // -@@ -78,7 +76,7 @@ RdRandGenerateEntropy ( - if (EFI_ERROR (Status)) { - return Status; - } -- CopyMem (Ptr, Seed, (Length % 64)); -+ CopyMem (Ptr, Seed, (Length % sizeof(Seed))); - - return Status; - } -@@ -164,8 +162,6 @@ RandomizePlatformAuth ( - { - EFI_STATUS Status; - UINT16 AuthSize; -- UINT8 *Rand; -- UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; - - // -@@ -174,19 +170,13 @@ RandomizePlatformAuth ( - - GetAuthSize (&AuthSize); - -- ZeroMem (NewPlatformAuth.buffer, AuthSize); - NewPlatformAuth.size = AuthSize; - - // -- // Allocate one buffer to store random data. -+ // Create the random bytes in the destination buffer - // -- RandSize = MAX_NEW_AUTHORIZATION_SIZE; -- Rand = AllocatePool (RandSize); -- -- RdRandGenerateEntropy (RandSize, Rand); -- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); - -- FreePool (Rand); -+ RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer); - - // - // Send Tpm2HierarchyChangeAuth command with the new Auth value -@@ -194,7 +184,6 @@ RandomizePlatformAuth ( - Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); - DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); - ZeroMem (NewPlatformAuth.buffer, AuthSize); -- ZeroMem (Rand, RandSize); - } - - /** -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -index b7a7fb0a08..7bf666794f 100644 ---- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -@@ -1,6 +1,5 @@ --### @file --# --# TPM Platform Hierarchy configuration library. -+## @file -+# TPM Platform Hierarchy configuration library. - # - # This library provides functions for customizing the TPM's Platform Hierarchy - # Authorization Value (platformAuth) and Platform Hierarchy Authorization --- -2.27.0 - diff --git a/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch deleted file mode 100644 index 480ab1dfb06c05118568fa074c7d675be915a88c..0000000000000000000000000000000000000000 --- a/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 4f998a6c11ca05dc19bafe54ecd43ed74bd2cb3c Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:20:59 +0800 -Subject: [PATCH 3/8] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from - edk2-platforms - -Import Tcg2PlatformDxe from edk2-platforms without any modifications. - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 +++++++++++++++++++ - .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 44 ++++++++++ - 2 files changed, 129 insertions(+) - create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c - create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf - -diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c -new file mode 100644 -index 0000000000..150cf748ff ---- /dev/null -+++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c -@@ -0,0 +1,85 @@ -+/** @file -+ Platform specific TPM2 component for configuring the Platform Hierarchy. -+ -+ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
-+ SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+/** -+ This callback function will run at the SmmReadyToLock event. -+ -+ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth) -+ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function. -+ -+ @param Event Pointer to this event -+ @param Context Event hanlder private data -+ **/ -+VOID -+EFIAPI -+SmmReadyToLockEventCallBack ( -+ IN EFI_EVENT Event, -+ IN VOID *Context -+ ) -+{ -+ EFI_STATUS Status; -+ VOID *Interface; -+ -+ // -+ // Try to locate it because EfiCreateProtocolNotifyEvent will trigger it once when registration. -+ // Just return if it is not found. -+ // -+ Status = gBS->LocateProtocol ( -+ &gEfiDxeSmmReadyToLockProtocolGuid, -+ NULL, -+ &Interface -+ ); -+ if (EFI_ERROR (Status)) { -+ return ; -+ } -+ -+ ConfigureTpmPlatformHierarchy (); -+ -+ gBS->CloseEvent (Event); -+} -+ -+/** -+ The driver's entry point. Will register a function for callback during SmmReadyToLock event to -+ configure the TPM's platform authorization. -+ -+ @param[in] ImageHandle The firmware allocated handle for the EFI image. -+ @param[in] SystemTable A pointer to the EFI System Table. -+ -+ @retval EFI_SUCCESS The entry point is executed successfully. -+ @retval other Some error occurs when executing this entry point. -+**/ -+EFI_STATUS -+EFIAPI -+Tcg2PlatformDxeEntryPoint ( -+ IN EFI_HANDLE ImageHandle, -+ IN EFI_SYSTEM_TABLE *SystemTable -+ ) -+{ -+ VOID *Registration; -+ EFI_EVENT Event; -+ -+ Event = EfiCreateProtocolNotifyEvent ( -+ &gEfiDxeSmmReadyToLockProtocolGuid, -+ TPL_CALLBACK, -+ SmmReadyToLockEventCallBack, -+ NULL, -+ &Registration -+ ); -+ -+ ASSERT (Event != NULL); -+ -+ return EFI_SUCCESS; -+} -diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -new file mode 100644 -index 0000000000..af29c1cd98 ---- /dev/null -+++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -@@ -0,0 +1,44 @@ -+### @file -+# Platform specific TPM2 component. -+# -+# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
-+# -+# SPDX-License-Identifier: BSD-2-Clause-Patent -+# -+### -+ -+[Defines] -+ INF_VERSION = 0x00010017 -+ BASE_NAME = Tcg2PlatformDxe -+ FILE_GUID = 5CAB08D5-AD8F-4d8b-B828-D17A8D9FE977 -+ VERSION_STRING = 1.0 -+ MODULE_TYPE = DXE_DRIVER -+ ENTRY_POINT = Tcg2PlatformDxeEntryPoint -+# -+# The following information is for reference only and not required by the build tools. -+# -+# VALID_ARCHITECTURES = IA32 X64 IPF -+# -+ -+[LibraryClasses] -+ BaseLib -+ UefiBootServicesTableLib -+ UefiDriverEntryPoint -+ DebugLib -+ UefiLib -+ TpmPlatformHierarchyLib -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ MdeModulePkg/MdeModulePkg.dec -+ MinPlatformPkg/MinPlatformPkg.dec -+ SecurityPkg/SecurityPkg.dec -+ -+[Sources] -+ Tcg2PlatformDxe.c -+ -+[Protocols] -+ gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## NOTIFY -+ -+[Depex] -+ gEfiTcg2ProtocolGuid --- -2.27.0 - diff --git a/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch deleted file mode 100644 index b6bcac817d23eaa48c3c01ac443823cf3e1d4ddb..0000000000000000000000000000000000000000 --- a/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch +++ /dev/null @@ -1,63 +0,0 @@ -From edaa95dc147509a6c84225d70476c7dd9179cb57 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:21:00 +0800 -Subject: [PATCH 4/8] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix - style issues - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 ++-- - .../PeiDxeTpmPlatformHierarchyLib.c | 2 +- - SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 3 +-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h -index a872fa09dc..8d61a4867b 100644 ---- a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h -+++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h -@@ -11,8 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ - --#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ --#define _TPM_PLATFORM_HIERARCHY_LIB_H_ -+#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_ -+#define TPM_PLATFORM_HIERARCHY_LIB_H_ - - /** - This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -index d82a0ae1bd..0bb04a20fc 100644 ---- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c -@@ -233,7 +233,7 @@ DisableTpmPlatformHierarchy ( - - /** - This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) -- and Platform Hierarchy Authorization Policy (platformPolicy) -+ and Platform Hierarchy Authorization Policy (platformPolicy). - - **/ - VOID -diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -index af29c1cd98..635302fe6f 100644 ---- a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -+++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -@@ -1,4 +1,4 @@ --### @file -+## @file - # Platform specific TPM2 component. - # - # Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
-@@ -31,7 +31,6 @@ - [Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec -- MinPlatformPkg/MinPlatformPkg.dec - SecurityPkg/SecurityPkg.dec - - [Sources] --- -2.27.0 - diff --git a/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch deleted file mode 100644 index 6b096da5164edc18eff9184a47d6d4e4ad73965b..0000000000000000000000000000000000000000 --- a/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 0282acbc3dee92ee04f1a212ca3f4c77e8b97207 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:21:01 +0800 -Subject: [PATCH 5/8] SecurityPkg: Introduce new PCD - PcdRandomizePlatformHierarchy - -Introduce the new PCD -gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy. -We need it for TpmPlatformHierarchyLib. - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - .../PeiDxeTpmPlatformHierarchyLib.inf | 3 +-- - SecurityPkg/SecurityPkg.dec | 6 ++++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -index 7bf666794f..efe560e7ff 100644 ---- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -@@ -35,10 +35,9 @@ - MdeModulePkg/MdeModulePkg.dec - SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec -- MinPlatformPkg/MinPlatformPkg.dec - - [Sources] - PeiDxeTpmPlatformHierarchyLib.c - - [Pcd] -- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy -+ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy -diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec -index 5335cc5397..276ea6e2dd 100644 ---- a/SecurityPkg/SecurityPkg.dec -+++ b/SecurityPkg/SecurityPkg.dec -@@ -291,6 +291,12 @@ - # @Prompt Physical presence of the platform operator. - gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001 - -+ ## Indicates whether the TPM2 platform hierarchy will be disabled by using -+ # a random password or by disabling the hierarchy -+ # TRUE - A random password will be used -+ # FALSE - The hierarchy will be disabled -+ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy|TRUE|BOOLEAN|0x00010024 -+ - [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] - ## Indicates whether TPM physical presence is locked during platform initialization. - # Once it is locked, it can not be unlocked for TPM life time.

