diff --git a/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c43d18a05a4bbd247a98aab716594afc1df4972b
--- /dev/null
+++ b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
@@ -0,0 +1,171 @@ +From a746987ffec6322426fe28c93305d83c8645e0ec Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:46 +0100 +Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuVideoDxe/QemuRamfbDxe (RH) + +edk2-stable202402 rebase: + +- context changes due to CSM support removal. + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in + QemuVideoDxe when we have CSM", 2019-06-26), the contexts of + "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files. + Resolve the conflict manually. + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14) + introduced another GOP driver that consumes FrameBufferBltLib, and + thereby produces a large number of (mostly useless) debug messages at + the DEBUG_VERBOSE level. Extend the patch to suppress those messages in + both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly. + QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also + the original commit message at the bottom of this downstream patch). 
+ +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses +MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to +FrameBufferBltLib. + +The FrameBufferBltLib instance added in commit b1ca386074bd +("MdeModulePkg: Add FrameBufferBltLib library instance") logs many +messages on the VERBOSE level; for example, a normal boot with OVMF can +produce 500+ "VideoFill" messages, dependent on the progress bar, when the +VERBOSE bit is set in PcdDebugPrintErrorLevel. + +QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages this way. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52) +(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3) +(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0) +(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1) +(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850) +(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4) +(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32X64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgX64.dsc | 10 ++++++++-- + 4 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index c7342f4f34..b4fb1554e7 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -683,8 +683,14 @@ + 
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + + # +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 0f2cc35529..9e3f9673cf 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -808,8 +808,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 3f3e3f0526..c9a19b8e58 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -847,8 +847,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index e8d1c48ca1..cb1ad574c2 100644 +--- 
a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -979,8 +979,14 @@ + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + +- OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +- OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } ++ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf + diff --git a/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch new file mode 100644 index 0000000000000000000000000000000000000000..480a2300bdadf840f65e872e284df0e61d06d88f --- /dev/null +++ b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch 
@@ -0,0 +1,128 @@ +From f6997042745a9d1594d5f8d1bbabd4c256b437af Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 21 Nov 2017 00:57:47 +0100 +Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe + (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been + introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit + to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch + management: Message-id, Patchwork-id, O-Subject, Acked-by, From + (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like + a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE +level. 
+ +Signed-off-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f) +(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4) +(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8) +(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6) +(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958) +(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6) +(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- + OvmfPkg/OvmfPkgX64.dsc | 5 ++++- + 4 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index b4fb1554e7..97f595b38a 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -678,7 +678,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 9e3f9673cf..ae18ef3ad1 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -803,7 +803,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ 
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index c9a19b8e58..4d9f28743e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -842,7 +842,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index cb1ad574c2..dbb973cd13 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -974,7 +974,10 @@ + MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf + MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf + MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf +- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf ++ MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++ ++ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++ } + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf diff --git a/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch b/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch new file mode 100644 index 0000000000000000000000000000000000000000..1b4026a22339c3ae3932886c68643a56eac37a5c --- /dev/null 
+++ b/0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch 
@@ -0,0 +1,123 @@ +From 7347ee13bc5e1eea267231a5d1e2fc4e7957e0fc Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Wed, 16 Aug 2023 12:09:40 +0200 +Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) +RH-Bugzilla: 2218196 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2) + +Add a callback at the end of the Dxe phase that sets the +"FB_NO_REBOOT" variable under the Shim GUID. +This is a workaround for a boot loop in case a confidential +guest that uses shim is booted with a vtpm device present. + +BZ 2218196 + +Signed-off-by: Oliver Steffen + +patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +present_in_specfile: true +location_in_specfile: 44 +--- + OvmfPkg/AmdSevDxe/AmdSevDxe.c | 43 +++++++++++++++++++++++++++++++++ + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 2 ++ + 2 files changed, 45 insertions(+) + +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +index d497a343d3..ca345e95da 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -28,6 +29,10 @@ + // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h + #define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL + ++static EFI_GUID ShimLockGuid = { ++ 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } ++}; ++ + STATIC + EFI_STATUS + AllocateConfidentialComputingBlob ( +@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = { + AmdSevMemoryAccept + }; + ++VOID ++EFIAPI ++PopulateVarstore ( ++ EFI_EVENT Event, ++ VOID *Context ++ ) ++{ ++ EFI_SYSTEM_TABLE *SystemTable = (EFI_SYSTEM_TABLE *)Context; ++ EFI_STATUS Status; ++ ++ DEBUG ((DEBUG_INFO, "Populating Varstore\n")); ++ UINT32 data = 1; ++ 
++ Status = SystemTable->RuntimeServices->SetVariable ( ++ L"FB_NO_REBOOT", ++ &ShimLockGuid, ++ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof (data), ++ &data ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = SystemTable->BootServices->CloseEvent (Event); ++ ASSERT_EFI_ERROR (Status); ++} ++ + EFI_STATUS + EFIAPI + AmdSevDxeEntryPoint ( +@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint ( + UINTN NumEntries; + UINTN Index; + CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable; ++ EFI_EVENT PopulateVarstoreEvent; + + // + // Do nothing when SEV is not enabled +@@ -211,6 +243,17 @@ AmdSevDxeEntryPoint ( + return EFI_UNSUPPORTED; + } + ++ // Shim fallback reboot workaround ++ Status = gBS->CreateEventEx ( ++ EVT_NOTIFY_SIGNAL, ++ TPL_CALLBACK, ++ PopulateVarstore, ++ SystemTable, ++ &gEfiEndOfDxeEventGroupGuid, ++ &PopulateVarstoreEvent ++ ); ++ ASSERT_EFI_ERROR (Status); ++ + // + // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent + // memory space. The NonExistent memory space will be used for mapping the +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +index e7c7d526c9..09cbd2b0ca 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +@@ -54,6 +54,8 @@ + [Guids] + gConfidentialComputingSevSnpBlobGuid + gEfiEventBeforeExitBootServicesGuid ++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event ++ + + [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/0025-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch b/0025-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca63bdddecbacd027bed80aac28e20b9aee42e57 --- /dev/null +++ b/0025-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch 
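Review bot: In PopulateVarstore the only handling of the SetVariable result is `ASSERT_EFI_ERROR (Status)`, which compiles out in RELEASE builds, so a failed write of FB_NO_REBOOT, the entire point of this workaround, goes unreported and the guest lands in exactly the boot loop the patch is meant to avoid; a log line keeps it diagnosable, e.g. `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: SetVariable(FB_NO_REBOOT): %r\n", __func__, Status)); }`, and the same applies to the CloseEvent and CreateEventEx asserts. Style-wise the new code departs from the edk2 conventions the surrounding AmdSevDxe.c follows: `static EFI_GUID ShimLockGuid` would be `STATIC EFI_GUID mShimLockGuid`, `UINT32 data = 1;` is declared after a statement and would be `Data` at the top of the block, and PopulateVarstore is a non-STATIC function with no Doxygen header. A header such as `/** EndOfDxe callback: sets the volatile FB_NO_REBOOT variable under the shim GUID (BS|RT access, not NV, so it must be re-created every boot) so shim's fallback path does not reboot; see BZ 2218196. **/` records why it exists. The .inf hunk also leaves two consecutive blank lines after gEfiEndOfDxeEventGroupGuid.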
@@ -0,0 +1,140 @@ +From b91946a0dc8bdc8c55005854e2177a1b6a1e9511 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 28 Aug 2023 13:27:09 +0200 +Subject: [PATCH] CryptoPkg/CrtLib: add access/open/read/write/close syscalls + (RH only) + +Needed by rhel downstream openssl patches, they use unix syscalls +for file access (instead of fopen + friends like the rest of the +code base). No actual file access is needed for edk2, so just +add stubs to make linking work. + +Signed-off-by: Gerd Hoffmann +--- + .../Library/BaseCryptLib/SysCall/CrtWrapper.c | 46 +++++++++++++++++++ + CryptoPkg/Library/Include/CrtLibSupport.h | 41 +++++++++++++++++ + 2 files changed, 87 insertions(+) + +diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +index 8a8fdfefc7..11d01106d4 100644 +--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c ++++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +@@ -611,6 +611,52 @@ fread ( + return 0; + } + ++int ++access( ++ const char*, ++ int ++ ) ++{ ++ return -1; ++} ++ ++int ++open ( ++ const char *, ++ int ++ ) ++{ ++ return -1; ++} ++ ++ssize_t ++read ( ++ int, ++ void*, ++ size_t ++ ) ++{ ++ return -1; ++} ++ ++ssize_t ++write ( ++ int, ++ const void*, ++ size_t ++ ) ++{ ++ return -1; ++} ++ ++int ++close ( ++ int ++ ) ++{ ++ return -1; ++} ++ + uid_t + getuid ( + void +diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h +index 80e2fa9ca5..f344691d0d 100644 +--- a/CryptoPkg/Library/Include/CrtLibSupport.h ++++ b/CryptoPkg/Library/Include/CrtLibSupport.h +@@ -68,6 +68,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + // + // Definitions for global constants used by CRT library routines + // ++#define EINTR 4 + #define EINVAL 22 /* Invalid argument */ + #define EAFNOSUPPORT 47 /* Address family not supported by protocol family */ + #define INT_MAX 0x7FFFFFFF /* Maximum (signed) int value */ +@@ -96,6 +97,15 @@ 
SPDX-License-Identifier: BSD-2-Clause-Patent + #define NS_INADDRSZ 4 /*%< IPv4 T_A */ + #define NS_IN6ADDRSZ 16 /*%< IPv6 T_AAAA */ + ++#define O_RDONLY 00000000 ++#define O_WRONLY 00000001 ++#define O_RDWR 00000002 ++ ++#define R_OK 4 ++#define W_OK 2 ++#define X_OK 1 ++#define F_OK 0 ++ + // + // Basic types mapping + // +@@ -322,6 +332,37 @@ fprintf ( + ... + ); + ++int ++access( ++ const char*, ++ int ++ ); ++ ++int ++open ( ++ const char *, ++ int ++ ); ++ ++ssize_t ++read ( ++ int, ++ void*, ++ size_t ++ ); ++ ++ssize_t ++write ( ++ int, ++ const void*, ++ size_t ++ ); ++ ++int ++close ( ++ int ++ ); ++ + time_t + time ( + time_t * diff --git a/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch b/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch new file mode 100644 index 0000000000000000000000000000000000000000..f59a395ff805996d034fbda2b83f8be401ec8bf1 --- /dev/null +++ b/0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch 
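Review bot: The new stubs return -1 without assigning errno, yet the header hunk adds `#define EINTR 4` that nothing else in the patch uses, which suggests the downstream OpenSSL callers retry read()/write() when errno is EINTR; if the CRT layer's errno (not visible in this hunk) happens to hold 4 when a stub returns, such a caller spins forever on a call that can never succeed. Setting a definite, non-retryable value before each return, e.g. `errno = EINVAL;` using the EINVAL the header already defines, closes that. Also `access(` in both the definition and the prototype lacks the space before the parenthesis that `open (`, `read (`, `write (` and `close (` use. If EINTR is only defined so the downstream OpenSSL code compiles, the commit message could say so, since no code in this patch ever produces it.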
@@ -0,0 +1,150 @@ +From f959d0c58a7f9c8e8b2155a145328fec5cab1edf Mon Sep 17 00:00:00 2001 +From: Phil Noh +Date: Fri, 5 Sep 2025 15:11:15 -0500 +Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Remove global variable for + command code + +As a BASE type library, currently the TCG PEI driver, Tcg2Pei.inf links +the library. On edk2-stable202508 version, it is found that the driver +includes and updates the global variable of mLastCommandSent in debug +build. Also found that the previous commit (460f270) for the library adds +and uses the global variable. Updating the global variable in PEI drivers +could affect the following issues. To address these issues, remove the +global variable usage. + +PEI ROM Boot : Global variable is not updated +PEI RAM Boot : PEI FV integration/security check is failed + +Signed-off-by: Phil Noh +--- + .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c | 13 +++++-------- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 9 ++++++++- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 4 +++- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c | 9 ++++++++- + 4 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c +index 7b2e449130..56a9684299 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmDump.c +@@ -218,8 +218,6 @@ TPM2_CODE_STRING ResponseCodeStrings[] = { + }; + UINTN ResponseCodeStringsCount = sizeof (ResponseCodeStrings) / sizeof (ResponseCodeStrings[0]); + +-UINT32 mLastCommandSent = 0; +- + /** + This simple function will dump up to MAX_TPM_BUFFER_DUMP bytes + of a TPM data buffer and apppend '...' if buffer is larger. +@@ -678,9 +676,6 @@ DumpTpmInputBlock ( + // If verbose, dump all of the buffer contents for deeper analysis. 
+ DumpTpmBuffer ("DATA: ", MIN (InputBlockSize, NativeSize), InputBlock); + +- // Update the last command sent so that response parsing can have some context. +- mLastCommandSent = NativeCode; +- + return; + } + +@@ -690,13 +685,15 @@ DumpTpmInputBlock ( + + @param[in] OutputBlockSize Size of the output buffer. + @param[in] OutputBlock Pointer to the output buffer itself. ++ @param[in] CommandCode Command code for the input block. + + **/ + VOID + EFIAPI + DumpTpmOutputBlock ( + IN UINT32 OutputBlockSize, +- IN CONST UINT8 *OutputBlock ++ IN CONST UINT8 *OutputBlock, ++ IN UINT32 CommandCode + ) + { + CONST TPM2_RESPONSE_HEADER *RespHeader; +@@ -716,8 +713,8 @@ DumpTpmOutputBlock ( + DEBUG ((DEBUG_SECURITY, "Size: %d (0x%X)\n", NativeSize, NativeSize)); + + // Debug anything else based on the Command context. +- if (mLastCommandSent != 0x00) { +- switch (mLastCommandSent) { ++ if (CommandCode != 0x00) { ++ switch (CommandCode) { + case TPM_CC_StartAuthSession: + DumpTpmStartAuthSessionResponse (OutputBlockSize, OutputBlock); + break; +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +index d3054690e2..dc67786736 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +@@ -162,6 +162,7 @@ PtpCrbTpmCommand ( + UINT16 Data16; + UINT32 Data32; + UINT8 RetryCnt; ++ UINT32 CommandCode; + + DEBUG_CODE_BEGIN (); + DumpTpmInputBlock (SizeIn, BufferIn); +@@ -336,7 +337,13 @@ PtpCrbTpmCommand ( + } + + DEBUG_CODE_BEGIN (); +- DumpTpmOutputBlock (TpmOutSize, BufferOut); ++ if (SizeIn >= sizeof (TPM2_COMMAND_HEADER)) { ++ CommandCode = SwapBytes32 (((TPM2_COMMAND_HEADER *)BufferIn)->commandCode); ++ } else { ++ CommandCode = 0; ++ } ++ ++ DumpTpmOutputBlock (TpmOutSize, BufferOut, CommandCode); + DEBUG_CODE_END (); + + // +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h +index 
8b7c37bb9b..7061414040 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h +@@ -73,12 +73,14 @@ DumpTpmInputBlock ( + a response from the TPM for maximum user-readability. + @param[in] OutputBlockSize Size of the output buffer. + @param[in] OutputBlock Pointer to the output buffer itself. ++ @param[in] CommandCode Command code for the input block. + **/ + VOID + EFIAPI + DumpTpmOutputBlock ( + IN UINT32 OutputBlockSize, +- IN CONST UINT8 *OutputBlock ++ IN CONST UINT8 *OutputBlock, ++ IN UINT32 CommandCode + ); + + #endif // TPM2_PTP_H_ +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c +index d2f0abd160..1e141c9272 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c +@@ -223,6 +223,7 @@ Tpm2TisTpmCommand ( + UINT32 TpmOutSize; + UINT16 Data16; + UINT32 Data32; ++ UINT32 CommandCode; + + DEBUG_CODE_BEGIN (); + DumpTpmInputBlock (SizeIn, BufferIn); +@@ -370,7 +371,13 @@ Tpm2TisTpmCommand ( + + Exit: + DEBUG_CODE_BEGIN (); +- DumpTpmOutputBlock (TpmOutSize, BufferOut); ++ if (SizeIn >= sizeof (TPM2_COMMAND_HEADER)) { ++ CommandCode = SwapBytes32 (((TPM2_COMMAND_HEADER *)BufferIn)->commandCode); ++ } else { ++ CommandCode = 0; ++ } ++ ++ DumpTpmOutputBlock (TpmOutSize, BufferOut, CommandCode); + DEBUG_CODE_END (); + MmioWrite8 ((UINTN)&TisReg->Status, TIS_PC_STS_READY); + return Status; diff --git a/30-edk2-ovmf-x64-sb-enrolled.json b/30-edk2-ovmf-x64-sb-enrolled.json index 3fbb0d732fa5bc40e741b5a21fb7a14b45eaa877..d77ed08f6570b211952be6940270daa9df5ceb94 100644 --- a/30-edk2-ovmf-x64-sb-enrolled.json +++ b/30-edk2-ovmf-x64-sb-enrolled.json @@ -5,6 +5,7 @@ ], "mapping": { "device": "flash", + "mode": "split", "executable": { "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", "format": "raw" 
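Review bot: The command-code recovery `if (SizeIn >= sizeof (TPM2_COMMAND_HEADER)) { CommandCode = SwapBytes32 (((TPM2_COMMAND_HEADER *)BufferIn)->commandCode); } else { CommandCode = 0; }` is pasted verbatim into both PtpCrbTpmCommand (Tpm2Ptp.c) and Tpm2TisTpmCommand (Tpm2Tis.c); since DumpTpmInputBlock already parses the same header at the top of each function, a small STATIC helper in the dump file, or having the input-side dump hand the code back, would keep the two copies from drifting. In the Tpm2Tis.c hunk the block sits under the `Exit:` label, so it also runs on any path that jumps there; that is harmless because it only reads BufferIn inside DEBUG_CODE, but a one-line comment saying so would save the next reader the check. The new `@param[in] CommandCode` text in Tpm2DeviceLibDTpmDump.c and Tpm2Ptp.h should name the sentinel, e.g. `@param[in] CommandCode  Command code of the input block, or 0 if it was too short to carry a TPM2_COMMAND_HEADER.`. Both enclosing functions start and end outside the hunks.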
diff --git a/40-edk2-ovmf-x64-sb.json b/40-edk2-ovmf-x64-sb.json index ca6735002badc8830dc4316ba84f92db6d796dd5..02a762233099704e31957e50c83c363f843669a7 100644 --- a/40-edk2-ovmf-x64-sb.json +++ b/40-edk2-ovmf-x64-sb.json @@ -5,6 +5,7 @@ ], "mapping": { "device": "flash", + "mode": "split", "executable": { "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", "format": "raw" diff --git a/50-edk2-aarch64-qcow2.json b/50-edk2-aarch64-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..937d2953eae62645bcb245b55288643debeb9adb --- /dev/null +++ b/50-edk2-aarch64-qcow2.json @@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/50-edk2-ovmf-x64-nosb.json b/50-edk2-ovmf-x64-nosb.json index f8c90101f1bb2d827b33d7924bdf620fe97e5053..c660e0c46419dc204837a2b8e489b49771591891 100644 --- a/50-edk2-ovmf-x64-nosb.json +++ b/50-edk2-ovmf-x64-nosb.json @@ -5,6 +5,7 @@ ], "mapping": { "device": "flash", + "mode": "split", "executable": { "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", "format": "raw" @@ -18,7 +19,6 @@ { "architecture": "x86_64", "machines": [ - "pc-i440fx-*", "pc-q35-*" ] } diff --git a/50-edk2-riscv-qcow2.json b/50-edk2-riscv-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..eb1930da494c3fe1c2c61ea11b9a30499d4eb612 --- /dev/null +++ b/50-edk2-riscv-qcow2.json 
@@ -0,0 +1,33 @@ +{ + "description": "UEFI firmware for RISC-V virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode" : "split", + "executable": { + "filename": "/usr/share/edk2/riscv/RISCV_VIRT_CODE.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/riscv/RISCV_VIRT_VARS.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "riscv64", + "machines": [ + "virt", + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/51-edk2-aarch64-raw.json b/51-edk2-aarch64-raw.json new file mode 100644 index 0000000000000000000000000000000000000000..506bbe69c0197ab4c03d186aa51d9b30c58b0fb6 --- /dev/null +++ b/51-edk2-aarch64-raw.json @@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + + ], + "tags": [ + + ] +} diff --git a/52-edk2-aarch64-verbose-qcow2.json b/52-edk2-aarch64-verbose-qcow2.json new file mode 100644 index 0000000000000000000000000000000000000000..976f2a6c238dec0c9ae3d7e5e94a7ccdec20cbd7 --- /dev/null +++ b/52-edk2-aarch64-verbose-qcow2.json 
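Review bot: `"mode" : "split"` in 50-edk2-riscv-qcow2.json puts a space before the colon, unlike every other descriptor touched in this change, which write `"mode": "split"`; making it `"mode": "split",` keeps the files uniform and diff-friendly. The descriptor is otherwise laid out the same as 50-edk2-aarch64-qcow2.json.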
@@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines, verbose logs", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2", + "format": "qcow2" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", + "format": "qcow2" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff --git a/53-edk2-aarch64-verbose-raw.json b/53-edk2-aarch64-verbose-raw.json new file mode 100644 index 0000000000000000000000000000000000000000..fa0ed91ea635f129c9f99574c59c67769d2cf7cf --- /dev/null +++ b/53-edk2-aarch64-verbose-raw.json @@ -0,0 +1,32 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines, verbose logs", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "split", + "executable": { + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff --git a/60-edk2-ovmf-x64-amdsev.json b/60-edk2-ovmf-x64-amdsev.json index 9a561bc7eb266aa33b8ead3fba24f32681b1c417..591bd6a8bdcfbc92a571c0aa76c4a2a888217d41 100644 --- a/60-edk2-ovmf-x64-amdsev.json +++ b/60-edk2-ovmf-x64-amdsev.json @@ -4,12 +4,8 @@ "uefi" ], "mapping": { - "device": "flash", - "mode": "stateless", - "executable": { - "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd", - "format": "raw" - } + "device": "memory", + "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd" }, "targets": [ { 
diff --git a/60-edk2-ovmf-x64-inteltdx.json b/60-edk2-ovmf-x64-inteltdx.json index 44993ab1f3c983b48abc34994e4c29494a7613c5..445eb70e038444ed07c6979f278125a848ef9b59 100644 --- a/60-edk2-ovmf-x64-inteltdx.json +++ b/60-edk2-ovmf-x64-inteltdx.json @@ -4,12 +4,8 @@ "uefi" ], "mapping": { - "device": "flash", - "mode": "stateless", - "executable": { - "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.fd", - "format": "raw" - } + "device": "memory", + "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd" }, "targets": [ { @@ -20,7 +16,9 @@ } ], "features": [ + "enrolled-keys", "intel-tdx", + "secure-boot", "verbose-dynamic" ], "tags": [ diff --git a/DBXUpdate-20250610.aa64.bin b/DBXUpdate-20250610.aa64.bin new file mode 100644 index 0000000000000000000000000000000000000000..33520068f2602fbd2c739b7f71e8946f5ba6ccd4 Binary files /dev/null and b/DBXUpdate-20250610.aa64.bin differ diff --git a/DBXUpdate-20250610.x64.bin b/DBXUpdate-20250610.x64.bin new file mode 100644 index 0000000000000000000000000000000000000000..811e27eb39e1e7e0f56637bfe7b01e8acdb71165 Binary files /dev/null and b/DBXUpdate-20250610.x64.bin differ diff --git a/edk2-build.py b/edk2-build.py index 5f02ecb854de6a003750786648142365aec75efe..c4bfbae4cffb395c6f3c4d91847a33c827470ce6 100755 --- a/edk2-build.py +++ b/edk2-build.py @@ -51,7 +51,7 @@ def get_toolchain(cfg, build): return cfg[build]['tool'] if cfg.has_option('global', 'tool'): return cfg['global']['tool'] - return 'GCC5' + return 'GCC' def get_hostarch(): mach = os.uname().machine @@ -147,7 +147,7 @@ def build_run(cmdline, name, section, silent = False, nologs = False): print(f'### exit code: {result.returncode}') else: secs = int(time.time() - start) - print(f'### OK ({int(secs/60)}:{secs%60:02d})') + print(f'### OK ({int(secs)}sec)') else: print(cmdline, flush = True) result = subprocess.run(cmdline, check = False) 
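Review bot: 60-edk2-ovmf-x64-inteltdx.json now points at `/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd`, but the only IntelTdx build visible in this change, `[build.ovmf.inteltdx]` in edk2-build.rhel-10, copies `FV/OVMF.fd` to `OVMF.inteltdx.fd`; unless that file is produced elsewhere (a section of edk2-build.rhel-10 past the end of this diff, or key enrollment in the spec), the descriptor advertises a firmware that is never installed. With `"device": "memory"` there is no NVRAM, so the `enrolled-keys` and `secure-boot` features added here are only truthful if the certificates are baked into that image; a sentence in the commit message saying where OVMF.inteltdx.secboot.fd comes from would make the change reviewable on its own.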
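Review bot: In build_run, `secs` is already `int(time.time() - start)` on the preceding line, so the `int(secs)` in the new print is redundant; `print(f'### OK ({secs}sec)')` says the same. The new format also prints multi-minute edk2 builds as one large seconds count, which is less readable than the minutes:seconds form it replaces; if that is intentional, a short commit-message line on why would help. build_run starts and ends outside the hunk.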
diff --git a/edk2-build.rhel-10 b/edk2-build.rhel-10
new file mode 100644
index 0000000000000000000000000000000000000000..3aaaa47e6f7f31be6ee4d5b7d57c57b45f84a8d7
--- /dev/null
+++ b/edk2-build.rhel-10
@@ -0,0 +1,192 @@ + +[opts.ovmf.common] +NETWORK_HTTP_BOOT_ENABLE = TRUE +NETWORK_IP6_ENABLE = TRUE +NETWORK_TLS_ENABLE = TRUE +NETWORK_ISCSI_ENABLE = TRUE +NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE +TPM2_ENABLE = TRUE +TPM2_CONFIG_ENABLE = TRUE +TPM1_ENABLE = FALSE +CAVIUM_ERRATUM_27456 = TRUE + +[opts.ovmf.4m] +FD_SIZE_4MB = TRUE + +[opts.ovmf.sb.smm] +SECURE_BOOT_ENABLE = TRUE +SMM_REQUIRE = TRUE +BUILD_SHELL = FALSE + +[opts.ovmf.qemu.vars] +QEMU_PV_VARS = TRUE +SECURE_BOOT_ENABLE = TRUE +BUILD_SHELL = FALSE + +[opts.ovmf.sb.stateless] +SECURE_BOOT_ENABLE = TRUE +SMM_REQUIRE = FALSE +BUILD_SHELL = FALSE + +[opts.armvirt.verbose] +DEBUG_PRINT_ERROR_LEVEL = 0x8040004F + +[opts.armvirt.silent] +DEBUG_PRINT_ERROR_LEVEL = 0x80000000 + + +[pcds.la57] +PcdUse5LevelPageTable = TRUE + +[pcds.nx.strict] +PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5 +PcdImageProtectionPolicy = 0x03 +PcdSetNxForStack = TRUE +PcdNullPointerDetectionPropertyMask = 0x03 +PcdUninstallMemAttrProtocol = TRUE + +[pcds.nx.compat.aa64] +# workaround for bugs in shim.efi and grub.efi +PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD1 +PcdUninstallMemAttrProtocol = TRUE + +[pcds.nx.compat.x64] +# workaround for bugs in shim.efi and grub.efi +PcdDxeNxMemoryProtectionPolicy = 0 +PcdUninstallMemAttrProtocol = TRUE + + +##################################################################### +# stateful ovmf builds (with vars in flash) + +[build.ovmf.4m.default] +desc = ovmf build (64-bit, 4MB) +conf = OvmfPkg/OvmfPkgX64.dsc +arch = X64 +opts = ovmf.common + ovmf.4m +pcds = nx.compat.x64 + la57 +plat = OvmfX64 +dest = RHEL-10/ovmf +cpy1 = FV/OVMF_CODE.fd OVMF_CODE.fd +cpy2 = FV/OVMF_VARS.fd +cpy3 = X64/Shell.efi + +[build.ovmf.4m.sb.smm] +desc = ovmf build (64-bit, 4MB, q35 only, needs smm, secure boot) +conf = OvmfPkg/OvmfPkgX64.dsc +arch = X64 +opts = ovmf.common + ovmf.4m + ovmf.sb.smm +pcds = nx.compat.x64 + la57 +plat = OvmfX64 +dest = RHEL-10/ovmf +cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd 
+cpy2 = X64/EnrollDefaultKeys.efi + +[build.ovmf.qemu.vars] +desc = ovmf build (64-bit, 4MB, qemu vars, secure boot) +conf = OvmfPkg/OvmfPkgX64.dsc +arch = X64 +opts = ovmf.common + ovmf.4m + ovmf.qemu.vars +pcds = nx.strict + la57 +plat = OvmfX64 +dest = RHEL-10/ovmf +cpy1 = FV/OVMF.fd OVMF.qemuvars.fd + + +##################################################################### +# stateless ovmf builds (firmware in rom or r/o flash) + +[build.ovmf.amdsev] +desc = ovmf build for AmdSev (4MB) +conf = OvmfPkg/AmdSev/AmdSevX64.dsc +arch = X64 +opts = ovmf.common + ovmf.4m +pcds = nx.compat.x64 +plat = AmdSev +dest = RHEL-10/ovmf +cpy1 = FV/OVMF.fd OVMF.amdsev.fd + +[build.ovmf.inteltdx] +desc = ovmf build for IntelTdx (4MB) +conf = OvmfPkg/IntelTdx/IntelTdxX64.dsc +arch = X64 +opts = ovmf.common + ovmf.4m + ovmf.sb.stateless +pcds = nx.compat.x64 + la57 +plat = IntelTdx +dest = RHEL-10/ovmf +cpy1 = FV/OVMF.fd OVMF.inteltdx.fd + + +##################################################################### +# armvirt builds + +[build.armvirt.aa64.verbose] +desc = ArmVirt build for qemu, 64-bit (arm v8), verbose +conf = ArmVirtPkg/ArmVirtQemu.dsc +arch = AARCH64 +opts = ovmf.common + armvirt.verbose +pcds = nx.compat.aa64 +plat = ArmVirtQemu-AARCH64 +dest = RHEL-10/aarch64 +cpy1 = FV/QEMU_EFI.fd +cpy2 = FV/QEMU_VARS.fd +cpy3 = FV/QEMU_EFI.fd QEMU_EFI-pflash.raw +cpy4 = FV/QEMU_VARS.fd vars-template-pflash.raw +pad3 = QEMU_EFI-pflash.raw 64m +pad4 = vars-template-pflash.raw 64m + +[build.armvirt.aa64.silent] +desc = ArmVirt build for qemu, 64-bit (arm v8), silent +conf = ArmVirtPkg/ArmVirtQemu.dsc +arch = AARCH64 +opts = ovmf.common + armvirt.silent +pcds = nx.compat.aa64 +plat = ArmVirtQemu-AARCH64 +dest = RHEL-10/aarch64 +cpy1 = FV/QEMU_EFI.fd QEMU_EFI.silent.fd +cpy2 = FV/QEMU_EFI.fd QEMU_EFI-silent-pflash.raw +pad2 = QEMU_EFI-silent-pflash.raw 64m + +[build.armvirt.aa64.qemu.vars] +desc = ArmVirt build for qemu, 64-bit (arm v8), qemu vars, secure boot +conf = 
ArmVirtPkg/ArmVirtQemu.dsc +arch = AARCH64 +opts = ovmf.common + ovmf.qemu.vars + armvirt.silent +pcds = nx.strict +plat = ArmVirtQemu-AARCH64 +dest = RHEL-10/aarch64 +cpy1 = FV/QEMU_EFI.fd QEMU_EFI.qemuvars.fd +cpy2 = FV/QEMU_EFI.fd QEMU_EFI-qemuvars-pflash.raw +pad2 = QEMU_EFI-qemuvars-pflash.raw 64m + + +##################################################################### +# riscv build + +[build.riscv.qemu] +conf = OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc +arch = RISCV64 +plat = RiscVVirtQemu +dest = RHEL-10/riscv +cpy1 = FV/RISCV_VIRT_CODE.fd +cpy2 = FV/RISCV_VIRT_CODE.fd RISCV_VIRT_CODE.raw +cpy3 = FV/RISCV_VIRT_VARS.fd +cpy4 = FV/RISCV_VIRT_VARS.fd RISCV_VIRT_VARS.raw +pad1 = RISCV_VIRT_CODE.raw 32m +pad2 = RISCV_VIRT_VARS.raw 32m diff --git a/edk2-platforms-7f42d4034c8f.tar.xz b/edk2-d46aa46c8361.tar.xz similarity index 50% rename from edk2-platforms-7f42d4034c8f.tar.xz rename to edk2-d46aa46c8361.tar.xz index 75212941f914a44f3b3104085740efc963937816..f236f828c43a0d0a373c2ead186f8b6a4f2d7254 100644 Binary files a/edk2-platforms-7f42d4034c8f.tar.xz and b/edk2-d46aa46c8361.tar.xz differ diff --git a/edk2-stable202402.tar.gz b/edk2-stable202402.tar.gz deleted file mode 100644 index 07ca4d6cb44cf9282ddb0aea91ce2838987e2ba9..0000000000000000000000000000000000000000 Binary files a/edk2-stable202402.tar.gz and /dev/null differ diff --git a/edk2.spec b/edk2.spec index d3c80dcea6efb3524e42f519483bef68a6818b07..8c9c9e025ee64d0951a8bc2338107500f951dfa2 100644 --- a/edk2.spec +++ b/edk2.spec @@ -1,4 +1,4 @@ -%define anolis_release 19 +%define anolis_release 1 %undefine _auto_set_build_flags ExclusiveArch: x86_64 aarch64 loongarch64 riscv64 
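Review bot: `[opts.ovmf.sb.stateless]` enables `SECURE_BOOT_ENABLE` with `SMM_REQUIRE = FALSE` for the IntelTdx build, so the authenticated variable store is not isolated from the guest OS by SMM; that is the accepted trade-off for TDX, where SMM is unavailable and the image is consumed read-only, but the section says nothing about it and could be reused for a stateful build by mistake — suggest `# Secure Boot without SMM: the variable store is NOT protected from the guest; only for stateless/read-only images (IntelTdx)`. Likewise `[pcds.nx.compat.x64]` sets `PcdDxeNxMemoryProtectionPolicy = 0` (DXE NX protection fully off) for the default, sb.smm, amdsev and inteltdx builds while only the qemu.vars builds get `nx.strict`; the comment names shim/grub bugs as the reason, so a note on which shim/grub versions fix them and when compat can be retired would keep the confidential builds from staying unhardened indefinitely. `NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE` in `[opts.ovmf.common]` permits plain-HTTP boot for every build, including non-Secure-Boot ones where the fetched image is never verified; if intentional, a one-line comment saying so belongs next to it.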
@@ -30,47 +30,23 @@ ExclusiveArch: x86_64 aarch64 loongarch64 riscv64 Name: edk2 -Version: 202402 +Version: 20250822 Release: %{anolis_release}%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and OpenSSL and MIT URL: http://www.tianocore.org -Source0: https://github.com/tianocore/edk2/archive/refs/tags/edk2-stable%{version}.tar.gz -Source1: ovmf-whitepaper-c770f8c.txt -Source2: https://github.com/openssl/openssl/archive/refs/tags/openssl-%{OPENSSL_VER}.tar.gz # https://github.com/ucb-bar/berkeley-softfloat-3/tree/b64af41c3276f97f0e181920400ee056b9c88037 -Source3: softfloat-%{softfloat_version}.tar.xz # https://github.com/tianocore/edk2-platforms/commit/7f42d4034c8f4266da691df69dce18234f752cb4 -Source4: edk2-platforms-7f42d4034c8f.tar.xz -Source5: https://github.com/akheron/jansson/releases/download/v2.13.1/jansson-2.13.1.tar.bz2 # https://github.com/google/brotli/tree/f4153a09f87cbb9c826d8fc12c74642bb2d879ea -Source6: brotli-gitf4153a0.tar.gz # json description files -Source10: 50-edk2-aarch64.json -Source11: 51-edk2-aarch64-verbose.json -Source40: 30-edk2-ovmf-x64-sb-enrolled.json -Source41: 40-edk2-ovmf-x64-sb.json -Source42: 50-edk2-ovmf-x64-nosb.json -Source43: 60-edk2-ovmf-x64-amdsev.json -Source44: 60-edk2-ovmf-x64-inteltdx.json -Source50: 50-edk2-loongarch64.json -Source51: 51-edk2-loongarch64-verbose.json -Source52: 52-edk2-riscv-qcow2.json -Source80: https://gitlab.com/kraxel/edk2-build-config/-/blob/master/bin/edk2-build.py -Source81: edk2-build # LoongArch patches for edk2-platforms -Source90: 0023-Platform-Loongson-Remove-minimium-memory-size-limita.patch -Source91: 0024-Platform-Loongson-Modify-loongarch-uefi-firmware-siz.patch -Source92: fixup-fdt-parse-error.patch -Source93: 1006-LoongArchQemuPkg-Enabling-some-base-libraries.patch -Source94: 1007-LoongArchQemuPkg-Add-network-support.patch Patch0001: 0001-MdePkg-Add-StandardSignatureIsHygonGenuine-in-BaseCp.patch Patch0002: 
0002-UefiCpuPkg-LocalApicLib-Exclude-second-SendIpi-seque.patch @@ -112,6 +88,11 @@ Patch1006: 1006-MdePkg-Fix-overflow-issue-in-BasePeC.patch Patch1008: 1008-CVE-2024-1298.patch # https://github.com/tianocore/edk2/pull/10928 Patch1009: 1009-CVE-2024-38797.patch +Patch1010: 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch1011: 0030-SecurityPkg-Tpm2DeviceLibDTpm-Remove-global-variable.patch +Patch1012: 0025-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch +Patch1013: 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch1014: 0023-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch BuildRequires: python3-devel BuildRequires: libuuid-devel @@ -131,6 +112,9 @@ BuildRequires: xorriso # modules in grub2-efi-x64-modules package if we don't touch dummy grub.efi. BuildRequires: grub2-tools BuildRequires: grub2-efi-x64-modules +BuildRequires: perl +BuildRequires: perl(JSON) +BuildRequires: python3dist(virt-firmware) >= 25.4 %endif %package ovmf 
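Review bot: The `@@ -30,47 +30,23 @@` hunk removes every LoongArch input (the loongarch64 JSON descriptors, the Source90–94 patches and the edk2-platforms tarball) and the new edk2-build.rhel-10 defines no LoongArch target, yet the hunk context still shows `ExclusiveArch: x86_64 aarch64 loongarch64 riscv64`; unless a loongarch64 build path exists in spec sections outside this diff, drop the arch from ExclusiveArch rather than leave a build that ships nothing. The hunk also leaves orphaned comments behind, since `# https://github.com/ucb-bar/berkeley-softfloat-3/...`, `# https://github.com/tianocore/edk2-platforms/commit/7f42d4034c8f...`, `# https://github.com/google/brotli/...`, `# json description files` and `# LoongArch patches for edk2-platforms` are kept while the Source lines they described are deleted. Provenance regresses as well: `Source0` moves from the upstream tag URL `https://github.com/tianocore/edk2/archive/refs/tags/edk2-stable%{version}.tar.gz` to a bare local snapshot and OpenSSL from the versioned `openssl-%{OPENSSL_VER}.tar.gz` to an unversioned git-snapshot tarball, with no comment naming the upstream commit or branch; since the changelog justifies this update with CVE-2025-8713 and the previous one with CVE-2024-0727, a `# https://github.com/tianocore/edk2/commit/d46aa46c8361` style comment for each snapshot (and a check that the OpenSSL snapshot is not older than 3.0.14) is what an auditor will need. With `Version: 20250822` no longer derived from the tarball name, `%{version}` can also silently drift from the commit actually built.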
@@ -210,6 +194,24 @@ Summary: Documentation for EFI Development Kit II Tools BuildArch: noarch License: BSD-2-Clause-Patent URL: https://github.com/tianocore/tianocore.github.io/wiki/BaseTools +Source0: edk2-d46aa46c8361.tar.xz +Source1: ovmf-whitepaper-c770f8c.txt +Source2: openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz +Source3: dtc-1.7.0.tar.xz +Source10: 50-edk2-aarch64-qcow2.json +Source11: 51-edk2-aarch64-raw.json +Source12: 52-edk2-aarch64-verbose-qcow2.json +Source13: 53-edk2-aarch64-verbose-raw.json +Source40: 30-edk2-ovmf-x64-sb-enrolled.json +Source41: 40-edk2-ovmf-x64-sb.json +Source43: 50-edk2-ovmf-x64-nosb.json +Source44: 60-edk2-ovmf-x64-amdsev.json +Source45: 60-edk2-ovmf-x64-inteltdx.json +Source50: 50-edk2-riscv-qcow2.json +Source80: edk2-build.py +Source82: edk2-build.rhel-10 +Source90: DBXUpdate-20250610.x64.bin +Source91: DBXUpdate-20250610.aa64.bin %description tools-doc This package documents the tools that are needed to build EFI executables and ROMs using the GNU tools. @@ -564,6 +566,10 @@ rm -f %{buildroot}%{_datadir}/edk2/riscv/*.raw %changelog +* Thu Nov 06 2025 zhoujiajia111 - 20250822-1 +- Updated to version 20250822 to fix CVE-2025-8713 +- Prevent boot loops in confidential guests with SEV-SNP and vTPM by disabling shim fallback reboots + * Tue Sep 23 2025 wh02252983 - 202402-19 - openssl update to 3.0.14 to fix CVE-2024-0727 diff --git a/jansson-2.13.1.tar.bz2 b/jansson-2.13.1.tar.bz2 deleted file mode 100644 index 48d750663db027ab5fdd9dd980b948a47ee4d344..0000000000000000000000000000000000000000 Binary files a/jansson-2.13.1.tar.bz2 and /dev/null differ diff --git a/openssl-3.0.14.tar.gz b/openssl-3.0.14.tar.gz deleted file mode 100644 index bb5756708bc4b12a6c696d8510393a7b0ae93a27..0000000000000000000000000000000000000000 Binary files a/openssl-3.0.14.tar.gz and /dev/null differ 
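Review bot: `Source0`–`Source91` are re-declared inside the `%package tools-doc` section (the hunk's context is that subpackage's `Summary:`, `BuildArch: noarch` and `URL:` lines) instead of the main preamble they were removed from; rpmbuild has tolerated Source tags in subpackage preambles, but I am not certain every rpm release does, and no reader expects a noarch documentation subpackage to own the firmware tarballs, so move the block back next to the remaining `Patch` tags. The two DBX blobs `Source90: DBXUpdate-20250610.x64.bin` and `Source91: DBXUpdate-20250610.aa64.bin` are binary revocation lists with no comment giving their origin or digest, and the images they are applied to are built in spec sections outside this diff; add `# UEFI Forum dbx release 2025-06-10 (https://uefi.org/revocationlistfile), enrolled into the *.secboot.fd / enrolled-keys images` so the revocation data can be verified and refreshed. The renumbering of the inteltdx descriptor from `Source44` to `Source45` and the dropped `Source42` are fine as long as the `%install` references outside the hunk were updated in step.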
diff --git a/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz b/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..25d03af77b7acd4f9a412479a79be90570d4a004 Binary files /dev/null and b/openssl-rhel-4cf5738ac1c163d5ce2517250321da906492c40d.tar.xz differ