--- -2.27.0 - diff --git a/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch deleted file mode 100644 index 38acd0ec1e1e72ed9cd921d00649bdb6df36a69d..0000000000000000000000000000000000000000 --- a/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch +++ /dev/null @@ -1,191 +0,0 @@ -From ede5db34ee1e35c16cf016b974046b1c499c19a6 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:21:03 +0800 -Subject: [PATCH 6/8] SecurityPkg/Tcg: Import Tcg2PlatformPei from - edk2-platforms - -Import Tcg2PlatformPei from edk2-platforms without any modifications. - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++++++++++++ - .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 +++++++++ - 2 files changed, 159 insertions(+) - create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c - create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf - -diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c -new file mode 100644 -index 0000000000..66ec75ad0e ---- /dev/null -+++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c -@@ -0,0 +1,107 @@ -+/** @file -+ -+Copyright (c) 2017, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation.
-+SPDX-License-Identifier: BSD-2-Clause-Patent -+ -+**/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE -+ -+/** -+ This function handles PlatformInit task at the end of PEI -+ -+ @param[in] PeiServices Pointer to PEI Services Table. -+ @param[in] NotifyDesc Pointer to the descriptor for the Notification event that -+ caused this function to execute. -+ @param[in] Ppi Pointer to the PPI data associated with this function. -+ -+ @retval EFI_SUCCESS The function completes successfully -+ @retval others -+**/ -+EFI_STATUS -+EFIAPI -+PlatformInitEndOfPei ( -+ IN CONST EFI_PEI_SERVICES **PeiServices, -+ IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor, -+ IN VOID *Ppi -+ ) -+{ -+ VOID *TcgEventLog; -+ -+ // -+ // Try to get TcgEventLog in S3 to see if S3 error is reported. -+ // -+ TcgEventLog = GetFirstGuidHob(&gTcgEventEntryHobGuid); -+ if (TcgEventLog == NULL) { -+ TcgEventLog = GetFirstGuidHob(&gTcgEvent2EntryHobGuid); -+ } -+ -+ if (TcgEventLog == NULL) { -+ // -+ // no S3 error reported -+ // -+ return EFI_SUCCESS; -+ } -+ -+ // -+ // If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR, -+ // configure the TPM Platform Hierarchy. -+ // -+ ConfigureTpmPlatformHierarchy (); -+ -+ return EFI_SUCCESS; -+} -+ -+static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = { -+ (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), -+ &gEfiEndOfPeiSignalPpiGuid, -+ (EFI_PEIM_NOTIFY_ENTRY_POINT)PlatformInitEndOfPei -+}; -+ -+/** -+ Main entry -+ -+ @param[in] FileHandle Handle of the file being invoked. -+ @param[in] PeiServices Pointer to PEI Services table. -+ -+ @retval EFI_SUCCESS Install function successfully. -+ -+**/ -+EFI_STATUS -+EFIAPI -+Tcg2PlatformPeiEntryPoint ( -+ IN EFI_PEI_FILE_HANDLE FileHandle, -+ IN CONST EFI_PEI_SERVICES **PeiServices -+ ) -+{ -+ EFI_STATUS Status; -+ EFI_BOOT_MODE BootMode; -+ -+ Status = PeiServicesGetBootMode (&BootMode); -+ ASSERT_EFI_ERROR(Status); -+ -+ if (BootMode != BOOT_ON_S3_RESUME) { -+ return EFI_SUCCESS; -+ } -+ -+ // -+ // Performing PlatformInitEndOfPei after EndOfPei PPI produced -+ // -+ Status = PeiServicesNotifyPpi (&mEndOfPeiNotifyList); -+ -+ return Status; -+} -diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf -new file mode 100644 -index 0000000000..579f09b940 ---- /dev/null -+++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf -@@ -0,0 +1,52 @@ -+### @file -+# -+# Copyright (c) 2017, Intel Corporation. All rights reserved.
-+# -+# SPDX-License-Identifier: BSD-2-Clause-Patent -+# -+### -+ -+[Defines] -+ INF_VERSION = 0x00010017 -+ BASE_NAME = Tcg2PlatformPei -+ FILE_GUID = 47727552-A54B-4A84-8CC1-BFF23E239636 -+ VERSION_STRING = 1.0 -+ MODULE_TYPE = PEIM -+ ENTRY_POINT = Tcg2PlatformPeiEntryPoint -+ -+# -+# The following information is for reference only and not required by the build tools. -+# -+# VALID_ARCHITECTURES = IA32 X64 IPF EBC -+# -+ -+[LibraryClasses] -+ PcdLib -+ BaseMemoryLib -+ MemoryAllocationLib -+ PeiServicesLib -+ PeimEntryPoint -+ DebugLib -+ Tpm2DeviceLib -+ Tpm2CommandLib -+ TpmPlatformHierarchyLib -+ RngLib -+ -+[Packages] -+ MdePkg/MdePkg.dec -+ SecurityPkg/SecurityPkg.dec -+ MinPlatformPkg/MinPlatformPkg.dec -+ -+[Sources] -+ Tcg2PlatformPei.c -+ -+[Guids] -+ gTcgEventEntryHobGuid -+ gTcgEvent2EntryHobGuid -+ -+[Ppis] -+ gEfiEndOfPeiSignalPpiGuid -+ -+[Depex] -+ gEfiTpmDeviceSelectedGuid -+ --- -2.27.0 - diff --git a/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch deleted file mode 100644 index 3a51c880c88c97e2203214b0a16e06e704fc3232..0000000000000000000000000000000000000000 --- a/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5134d284aafd4816e265b5c551ee32d6eb43bbc8 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:21:04 +0800 -Subject: [PATCH 7/8] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix - style issues - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 11 ++++++----- - SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 4 ++-- - 2 files changed, 8 insertions(+), 7 deletions(-) - -diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c -index 66ec75ad0e..21d2c1433d 100644 ---- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c -+++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c -@@ -1,4 +1,5 @@ - /** @file -+ Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume - - Copyright (c) 2017, Intel Corporation. All rights reserved.
- Copyright (c) Microsoft Corporation.
-@@ -24,12 +25,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - /** - This function handles PlatformInit task at the end of PEI - -- @param[in] PeiServices Pointer to PEI Services Table. -- @param[in] NotifyDesc Pointer to the descriptor for the Notification event that -- caused this function to execute. -- @param[in] Ppi Pointer to the PPI data associated with this function. -+ @param[in] PeiServices Pointer to PEI Services Table. -+ @param[in] NotifyDescriptor Pointer to the descriptor for the Notification event that -+ caused this function to execute. -+ @param[in] Ppi Pointer to the PPI data associated with this function. - -- @retval EFI_SUCCESS The function completes successfully -+ @retval EFI_SUCCESS The function completes successfully - @retval others - **/ - EFI_STATUS -diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf -index 579f09b940..6f57de025b 100644 ---- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf -+++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf -@@ -1,4 +1,5 @@ --### @file -+## @file -+# Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume - # - # Copyright (c) 2017, Intel Corporation. All rights reserved.
- # -@@ -35,7 +36,6 @@ - [Packages] - MdePkg/MdePkg.dec - SecurityPkg/SecurityPkg.dec -- MinPlatformPkg/MinPlatformPkg.dec - - [Sources] - Tcg2PlatformPei.c --- -2.27.0 - diff --git a/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch deleted file mode 100644 index beb2c1fac4bd786b1eeb2204944dd8fe5a3c711e..0000000000000000000000000000000000000000 --- a/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch +++ /dev/null @@ -1,68 +0,0 @@ -From e031b8396ba1ad059f7c1dc6e28e9fc4ca6aaae9 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 13 Sep 2021 22:21:06 +0800 -Subject: [PATCH 8/8] SecurityPkg: Add references to header and inf files to - SecurityPkg - -Signed-off-by: Stefan Berger -Reviewed-by: Jiewen Yao ---- - SecurityPkg/SecurityPkg.dec | 4 ++++ - SecurityPkg/SecurityPkg.dsc | 12 ++++++++++++ - 2 files changed, 16 insertions(+) - -diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec -index 276ea6e2dd..beffd08772 100644 ---- a/SecurityPkg/SecurityPkg.dec -+++ b/SecurityPkg/SecurityPkg.dec -@@ -68,6 +68,10 @@ - # - Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h - -+ ## @libraryclass Handle TPM 2.0 platform hierarchy configuration -+ # -+ TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h -+ - ## @libraryclass Provides interfaces about TCG storage generic command. - # - TcgStorageCoreLib|Include/Library/TcgStorageCoreLib.h -diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc -index a2eeadda7a..8d5371295a 100644 ---- a/SecurityPkg/SecurityPkg.dsc -+++ b/SecurityPkg/SecurityPkg.dsc -@@ -211,6 +211,8 @@ - - SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf - -+ SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -+ - # - # TCG Storage. - # -@@ -272,6 +274,11 @@ - NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf - } - -+ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { -+ -+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -+ } -+ - SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { - - Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf -@@ -288,6 +295,11 @@ - Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf - } - -+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { -+ -+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf -+ } -+ - # - # Hash2 - # --- -2.27.0 - diff --git a/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch deleted file mode 100644 index 082e0577963b69e51739f45b56711cb74c169ac3..0000000000000000000000000000000000000000 --- a/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch +++ /dev/null @@ -1,191 +0,0 @@ -From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001 -From: Guomin Jiang -Date: Wed, 13 Jan 2021 18:08:09 +0800 -Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to - TempRamDone. (CVE-2019-11098) - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614 -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160 - -The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1 -after TempRamDone - -So move the action to TempRamDone event to avoid reading GDT from flash. - -Signed-off-by: Guomin Jiang -Cc: Eric Dong -Cc: Ray Ni -Cc: Laszlo Ersek -Cc: Rahul Kumar -Cc: Debkumar De -Cc: Harry Han -Cc: Catharine West -Reviewed-by: Ray Ni ---- - UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 -------------------------- - UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 - - UefiCpuPkg/CpuMpPei/CpuPaging.c | 8 ------ - UefiCpuPkg/SecCore/SecCore.inf | 1 + - UefiCpuPkg/SecCore/SecMain.c | 45 ++++++++++++++++++++++++++++++++ - 5 files changed, 46 insertions(+), 46 deletions(-) - -diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c -index 40729a09b9..3c1bad6470 100644 ---- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c -+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c -@@ -429,43 +429,6 @@ GetGdtr ( - AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer); - } - --/** -- Migrates the Global Descriptor Table (GDT) to permanent memory. -- -- @retval EFI_SUCCESS The GDT was migrated successfully. -- @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory. -- --**/ --EFI_STATUS --MigrateGdt ( -- VOID -- ) --{ -- EFI_STATUS Status; -- UINTN GdtBufferSize; -- IA32_DESCRIPTOR Gdtr; -- VOID *GdtBuffer; -- -- AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); -- GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1; -- -- Status = PeiServicesAllocatePool ( -- GdtBufferSize, -- &GdtBuffer -- ); -- ASSERT (GdtBuffer != NULL); -- if (EFI_ERROR (Status)) { -- return EFI_OUT_OF_RESOURCES; -- } -- -- GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR)); -- CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); -- Gdtr.Base = (UINTN) GdtBuffer; -- AsmWriteGdtr (&Gdtr); -- -- return EFI_SUCCESS; --} -- - /** - Initializes CPU exceptions handlers for the sake of stack switch requirement. - -diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf -index ba829d816e..7444bdb968 100644 ---- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf -+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf -@@ -67,7 +67,6 @@ - gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList ## SOMETIMES_CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize ## SOMETIMES_CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize ## SOMETIMES_CONSUMES -- gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES - - [Depex] - TRUE -diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c -index 50ad4277af..3e261d6657 100644 ---- a/UefiCpuPkg/CpuMpPei/CpuPaging.c -+++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c -@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback ( - { - EFI_STATUS Status; - BOOLEAN InitStackGuard; -- BOOLEAN InterruptState; - EDKII_MIGRATED_FV_INFO *MigratedFvInfo; - EFI_PEI_HOB_POINTERS Hob; - -- if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { -- InterruptState = SaveAndDisableInterrupts (); -- Status = MigrateGdt (); -- ASSERT_EFI_ERROR (Status); -- SetInterruptState (InterruptState); -- } -- - // - // Paging must be setup first. Otherwise the exception TSS setup during MP - // initialization later will not contain paging information and then fail -diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf -index 545781d6b4..ded83beb52 100644 ---- a/UefiCpuPkg/SecCore/SecCore.inf -+++ b/UefiCpuPkg/SecCore/SecCore.inf -@@ -77,6 +77,7 @@ - - [Pcd] - gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES -+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES - - [UserExtensions.TianoCore."ExtraFiles"] - SecCoreExtra.uni -diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c -index 155be49a60..2416c4ce56 100644 ---- a/UefiCpuPkg/SecCore/SecMain.c -+++ b/UefiCpuPkg/SecCore/SecMain.c -@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInformationPpi[] = { - } - }; - -+/** -+ Migrates the Global Descriptor Table (GDT) to permanent memory. -+ -+ @retval EFI_SUCCESS The GDT was migrated successfully. -+ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory. -+ -+**/ -+EFI_STATUS -+MigrateGdt ( -+ VOID -+ ) -+{ -+ EFI_STATUS Status; -+ UINTN GdtBufferSize; -+ IA32_DESCRIPTOR Gdtr; -+ VOID *GdtBuffer; -+ -+ AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); -+ GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1; -+ -+ Status = PeiServicesAllocatePool ( -+ GdtBufferSize, -+ &GdtBuffer -+ ); -+ ASSERT (GdtBuffer != NULL); -+ if (EFI_ERROR (Status)) { -+ return EFI_OUT_OF_RESOURCES; -+ } -+ -+ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR)); -+ CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); -+ Gdtr.Base = (UINTN) GdtBuffer; -+ AsmWriteGdtr (&Gdtr); -+ -+ return EFI_SUCCESS; -+} -+ - // - // These are IDT entries pointing to 10:FFFFFFE4h. - // -@@ -409,6 +446,14 @@ SecTemporaryRamDone ( - // - State = SaveAndDisableInterrupts (); - -+ // -+ // Migrate GDT before NEM near down -+ // -+ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { -+ Status = MigrateGdt (); -+ ASSERT_EFI_ERROR (Status); -+ } -+ - // - // Disable Temporary RAM after Stack and Heap have been migrated at this point. - // --- -2.27.0 - diff --git a/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch deleted file mode 100644 index 00641eee61f1493958703eb612d00952d957a8d1..0000000000000000000000000000000000000000 --- a/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch +++ /dev/null @@ -1,208 +0,0 @@ -From cab1f02565d3b29081dd21afb074f35fdb4e1fd6 Mon Sep 17 00:00:00 2001 -From: Miki Demeter -Date: Thu, 27 Oct 2022 16:20:54 -0700 -Subject: [PATCH] MdeModulePkg/PiSmmCore:SmmEntryPoint underflow(CVE-2021-38578) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387 - -Added use of SafeIntLib to validate values are not causing overflows or -underflows in user controlled values when calculating buffer sizes. - -Signed-off-by: Miki Demeter -Reviewed-by: Michael D Kinney -Cc: Jian J Wang -Cc: Liming Gao -Reviewed-by: Liming Gao ---- - MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 41 ++++++++++++++++++----- - MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 + - MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 1 + - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 31 +++++++++++++---- - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 + - 5 files changed, 60 insertions(+), 15 deletions(-) - -diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c -index 9e5c6cbe33..875c7c0258 100644 ---- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c -+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c -@@ -609,6 +609,7 @@ SmmEndOfS3ResumeHandler ( - @param[in] Size2 Size of Buff2 - - @retval TRUE Buffers overlap in memory. -+ @retval TRUE Math error. Prevents potential math over and underflows. - @retval FALSE Buffer doesn't overlap. - - **/ -@@ -620,11 +621,24 @@ InternalIsBufferOverlapped ( - IN UINTN Size2 - ) - { -+ UINTN End1; -+ UINTN End2; -+ BOOLEAN IsOverUnderflow1; -+ BOOLEAN IsOverUnderflow2; -+ -+ // Check for over or underflow -+ IsOverUnderflow1 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1)); -+ IsOverUnderflow2 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2)); -+ -+ if (IsOverUnderflow1 || IsOverUnderflow2) { -+ return TRUE; -+ } -+ - // - // If buff1's end is less than the start of buff2, then it's ok. - // Also, if buff1's start is beyond buff2's end, then it's ok. - // -- if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) { -+ if ((End1 <= (UINTN)Buff2) || ((UINTN)Buff1 >= End2)) { - return FALSE; - } - -@@ -651,6 +665,7 @@ SmmEntryPoint ( - EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader; - BOOLEAN InLegacyBoot; - BOOLEAN IsOverlapped; -+ BOOLEAN IsOverUnderflow; - VOID *CommunicationBuffer; - UINTN BufferSize; - -@@ -699,23 +714,31 @@ SmmEntryPoint ( - (UINT8 *) gSmmCorePrivate, - sizeof (*gSmmCorePrivate) - ); -- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) { -+ // -+ // Check for over or underflows -+ // -+ IsOverUnderflow = EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize)); -+ -+ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || -+ IsOverlapped || IsOverUnderflow) -+ { - // - // If CommunicationBuffer is not in valid address scope, - // or there is overlap between gSmmCorePrivate and CommunicationBuffer, -+ // or there is over or underflow, - // return EFI_INVALID_PARAMETER - // - gSmmCorePrivate->CommunicationBuffer = NULL; - gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED; - } else { - CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer; -- BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data); -- Status = SmiManage ( -- &CommunicateHeader->HeaderGuid, -- NULL, -- CommunicateHeader->Data, -- &BufferSize -- ); -+ // BufferSize was updated by the SafeUintnSub() call above. -+ Status = SmiManage ( -+ &CommunicateHeader->HeaderGuid, -+ NULL, -+ CommunicateHeader->Data, -+ &BufferSize -+ ); - // - // Update CommunicationBuffer, BufferSize and ReturnStatus - // Communicate service finished, reset the pointer to CommBuffer to NULL -diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h -index 71422b9dfc..b8a490a8c3 100644 ---- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h -+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h -@@ -54,6 +54,7 @@ - #include - #include - #include -+#include - - #include "PiSmmCorePrivateData.h" - #include "HeapGuard.h" -diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf -index c8bfae3860..3df44b38f1 100644 ---- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf -+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf -@@ -60,6 +60,7 @@ - PerformanceLib - HobLib - SmmMemLib -+ SafeIntLib - - [Protocols] - gEfiDxeSmmReadyToLockProtocolGuid ## UNDEFINED # SmiHandlerRegister -diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c -index 4f00cebaf5..fbba868fd0 100644 ---- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c -+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c -@@ -34,8 +34,8 @@ - #include - #include - #include -- - #include "PiSmmCorePrivateData.h" -+#include - - #define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC) - -@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry ( - @param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare. - - @retval TRUE There is overlap. -+ @retval TRUE Math error. - @retval FALSE There is no overlap. - - **/ -@@ -1353,11 +1354,29 @@ SmmIsSmramOverlap ( - IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare - ) - { -- UINT64 RangeToCompareEnd; -- UINT64 ReservedRangeToCompareEnd; -- -- RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize; -- ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize; -+ UINT64 RangeToCompareEnd; -+ UINT64 ReservedRangeToCompareEnd; -+ BOOLEAN IsOverUnderflow1; -+ BOOLEAN IsOverUnderflow2; -+ -+ // Check for over or underflow. -+ IsOverUnderflow1 = EFI_ERROR ( -+ SafeUint64Add ( -+ (UINT64)RangeToCompare->CpuStart, -+ RangeToCompare->PhysicalSize, -+ &RangeToCompareEnd -+ ) -+ ); -+ IsOverUnderflow2 = EFI_ERROR ( -+ SafeUint64Add ( -+ (UINT64)ReservedRangeToCompare->SmramReservedStart, -+ ReservedRangeToCompare->SmramReservedSize, -+ &ReservedRangeToCompareEnd -+ ) -+ ); -+ if (IsOverUnderflow1 || IsOverUnderflow2) { -+ return TRUE; -+ } - - if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) && - (RangeToCompare->CpuStart < ReservedRangeToCompareEnd)) { -diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf -index 6109d6b544..ddeb39cee2 100644 ---- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf -+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf -@@ -46,6 +46,7 @@ - DxeServicesLib - PcdLib - ReportStatusCodeLib -+ SafeIntLib - - [Protocols] - gEfiSmmBase2ProtocolGuid ## PRODUCES --- -2.27.0 - diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch deleted file mode 100644 index 99ddb6f8caf3c7085de4267e094aa52856d60ba6..0000000000000000000000000000000000000000 --- a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From a114dc3c9af48a8f8ed22e738944a9c3e830a088 Mon Sep 17 00:00:00 2001 -From Shao Denghui -Date: Mon, 20 Feb 2023 21:59:31 +0800 -Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for - PEM_read_bio_ex In the event of a failure in PEM_read_bio_ex() we free the - buffers we allocated for the header and data buffers. However we were not - clearing the ptrs stored in *header and *data. Since, on success, the caller - is responsible for freeing these ptrs this can potentially lead to a double - free if the caller frees them even on failure. - -Thanks to Dawei Wang for reporting this issue. - -Based on a proposed patch by Kurt Roeckx. - -CVE-2022-4450 - -Reference: https://github.com/openssl/openssl/commit/ee6243f3947107d655f6dee96f63861561a5aaeb - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz - -Signed-off-by: Shao Denghui ---- - CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c -index 64baf71..6c7c4fe 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c -@@ -940,7 +940,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - goto end; - } - BIO_read(headerB, *header, headerlen); --- -2.27.0 - diff --git a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch deleted file mode 100644 index 9852ad6fce9b023892b7d279ce37febdabd9dda1..0000000000000000000000000000000000000000 --- a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001 -From Shao Denghui -Date: Tue, 21 Feb 2023 20:12:59 +0800 -Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls - -These calls invoke EVP_DigestInit() which can fail for digests -with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() -or EVP_DigestFinal() from BIO_read() will segfault on NULL -dereference. This can be triggered by an attacker providing -PKCS7 data digested with MD4 for example if the legacy provider -is not loaded. - -If BIO_set_md() fails the md BIO cannot be used. - -CVE-2023-0401 - -Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847 - -Reviewed-by: Paul Dale -Reviewed-by: Richard Levitte - -Signed-off-by: Shao Denghui ---- - .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c -index f63fbc5..bbfcf27 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c -@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) - goto err; - } - -- BIO_set_md(btmp, md); -+ if (BIO_set_md(btmp, md) <= 0) { -+ PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); -+ goto err; -+ } - if (*pbio == NULL) - *pbio = btmp; - else if (!BIO_push(*pbio, btmp)) { -@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) - goto err; - } - -- BIO_set_md(btmp, evp_md); -+ if (BIO_set_md(btmp, evp_md) <= 0) { -+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); -+ goto err; -+ } - if (out == NULL) - out = btmp; - else --- -2.27.0 - diff --git a/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch deleted file mode 100644 index 0c517923a0764e7447b3a81a5c23a08c0666c589..0000000000000000000000000000000000000000 --- a/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 93bb2a5f1df1617502c24f287ea4e5ca351aef95 Mon Sep 17 00:00:00 2001 -From: chenhuiying -Date: Sat, 25 Feb 2023 15:05:15 +0800 -Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF - -If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will -be part of an invalid BIO chain. This causes a "use after free" when the -BIO is eventually freed. - -Based on an original patch by Viktor Dukhovni and an idea from Theo -Buehler. - -Thanks to Octavio Galland for reporting this issue. - -REF: https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344 -Signed-off-by: chenhuiying ---- - .../OpensslLib/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++---- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c -index 6222c99..cf52468 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c -@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); - static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, - void *parg); - -+/* -+ * On success, the returned BIO owns the input BIO as part of its BIO chain. -+ * On failure, NULL is returned and the input BIO is owned by the caller. -+ * -+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() -+ */ - BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - { - NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; - const ASN1_AUX *aux = it->funcs; - ASN1_STREAM_ARG sarg; -+ BIO *pop_bio = NULL; - - if (!aux || !aux->asn1_cb) { - ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); -@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; -+ pop_bio = asn_bio; - -- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); -- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); -+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 -+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 -+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) -+ goto err; - - /* -- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure -- * needs. -+ * Now let the callback prepend any digest, cipher, etc., that the BIO's -+ * ASN1 structure needs. - */ - - sarg.out = out; - sarg.ndef_bio = NULL; - sarg.boundary = NULL; - -- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) -+ /* -+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the -+ * middle of some partially built, but not returned BIO chain. -+ */ -+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { -+ /* -+ * ndef_aux is now owned by asn_bio so we must not free it in the err -+ * clean up block -+ */ -+ ndef_aux = NULL; - goto err; -+ } -+ -+ /* -+ * We must not fail now because the callback has prepended additional -+ * BIOs to the chain -+ */ - - ndef_aux->val = val; - ndef_aux->it = it; -@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - -- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); -- - return sarg.ndef_bio; - - err: -+ /* BIO_pop() is NULL safe */ -+ (void)BIO_pop(pop_bio); - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; --- -2.27.0 - diff --git a/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch deleted file mode 100644 index f42b4369200dadc8faec4fac0f9971f5753149ed..0000000000000000000000000000000000000000 --- a/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch +++ /dev/null @@ -1,79 +0,0 @@ -From cb81a80d059f41b0930fcc36c36a155244f3873a Mon Sep 17 00:00:00 2001 -From: chenhuiying -Date: Sat, 25 Feb 2023 16:18:41 +0800 -Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled correctly - -Test for the issue fixed in the previous commit - -REF:https://github.com/openssl/openssl/commit/f040f2577891d2bdb7610566c172233844cf673a -Signed-off-by: chenhuiying ---- - .../openssl/test/recipes/80-test_cms.t | 15 +++++++++++++-- - .../openssl/test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ - 2 files changed, 31 insertions(+), 2 deletions(-) - create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t -index 5dc6a3a..ec11bfc 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t -+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; - use OpenSSL::Test::Utils; - - setup("test_cms"); -@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); - my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - = disabled qw/des dh dsa ec ec2m rc2 zlib/; - --plan tests => 6; -+plan tests => 7; - - my @smime_pkcs7_tests = ( - -@@ -584,3 +584,14 @@ sub check_availability { - - return ""; - } -+ -+# Check that we get the expected failure return code -+with({ exit_checker => sub { return shift == 6; } }, -+ sub { -+ ok(run(app(['openssl', 'cms', '-encrypt', -+ '-in', srctop_file("test", "smcont.txt"), -+ '-stream', '-recip', -+ srctop_file("test/smime-certs", "badrsa.pem"), -+ ])), -+ "Check failure during BIO setup with -stream is handled correctly"); -+ }); -diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem -new file mode 100644 -index 0000000..f824fc2 ---- /dev/null -+++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD -+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY -+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN -+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw -+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A -+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s -+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 -+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB -+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww -+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm -+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW -+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt -+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d -+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv -+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ -+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= -+-----END CERTIFICATE----- --- -2.27.0 - diff --git a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch deleted file mode 100644 index e670922a93780088a750eb54a88f4fed5dfd496d..0000000000000000000000000000000000000000 --- a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +++ /dev/null @@ -1,102 +0,0 @@ -From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001 -From: chenhuiying -Date: Sat, 25 Feb 2023 17:54:23 +0800 -Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() - -If a GENERAL_NAME field contained EdiPartyName data then it was -incorrectly being handled as type "other". This could lead to a -segmentation fault. - -Many thanks to David Benjamin from Google for reporting this issue. - -CVE-2020-1971 - -reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920 -Signed-off-by: chenhuiying ---- - .../openssl/crypto/x509v3/v3_genn.c | 45 +++++++++++++++++-- - 1 file changed, 42 insertions(+), 3 deletions(-) - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -index 23e3bc4..23778e2 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) - (char *)a); - } - -+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) -+{ -+ int res; -+ -+ if (a == NULL || b == NULL) { -+ /* -+ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it -+ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here -+ */ -+ return -1; -+ } -+ if (a->nameAssigner == NULL && b->nameAssigner != NULL) -+ return -1; -+ if (a->nameAssigner != NULL && b->nameAssigner == NULL) -+ return 1; -+ /* If we get here then both have nameAssigner set, or both unset */ -+ if (a->nameAssigner != NULL) { -+ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); -+ if (res != 0) -+ return res; -+ } -+ /* -+ * partyName is required, so these should never be NULL. We treat it in -+ * the same way as the a == NULL || b == NULL case above -+ */ -+ if (a->partyName == NULL || b->partyName == NULL) -+ return -1; -+ -+ return ASN1_STRING_cmp(a->partyName, b->partyName); -+} -+ - /* Returns 0 if they are equal, != 0 otherwise. */ - int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - { -@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -+ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ break; -+ - case GEN_EDIPARTY: -- result = ASN1_TYPE_cmp(a->d.other, b->d.other); -+ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); - break; - - case GEN_OTHERNAME: -@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) - { - switch (type) { - case GEN_X400: -+ a->d.x400Address = value; -+ break; -+ - case GEN_EDIPARTY: -- a->d.other = value; -+ a->d.ediPartyName = value; - break; - - case GEN_OTHERNAME: -@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) - *ptype = a->type; - switch (a->type) { - case GEN_X400: -+ return a->d.x400Address; -+ - case GEN_EDIPARTY: -- return a->d.other; -+ return a->d.ediPartyName; - - case GEN_OTHERNAME: - return a->d.otherName; --- -2.27.0 - diff --git a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch deleted file mode 100644 index 24e3c8a9b64f3a28bbb093777d01ffc32b709b79..0000000000000000000000000000000000000000 --- a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 7553d2119f3c899f779eaacafff63feaa843814a Mon Sep 17 00:00:00 2001 -From: s00803682 -Date: Sat, 25 Feb 2023 18:22:13 +0800 -Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1) - -REF: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 -Signed-off-by: chenhuiying ---- - CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c | 2 +- - CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -index 23778e2..12ce733 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c -@@ -97,7 +97,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); - break; - - case GEN_EDIPARTY: -diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h -index 6c6eca3..b80438d 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h -+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h -@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; -- ASN1_TYPE *x400Address; -+ ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; --- -2.27.0 - diff --git a/0029-Fix-Timing-Oracle-in-RSA-decryption.patch b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch deleted file mode 100644 index 3e5762570fe5b1469ef1a90eb502db1baeec5265..0000000000000000000000000000000000000000 --- a/0029-Fix-Timing-Oracle-in-RSA-decryption.patch +++ /dev/null @@ -1,834 +0,0 @@ -From df422474e4e7e2f380840eeb9d6e466312fe0879 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 20 Jan 2023 15:26:54 +0000 -Subject: [PATCH] Fix Timing Oracle in RSA decryption - -A timing based side channel exists in the OpenSSL RSA Decryption -implementation which could be sufficient to recover a plaintext across -a network in a Bleichenbacher style attack. To achieve a successful -decryption an attacker would have to be able to send a very large number -of trial messages for decryption. The vulnerability affects all RSA -padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. - -Patch written by Dmitry Belyavsky and Hubert Kario - -CVE-2022-4304 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz - -reference: https://github.com/openssl/openssl/pull/20284 -Signed-off-by: yexiao ---- - CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + - .../Library/OpensslLib/OpensslLibCrypto.inf | 1 + - .../OpensslLib/openssl/crypto/bn/bn_blind.c | 14 - - .../OpensslLib/openssl/crypto/bn/bn_err.c | 2 + - .../OpensslLib/openssl/crypto/bn/bn_local.h | 14 + - .../OpensslLib/openssl/crypto/bn/build.info | 3 +- - .../openssl/crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++ - .../OpensslLib/openssl/crypto/err/openssl.txt | 3 +- - .../OpensslLib/openssl/crypto/rsa/rsa_ossl.c | 17 +- - .../OpensslLib/openssl/include/crypto/bn.h | 5 + - .../openssl/include/openssl/bnerr.h | 1 + - 11 files changed, 655 insertions(+), 20 deletions(-) - create mode 100644 CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c - -diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -index b00bb74..ec5be59 100644 ---- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf -+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf -@@ -155,6 +155,7 @@ - $(OPENSSL_PATH)/crypto/bn/bn_sqr.c - $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c - $(OPENSSL_PATH)/crypto/bn/bn_srp.c -+ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c - $(OPENSSL_PATH)/crypto/bn/bn_word.c - $(OPENSSL_PATH)/crypto/bn/bn_x931p.c - $(OPENSSL_PATH)/crypto/buffer/buf_err.c -diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -index 3557711..ee68e48 100644 ---- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf -@@ -155,6 +155,7 @@ - $(OPENSSL_PATH)/crypto/bn/bn_sqr.c - $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c - $(OPENSSL_PATH)/crypto/bn/bn_srp.c -+ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c - $(OPENSSL_PATH)/crypto/bn/bn_word.c - $(OPENSSL_PATH)/crypto/bn/bn_x931p.c - $(OPENSSL_PATH)/crypto/buffer/buf_err.c -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c -index 76fc7eb..6e9d239 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c -index dd87c15..3dd8d9a 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c -@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { - {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, -+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), -+ "ossl_bn_rsa_do_unblind"}, - {0, NULL} - }; - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h -index 8ad69cc..0965135 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h -@@ -263,6 +263,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info -index b9ed532..c9fe2fd 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info -@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ - {- $target{bn_asm_src} -} \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c -+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ -+ rsa_sup_mul.c - - INCLUDE[bn_exp.o]=.. - -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 0000000..acafefd ---- /dev/null -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,614 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+/* nonstandard; implemented by gcc on 64-bit platforms */ -+typedef __uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * + I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 = 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; -+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; -+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. -+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... */ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint64_t big = 0; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+ } else { -+ return host; -+ } -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint32_t big = 0; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+ } else { -+ return host; -+ } -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. -+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? -+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt -index 35512f9..03d1640 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt -@@ -1,4 +1,4 @@ --# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy -@@ -231,6 +231,7 @@ BN_F_BN_RSHIFT:146:BN_rshift - BN_F_BN_SET_WORDS:144:bn_set_words - BN_F_BN_STACK_PUSH:148:BN_STACK_push - BN_F_BN_USUB:115:BN_usub -+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind - BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow - BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean - BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c -index b52a66f..6c3c0cf 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c -+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c -@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -+ } else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h -index 60afda1..b5f36fb 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h -+++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h -@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); - - #endif -diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h -index 9f3c7cf..a0752ce 100644 ---- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h -+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h -@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 115 -+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. --- -2.33.0 - diff --git a/0030-brotli-Fix-VLA-parameter-warning-893.patch b/0030-brotli-Fix-VLA-parameter-warning-893.patch deleted file mode 100644 index 9f6974efeb9fe81234db1bea1dac0ca36a95e85b..0000000000000000000000000000000000000000 --- a/0030-brotli-Fix-VLA-parameter-warning-893.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 0a3944c8c99b8d10cc4325f721b7c273d2b41f7b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Adri=C3=A1n=20Herrera=20Arcila?= -Date: Wed, 23 Jun 2021 08:53:59 +0100 -Subject: [PATCH] Fix VLA parameter warning (#893) - -Make VLA buffer types consistent in declarations and definitions. -Resolves build crash when using -Werror due to "vla-parameter" warning. - -Signed-off-by: Adrian Herrera - -reference: https://github.com/google/brotli/pull/893 -Signed-off-by: Jiabo Feng ---- - BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c | 6 ++++-- - BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c | 5 +++-- - .../Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c | 6 ++++-- - .../Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c | 5 +++-- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c -index ae5a3d3..7eee968 100644 ---- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c -+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c -@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( - } - - BrotliDecoderResult BrotliDecoderDecompress( -- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, -- uint8_t* decoded_buffer) { -+ size_t encoded_size, -+ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], -+ size_t* decoded_size, -+ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { - BrotliDecoderState s; - BrotliDecoderResult result; - size_t total_out = 0; -diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c -index 8d90937..0c49c64 100644 ---- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c -+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c -@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( - - BROTLI_BOOL BrotliEncoderCompress( - int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, -- const uint8_t* input_buffer, size_t* encoded_size, -- uint8_t* encoded_buffer) { -+ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], -+ size_t* encoded_size, -+ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { - BrotliEncoderState* s; - size_t out_size = *encoded_size; - const uint8_t* input_start = input_buffer; - -diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c -index ae5a3d3..7eee968 100644 ---- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c -+++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c -@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( - } - - BrotliDecoderResult BrotliDecoderDecompress( -- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, -- uint8_t* decoded_buffer) { -+ size_t encoded_size, -+ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], -+ size_t* decoded_size, -+ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { - BrotliDecoderState s; - BrotliDecoderResult result; - size_t total_out = 0; -diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c -index 8d90937..0c49c64 100644 ---- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c -+++ b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c -@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( - - BROTLI_BOOL BrotliEncoderCompress( - int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, -- const uint8_t* input_buffer, size_t* encoded_size, -- uint8_t* encoded_buffer) { -+ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], -+ size_t* encoded_size, -+ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { - BrotliEncoderState* s; - size_t out_size = *encoded_size; - const uint8_t* input_start = input_buffer; --- -2.41.0 - diff --git a/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch deleted file mode 100644 index bde72b36e08ff9e3d261be6a2ac1074f65088f63..0000000000000000000000000000000000000000 --- a/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ae8272ef787d80950803c521a13a308651bdc62e Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 20 Dec 2021 22:32:38 +0800 -Subject: [PATCH] MdeModulePkg/UsbBusDxe: fix NOOPT build error - -gcc-11 (fedora 35): - -/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c: In function ?UsbIoBulkTransfer?: -/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c:277:12: error: ?UsbHcBulkTransfer? accessing 80 bytes in a region of size 8 [-Werror=stringop-overflow=] - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Hao A Wu - -reference: https://github.com/tianocore/edk2/pull/2347 -Signed-off-by: Jiabo Feng ---- - MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c | 2 +- - MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c -index 12d08c0b74..740e7babb0 100644 ---- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c -+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c -@@ -285,7 +285,7 @@ UsbHcBulkTransfer ( - IN UINT8 DevSpeed, - IN UINTN MaxPacket, - IN UINT8 BufferNum, -- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], -+ IN OUT VOID *Data[], - IN OUT UINTN *DataLength, - IN OUT UINT8 *DataToggle, - IN UINTN TimeOut, -diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h -index 04cf36d3c8..d93370a6c2 100644 ---- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h -+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h -@@ -149,7 +149,7 @@ UsbHcBulkTransfer ( - IN UINT8 DevSpeed, - IN UINTN MaxPacket, - IN UINT8 BufferNum, -- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], -+ IN OUT VOID *Data[], - IN OUT UINTN *DataLength, - IN OUT UINT8 *DataToggle, - IN UINTN TimeOut, --- -2.41.0 diff --git a/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch deleted file mode 100644 index 59197006c1b85166acd7401bcaf896bdb61d9161..0000000000000000000000000000000000000000 --- a/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Thu, 24 Mar 2022 20:04:34 +0800 -Subject: [PATCH 1/3] BaseTools: fix gcc12 warning - -GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free] - 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -GenFfs.c:544:5: note: call to ?fclose? here - 544 | fclose (InFileHandle); - | ^~~~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Bob Feng - -reference: https://github.com/tianocore/edk2/pull/2694 -Signed-off-by: Jiabo Feng ---- - BaseTools/Source/C/GenFfs/GenFfs.c | 2 +- - BaseTools/Source/C/GenSec/GenSec.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c -index 949025c333..d78d62ab36 100644 ---- a/BaseTools/Source/C/GenFfs/GenFfs.c -+++ b/BaseTools/Source/C/GenFfs/GenFfs.c -@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) - PeFileBuffer = (UINT8 *) malloc (PeFileSize); - if (PeFileBuffer == NULL) { - fclose (InFileHandle); -- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); -+ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile); - return EFI_OUT_OF_RESOURCES; - } - fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); -diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c -index d54a4f9e0a..b1d05367ec 100644 ---- a/BaseTools/Source/C/GenSec/GenSec.c -+++ b/BaseTools/Source/C/GenSec/GenSec.c -@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) - PeFileBuffer = (UINT8 *) malloc (PeFileSize); - if (PeFileBuffer == NULL) { - fclose (InFileHandle); -- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); -+ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile); - return EFI_OUT_OF_RESOURCES; - } - fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); --- -2.41.0 \ No newline at end of file diff --git a/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch deleted file mode 100644 index 2ceedd5f6686319219a31455b9eac4a3d3282ac8..0000000000000000000000000000000000000000 --- a/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 85021f8cf22d1bd4114803c6c610dea5ef0059f1 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Thu, 24 Mar 2022 20:04:35 +0800 -Subject: [PATCH 2/3] BaseTools: fix gcc12 warning - -Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?: -Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=] - 2828 | p->rc.outStream = &outStream.vt; - | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ -Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here - 2811 | CLzmaEnc_SeqOutStreamBuf outStream; - | ^~~~~~~~~ -Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here -Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=] - 2828 | p->rc.outStream = &outStream.vt; - | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ -Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here - 2811 | CLzmaEnc_SeqOutStreamBuf outStream; - | ^~~~~~~~~ -Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here -cc1: all warnings being treated as errors - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Bob Feng - -reference: https://github.com/tianocore/edk2/pull/2694 -Signed-off-by: Jiabo Feng ---- - BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c -index 4e9b499f8d..4b9f5fa692 100644 ---- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c -+++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c -@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit, - - nowPos64 = p->nowPos64; - RangeEnc_Init(&p->rc); -- p->rc.outStream = &outStream.vt; - - if (desiredPackSize == 0) - return SZ_ERROR_OUTPUT_EOF; - -+ p->rc.outStream = &outStream.vt; - res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize); -+ p->rc.outStream = NULL; - - *unpackSize = (UInt32)(p->nowPos64 - nowPos64); - *destLen -= outStream.rem; --- -2.41.0.windows.1 - diff --git a/0034-Basetools-turn-off-gcc12-warning.patch b/0034-Basetools-turn-off-gcc12-warning.patch deleted file mode 100644 index f17e7b01abf296c946f62f804a264255f34bb986..0000000000000000000000000000000000000000 --- a/0034-Basetools-turn-off-gcc12-warning.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Thu, 24 Mar 2022 20:04:36 +0800 -Subject: [PATCH 3/3] Basetools: turn off gcc12 warning - -In function ?SetDevicePathEndNode?, - inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5: -DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=] - 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath)); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In file included from UefiDevicePathLib.h:22, - from DevicePathUtilities.c:16: -../Include/Protocol/DevicePath.h: In function ?FileDevicePath?: -../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1 - 51 | UINT8 Type; ///< 0x01 Hardware Device Path. - | ^~~~ - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Bob Feng - -reference: https://github.com/tianocore/edk2/pull/2694 -Signed-off-by: Jiabo Feng ---- - BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile -index 7ca08af966..b05d2bddfa 100644 ---- a/BaseTools/Source/C/DevicePath/GNUmakefile -+++ b/BaseTools/Source/C/DevicePath/GNUmakefile -@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili - - include $(MAKEROOT)/Makefiles/app.makefile - -+# gcc 12 trips over device path handling -+BUILD_CFLAGS += -Wno-error=stringop-overflow -+ - LIBS = -lCommon - ifeq ($(CYGWIN), CYGWIN) - LIBS += -L/lib/e2fsprogs -luuid --- -2.41.0 - diff --git a/brotli.f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz b/brotli.f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..6a83abbf90052dfe266dc39b6f6fd61b8c9247f9 Binary files /dev/null and b/brotli.f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz differ diff --git a/brotli.tar.gz b/edk2-stable202308.tar.gz similarity index 56% rename from brotli.tar.gz rename to edk2-stable202308.tar.gz index a70a886e5b4bfc3da7bc35160d8188df4867749d..b3d17c18b34ff35d3b934ddcb79047e026a6127a 100644 Binary files a/brotli.tar.gz and b/edk2-stable202308.tar.gz differ diff --git a/edk2.spec b/edk2.spec index 03cd814273defd5a05a3362fdfa8c37afaae11de..b8110b28fa64a547519e95962a62865281e7c31f 100644 --- a/edk2.spec +++ b/edk2.spec @@ -1,66 +1,25 @@ -%global stable_date 202011 +%global stable_date 202308 %global release_tag edk2-stable%{stable_date} -%global openssl_version 1.1.1f +%global openssl_commitid de90e54bbe82e5be4fb9608b6f5c308bb837d355 +%global brotli_commitid f4153a09f87cbb9c826d8fc12c74642bb2d879ea +%global public_mipi_sys_t_commitid 370b5944c046bab043dd8b133727b2135af7747a %global _python_bytecompile_extra 0 Name: edk2 Version: %{stable_date} -Release: 13 +Release: 1 Summary: EFI Development Kit II -License: BSD-2-Clause-Patent +License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 Source0: https://github.com/tianocore/edk2/archive/%{release_tag}.tar.gz -Source1: openssl-%{openssl_version}.tar.gz -Source2: brotli.tar.gz - -# for CVE-2021-38575 -Patch0001: 0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch -Patch0002: 0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch -Patch0003: 0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch -Patch0004: 0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch -Patch0005: 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch -Patch0006: 0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch -Patch0007: 0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch -Patch0008: 0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch -Patch0009: 0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch -Patch0010: 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch - -# for CVE-2021-28216 -Patch0011: 0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch - -# for CVE-2021-38576 -Patch0012: 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch -Patch0013: 0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch -Patch0014: 0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch -Patch0015: 0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch -Patch0016: 0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch -Patch0017: 0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch -Patch0018: 0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch -Patch0019: 0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch - -Patch0020: 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch - -Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch - -Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch -Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch -Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch -Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch -Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch -Patch0027: 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch -Patch0028: 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch - -# for CVE-2022-4304 -Patch0029: 0029-Fix-Timing-Oracle-in-RSA-decryption.patch - -# solving the compilation failure problem of gcc 12.3.0 -Patch0030: 0030-brotli-Fix-VLA-parameter-warning-893.patch -Patch0031: 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch -Patch0032: 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch -Patch0033: 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch -Patch0034: 0034-Basetools-turn-off-gcc12-warning.patch - -BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command +Source1: openssl.%{openssl_commitid}.tar.gz +Source2: brotli.%{brotli_commitid}.tar.gz +Source3: public-mipi-sys-t.%{public_mipi_sys_t_commitid}.tar.gz + +patch0: 0001-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch +patch1: 0002-add-Wno-maybe-uninitialized-to-fix-build-error.patch + +BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %description EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. @@ -107,11 +66,21 @@ BuildArch: noarch EFI Development Kit II Open Virtual Machine Firmware (ia32) %endif +%ifarch riscv64 +%package ovmf-riscv64 +Summary: Open Virtual Machine Firmware +BuildArch: noarch +%description ovmf-riscv64 +EFI Development Kit II Open Virtual Machine Firmware (riscv64) +%endif + %prep %setup -n edk2-%{release_tag} tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1 tar -xf %{SOURCE2} -C MdeModulePkg/Library/BrotliCustomDecompressLib/brotli --strip-components=1 tar -xf %{SOURCE2} -C BaseTools/Source/C/BrotliCompress/brotli --strip-components=1 +tar -xf %{SOURCE3} -C MdePkg/Library/MipiSysTLib/mipisyst --strip-components=1 + %autopatch -p1 %build @@ -138,10 +107,15 @@ BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE" BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE" BUILD_OPTION="$BUILD_OPTION -D TPM_ENABLE=TRUE" BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE" + +%ifarch riscv64 + BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE -a RISCV64 -p OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc -D SECURE_BOOT_ENABLE=TRUE -D TPM_ENABLE=TRUE -D TPM_CONFIG_ENABLE=TRUE" +%endif + build $BUILD_OPTION %install -cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl +cp CryptoPkg/Library/OpensslLib/openssl/LICENSE.txt LICENSE.openssl mkdir -p %{buildroot}%{_bindir} \ %{buildroot}%{_datadir}/%{name}/Conf \ %{buildroot}%{_datadir}/%{name}/Scripts @@ -193,8 +167,15 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys cp Build/OvmfIa32/*/FV/OVMF_CODE.fd %{buildroot}/usr/share/%{name}/ovmf-ia32 %endif +%ifarch riscv64 + mkdir -p %{buildroot}/usr/share/%{name}/ovmf-riscv64 + cp Build/RiscVVirtQemu/RELEASE_GCC5/FV/RISCV_VIRT_CODE.fd %{buildroot}/usr/share/%{name}/ovmf-riscv64 + cp Build/RiscVVirtQemu/RELEASE_GCC5/FV/RISCV_VIRT_VARS.fd %{buildroot}/usr/share/%{name}/ovmf-riscv64 +%endif + %files devel %license License.txt +%license License-History.txt %license LICENSE.openssl %{_bindir}/BrotliCompress %{_bindir}/DevicePath @@ -205,7 +186,6 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %{_bindir}/GenFw %{_bindir}/GenSec %{_bindir}/LzmaCompress -%{_bindir}/Split %{_bindir}/TianoCompress %{_bindir}/VfrCompile %{_bindir}/VolInfo @@ -259,7 +239,18 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %dir /usr/share/%{name} %endif +%ifarch riscv64 +%license OvmfPkg/License.txt +%license LICENSE.openssl +%files ovmf-riscv64 +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/ovmf-riscv64 +%endif + %changelog +* Mon Aug 28 2023 wangliu - 202308-1 +- update edk2 to stable202308 + * Thu Jul 13 2023 Jiabo Feng - 202011-13 - solving the compilation failure problem of gcc 12.3.0 @@ -363,3 +354,4 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys * Wed Sep 18 2019 openEuler Buildteam - 201908-1 - Package init + diff --git a/openssl-1.1.1f.tar.gz b/openssl-1.1.1f.tar.gz deleted file mode 100644 index 4bcec00f31b93c7bb0371a57a37153e51e58e713..0000000000000000000000000000000000000000 Binary files a/openssl-1.1.1f.tar.gz and /dev/null differ diff --git a/edk2-stable202011.tar.gz b/openssl.de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz similarity index 58% rename from edk2-stable202011.tar.gz rename to openssl.de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz index 0c2cd385cf55d5e336be5ee55ec9fc4cff2ec8ec..dd3e1788aba370f6ce283c967aa7c4087c6a4a67 100644 Binary files a/edk2-stable202011.tar.gz and b/openssl.de90e54bbe82e5be4fb9608b6f5c308bb837d355.tar.gz differ diff --git a/public-mipi-sys-t.370b5944c046bab043dd8b133727b2135af7747a.tar.gz b/public-mipi-sys-t.370b5944c046bab043dd8b133727b2135af7747a.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..c20e014c5b362ef1ab6c41248930cf025227b217 Binary files /dev/null and b/public-mipi-sys-t.370b5944c046bab043dd8b133727b2135af7747a.tar.gz differ